[nsp-sec] need help identifying malicious SWF
David Freedman
david.freedman at uk.clara.net
Tue Mar 17 04:58:34 EDT 2009
Hi,
We were given the following URL as part of the latest malware report:
h t t p : / / www.astrongroup.biz/???????3.swf
The site is entirely in Russian, so apologies for the lack of sane characters used here.
Taking a look at the file, I can't seem to find anything odd about it:
~/malware_examine$ swfdump foo.swf
[HEADER] File version: 7
[HEADER] File is zlib compressed. Ratio: 78%
[HEADER] File size: 6963 (Depacked)
[HEADER] Frame rate: 4.000000
[HEADER] Frame count: 5
[HEADER] Movie width: 240.00
[HEADER] Movie height: 110.00
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[002] 1100 DEFINESHAPE defines id 0001
[01a] 6 PLACEOBJECT2 places id 0001 at depth 0001
[030] 315 DEFINEFONT2 defines id 0002
[00b] 26 DEFINETEXT defines id 0003
[01a] 9 PLACEOBJECT2 places id 0003 at depth 0002
[030] 831 DEFINEFONT2 defines id 0004
[00b] 45 DEFINETEXT defines id 0005
[01a] 9 PLACEOBJECT2 places id 0005 at depth 0003
[001] 0 SHOWFRAME 1 (00:00:00,000)
[002] 1053 DEFINESHAPE defines id 0006
[01a] 5 PLACEOBJECT2 moves id 0006 at depth 0001
[01a] 7 PLACEOBJECT2 moves object at depth 0002
[01a] 7 PLACEOBJECT2 moves object at depth 0003
[002] 76 DEFINESHAPE defines id 0007
[01a] 6 PLACEOBJECT2 places id 0007 at depth 0004
[001] 0 SHOWFRAME 2 (00:00:00,250)
[01c] 2 REMOVEOBJECT2 removes object from depth 0004
[002] 984 DEFINESHAPE defines id 0008
[01a] 5 PLACEOBJECT2 moves id 0008 at depth 0001
[016] 180 DEFINESHAPE2 defines id 0009
[01a] 6 PLACEOBJECT2 places id 0009 at depth 0006
[001] 0 SHOWFRAME 3 (00:00:00,500)
[002] 972 DEFINESHAPE defines id 0010
[01a] 5 PLACEOBJECT2 moves id 0010 at depth 0001
[016] 180 DEFINESHAPE2 defines id 0011
[01a] 5 PLACEOBJECT2 moves id 0011 at depth 0006
[001] 0 SHOWFRAME 4 (00:00:00,750)
[002] 989 DEFINESHAPE defines id 0012
[01a] 5 PLACEOBJECT2 moves id 0012 at depth 0001
[001] 0 SHOWFRAME 5 (00:00:00,1000)
[000] 0 END
Is this some kind of new player exploit? And if so, where can I find details on it so as to
be able to positively identify this as malware and take it down?
Many thanks,
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
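The swfdump listing above shows only shape, font, text and placement tags and no DoAction, DoInitAction or DoABC tag, which is the first thing to establish when triaging a SWF: whether the file carries any ActionScript at all. The tag walker below is an added example, not code from the original post or from swftools. It decompresses a CWS file, lists the tag headers the way swfdump does, flags the tags that can carry bytecode or nested content, and extracts the targets of any ActionGetURL records inside a DoAction tag (the classic scripted-redirect payload). The sample file it parses is constructed inline; the URL and tag layout in it are placeholders and have nothing to do with the reported site. Note the caveat in the code: absence of script tags rules out a scripted redirect, not a malformed shape or font body aimed at a player parsing bug, which would need the tag bodies checked against the SWF specification.

```python
"""Added example: minimal SWF tag walker for malware triage (not from the original post)."""
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 2: "DefineShape", 7: "DefineButton", 9: "SetBackgroundColor",
             11: "DefineText", 12: "DoAction", 22: "DefineShape2", 26: "PlaceObject2",
             28: "RemoveObject2", 34: "DefineButton2", 39: "DefineSprite", 48: "DefineFont2",
             59: "DoInitAction", 72: "DoABCDefine", 82: "DoABC", 87: "DefineBinaryData"}
SCRIPT_TAGS = {12, 59, 72, 82}      # bodies are ActionScript bytecode
CONTAINER_TAGS = {7, 34, 39, 87}    # buttons/sprites nest actions or tags; BinaryData embeds a blob
# Caveat: a file with none of these can still target a player parsing bug in a
# shape/font body, so an empty finding list only rules out scripted behaviour.

def read_rect(body, pos):
    """Decode the bit-packed RECT at body[pos]; returns (xmin, xmax, ymin, ymax) in twips."""
    nbits = body[pos] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    bits = int.from_bytes(body[pos:pos + nbytes], "big") >> (nbytes * 8 - total_bits)
    vals = []
    for i in range(4):
        v = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if v & (1 << (nbits - 1)):          # RECT fields are signed
            v -= 1 << nbits
        vals.append(v)
    return tuple(vals), pos + nbytes

def parse_swf(data):
    """Return header fields and a list of (tag_code, tag_body) for an FWS or CWS file."""
    sig, version, file_len = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("unsupported signature %r (ZWS/LZMA not handled here)" % sig)
    rect, pos = read_rect(body, 0)
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack("<H", body[pos:pos + 2])[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                   # long form: explicit 32-bit length follows
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:
            break
    return {"version": version, "declared_length": file_len, "actual_length": len(body) + 8,
            "width": (rect[1] - rect[0]) / 20.0, "height": (rect[3] - rect[2]) / 20.0,
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}

def geturls_in_doaction(tagdata):
    """Walk DoAction records and return (url, target) for every ActionGetURL (0x83)."""
    urls, pos = [], 0
    while pos < len(tagdata):
        code = tagdata[pos]
        pos += 1
        if code == 0:                         # ActionEnd
            break
        if code < 0x80:                       # short actions carry no payload
            continue
        length = struct.unpack("<H", tagdata[pos:pos + 2])[0]
        payload = tagdata[pos + 2:pos + 2 + length]
        pos += 2 + length
        if code == 0x83:
            url, target = payload.split(b"\0")[:2]
            urls.append((url.decode("latin-1"), target.decode("latin-1")))
    return urls

def triage(data):
    """Findings a reviewer wants first: script/container tags, GetURL targets, header lies."""
    info = parse_swf(data)
    findings = []
    for idx, (code, tagdata) in enumerate(info["tags"]):
        name = TAG_NAMES.get(code, "Unknown(%d)" % code)
        if code in SCRIPT_TAGS:
            findings.append((idx, name, geturls_in_doaction(tagdata) if code == 12 else []))
        elif code in CONTAINER_TAGS:
            findings.append((idx, name, []))
    if info["declared_length"] != info["actual_length"]:
        findings.append((-1, "HeaderLengthMismatch", []))
    return info, findings

def build_sample(url=b"http://example.invalid/next.swf"):
    """Constructed 240x110, 4 fps CWS with a background colour and a DoAction/GetURL (placeholder URL)."""
    def rect(xmin, xmax, ymin, ymax, nbits=15):
        bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in (xmin, xmax, ymin, ymax))
        bits += "0" * (-len(bits) % 8)
        return int(bits, 2).to_bytes(len(bits) // 8, "big")
    def tag(code, payload):                   # short-form header only (payload < 63 bytes)
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    get_url = b"\x83" + struct.pack("<H", len(url) + 2) + url + b"\0" + b"\0"
    body = (rect(0, 240 * 20, 0, 110 * 20) + struct.pack("<HH", 4 << 8, 1)
            + tag(9, b"\xff\xff\xff") + tag(12, get_url + b"\0") + tag(1, b"") + tag(0, b""))
    return b"CWS" + bytes([7]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)

if __name__ == "__main__":
    info, findings = triage(build_sample())
    print("version %d, %gx%g, %g fps, %d frames" % (info["version"], info["width"],
          info["height"], info["frame_rate"], info["frame_count"]))
    for code, tagdata in info["tags"]:
        print("[%03x] %4d %s" % (code, len(tagdata), TAG_NAMES.get(code, "?")))
    for finding in findings:
        print("FLAG", finding)
```

Run it against a real sample with `triage(open("foo.swf", "rb").read())`; an empty findings list on a file like the one in the listing above means no script tags and no embedded blobs, after which the remaining question is whether any DefineShape/DefineFont2 body is malformed, which this walker does not check.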