SWF Malware analysis - Oct 22, 2013
Deep diving into a seemingly innocuous ad campaign
Note Oct 23: I notified the ad server used by bigfineads and the specific campaign was promptly stopped - although the files are still on their CDN
I stumbled upon this interesting ad campaign and decided to investigateThe tag serving the campaign is as follows
<iframe id="ad-home-2" src="http://Servedby.bigfineads.com/tt?id=1279210&size= 300x250&nfKwx7Ps=39_300x250_0" width="300" height="250" frameborder="0" border="0" scrolling="no" allowtransparency="true" scfpnhwf4="true" replaced="true"></iframe>
The ad network
Bigfineads.com is well known over the web to have served advertising via intrusive spyware programs and browser extensions, see malwaretips.com/blogs/bigfineads-virus/ for more info.
That would be a whole problem on its own right, but on top of that it appears to be serving malicious ads, as we discuss below.
Nothing happens in Chrome except the Flash ad creative is running a tiny JS snipped:
The SWF file is unknown to antiviruses on VirusTotal.
Let's dive into the SWF code:
The Flash file is clearly looking to hide from sandboxes and webkit-based browsers
The original SWF appears to be legitimate, despite the appearance.
The full JS injection is loaded in the same way from another embedded binary resource
SWFExtract (SWFDump) to extract the thing:
swfextract -b 2 13521c3cb5bb9e1e82d7bef5f35a8cdc.swf -o out_js.bin
It looks vaguely like JS! It uses non-ascii characters to obfuscate and make it harder to recognize. But the end of the file is more obvious.
Malzilla to the rescue
Malzilla shows two layers of encryption and reveals the machine where it is calling home to:
The control server is located at hxxp://seroplomo.com/svoykrik/gate.php
On VirusTotal, BitDefender and Websense report it as Malicious (2/47)
This exploit targets Java versions prior to 126.96.36.199
Thanks to Malekal for helping me make the link to the Reveton ransomware.
Interestingly, WOOT documented the same attack with a different C&C server and different SWF files.
See his write-up at Malekal's MalwareDB forum (in French!).
- SHA-256 79371d24576eb94b5de132d8ad8ceb931c36a5923dd93d01dcf9c96eb72d74a8
- SHA-256 46ce359ded4516f91799aede938e7920b18b5b4d33ac0c2a384a47c188d5c791
- SHA-256 2cec4cbee8b27db8a00823911b2e3edaa62f5ae2c878ffa570daa6e3c0b73aa7
- SHA-256 01d852738acdb387cef3f6062a361f8c9b59130275a55be9943184b585cd6fdd
Interested in all this? I'm hiring in New York.
Follow me on (t)