
SWF Malware analysis - Oct 22, 2013

Deep diving into a seemingly innocuous ad campaign

Note Oct 23: I notified the ad server used by bigfineads and the specific campaign was promptly stopped, although the files are still on their CDN.

I stumbled upon this interesting ad campaign and decided to investigate

The tag serving the campaign is as follows
<iframe id="ad-home-2" src=";size=
300x250&amp;nfKwx7Ps=39_300x250_0" width="300" height="250" frameborder="0" 
border="0" scrolling="no" allowtransparency="true" scfpnhwf4="true" 

The ad network is well known across the web for having served advertising through intrusive spyware programs and browser extensions (see for more info).

That would be a problem in its own right, but on top of that it appears to be serving malicious ads, as discussed below.

Network log


Nothing happens in Chrome, except that the Flash ad creative runs a tiny JS snippet:


The SWF file is unknown to antiviruses on VirusTotal.
Let's dive into the SWF code:

The Flash file is clearly trying to hide from sandboxes and WebKit-based browsers.

The original ad creative is added to the stage from a binary resource embedded in the SWF.
The original SWF appears to be legitimate, despite appearances.

The full JS injection is loaded in the same way, from another embedded binary resource.

swfextract (from the SWFTools suite, alongside swfdump) pulls the binary resource out:

swfextract -b 2 13521c3cb5bb9e1e82d7bef5f35a8cdc.swf -o out_js.bin

It looks vaguely like JS. It uses non-ASCII characters to obfuscate the code and make it harder to recognize, but the end of the file is more obvious.
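The two steps above (pulling the embedded binary resources out of the SWF, then noticing that one of them is non-ASCII-padded JavaScript) can be reproduced without SWFTools. The following is an added example, not code from the original post: it parses the SWF tag list, collects every DefineBinaryData tag (tag code 87, the resource type `swfextract -b` returns), and scores each blob with simple heuristics for obfuscated script. The sample SWF and the obfuscated snippet are constructed inline for the demonstration; `build_sample_swf` is a fixture, not something found in the campaign.

```python
"""Added example: extract DefineBinaryData resources from a SWF and flag the
ones that look like obfuscated JavaScript. Not the original post's code."""
import struct
import zlib

DEFINE_BINARY_DATA = 87  # SWF tag code for DefineBinaryData (what `swfextract -b` reads)

# Constructed sample: non-ASCII padding in front of a recognisable JS tail.
OBF_JS = b"\xc3\xa9\xc2\xa0" * 20 + b"var x=unescape('%75')+eval(x);"


def _decompress(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS files."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF: decompress with the lzma module first")
    raise ValueError("not a SWF file")


def _rect_len(body: bytes) -> int:
    """Byte length of the RECT record at the start of the body (5 + 4*Nbits bits)."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(data: bytes):
    """Yield (tag_code, payload) for every tag, stopping at the End tag."""
    body = _decompress(data)
    pos = _rect_len(body) + 4  # skip RECT, FrameRate (UI16) and FrameCount (UI16)
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:  # long form: explicit UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break


def extract_binary_data(data: bytes) -> dict:
    """Map DefineBinaryData character id -> raw bytes (UI16 id, UI32 reserved, data)."""
    out = {}
    for code, payload in iter_tags(data):
        if code == DEFINE_BINARY_DATA and len(payload) >= 6:
            char_id = struct.unpack_from("<H", payload, 0)[0]
            out[char_id] = payload[6:]
    return out


JS_MARKERS = (b"eval(", b"unescape(", b"fromCharCode", b"document.write",
              b"<script", b"function(")


def score_js_blob(blob: bytes) -> dict:
    """Heuristic: lots of non-ASCII bytes plus script keywords = obfuscated JS."""
    if not blob:
        return {"non_ascii_ratio": 0.0, "markers": [], "suspicious": False}
    ratio = sum(1 for b in blob if b >= 0x80) / len(blob)
    markers = [m.decode() for m in JS_MARKERS if m in blob]
    return {"non_ascii_ratio": round(ratio, 3), "markers": markers,
            "suspicious": bool(markers) and ratio > 0.1}


def build_sample_swf(resources: dict, compress: bool = False) -> bytes:
    """Constructed fixture: a minimal SWF carrying one DefineBinaryData per resource."""
    tags = b""
    for char_id, blob in resources.items():
        payload = struct.pack("<HI", char_id, 0) + blob
        tags += struct.pack("<HI", (DEFINE_BINARY_DATA << 6) | 0x3F, len(payload)) + payload
    tags += b"\x00\x00"  # End tag
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tags  # RECT(Nbits=0), 12 fps, 1 frame
    sig = b"CWS" if compress else b"FWS"
    body_out = zlib.compress(body) if compress else body
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + body_out


if __name__ == "__main__":
    swf = build_sample_swf({1: b"GIF89a" + b"\x00" * 10, 2: OBF_JS}, compress=True)
    for cid, blob in extract_binary_data(swf).items():
        print(cid, len(blob), score_js_blob(blob))
```

Run it against a real SWF by replacing the fixture with `open(path, "rb").read()`: the character ids it prints are the ones to pass to `swfextract -b`, and a resource that scores as suspicious is the one to hand to a deobfuscator next.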

Malzilla to the rescue

Malzilla peels off two layers of encoding and reveals the machine it calls home to:

The control server is located at hxxp://
On VirusTotal, BitDefender and Websense report it as Malicious (2/47)

This exploit targets Java versions prior to

Thanks to Malekal for helping me make the link to the Reveton ransomware.
Interestingly, WOOT documented the same attack with a different C&C server and different SWF files.
See his write-up at Malekal's MalwareDB forum (in French!).

References

VirusTotal


Interested in all this? I'm hiring in New York.
