
SWF Malware analysis - Oct 22, 2013

Deep diving into a seemingly innocuous ad campaign

Note Oct 23: I notified the ad server used by bigfineads and the specific campaign was promptly stopped - although the files are still on their CDN

I stumbled upon this interesting ad campaign and decided to investigate.

The tag serving the campaign is as follows:

    <iframe id="ad-home-2" src="http://Servedby.bigfineads.com/tt?id=1279210&amp;size=300x250&amp;nfKwx7Ps=39_300x250_0"
        width="300" height="250" frameborder="0" border="0" scrolling="no"
        allowtransparency="true" scfpnhwf4="true" replaced="true"></iframe>

The ad network

Bigfineads.com is well known over the web to have served advertising via intrusive spyware programs and browser extensions, see malwaretips.com/blogs/bigfineads-virus/ for more info.

That would be a problem in its own right, but on top of that the network appears to be serving malicious ads, as discussed below.

Network log

Analysis

Nothing happens in Chrome, except that the Flash ad creative runs a tiny JS snippet:

    window.navigator.userAgent.toString;

The SWF file is unknown to antiviruses on VirusTotal.
Let's dive into the SWF code:

The Flash file is clearly trying to hide from sandboxes and WebKit-based browsers.

The original ad creative is added to the stage from a binary resource embedded in the SWF.
That original SWF appears to be legitimate, despite appearances.

The full JS injection is loaded the same way, from another embedded binary resource.

swfextract (from swftools, alongside swfdump) pulls the resource out:

    swfextract -b 2 13521c3cb5bb9e1e82d7bef5f35a8cdc.swf -o out_js.bin

It looks vaguely like JS! It uses non-ASCII characters to obfuscate the code and make it harder to recognize, but the end of the file is more obvious.
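The two steps above (listing the binary resources an SWF embeds, then spotting which of them is a nested SWF and which is obfuscated script) can be automated for triage. The following is an added example, not code from the original post or from swftools: a small SWF tag walker written from the public SWF file format (FWS/CWS header, RECT, 16-bit tag headers with the 0x3F long-length escape, DefineBinaryData as tag 87). The sample SWF it inspects is constructed inline by `build_swf`, and the JS marker list is a hypothetical choice for this example.

```python
import struct
import zlib

DEFINE_BINARY_DATA = 87  # tag code for DefineBinaryData in the SWF spec
END_TAG = 0
# Hypothetical marker set: strings that a script payload embedded in an ad
# creative has little reason to contain (constructed for this example).
JS_MARKERS = (b"eval(", b"unescape(", b"document.", b"String.fromCharCode",
              b"navigator.userAgent")


def parse_swf(data: bytes):
    """Return (version, [(tag_code, tag_body), ...]) for an FWS or CWS blob."""
    sig = data[:3]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])      # zlib-compressed after the 8-byte header
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("not an SWF (signature %r)" % sig)
    version = data[3]
    # RECT: 5 bits give the per-field bit count, then four fields, byte aligned.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    pos += 4                                  # frame rate (u16) + frame count (u16)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: explicit u32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == END_TAG:
            break
    return version, tags


def extract_binary_data(data: bytes):
    """Map character id -> payload for every DefineBinaryData tag (u16 id, u32 reserved, data)."""
    out = {}
    for code, body in parse_swf(data)[1]:
        if code == DEFINE_BINARY_DATA and len(body) >= 6:
            out[struct.unpack_from("<H", body, 0)[0]] = body[6:]
    return out


def triage(data: bytes):
    """Flag embedded resources that are nested SWFs or look like obfuscated script."""
    findings = []
    for char_id, payload in extract_binary_data(data).items():
        if payload[:3] in (b"FWS", b"CWS"):
            findings.append((char_id, "nested SWF (%d bytes)" % len(payload)))
            continue
        non_ascii = sum(1 for b in payload
                        if b > 0x7E or (b < 0x20 and b not in b"\t\r\n"))
        ratio = non_ascii / max(len(payload), 1)
        hits = [m.decode() for m in JS_MARKERS if m in payload]
        if hits:
            findings.append((char_id, "script-like payload, %.0f%% non-ASCII, markers %s"
                             % (ratio * 100, hits)))
    return findings


def build_swf(tags, compress=False):
    """Assemble a minimal SWF from (code, body) tags; constructed sample data only."""
    rect = bytes([0x00])                      # nbits = 0: a 0x0 frame, padded to a byte
    head = rect + struct.pack("<HH", 0x0C00, 1)   # 12 fps, one frame
    body = b""
    for code, tag_body in tags:
        if len(tag_body) < 0x3F:
            body += struct.pack("<H", (code << 6) | len(tag_body)) + tag_body
        else:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(tag_body)) + tag_body
    body += struct.pack("<H", 0)              # End tag
    total = 8 + len(head) + len(body)
    if compress:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(head + body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + head + body


# Constructed sample: an outer CWS wrapping a harmless inner creative (resource 1)
# and a byte-salted script blob (resource 2), mimicking the layout described above.
INNER_SWF = build_swf([(9, b"\xff\xff\xff"), (1, b"")])   # SetBackgroundColor, ShowFrame
OBFUSCATED_JS = (bytes(range(0x80, 0xFF)) * 3
                 + b"var u=window.navigator.userAgent;eval(unescape(s));")
SAMPLE_SWF = build_swf([(DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + INNER_SWF),
                        (DEFINE_BINARY_DATA, struct.pack("<HI", 2, 0) + OBFUSCATED_JS)],
                       compress=True)

if __name__ == "__main__":
    for char_id, note in triage(SAMPLE_SWF):
        print("resource %d: %s" % (char_id, note))
```

Run against a real file with `triage(open(path, "rb").read())`; resource ids reported here match the `-b` argument swfextract expects, so a flagged resource can be pulled out directly for the next stage.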

Malzilla to the rescue

Malzilla peels off two layers of encoding and reveals the machine the script calls home to:

The control server is located at hxxp://seroplomo.com/svoykrik/gate.php
On VirusTotal, BitDefender and Websense report it as Malicious (2/47)

This exploit targets Java versions prior to 1.7.0.25.

Thanks to Malekal for helping me make the link to the Reveton ransomware.
Interestingly, WOOT documented the same attack with a different C&C server and different SWF files.
See his write-up at Malekal's MalwareDB forum (in French!).

References: VirusTotal

--Jerome


Interested in all this? I'm hiring in New York.
