Recently came across an interesting SWF that uses inventive ways of hiding exploits. This SWF was hiding the exploit very well inside completely legitimately looking SWF. The SWF was ofcourse coming over ADs from p0rn sites. What's interesting is how far deep inside the exploit was hidden within the legitimately looking SWF. Below is a snap from FFDEC when the SWF is loaded.
As seen the first level malicious SWF is hidden within the "DefineBinaryData" tag. This tag can hold multiple data blobs ranging from SWFs itself to JPG, MP3 etc etc. FFDEC helps loading the SWFs within "DefinBinaryData" tag directly. Loading so leads us to another SWF which again looks legitimate on the outset. Below is a snap of the same.
As seen there's a JPEG file embedded within the SWF. This JPEG file is whats hiding the SWF that triggers and exploit the vulnerability in Adobe Flash Player. Looking at the AS inside "prok" it becomes clear how the hidden SWF inside JPEG file is loaded into the memory.
Initially there are version checks for Adobe Player and OS. Based on the versions the script continues or aborts. Further into the script there are calls to the embedded JPEG file which is fed into the array and processed to form a SWF file.
And the data past the EOF JPEG file.
And the JPEG file itself.
The encoded SWF as seen above is decoded using a simple XOR key. Below script is what creates the key for decoding the encoded data.
And the decoded data as seen below forms a LZMA compressed SWF file. In the below snapshot the 1st XOR bytes corresponds to the bytes from the key and the 2nd XOR bytes corresponds to the bytes from the encoded data.
FFDEC snapshot of the decoded SWF.
VT scan results for the decompressed SWF file.
As seen the first level malicious SWF is hidden within the "DefineBinaryData" tag. This tag can hold multiple data blobs ranging from SWFs itself to JPG, MP3 etc etc. FFDEC helps loading the SWFs within "DefinBinaryData" tag directly. Loading so leads us to another SWF which again looks legitimate on the outset. Below is a snap of the same.
Initially there are version checks for Adobe Player and OS. Based on the versions the script continues or aborts. Further into the script there are calls to the embedded JPEG file which is fed into the array and processed to form a SWF file.
And the data past the EOF JPEG file.
The encoded SWF as seen above is decoded using a simple XOR key. Below script is what creates the key for decoding the encoded data.
And the decoded data as seen below forms a LZMA compressed SWF file. In the below snapshot the 1st XOR bytes corresponds to the bytes from the key and the 2nd XOR bytes corresponds to the bytes from the encoded data.
FFDEC snapshot of the decoded SWF.
VT scan results for the decompressed SWF file.
No comments:
Post a Comment