Threat Research

Flash Mob Episode II: Attack of the Clones

By Bin Liu | November 20, 2009

Flash exploits targeting the old integer overflow vulnerability (CVE-2007-071) in Flash Player are still relatively active and multiplying, building on the early versions' exploit code with more or less slight differences. One such variation has been made considerably more stealthy and reliable through the use of a Flash run-time packer that spawns a multiplexer component. Fortinet detects it as SWF/Dloader!exploit, yet detection of this peculiar variant across the spectrum of antivirus products is still extremely scarce. Let's lift the lid on that variant by examining a sample, named F1.swf here.

As usual, all the dirty tricks here are done through ActionScript. ActionScript is compiled and stored in the Flash file as bytecode, so for analysis it is convenient to decompile the bytecode with common tools such as swfscan. Unfortunately, swfscan failed to decompile F1.swf for me, so I had to summon swfdump, which can disassemble the bytecode into "something" easier to read. The analysis below is based on that disassembly.


Below is the static constructor (staticconstructor in the swfdump output) of class BinaryData, which contains an encoded payload:

    sealed protectedNS([protected]BinaryData) class [public]::BinaryData extends [public]::Object{
      staticconstructor * =()(0 params, 0 optional)
      [stack:10349 locals:1 scope:3-4 flags:]
      00000) + 0:0 getlocal_0
      00001) + 1:0 pushscope
      00002) + 0:1 debug [register 00=xorkey]
      00003) + 0:1 findproperty [public]::xorkey
      00004) + 1:1 pushstring "PrivateKey01232dfdFSdf"
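As an added example (not code from the original post or from Fortinet), the following Python triage helper shows how an analyst would use the disassembly above: pull the string pushed right after `findproperty [public]::xorkey`, apply it to the embedded blob, and check the result for a recognisable file header. It assumes the payload is protected with a byte-wise repeating-key XOR under that string, which the post does not state; the disassembly line and the encoded blob are constructed sample input, not data from F1.swf.

```python
import re
from typing import Optional

# Constructed sample input: the swfdump line quoted in the post, reproduced
# inline so the helper runs offline.
SAMPLE_DISASM = (
    '00002) + 0:1 debug [register 00=xorkey] '
    '00003) + 0:1 findproperty [public]::xorkey '
    '00004) + 1:1 pushstring "PrivateKey01232dfdFSdf"'
)

# Constructed sample blob (NOT taken from F1.swf): an uncompressed SWF header
# "FWS", version 10, length 24, followed by 16 zero bytes, XORed with the key
# above. Note that zero bytes in the plaintext leak the key bytes verbatim.
ENCODED_SAMPLE = bytes.fromhex("16253a7c7974654b") + b"ey01232dfdFSdf" + b"Pr"

# Leading magic bytes worth checking in a decoded blob.
MAGIC = {b"FWS": "swf-uncompressed", b"CWS": "swf-zlib", b"MZ": "pe"}


def find_xorkey(disasm: str) -> Optional[str]:
    """Return the pushstring operand that follows findproperty xorkey, if any."""
    m = re.search(r'findproperty \[public\]::xorkey.*?pushstring "([^"]*)"', disasm, re.S)
    return m.group(1) if m else None


def xor_decode(data: bytes, key: str) -> bytes:
    """Byte-wise repeating-key XOR (assumed scheme); symmetric, so it also encodes."""
    k = key.encode("latin-1")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def classify(blob: bytes) -> str:
    """Label a decoded blob by its leading magic bytes."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def triage(disasm: str, blob: bytes) -> dict:
    """Recover the key from the disassembly, decode the blob and label the result."""
    key = find_xorkey(disasm)
    if key is None:
        return {"key": None, "type": "unknown", "decoded": b""}
    decoded = xor_decode(blob, key)
    return {"key": key, "type": classify(decoded), "decoded": decoded}


if __name__ == "__main__":
    r = triage(SAMPLE_DISASM, ENCODED_SAMPLE)
    print(r["key"], r["type"], r["decoded"][:8])
```

A "swf-uncompressed" or "swf-zlib" label on the decoded blob is a strong hint that the BinaryData class carries a second-stage Flash file, which is what a detection rule for this family should key on rather than on the outer wrapper alone.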
