The Curse of the Flash Exploit
Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a Flash exploit file came as somewhat of a surprise!
The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:
This roughly translates to:
“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”
In another part of the code the author (Dadong) provides a fake decryption key for people who are trying to decrypt the code and make a mistake. The fake decryption key is also a string of Chinese characters:
Again, this roughly translates to:
“You f***ing stupid person to decrypt this ---- by dadong”
Actually the real decryption key is the string “Dadong” and the decryption routine is an XOR loop rotating through the key:
(This code has been cleaned and the variables have been renamed for clarity.)
Decrypting the code results in a new Flash file (along with a curse on your family). This newly decrypted Flash file is the one that actually contains the exploit and payload. The payload is the same we normally see in these types of attacks—it connects back to a remote site, downloads a malicious file, and then executes it.
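The rotating-key XOR described above, written out as an added Python example; it is not the sample's ActionScript or the cleaned listing from this post. It assumes the key is the ASCII bytes of "Dadong" applied from the first byte of the data, uses a constructed SWF-like sample and a constructed stand-in for the decoy key, and confirms a candidate key by checking that the output carries a valid SWF header.

```python
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS")      # uncompressed / zlib-compressed SWF signatures
REAL_KEY = b"Dadong"               # key named in the post; ASCII encoding is an assumption
DECOY_KEY = b"constructed-decoy"   # stand-in for the fake key, whose text is not reproduced here

def xor_rotate(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, cycling through the key. XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_swf(blob: bytes) -> bool:
    """Validate the 8-byte SWF header: signature, version, little-endian file length."""
    if len(blob) < 8 or blob[:3] not in SWF_MAGICS:
        return False
    declared = struct.unpack_from("<I", blob, 4)[0]
    if blob[:3] == b"FWS":
        return declared == len(blob)
    try:
        body = zlib.decompress(blob[8:])   # CWS: everything after the header is zlib data
    except zlib.error:
        return False
    return declared == 8 + len(body)       # length field counts the uncompressed file

def find_key(encrypted: bytes, candidates):
    """Return the first candidate whose output parses as an SWF header, else None."""
    for key in candidates:
        if looks_like_swf(xor_rotate(encrypted, key)):
            return key
    return None

def make_sample_swf(body: bytes = b"\x00" * 24, compressed: bool = False) -> bytes:
    """Build a constructed, inert SWF-shaped blob (header plus padding) for testing."""
    length = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS\x09" + length + zlib.compress(body)
    return b"FWS\x09" + length + body

if __name__ == "__main__":
    encrypted = xor_rotate(make_sample_swf(), REAL_KEY)
    for key in (DECOY_KEY, REAL_KEY):
        ok = looks_like_swf(xor_rotate(encrypted, key))
        print(f"{key!r}: {'valid SWF header' if ok else 'not an SWF'}")
```

Checking the length field as well as the three-byte signature keeps a wrong key from passing on a chance match of the first bytes.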