
The Curse of the Flash Exploit

Created: 13 Oct 2009 14:35:50 GMT • Updated: 23 Jan 2014 18:32:17 GMT

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:

Warning.jpg
 
This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”

In another part of the code the author (Dadong) provides a fake decryption key to catch people who try to decrypt the code and make a mistake. The fake decryption key is also a string of Chinese characters:

Warning2.jpg
 
Again, this roughly translates to:

“You f***ing stupid person to decrypt this ---- by dadong”

Nice!

Actually the real decryption key is the string “Dadong” and the decryption routine is an XOR loop rotating through the key:

Decryption.jpg 

(This code has been cleaned and the variables have been renamed for clarity.)

Since ActionScript and JavaScript are very similar we can actually just place the author’s decryption routine in a simple Web page, make some minor changes to it and decrypt the payload in the browser:

Decrypted.jpg
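The repeating-key XOR routine described above, as an added JavaScript example that is neither the post's code nor the exploit author's: it decodes a byte array with a candidate key and checks whether the result carries a Flash (SWF) file header, which is how an analyst tells the real key apart from the decoy key without eyeballing the bytes. The sample bytes, the candidate keys and the function names are constructed for this example; only the SWF header layout and the key "Dadong" come from fact or from the post.

```javascript
// Added example (not the blog's or the exploit author's code): a repeating-key
// XOR decoder of the kind the post describes, plus a Flash-header check.
// Sample bytes, candidate keys and function names are constructed here.

// XOR each byte of `data` with the key byte at (index mod key length).
// XOR is its own inverse, so the same routine both encodes and decodes.
function xorWithKey(data, key) {
  const keyBytes = new TextEncoder().encode(key);
  const out = new Uint8Array(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ keyBytes[i % keyBytes.length];
  }
  return out;
}

// A SWF begins with "FWS" (uncompressed) or "CWS" (zlib-compressed), then a
// version byte and a 4-byte little-endian file length. A decoy key such as
// the one in the post produces no such header, so this check rejects it.
function looksLikeSwf(bytes) {
  if (bytes.length < 8) return false;
  const magic = String.fromCharCode(bytes[0], bytes[1], bytes[2]);
  return magic === "FWS" || magic === "CWS";
}

// Try each candidate key in turn; return the first one that yields a Flash
// header, or null if none does.
function findSwfKey(encoded, candidateKeys) {
  for (const key of candidateKeys) {
    if (looksLikeSwf(xorWithKey(encoded, key))) return key;
  }
  return null;
}

// Constructed sample: a fake 16-byte "Flash file" (CWS header, version 9,
// length field, filler) encoded with the real key "Dadong" from the post.
const SAMPLE_PLAIN = new Uint8Array([
  0x43, 0x57, 0x53, 0x09, 0x10, 0x00, 0x00, 0x00,
  0x78, 0x9c, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
]);
const SAMPLE_ENCODED = xorWithKey(SAMPLE_PLAIN, "Dadong");

// Constructed candidates; "DADONG" and "dadong" stand in for wrong guesses
// (the post's actual decoy key is a string of Chinese characters).
const CANDIDATE_KEYS = ["DADONG", "dadong", "Dadong"];
// findSwfKey(SAMPLE_ENCODED, CANDIDATE_KEYS) returns "Dadong"
```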

Decrypting the code results in a new Flash file (along with a curse on your family). This newly decrypted Flash file is the one that actually contains the exploit and payload. The payload is the same as we normally see in these types of attacks—it connects back to a remote site, downloads a malicious file, and then executes it.

The exploit that is used in these Flash files is CVE-2007-0071 and is outlined in this research paper. Symantec antivirus products detect these files as Bloodhound.Exploit.193.