May 14, 2009

Malicious Site containing SWF:CVE-2007-0071

Malicious Site:
Someone submitted this malicious link "" to me . It seems to be a pop-up or hidden link from some compromised sites.

After checking on the Page Source, i found an obfuscated Javascript (Shown below).

Obfuscated JavaScript

I de-obfuscated the Javascript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash that compromise the Integer overflow vulnerbility in Adobe Flash Player and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code.

The malicious Flash files (6 of them, shown in the script below) will exploit the Flash player and download malicious executable files into the victim's system from various websites.

De-obfuscated JavaScript

Sample Flash file info

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)

On the VirusTotal website, 13 out of 39 AV detected it (Shown Below).


From the "Who-is" record, the IP ( belongs to RuiAn Telecom (China).

Who-is record


  1. Nice post. Great blog. Thanks for the share. Keep posting such kind of information on your blog.