May 14, 2009

Malicious Site containing SWF: CVE-2007-0071

Malicious Site: http://jjxp22.cn/a/iqq.html
Someone submitted this malicious link "http://jjxp22.cn/a/iqq.html" to me. It seems to be opened as a pop-up or hidden link from some compromised sites.

After checking the page source, I found an obfuscated JavaScript block (shown below).

Obfuscated JavaScript

I de-obfuscated the JavaScript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash files that exploit the integer overflow vulnerability in Adobe Flash Player 9.0.115.0 and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code. Players at 9.0.124.0 or later (Adobe APSB08-11) are not affected.

The malicious Flash files (six of them, listed in the script below) exploit the Flash Player and then download malicious executables onto the victim's system from various websites.
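CVE-2007-0071 lives in the DefineSceneAndFrameLabelData tag (tag code 86): the player decodes SceneCount as an EncodedU32 but compares it as a signed integer, so a value with the top bit set passes the bound check and drives a heap overflow. Below is an added example, not the blog author's script and not derived from i16.swf, that walks the SWF tag list (both uncompressed FWS and zlib-compressed CWS) and flags a SceneCount that is negative as int32 or larger than the tag body could possibly hold. The sample SWF blobs are constructed in the code itself; the header skipping assumes a well-formed RECT and frame-rate/frame-count fields.

```python
"""Scan an SWF for the CVE-2007-0071 indicator: an out-of-range SceneCount in
the DefineSceneAndFrameLabelData tag.  Added example, not the blog author's
script; the sample blobs below are constructed here, not taken from i16.swf."""
import struct
import zlib

DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86  # SWF tag code that carries SceneCount
END_TAG = 0


def read_encoded_u32(buf, pos):
    """Decode an SWF EncodedU32 (7 data bits per byte, high bit = continue,
    at most 5 bytes).  Returns (value, position after the field)."""
    value = 0
    for i in range(5):
        if pos >= len(buf):
            raise ValueError("truncated EncodedU32")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            break
    return value & 0xFFFFFFFF, pos


def swf_tags(data):
    """Yield (tag_code, body) for each tag; handles FWS and zlib CWS files."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF file")
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    if len(body) < 5:
        raise ValueError("truncated SWF header")
    # Skip the RECT (5-bit Nbits, then four Nbits-wide fields, byte padded),
    # then UI16 frame rate and UI16 frame count, to reach the first tag.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:  # long form: 32-bit length follows the header
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == END_TAG:
            break


def scan_swf(data):
    """Return a list of finding strings; an empty list means no indicator."""
    findings = []
    for code, tag in swf_tags(data):
        if code != DEFINE_SCENE_AND_FRAME_LABEL_DATA:
            continue
        try:
            scene_count, after = read_encoded_u32(tag, 0)
        except ValueError:
            findings.append("DefineSceneAndFrameLabelData with truncated SceneCount")
            continue
        remaining = len(tag) - after
        if scene_count & 0x80000000:
            # Player 9.0.115.0 compared SceneCount as a signed int, so a value
            # with the sign bit set passed the bound check (CVE-2007-0071).
            findings.append(f"SceneCount 0x{scene_count:08x} is negative as int32")
        elif scene_count * 2 > remaining:
            # Each scene needs at least a 1-byte offset and a NUL-terminated
            # name, so the tag body cannot hold this many scenes.
            findings.append(f"SceneCount {scene_count} exceeds tag body ({remaining} bytes)")
    return findings


# --- constructed fixtures (hypothetical, not the sample from the post) ---
def encode_u32(value):
    """Inverse of read_encoded_u32."""
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def make_tag(code, body):
    if len(body) >= 0x3F:
        return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body
    return struct.pack("<H", (code << 6) | len(body)) + body


def make_swf(tags, compress=False):
    """Minimal SWF v9: zero-size RECT, 12 fps, 1 frame, given tags, End tag."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + b"".join(tags) + make_tag(END_TAG, b"")
    header = struct.pack("<I", 8 + len(body))
    return (b"CWS\x09" + header + zlib.compress(body)) if compress else (b"FWS\x09" + header + body)


ONE_SCENE = encode_u32(1) + encode_u32(0) + b"Scene 1\x00" + encode_u32(0)
BENIGN_SWF = make_swf([make_tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA, ONE_SCENE)])
HOSTILE_SWF = make_swf([make_tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA,
                                 encode_u32(0xFFFFFFFF) + b"\x00" * 4)], compress=True)
```

Run it on a captured sample with `scan_swf(open("i16.swf", "rb").read())`. This is a structural indicator rather than a signature: it only inspects the SceneCount field and never parses the frame-label section, so a file with no tag 86 at all returns an empty list, and a finding should be confirmed by looking at the rest of the tag and at what the accompanying JavaScript does with the player version.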

De-obfuscated JavaScript

Sample Flash file info
###############

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)

On VirusTotal, 13 of 39 AV engines detected it (shown below).

VirusTotal

From the WHOIS record, the IP hosting the site (61.164.108.35) belongs to RuiAn Telecom (China).

WHOIS record

2 comments:

  1. Nice post. Great blog. Thanks for sharing. Keep posting this kind of information on your blog.