More and more each day I see SWF files sent to us as a potential part of a malware deployment chain. Most of the time that is not the case, but because of the special cases where the submitter was actually right, I decided to write this entry.
I’ve been spending part of today tracking down some SWF files that belong to “the dark side”. What I found out is that, excluding Flash exploits, SWFs are mainly used as redirectors:
The first method described, which links directly to another website, I found to be used in the deployment of the Trojan:Win32/Helpud.AA malware. The entry point of the deployment chain was a SWF file (detected as Trojan:SWF/Redirector.I) that issued 6 redirects in a matter of seconds. Five of these used exploits to download and execute onto the user’s machine one and the same file, the end point of the chain: the Win32/Helpud executable.
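A redirector SWF of the kind above usually carries its destination as a literal string inside the movie (an ActionScript 2 getURL action or an ActionScript 3 navigateToURL call), so a first triage step is to unpack the file and pull out every URL it contains. The script below is an added example, not code from this post or from the analysis it describes; the SWF sample it builds is constructed (example.invalid is a placeholder), and it is a heuristic only: a redirector that assembles its target at runtime, or an LZMA-compressed (ZWS) file, will not be caught.

```python
import re
import struct
import zlib

# URL-ish byte pattern; good enough for triage, not a full RFC 3986 parser.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS (zlib) files.
    Header layout: 3-byte signature, 1-byte version, uint32 LE uncompressed length."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig = data[:3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF (ZWS) is not handled in this example")
    else:
        raise ValueError("not an SWF signature: %r" % sig)
    if len(body) + 8 != declared_len:
        # A length mismatch is itself worth noting during triage (truncation or tampering).
        print("warning: header declares %d bytes, got %d" % (declared_len, len(body) + 8))
    return body


def extract_urls(data: bytes) -> list:
    """Unique URLs found as literal strings in the decompressed body, sorted."""
    found = {m.decode("ascii", "replace") for m in URL_RE.findall(swf_body(data))}
    return sorted(found)


def build_sample_swf(url: str, compressed: bool) -> bytes:
    """Constructed test input: a valid header plus a body that merely carries the URL.
    It is not a playable movie; it only exercises the header and decompression path."""
    # zero-size RECT, 12 fps (8.8 fixed), 1 frame, NUL-terminated URL, End tag
    body = b"\x00\x00\x0c\x01\x00" + url.encode("ascii") + b"\x00\x00\x00"
    header = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    sample = build_sample_swf("http://example.invalid/landing", compressed=True)
    print(extract_urls(sample))  # ['http://example.invalid/landing']
```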
-Marian Radu