In a blog published in November titled “Explore the CVE-2010-3654 matryoshka”, we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript, only this time without using a 0-day exploit.

In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue: one around Christmas, a second after New Year’s, and then a third and largest spike the weekend after New Year’s:

Image 1a – Prevalence chart for Trojan:SWF/Jaswi.A

When we looked deeper into the targets of these attacks, we discovered that they were predominantly reported by computers in South Korea. Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here’s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):

Image 1b – Attack attempts by unique machines in the months January and February of 2011

Interested in the anomaly, I decided to have a look. After spending some time reviewing it, an interesting thing emerged. The malware Trojan:SWF/Jaswi.A is unlike other SWF malware, which typically calls “getURL <website address>” within an ACTION tag in order to visit a malicious website link without user consent. For more about this, see the following:
http://blogs.technet.com/b/mmpc/archive/2008/10/31/swf-for-malware-deployment.aspx

Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload. Although the analysis was only slightly involved, let’s take a simple step-by-step tour of the malware.

1. SWF with embedded JavaScript

Image 2 – Embedded JavaScript within Trojan:SWF/Jaswi.A

If we convert the JavaScript into Actionscript, it should appear as below:

Image 3 – JavaScript from Image 2 converted to Actionscript illustrating Windows API call

From the image above, we can see the legitimate function ExternalInterface.call() being used to inject JavaScript into the page hosting the SWF. This is not a new method, but only a few SWF malware families take advantage of this technique.

2. JavaScript obfuscation
We notice the embedded JavaScript is also lightly obfuscated by building the code from character codes with the method “fromCharCode()”. After decoding, the real JavaScript code appears (redacted below):

Image 4 – Decrypted JavaScript with black-outs added

Look familiar? Yes, the Microsoft Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code.

3. Shellcode
In Image 4 above, you can see Unicode-escaped data decoded by the method “unescape()” – this is the malware shellcode body, which includes a simple XOR routine to avoid detection. Working further through the obfuscation, we finally see the destination, shown below:

Image 5 – Destination URL indicating an executable named “uusee.exe”

The file “uusee.exe” from the obfuscated URL shown above is actually a prevalent password stealer in China that Microsoft antimalware technologies detect as PWS:Win32/Lolyda.AU (SHA1: 0bd98a39c2eaa9c523e41cec250623b44f6d3239).
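To show how an analyst can peel back the two layers described in steps 2 and 3 statically, here is an added Python triage script that is not part of the original post or of the Jaswi.A sample: it rebuilds fromCharCode() strings, decodes the %uXXXX argument of unescape() into bytes, and brute-forces a single-byte XOR key until a URL appears. The sample input it runs on is constructed (a placeholder host under the reserved .invalid domain, not the real download location).

```python
import json
import re

# Patterns for the two encoding layers: fromCharCode(...) hiding the JavaScript
# text, and unescape("%uXXXX...") carrying the shellcode bytes.
FROMCHARCODE_RE = re.compile(r"(?:String\.)?fromCharCode\(([\d,\s]+)\)")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)["']\s*\)""")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def decode_fromcharcode(js):
    """Replace each fromCharCode(n, n, ...) call with the quoted literal it builds."""
    def repl(m):
        text = "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
        return json.dumps(text)
    return FROMCHARCODE_RE.sub(repl, js)

def decode_unescape(blob):
    """Decode a %uXXXX / %XX string (unescape's argument) into raw bytes.
    Each %uXXXX is a UTF-16 code unit and yields two little-endian bytes."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", blob):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def xor_brute_urls(data):
    """Try every single-byte XOR key; return {key: [urls]} where a URL shows up.
    A hit on key 0 means the data was not XOR-ed at all."""
    hits = {}
    for key in range(256):
        urls = URL_RE.findall(bytes(b ^ key for b in data))
        if urls:
            hits[key] = [u.decode("ascii") for u in urls]
    return hits

def triage(js):
    """Static pass over one sample: decoded JavaScript plus any XOR-hidden URLs."""
    decoded = decode_fromcharcode(js)
    hits = {}
    for blob in UNESCAPE_RE.findall(decoded):
        hits.update(xor_brute_urls(decode_unescape(blob)))
    return {"decoded_js": decoded, "xor_hits": hits}

def build_sample(key=0x5A):
    """Constructed input, not the real Jaswi.A script: a placeholder URL XOR-ed with
    `key`, wrapped in unescape(), next to a fromCharCode()-encoded statement."""
    url = b"http://malware.example.invalid/uusee.exe"  # placeholder host, not the real one
    xored = bytes(b ^ key for b in url)
    blob = "".join("%%u%02x%02x" % (xored[i + 1], xored[i]) for i in range(0, len(xored), 2))
    codes = ",".join(str(ord(c)) for c in "var target = 'uusee.exe';")
    return 'var sc = unescape("%s");\neval(String.fromCharCode(%s));' % (blob, codes)
```

On a real sample the XOR key is unknown, which is why the script tries all 256 and reports every key under which a URL becomes readable.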

We mentioned the embedded JavaScript technique used in the malicious SWF here because it appears to be a trend and may become a popular method. As always, use caution while surfing the Interwebs and use on-access antimalware protection from a credible scanner (for more information on antimalware software, see http://www.microsoft.com/windows/antivirus-partners/).

-- Tim Liu, Malware Researcher, MMPC