More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the time this is not the case, but because of the special cases where the submitter was actually right, I decided to write this entry.

I've been spending part of today tracking down some SWF files that are part of "the dark side". What I found is that, excluding Flash exploits, SWFs are mainly used as redirectors:

  • Most common case: directly linking to the target web page without user consent (trojan clicker behavior):
    calls getURL("http://...", [target]), where target is either "_blank" or "_self", from within an ACTION tag.
    Also employed in spam e-mails by adding to the message body a link to a SWF file, as an indirection to avoid detection.
  • Used to insert an invisible iframe into the web page it resides on:
    calls getURL("JavaScript:document.body.insertAdjacentHTML('beforeEnd','<iframe src=http://.... width=0 height=0></iframe>')", [target]) from within an ACTION tag.
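Both patterns above come down to an ActionGetURL record in the SWF's ActionScript bytecode, so a triage script can inflate the file and look for those records directly. The following is an added example, not code from the original post: a small Python scanner that handles uncompressed (FWS) and zlib-compressed (CWS) files, extracts the URL and target of every plausible getURL call, and labels each one as a plain redirect or a JavaScript-URL iframe injection. The sample SWF bytes are constructed inline (not a real file; only enough structure for the scanner) and use the placeholder domain example.invalid.

```python
import struct
import zlib

# ActionGetURL opcode from the SWF specification (ActionScript 1/2 bytecode).
# A record is: 0x83, u16 little-endian length, NUL-terminated URL, NUL-terminated target.
ACTION_GET_URL = 0x83


def swf_body(data):
    """Return the SWF body that follows the 8-byte header.
    'FWS' is stored uncompressed; 'CWS' is zlib-compressed after the header.
    'ZWS' (LZMA) is deliberately not handled in this example."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a FWS/CWS file")
    return data[8:] if data[:3] == b"FWS" else zlib.decompress(data[8:])


def find_get_url(body):
    """Heuristic byte scan for ActionGetURL records anywhere in the body.
    A hit is only accepted when the declared length covers exactly two
    NUL-terminated strings, which keeps stray 0x83 bytes from matching."""
    hits = []
    pos = body.find(bytes([ACTION_GET_URL]))
    while pos != -1 and pos + 3 <= len(body):
        (length,) = struct.unpack_from("<H", body, pos + 1)
        payload = body[pos + 3:pos + 3 + length]
        parts = payload.split(b"\x00")
        if len(payload) == length and len(parts) == 3 and parts[2] == b"":
            hits.append((parts[0].decode("latin-1"), parts[1].decode("latin-1")))
            pos = body.find(bytes([ACTION_GET_URL]), pos + 3 + length)
        else:
            pos = body.find(bytes([ACTION_GET_URL]), pos + 1)
    return hits


def classify(url, target):
    """Map one getURL call onto the two redirector patterns described in the post."""
    u = url.lower()
    if u.startswith("javascript:"):
        if "insertadjacenthtml" in u or "<iframe" in u:
            return "iframe-injection"
        return "script-url"
    if u.startswith(("http://", "https://")) and target in ("_blank", "_self", "_top", "_parent"):
        return "redirect"
    return "other"


def scan_swf(data):
    """Return a list of {url, target, kind} dicts for every getURL call found."""
    return [{"url": u, "target": t, "kind": classify(u, t)}
            for u, t in find_get_url(swf_body(data))]


def _get_url_record(url, target):
    # Build one ActionGetURL record for the constructed sample below.
    payload = url.encode("latin-1") + b"\x00" + target.encode("latin-1") + b"\x00"
    return bytes([ACTION_GET_URL]) + struct.pack("<H", len(payload)) + payload


# Constructed sample (assumption: not a real SWF). The filler bytes stand in for the
# header fields and tag headers this scanner does not parse; the JavaScript: string
# mirrors the iframe-injection pattern quoted in the post, with a placeholder domain.
_BODY = (
    b"\x00\x0c\x00\x00\x01\x00\x0c\x03"
    + _get_url_record("http://example.invalid/landing", "_self")
    + _get_url_record("JavaScript:document.body.insertAdjacentHTML('beforeEnd',"
                      "'<iframe src=http://example.invalid/ width=0 height=0></iframe>')", "_self")
    + b"\x00"  # ActionEnd
)
SAMPLE_FWS = b"FWS\x08" + struct.pack("<I", 8 + len(_BODY)) + _BODY
SAMPLE_CWS = b"CWS\x08" + struct.pack("<I", 8 + len(_BODY)) + zlib.compress(_BODY)

if __name__ == "__main__":
    for hit in scan_swf(SAMPLE_CWS):
        print("%-17s target=%-6s %s" % (hit["kind"], hit["target"], hit["url"][:60]))
```

The scan is a byte-level heuristic rather than a full tag parser, so it will also surface getURL calls hidden in places a DoAction-only walk would miss, at the cost of the occasional false hit on arbitrary data; the length check on the two strings keeps that rate low enough for triage.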

The first method described, which directly links to another website, I found to be used in the deployment of the Trojan:Win32/Helpud.AA malware. The entry point of the deployment chain was a SWF file (detected as Trojan:SWF/Redirector.I) that was issuing 6 redirects in a matter of seconds. Five of these were employing exploits to download to the user's machine and execute one and the same file, the end point of the chain: the Win32/Helpud executable.

[Figure: Helpud SWF Chain]

-Marian Radu