Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

SWF for malware deployment

October 31st 2008 in Uncategorized

Mea culpa: Marian is apparently male, not female.

Marian Radu of the Microsoft Malware Protection Center has written about SWF being used for malware. He states:

What I found out is that, excluding flash exploits, SWFs are mainly used as redirectors

Yep, we know this … that is why Flash is “the Typhoid Mary of the Internet”.

I’m glad that Marian has written about the problem of malicious SWF, but I admit that this got my back up:

More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the times it is not the case, but because of these special cases where the submitter was actually right, I decided to write this entry.

I don’t know about you, but I am not too happy with the “special cases where the submitter was actually right” quip.

Regular readers of my blog will know that we have been fighting this problem for years – “we” being me, other security researchers such as Kimberley, every big advertising network there is (and lots of small ones), the web sites who have been victims, the end user victims themselves – every big name has been hit at some time or other – Microsoft, Google, Yahoo, AOL, Doubleclick, 247RealMedia and myriad advertising networks. For Marian to call the examples that he found “special cases” minimizes the existence of malicious SWF in a way that I find discomforting.

As for his statement:

I’ve been spending part of today tracking down some SWF files that are part of “the dark side”.

I wish he had got in touch – I have thousands of samples available for his viewing pleasure on this machine alone.


