Endpoint Protection

 View Only

The Curse of the Flash Exploit 

Oct 13, 2009 10:35 AM

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:

This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”

In another part of the code the author (Dandong) provides a fake decryption key for people who are trying to decrypt the code and make a mistake. The fake decryption key is also a string of Chinese characters:

Again, this roughly translates to:

“You f***ing stupid person to decrypt this ---- by dadong”


Actually the real decryption key is the string “Dadong” and the decryption routine is an XOR loop rotating through the key:


(This code as been cleaned and the variables have been renamed for clarity.)

Since ActionScript and JavaScript are very similar we can actually just place the author’s decryption routine in a simple Web page, make some minor changes to it and decrypt the payload in the browser:


Decrypting the code results in a new Flash file (along with a curse on your family). This newly decrypted Flash file is the one that actually contains the exploit and payload. The payload is the same we normally see in these types of attacks—it connects back to a remote site, downloads a malicious file, and then executes it.

The exploit that is used in these flash files is CVE-2007-0071 and is outlined in this research paper. Symantec antivirus products detect these files as Bloodhound.Exploit.193.

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.