NEWS FROM THE LAB - Thursday, May 29, 2008

Inside a Malicious Flash File Posted by Gerald @ 19:13 GMT

The lab has been receiving lots of malicious flash files lately. Most of the flash files that we've received have obfuscated shellcodes.

Our systems flagged one sample and I decided to take a closer look. The obfuscation is simple, it only uses XOR and ADD instructions.

Basically, its taking advantage of a recent exploit and it's coupled with SQL attacks. It downloads and executes a file from the following site:


We detect the downloaded EXE file as Trojan-PSW.Win32.OnlineGames.AYJU and the flash file as Exploit.SWF.Downloader.A.

Here's an animated image of decrypted shellcode:

Signing off,