Lupius Posted January 29, 2012 So the other day my mom forwarded me a chain email with an Excel attachment, saying it's a game. I opened it without giving it much thought and found out it was a flash game embedded inside. Because I can't think of a good reason for anyone to put flash in Excel, I got suspicious of it and discovered that this is a known method of trojan attack. Now, this exploit was discovered patched years ago and I'm pretty sure my Excel 2010 with the latest updates handled it safely. The question is, how do I find out if there was malicious code in that file to begin with? What tools can I use to prove my suspicions?
Sparda Posted January 29, 2012 Upload it to virus total.
digip Posted January 29, 2012 (edited)
> Upload it to virus total.
I've never had much luck on Virustotal with SWF files. EXEs, yes, but SWF files seem to get no hits on anything. Most virus scanners will ignore malicious SWF files altogether unless there are specific signatures for some major threat, or they have a payload in plain text. SWF files generally need to be decompiled first before being able to examine what is in them. @Lupius, if you want to look through them yourself though, best to do so in a VM or sandbox of some sort where you don't care about what happens to the system, either by 1) decompiling in a VM (a la HP SWF Scanner, or SoFlash's Decompiler; SoFlash uses ActiveX and will execute the payload, so do it in a VM or sandbox) or 2) running it against a clean VM snapshot, and comparing changes made to the system itself afterwards, monitoring new traffic it created with something like Wireshark, etc. There is also http://www.flashprobe.com/ and CWSandbox (I think it's now GFI Malware something or other though). Some more info on this sort of attack: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21890 http://news.cnet.com/8301-27080_3-20051071-245.html Edited January 29, 2012 by digip
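Added example, not digip's code or any of the tools mentioned: a small Python scanner for the step before decompiling, locating an embedded SWF inside an .xlsx (or any other file) by its FWS/CWS/ZWS header, checking that the declared uncompressed length matches what the zlib stream really contains, and reporting the part and offset it sits at so it can be carved out for a decompiler. The .xlsx built inline is a constructed sample, and the embedded-object part name is an assumption.

```python
import re, struct, zipfile, zlib
from io import BytesIO

# An SWF starts with FWS (uncompressed), CWS (zlib) or ZWS (LZMA), then a version byte; cap version to cut false hits.
SWF_HEADER = re.compile(rb"[FCZ]WS[\x01-\x32]")

def parse_swf_header(blob):
    """Parse the 8-byte SWF header at blob[0:]; None if it does not decode as one."""
    sig, version = blob[:3].decode(), blob[3]
    try:
        declared_len = struct.unpack("<I", blob[4:8])[0]  # size of the *uncompressed* file, header included
        if sig == "FWS":
            actual_len = 8 + len(blob[8:declared_len])
        elif sig == "CWS":
            actual_len = 8 + len(zlib.decompressobj().decompress(blob[8:]))  # stops at end of zlib stream
        else:
            actual_len = None  # ZWS uses LZMA with a custom header; not handled in this example
    except (struct.error, zlib.error):
        return None  # "CWS" magic with no valid zlib stream behind it (or a truncated header): not an SWF
    return {"sig": sig, "version": version, "declared_len": declared_len,
            "consistent": actual_len == declared_len}

def scan_bytes(data, part="<raw>"):
    """Return one record per SWF header found anywhere in a byte buffer."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        info = parse_swf_header(data[m.start():])
        if info:
            hits.append(dict(info, part=part, offset=m.start()))
    return hits

def scan_office_file(data):
    """.xlsx/.docx are zip containers, so scan every part; anything else (e.g. legacy OLE2 .xls) is scanned raw.
    A raw scan misses an SWF that an OLE wrapper stores compressed, so 'no hits' means 'nothing obvious', not 'safe'."""
    if not zipfile.is_zipfile(BytesIO(data)):
        return scan_bytes(data)
    with zipfile.ZipFile(BytesIO(data)) as z:
        return [h for name in z.namelist() for h in scan_bytes(z.read(name), part=name)]

def make_sample_xlsx():
    """Constructed sample: a minimal CWS SWF (550x400 stage, 12 fps, 1 frame, End tag) inside a fake .xlsx."""
    body = bytes.fromhex("7800055f00000fa000") + b"\x00\x0c\x01\x00" + b"\x00\x00"
    swf = b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + swf)  # padding stands in for the OLE wrapper
    return buf.getvalue()
```

A hit whose declared length does not match the real body is either not an SWF at all or one that has been tampered with, and either way deserves a look in the VM rather than being dismissed.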
Infiltrator Posted January 29, 2012 Finding out if a file is malicious or not is the hardest part. You can't tell if the file is infected or not just by looking at it. Ways to tell are by uploading it to virus total as suggested by Sparda, or installing a good AV such as Avast; for instance, it will alert you and delete the file if it finds it to be infected.
combatwombat27 Posted January 29, 2012 Not that you shouldn't check the file for viruses to be safe, but I wouldn't be too worried. You said you couldn't find a legitimate reason a game was embedded in the Excel file. That's the easy part. I just recently worked on the helpdesk at a manufacturing plant for one of the major car companies. People would hide games in the Excel files to get away with being able to play them. Since the websites that host the games are blocked, they would have to have a local copy. No one would expect the Excel files unless they were named something conspicuous. However, that's not to say it definitely isn't malicious, rather an explanation as to why it exists.
digip Posted January 29, 2012 Personally, I wouldn't trust any SWF file embedded in an Excel file. Easiest way to know: ask the sender if they even sent you the file. No matter who it's from, make sure they are the one who sent you an attachment, and even then, ask them where they got it. It's a known trick for getting past filters in corporate networks, and it's also how RSI got hacked last year, so do your homework before running ANYTHING.
combatwombat27 Posted January 29, 2012 Use Sandboxie. I love it for untrusted things.
psydT0ne Posted January 30, 2012 Sandboxie is the way to go.
Infiltrator Posted January 30, 2012 I agree. A sandbox or even a VM will do the job of preventing the infection from spreading to your computer. That's the best way to contain the infection or prevent it from spreading to your main system altogether.
int0x80 Posted January 30, 2012 I think most people use either flasm or swftools for analyzing swf. IDA also has a SWF plugin, if you're so inclined. It's pretty easy to analyze SWF malware, though I haven't looked at any for a while.
Lupius (Author) Posted January 30, 2012 Thanks for all the replies! I did set up a VM and extracted the flash file in it. Decompiled it with Flash Decompiler Trillix and couldn't find anything foul with the scripts in the file (it was all written in Portuguese anyway). I guess the moral of the story is, I'm glad I finally came up with a scare story that will stop my mom from forwarding chain emails.
combatwombat27 Posted January 30, 2012 Does anyone care how the encapsulation of a sandbox actually works, or perhaps have some suggested documentation? I've always found it interesting how something could be contained yet still have access to all the computer's various files, DLLs and resources.