The "CSI:Internet" series was originally published in c't magazine starting with issue 13/2010. For links to other articles in this series please refer to our CSI:Internet HQ page. The code fragments in this article may cause your anti-virus scanner to issue an alert – this is a false alarm.
Episode 4: Attack of the killer videos
by Sergei Shevchenko
"Have you broken the computer again? It won't play this video of the new iPhone!" It's been a long day and I don't really feel like troubleshooting, but when she gets into this sort of mood, the administrator had better jump to it. And at home, the administrator is me.
Somehow I have my doubts that the origin of this problem is to be found on our PC. Maybe it's the video that's broken. In the source code of the still open web site, there's an <Object> tag containing a link to an SWF file – a video in the Shockwave Flash format which has come to dominate the internet. The URL looks more than a little strange; smelling a rat, I download it onto my computer for a closer look.
At 846 bytes, it's pretty small for an SWF file – you certainly can't fit anything meaningful into that. Although it's a multimedia file, as ever I start by taking a quick look with a hex editor. Any strings, especially where you'd expect to see just incomprehensible raw data, can provide useful clues.
I hit the jackpot – what's a reference to the Windows library urlmon.dll doing in a Flash file? This, together with the URL and the file name 'c:\6123t.exe', both of which the hex editor also unmasks, tells pretty much the whole story – or at least it does once you have some experience of analysing malware.
My tiredness is gone; I'm determined to get to the bottom of this. From previous experiments with Flash, I recall getting good mileage out of SWFTools. It doesn't let me down. The command
swfdump -D -d -u exploit.swf
tells me right away that we're looking at a file in Flash 9 format – the current version is version 10. Not that that's necessarily particularly significant; Flash is backwards-compatible and version 9 is still in widespread use. This is followed by tags containing the actual content. Further down, I see that the reference to the library is part of a block designated DEFINEBITSJPEG. JPEG? As if!
My attention is drawn to the next two data blocks:
 40 SCENEDESCRIPTION
=> 99 b4 8e a0 08 20 20 20 20 20 20 20 20 20 20 20
=> 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
=> 20 20 20 20 20 20 20 43
 12 SCENEDESCRIPTION
=> 01 00 e5 9c ba e6 99 af 20 31 00 00
SCENEDESCRIPTION consisting of a load of 0x20 characters? The data type 0x56 – decimal 86 – doesn't ring any bells, so I pull up the description of the SWF file format which Adobe has kindly made publicly available. Type 86 stands for DefineSceneAndFrameLabelData and contains "Scene and frame label data for a MovieClip". So we have administrative information for a Flash clip consisting primarily of 0x20 characters. Like, sure. I'm onto something – let's take a closer look.