In association with heise online

04 August 2010, 10:50

The "CSI:Internet" series was originally published in c't magazine starting with issue 13/2010. For links to other articles in this series please refer to our CSI:Internet HQ page. The code fragments in this article may cause your anti-virus scanner to issue an alert – this is a false alarm.


Episode 4: Attack of the killer videos

by Sergei Shevchenko

"Have you broken the computer again? It won't play this video of the new iPhone!" It's been a long day and I don't really feel like troubleshooting, but when she gets into this sort of mood, the administrator had better jump to it. And at home, the administrator is me.

Somehow I have my doubts that the origin of this problem is to be found on our PC. Maybe it's the video that's broken. In the source code of the still open web site, there's an <Object> tag containing a link to an SWF file – a video in the Shockwave Flash format which has come to dominate the internet. The URL looks more than a little strange – smelling a rat, I download it onto my computer for a closer look.

At 846 bytes, it's pretty small for an SWF file – you certainly can't fit anything meaningful into that. Although it's a multimedia file, as ever I start by taking a quick look with a hex editor. Any strings, especially where you'd expect to see just incomprehensible raw data, can provide useful clues.


I hit the jackpot – what's a reference to Windows library urlmon.dll doing in a Flash file? This, together with the URL and a file name 'c:\6123t.exe', both of which the hex editor also unmasks, tells pretty much the whole story – or at least it does once you have some experience of analysing malware.

My tiredness is gone; I'm determined to get to the bottom of this. From previous experiments with Flash, I recall getting good mileage out of SWFTools. It doesn't let me down. The command

swfdump -D -d -u exploit.swf 

tells me right away that we're looking at a file in Flash 9 format – the current version is version 10. Not that that's necessarily particularly significant; Flash is backwards-compatible and version 9 is still in widespread use. This is followed by tags containing the actual content. Further down, I see that the reference to the library is part of a block designated DEFINEBITSJPEG. JPEG? As if!

My attention is drawn to the next two data blocks:

=> 99 b4 8e a0 08 20 20 20 20 20 20 20 20 20 20 20
=> 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
=> 20 20 20 20 20 20 20 43
=> 01 00 e5 9c ba e6 99 af 20 31 00 00

A SCENEDESCRIPTION consisting of a load of 0x20 characters? The data type 0x56 – decimal 86 – doesn't ring any bells, so I pull up a description of the SWF file format (PDF) which Adobe has kindly made publicly available. Type 86 stands for DefineSceneAndFrameLabelData and contains "Scene and frame label data for a MovieClip". So we have administrative information for a Flash clip consisting primarily of 0x20 characters. Like, sure. I'm onto something – let's take a closer look.
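To make concrete what swfdump is reading when it reports the version and walks the tags, here is an added Python example (not from the article, and not part of SWFTools). It parses an uncompressed SWF: the FWS header, the RECT, and each RECORDHEADER (tag code in the upper 10 bits, length in the lower 6, with the 0x3F escape for a 32-bit length). It then does the two checks a triage would want: it extracts printable strings from any DefineBitsJPEG tag and flags the ones that have no business in image data, and it decodes the DefineSceneAndFrameLabelData structure (EncodedU32 counts and null-terminated strings) so the 0x20-padded "scene description" can be read instead of guessed at. The sample file is constructed inline: the 12-byte scene block is exactly the second data block quoted above, while the "JPEG" body, the URL and the executable path are placeholders standing in for the strings the hex editor turned up.

```python
import re
import struct

# Tag codes from Adobe's SWF file format specification (subset).
TAG_NAMES = {0: "End", 1: "ShowFrame", 6: "DefineBitsJPEG", 9: "SetBackgroundColor",
             69: "FileAttributes", 86: "DefineSceneAndFrameLabelData"}

# Substrings a download-and-execute stage leaves in data that should be pure media.
SUSPICIOUS = ("urlmon.dll", ".exe", "http://", "https://")


def read_encoded_u32(data, pos):
    """SWF EncodedU32: 7 data bits per byte, high bit = continuation, max 5 bytes."""
    value, shift = 0, 0
    for _ in range(5):
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("EncodedU32 longer than 5 bytes")


def read_string(data, pos):
    """SWF STRING: UTF-8 bytes terminated by a single null."""
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("utf-8", errors="replace"), end + 1


def build_tag(code, body):
    """RECORDHEADER: UI16 = (code << 6) | length; length 0x3F means a UI32 follows."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_swf(version, tags):
    """Uncompressed SWF: 'FWS', version, file length, RECT, frame rate, frame count, tags."""
    rect = b"\x00"                            # RECT with Nbits = 0 (zero-size stage)
    body = rect + struct.pack("<HH", 12 << 8, 1) + b"".join(tags)   # 12.0 fps, 1 frame
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def parse_swf(swf):
    """Return (version, [(code, name, body), ...]) for an uncompressed SWF."""
    if swf[:3] != b"FWS":
        raise ValueError("CWS/ZWS files must be decompressed first")
    nbits = swf[8] >> 3                       # RECT: 5-bit Nbits, then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4    # skip RECT, frame rate and frame count
    tags = []
    while pos + 2 <= len(swf):
        code_and_len = struct.unpack_from("<H", swf, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: UI32 length follows
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, f"Unknown({code})"), swf[pos:pos + length]))
        pos += length
        if code == 0:                         # End tag
            break
    return swf[3], tags


def parse_scene_data(body):
    """DefineSceneAndFrameLabelData (86): scene (offset, name) list, then frame labels."""
    scenes, labels = [], []
    count, pos = read_encoded_u32(body, 0)
    for _ in range(count):
        offset, pos = read_encoded_u32(body, pos)
        name, pos = read_string(body, pos)
        scenes.append((offset, name))
    count, pos = read_encoded_u32(body, pos)
    for _ in range(count):
        frame, pos = read_encoded_u32(body, pos)
        label, pos = read_string(body, pos)
        labels.append((frame, label))
    return scenes, labels


def find_indicators(body):
    """Printable ASCII runs (6+ chars) containing one of the SUSPICIOUS substrings."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{6,}", body):
        text = m.group().decode("ascii")
        if any(ind in text.lower() for ind in SUSPICIOUS):
            hits.append(text)
    return hits


def triage(swf):
    """Summarise tags, flag loader strings in DefineBitsJPEG, decode scene names."""
    version, tags = parse_swf(swf)
    report = {"version": version, "tags": [], "indicators": [], "scenes": []}
    for code, name, body in tags:
        report["tags"].append((code, name, len(body)))
        if code == 6:                         # should be JPEG data, not Windows strings
            report["indicators"].extend(find_indicators(body))
        elif code == 86:
            report["scenes"].extend(parse_scene_data(body)[0])
    return report


# Constructed sample, not the file from the article. SCENE_BLOCK is the 12-byte
# DefineSceneAndFrameLabelData body quoted in the text; FAKE_JPEG is a placeholder
# body carrying the kind of strings the hex editor showed (placeholder URL and path).
SCENE_BLOCK = bytes.fromhex("01 00 e5 9c ba e6 99 af 20 31 00 00")
FAKE_JPEG = (b"\xff\xd8" + b"\xaa" * 40 + b"urlmon.dll\x00"
             + b"http://example.invalid/payload\x00" + b"c:\\PLACEHOLDER.exe\x00")
SAMPLE_SWF = build_swf(9, [build_tag(86, SCENE_BLOCK), build_tag(6, FAKE_JPEG),
                           build_tag(1, b""), build_tag(0, b"")])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SWF).items():
        print(key, value)
```

Run stand-alone, the report lists the tags in order (86, 6, 1, 0), reports Flash version 9, and flags the three strings planted in the fake JPEG body. The scene block from the article decodes as one scene at offset 0 with no frame labels; its name, the bytes e5 9c ba e6 99 af 20 31, is the UTF-8 string 场景 1 (Chinese for "Scene 1"), the default scene name a Chinese-locale authoring tool writes, which is the kind of detail worth recording alongside the URL and file name when profiling a sample.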

Next: Bit Shoveller
