>> 
>> Michael Scheidell wrote:
>> > just saw this one in email.  terra.com/ spamcop.com./br are hosting 
>> > trojans.
>> > but this email uses flash to load this:
>> > 
>> > <param name=movie value="http://www.terra.com.br/cartoes/datas/amor.swf";>
>> > (which redirects to http://cartoes.terra.com.br/datas/amor.swf )
>> > 
>> > then tries to load a binary:
>> > 
>> > ref="http://www.spamcom.com.br/CartadeAmor.exe";
>> > 
>> > both files still exist on the hosts, and neither was identified by 
>> > clamav, and neither triggered any ET (snort) rules, SA didn't trigger 
>> > any rules except these:
>> > 
>> > HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
>> >     HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,
>> > 
>> > (and my private rule, looking for a uri ending in .exe)
>> > 
>> > email that tries to get you to load these here:
>> > 
>> > http://pastebin.com/m2fcbe7b5
>> > 
>> > 
>> > 
>> 
>> 
>> Oh lovely!
>> 
>> We've seen flash ad based driveby attacks on websites for a year or so - 
>> this is the first time I've seen them inserted into an email (although 
>> I'm sure it's been happening for a while).
>> 
>> I don't know what bright spark at Adobe thought it would be a good idea 
>> for the Flash API to have the functionality to download and execute 
>> remote arbitrary code, but it should be easy enough to write a SA rule 
>> to detect embedded flash-based content and score it.
>> 
>> Thanks for posting the example.
>> 
Hi,

Well, realistically, there is a harmless flash inside an html page (those who do
not like flash may score it, but it does not indicate spamminess or malicious content).
There is also a plain link "click here to find out..." inside the html.
So SA, or some malware defense, should probably detect that link to an exe file.

The bad news: flash can redirect to a new webpage, any webpage, even one that tries
to download malware via javascript. It is pretty much like a meta refresh or a
javascript call in an html page, except that a normal scanner would not detect that.

Wolfgang Hamann
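As an added example (not code from this thread, and not SpamAssassin itself), the script below does statically what the two checks discussed in this thread amount to: it pulls every URI a mail client might follow from an HTML body (a href, embed src, object data, param name=movie), scores a URI ending in .exe heavily (the "private rule looking for a uri ending in .exe") and an embedded .swf only lightly, since flash on its own is not evidence of spam. The rule names, the scores and the sample body are assumptions made here; the sample reuses the two URLs quoted in the thread but the surrounding markup is constructed. What it cannot see, exactly as Wolfgang notes, is where the flash movie itself redirects once it runs.

```python
"""Static scan of an HTML mail body for an embedded Flash movie (weak
signal) and a URI pointing at a .exe file (strong signal).
Added example; not SpamAssassin code. Rule names and scores are assumed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed rule names and scores, in the style of a local SpamAssassin rule set.
SCORES = {
    "LOCAL_URI_EXE": 3.0,     # a link or embed fetching a Windows executable
    "LOCAL_HTML_FLASH": 0.5,  # a Flash movie is embedded; low weight, since
                              # flash by itself is not malicious
}


class _UriCollector(HTMLParser):
    """Collect every URI a mail client might fetch or follow from the body:
    <a href>, <embed src>, <object data> and <param name=movie value>."""

    def __init__(self):
        super().__init__()
        self.uris = []  # list of (tag, uri)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs if v is not None}
        if tag == "a" and "href" in a:
            self.uris.append((tag, a["href"]))
        elif tag == "embed" and "src" in a:
            self.uris.append((tag, a["src"]))
        elif tag == "object" and "data" in a:
            self.uris.append((tag, a["data"]))
        elif tag == "param" and a.get("name", "").lower() == "movie" and "value" in a:
            self.uris.append((tag, a["value"]))


def _clean(uri):
    # The quoted message shows values like "...amor.swf"; with a stray ';'
    # after the closing quote; strip such trailing punctuation before parsing.
    return uri.strip().rstrip(";'\"")


def scan_html_body(html):
    """Return a list of (rule, uri) hits for the given HTML body."""
    collector = _UriCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for tag, raw in collector.uris:
        uri = _clean(raw)
        path = urlparse(uri).path.lower()
        if path.endswith(".exe"):
            hits.append(("LOCAL_URI_EXE", uri))
        if path.endswith(".swf"):
            hits.append(("LOCAL_HTML_FLASH", uri))
    return hits


def score_hits(hits):
    """SpamAssassin adds each rule's score once, however often it matched."""
    return sum(SCORES[rule] for rule in {rule for rule, _ in hits})


# Constructed sample body modelled on the message described in the thread
# (the two URLs are the ones quoted there; the rest of the markup is made up).
SAMPLE_HTML = """<html><body>
<object width="400" height="300">
<param name=movie value="http://www.terra.com.br/cartoes/datas/amor.swf";>
<embed src="http://www.terra.com.br/cartoes/datas/amor.swf"
       type="application/x-shockwave-flash"></embed>
</object>
<p><a href="http://www.spamcom.com.br/CartadeAmor.exe">click here to find out...</a></p>
</body></html>"""

if __name__ == "__main__":
    found = scan_html_body(SAMPLE_HTML)
    for rule, uri in found:
        print(f"{rule:<18} {uri}")
    print("score:", score_hits(found))
```

Running it on the sample reports the .swf twice (param and embed) and the .exe link once, for a combined score of 3.5 under the assumed weights; the point of the split is that a body with only the flash embed stays well under any reasonable threshold, while the executable link alone carries it most of the way.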

