>> >> Michael Scheidell wrote: >> > just saw this one in email. terra.com/ spamcop.com./br are hosting >> > trojans. >> > but this email uses flash to load this: >> > >> > <param name=movie value="http://www.terra.com.br/cartoes/datas/amor.swf";> >> > (which redirects to http://cartoes.terra.com.br/datas/amor.swf ) >> > >> > than trys to load a binary: >> > >> > ref="http://www.spamcom.com.br/CartadeAmor.exe"; >> > >> > both files still exist on the hosts, and neither was identified by >> > clamav, and neither triggered any ET (snort) rules, SA didn't trigger >> > any rules except these: >> > >> > HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809, >> > HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957, >> > >> > (and my private rule, looking for a uri ending in .exe) >> > >> > email that tries to get you to load these here: >> > >> > http://pastebin.com/m2fcbe7b5 >> > >> > >> > >> >> >> Oh lovely! >> >> We've seen flash ad based driveby attacks on websites for a year or so - >> this is the first time I've seen them inserted into an email (although >> I'm sure it's been happening for a while). >> >> I don't know what bright spark at Adobe thought it would be a good idea >> for the Flash API to have the functionality to download and execute >> remote arbitrary code, but it should be easy enough to write a SA rule >> to detect embedded flash-based content and score it. >> >> Thanks for posting the example. >> Hi,
well, realistically, there is a harmless flash inside a html page (those who do not like flash may score it, but it does not indicate spamminess or malicious content) There is also a plain link "click here to find out..." inside the html. So SA, or some malware defense, should probably detect that link to an exe file The bad news: flash can redirect to a new webpage - any webpage, even one that tries to download malware via javascripts. It is pretty much like a meta refresh or a javascript call in a html page, just that a normal scanner would not detect that Wolfgang Hamann
