Virus Profile: Exploit-SWF.x

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/16/2015
Date Added: 5/16/2015
Origin: Unknown
Length: Varies
Type: Hoax
Subtype: Exploit
DAT Required: 7592

Virus Characteristics

"Exploit-SWF.x" is a generic detection for Trojans that are part of the Angler Exploit Kit.

The files are highly obfuscated and will not run on their own, since they are part of an infection chain created by Angler when the user accesses a web page compromised by it (known as a "landing page").

The long string passed as a parameter to the page is Base64-encoded data, which decodes to the string below:

Subject=Ping&key=AFC095B821F238B75D827C52804B8C907BC1E546ED8FF102104C4A1061553FCD&addr=1JPkUqnjooe6GEgq8dWkJZwTmyujamkcXR&files=0&size=0&version=0.4.0&OS=7601&ID=76&subid=0&gate=G0&is_admin=0&is_64=0&ip=210.141.159.134

We can see several fields with information about the infected machine, plus the fields ADDR and KEY. These are probably parameters passed to the server to be used in creating a unique exploit for that machine, one that will only run on that specific system. This is possibly what the HTML page uses to load and decrypt the JavaScript embedded in it, which in turn must be used to load the SWF file.
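To make the beacon format above usable in detection, a defender can decode the Base64 parameter from proxy or IDS logs and count how many of the field names listed in this profile it carries. The following is an added example written for this profile, not code from McAfee or from the kit; it re-encodes the decoded string quoted above as its constructed sample, and the threshold of eight matching field names is an assumption chosen for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl

# Field names seen in the decoded Angler beacon quoted in this profile.
BEACON_FIELDS = {"Subject", "key", "addr", "files", "size", "version", "OS",
                 "ID", "subid", "gate", "is_admin", "is_64", "ip"}

# The decoded string from the profile, re-encoded here as the landing page
# would carry it (constructed sample input for this example).
SAMPLE_PLAINTEXT = (
    "Subject=Ping&key=AFC095B821F238B75D827C52804B8C907BC1E546ED8FF102104C4A1061553FCD"
    "&addr=1JPkUqnjooe6GEgq8dWkJZwTmyujamkcXR&files=0&size=0&version=0.4.0"
    "&OS=7601&ID=76&subid=0&gate=G0&is_admin=0&is_64=0&ip=210.141.159.134"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("ascii")).decode("ascii")


def decode_beacon(b64_param: str) -> dict:
    """Base64-decode a page parameter and split it into key/value fields.

    Returns an empty dict when the parameter is not valid Base64 or does not
    decode to ASCII text, so it can be used as a filter over many log lines.
    """
    data = b64_param.strip()
    data += "=" * (-len(data) % 4)  # tolerate padding stripped by the sender
    try:
        raw = base64.b64decode(data, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return {}
    # keep_blank_values keeps zero-valued fields such as files=0 visible
    return dict(parse_qsl(text, keep_blank_values=True))


def beacon_score(fields: dict) -> int:
    """Number of known beacon field names present in the decoded data."""
    return len(BEACON_FIELDS & set(fields))


def is_suspicious_beacon(b64_param: str, threshold: int = 8) -> bool:
    """Flag a parameter whose decoded form matches at least `threshold` fields
    (threshold is an assumed value for this example)."""
    return beacon_score(decode_beacon(b64_param)) >= threshold


if __name__ == "__main__":
    fields = decode_beacon(SAMPLE_B64)
    print(f"matched {beacon_score(fields)} of {len(BEACON_FIELDS)} beacon fields")
    print("suspicious:", is_suspicious_beacon(SAMPLE_B64))
    print("victim ip:", fields.get("ip"), "| OS build:", fields.get("OS"))
```

Scoring on field names rather than on the exact values keeps the check useful when the key, address or IP changes per victim, which the profile says is the case.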

The SWF file itself is also obfuscated, with many ActionScript functions that seem harmless. It has functions to send and receive data over the network and to read and write files on disk. Not much else could be seen in the code due to the obfuscation.

The SWF file exploits the vulnerability CVE-2015-0336 in Adobe Flash Player. More information about this vulnerability can be found on the CVE home page:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0336

The .BIN file present in the escalation seems to be the final payload after the infection, or the binary executable that will be installed on the machine. It is encrypted, possibly with an 8-byte XOR key. Once the payload is decrypted, it is injected directly into the memory of a privileged process (svchost, explorer, winlogon) and never written to disk. After that installation, the payload may perform other operations depending on the type of malware it is.
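When an analyst suspects a repeating 8-byte XOR key on a payload like the .BIN file above, the key can usually be recovered without knowing it, because a PE image contains far more 0x00 bytes than any other value at every key offset. The example below is added for this profile and is not McAfee's tooling or the kit's code; it builds a constructed stand-in for a PE (a DOS header, a PE signature and a sparse body), encrypts it with a made-up key, and recovers that key from byte frequencies, then checks the result by parsing the MZ/PE headers. The key length of 8 follows the profile; the sample key and image layout are assumptions.

```python
import struct
from collections import Counter

KEY_LEN = 8  # the profile suggests an 8-byte XOR key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (used both to encrypt the sample and to decrypt)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_xor_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Guess a repeating XOR key assuming 0x00 is the most common plaintext byte
    at every key offset, which holds for padding-heavy PE images."""
    key = bytearray()
    for i in range(key_len):
        most_common_byte, _ = Counter(blob[i::key_len]).most_common(1)[0]
        key.append(most_common_byte ^ 0x00)  # 0x00 plaintext -> ciphertext equals key byte
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """Validate a decryption attempt: MZ header, e_lfanew at 0x3C, PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, key_len: int = KEY_LEN):
    """Return (guessed_key, plaintext) or (guessed_key, None) if the guess
    does not yield a PE image."""
    key = guess_xor_key(blob, key_len)
    plain = xor_repeating(blob, key)
    return (key, plain) if looks_like_pe(plain) else (key, None)


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE image (not a real binary): DOS header with
    e_lfanew = 0x80, PE signature, and a body dominated by zero bytes."""
    img = bytearray(1024)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    for off in range(0x100, len(img), 37):
        img[off] = off & 0xFF  # sprinkle non-zero bytes the way code/data would
    return bytes(img)


SAMPLE_KEY = bytes.fromhex("1337deadbeef4299")  # made-up key for the example
SAMPLE_BLOB = xor_repeating(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_payload(SAMPLE_BLOB)
    print("recovered key:", key.hex())
    print("decrypts to a PE image:", plain is not None)
```

The header check matters: a frequency guess can be wrong on a short or unusually dense sample, and confirming the MZ and PE signatures before injecting the result into a decompiler or sandbox avoids chasing garbage.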

Indication of Infection

Presence of the above-mentioned activities.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
