Well, I am sick again, alone at home, so I am looking for something to dig into…
And, as it turns out, there is always something interesting happening.
If you are familiar with exploit kits, you know that the major feature of their traffic filter is PluginDetect.
It is a JS script with a huge amount of features, provided by legitimate and respectable authors.
Its main usage for malicious purposes: detecting outdated plug-ins in order to serve “working” exploits for a successful infection of the victim.
It is also known to be part of malicious applications, and it is triggered accordingly. There are products that emulate JS and provide fake responses to PluginDetect in order to bypass it successfully.
Well, bottom line: it is quite a mess to use it for traffic filtering.
But there are always other ways…
If you are not yet up to date, there is already more than one service for using Flash to create drive-by attacks through advertisement networks.
Here is one of them:
“First of all, it is a drive-by iframe that redirects traffic to the site through the implementation of your code placed in swf files.
Let’s assume a few banners rotate on the victim site. You download the file (or files) to the local machine. Patch an iframe, redirect, or alert of your choice into the file, check the file’s operation and upload it back to the server (not forgetting to change the date). Even an experienced webadmin is not immediately able to understand what is going on, and above all suspicion falls on the advertiser. Swf operability remains entirely intact. The embedded code block does not appear separately and does not require any additional steps to run. File size does not increase, and is often reduced. The modified file is not detected by antivirus software and does not require cleansing. Clean profit.”
All the other text is payment options, return policy and “cover-my-ass” text about the service not being responsible for the payload provided by clients.
The idea itself is not new, actually. I saw a malicious PDF that redirected you to some site quite a while ago.
Kaspersky Lab also published some data about this type of attack last year, but in Russian.
Bottom line: the banner generates some output and sends it via a POST request back to the server, and in some cases receives a response with an inject to the exploit pack.
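A defender-side check for the patched-banner technique quoted above, as an added example that is not code from the post or from the service it quotes: it parses a SWF file (FWS or CWS), walks its tags and reports the script-bearing tags together with any URL embedded in their bytecode, which is where an injected redirect ends up. The sample file is built by `build_sample_swf` purely as a constructed test fixture, and the URL in it is a placeholder.

```python
import re
import struct
import zlib
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}   # SWF tags that carry ActionScript

def decompress_swf(data: bytes) -> bytes:
    """Strip the 8-byte header and inflate CWS bodies; ZWS (LZMA) is left unsupported here."""
    sig, declared = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
        if len(body) + 8 != declared:
            raise ValueError("declared length does not match inflated size")
        return body
    raise ValueError("not a supported SWF signature: %r" % sig)

def iter_tags(body: bytes):
    """Yield (code, payload) for each tag after the RECT / frame rate / frame count fields."""
    nbits = body[0] >> 3                              # RECT starts with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8 + 4                # RECT bytes, then UI16 rate + UI16 count
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                            # long header: real length follows as UI32
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                                 # End tag
            break

def scan_swf(data: bytes) -> dict:
    """Report which script-bearing tags a banner contains and any URLs inside their bytecode."""
    findings = {"script_tags": [], "urls": []}
    for code, payload in iter_tags(decompress_swf(data)):
        if code in SCRIPT_TAGS:
            findings["script_tags"].append(SCRIPT_TAGS[code])
            findings["urls"] += [m.group().decode() for m in re.finditer(rb"https?://[\x21-\x7e]+", payload)]
    return findings

def build_sample_swf(url: str) -> bytes:
    """Constructed test fixture: a one-frame CWS file whose DoAction tag holds ActionGetURL(url)."""
    target = b"_self"
    actions = struct.pack("<BH", 0x83, len(url) + len(target) + 2) + url.encode() + b"\0" + target + b"\0\0"
    do_action = struct.pack("<HI", (12 << 6) | 0x3F, len(actions)) + actions   # long-header form
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1) + do_action + b"\x40\x00" + b"\x00\x00"
    return b"CWS" + bytes([10]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)
```

A banner pulled from a rotation that suddenly reports a DoAction or DoABC tag with an external URL, where the previous copy had none, is the signal worth alerting on.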
Technically, if you look very closely at the capabilities of Adobe Flash, you will find the Capabilities list of ActionScript, the native built-in language of .SWF files.
And, as you may see, there is more… It was a matter of time until someone realised that it can be used for malicious purposes…
And here we see another service that, among other SWF tricks, provides:
… a Flash banner that detects the OS version, screen resolution, Java\PDF\Flash plugin versions and browser version.
Well, bottom line, it totally replaces PluginDetect and is less detectable (at least for now). It requires adding additional code to the webpage, something like:
And the size of a simple banner, or in this case an empty banner, is about 2 Kb.
Result: clean, working traffic filtering that removes bots and AV sandboxes that are unable to properly emulate Flash.
Can you bypass this type of plugin detect? I hope you will soon.