Hold fire on Fuse Kit....
Moses Gunesch, the author of Fuse Kit, has posted a comment to my blog here:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/17/1644872.aspx#1644983
I may have to eat an awful lot of humble-pie if I have misunderstood the capabilities and features of Fuse. I always hate, with a passion, getting things wrong. My understanding was that Fuse can be used to animate *and encrypt*, and it is encryption of the malicious SWFs that is causing problems - if you can't break an encryption you can't see the true code. If you can't see the true code, you can't assess risk.
Anyways, here is Moses's comment - he deserves full right of reply:
Hi Sandi,
I'm the author of the Fuse Kit. Your article is entirely misleading; Fuse Kit is simply an animation system for Flash that is entirely free, open and transparent. There is nothing in the code that can trigger malicious actions. Fuse is very simple, it can make things move around on the screen and create animation – It doesn't have a single network-enabled feature that can even call another website. That stuff is done using the Flash Player, which should probably be the target of your attacks.
I do not doubt that this banner creator used Fuse, it is even possible that they may have laced their own malicious code into their custom animation sequences (I don't write people's animation code for them), but in essence Fuse itself is just a fancy animation timer. The GetURL actions you mention – or any other network connectivity they used is part of Flash's native coding language (ActionScript), and absolutely does not rely on Fuse (or any other system) to operate.
To state clearly, I absolutely oppose malware myself, and would never think of writing code that enabled any such thing! I hope that you, Kimberly and the others will retract these implications that Fuse is somehow responsible for things it is not even capable of. It is damaging to my name as an Open Source developer who works for the good of the Flash coding community. (So you know, I'm a pretty above-board kind of guy: a published author, I speak at conferences and am generally considered a positive contributor in the Flash world. I really hope that your game is not just to tarnish people's reputations without just cause!)
You are in the business of trying to identify legitimate online threats, which I applaud. I would guess that your credibility must partially hinge on where you point the finger. The author of that banner should surely be excoriated (if you track them down please let me know, I would like to tell 'em a thing or two...), but their use of my animation kit is incidental at best.
Again, Fuse is an entirely open, free, and transparent open source code library. There is nothing scary or mysterious about it. I'll be happy to help explain it to you in more detail if you'd like! :-) But, this strong recommendation you've made against it is misguided and damaging, and I would very kindly ask you to reconsider!
Addendum:
This situation is proving to be quite an intellectual, and moral, struggle for me. Notwithstanding my possibly having to eat humble pie, I cannot ignore the reality that Fuse has been used with every 'undetectable' malvertizement that I have seen. That fact alone - the use of Fuse as a common denominator - can be seen as sufficient reason to advise that all such creatives be treated with extreme caution - especially when we are playing for such high stakes (trying to ensure the safety of web users and avoid seemingly 'undetectable' malvertizements) and we are struggling to find other reliable indicators of potential trouble (the visual content of the malverts changes as does the domains used by the pushers of the malverts, but the apparent use of Fuse is consistent, and we have been seeing such use for a while now).
I must emphasise, very strongly, that there is a subtle, but important, distinction between saying that [1]Fuse is being used with lots of malvertizements, or saying that [2]Fuse is bad. I have been saying the former[1], not the latter[2].