Malicious malvertizement versus clean ... let's take a look at good versus bad, and the use of Fuse Kit

As I have said before, the criminals who create malvertizements are inherently lazy. If they can take a shortcut, such as taking a pre-existing "good" advertisement and manipulating it to add their own malicious code, they will. For example, let's look at the cardstore.com malvertizement recently featured on this blog.

The author of the malvertizement used Fuse; the clean advertisement (sourced from bannersonline.com) shows no sign of it.

Good advert: [image]

Bad advert: [image]

Good advert - opening script: [image]

Bad advert - opening script: [image]

Bad advert and good advert, side by side: [image]

You will note that there are additional bits within the malicious advertisement, an important one being "Dynamic text 4". It is here that the bad guys are, apparently, hiding their payload. There are also three additional scripts and four Sprites. The "Dynamic text 4" text is:

[image]

Now, I don't pretend to understand exactly how "Dynamic Text 4" is being misused - in no way can I claim to be a coder - heck, I can't even claim to be the person who spotted the problem with "Dynamic Text 4" (it was Kimberley who saw that) but what I can say is that *something* is going on.  The script for the clean ad is tiny (heck, even I can understand it) - the script for the bad ad is far longer (check out the scroll bars) but there is no way I can grok it, or distill it down to a behavioral description that all of us can understand.  Would anybody like to be guest blogger for a day and explain the "what, why and how" for my long-suffering readers?


Comments

# re: Malicious malvertizement versus clean ... let's take a look at good versus bad, and the use of Fuse Kit

Tuesday, August 19, 2008 10:40 AM by Calvin

Encoded URL? Try XORing it, malware authors usually do that to obfuscate URLs.

Wonder what those sprites are for...

# re: Malicious malvertizement versus clean ... let's take a look at good versus bad, and the use of Fuse Kit

Friday, August 22, 2008 11:32 AM by Samuel Loirat

More info about the malware process with Fuse:

Step 1: Define the dynamic text with the malware code.

    DefineEditText(id: 37, length: 1190)
    * Character id: 14
      Font id: 13
      Font height: 0 (in twips)
      Text color: #000000 FF
      Align: Left
      Left margin: 0
      Right margin: 0
      Indent: 0
      Variable:
      Initial text: u'"wtt${v...uqpqu"!|

Step 2: Place the object into the Flash animation.

    PlaceObject2(id: 26, length: 14)
      HasActions : 0
      Depth : 12
    * Character id : 14
    * Name : id

Step 3: Read the dynamic text info.

    com.mosesSupposes.fuse.FuseItem = function(id, o, fuseID){
        com.mosesSupposes.fuse.FuseItem._ZigoEngine = _global.com.mosesSupposes.fuse.ZigoEngine;
    *   this._nItemID = id;
        this._nFuseID = fuseID;

Step 4: Run the add-on class with the triggerEvent function.

The malware code written in the dynamic text is also different in each file that I've seen so far, so the signature is harder to find.
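What follows is an added example, not code from the original post, from either commenter, or from the Fuse Kit itself. It does mechanically what the post's "Dynamic text 4" observation and Samuel's four steps describe by hand: it walks a SWF's tag list (uncompressed FWS or zlib-compressed CWS), pulls the InitialText out of every DefineEditText tag (tag code 37, the "Dynamic text" objects in the screenshots), and tries every single-byte XOR key against that text, reporting keys that yield URL-like strings, which is the obfuscation Calvin's comment suggests checking for. Everything specific is constructed for the example: the marker list, the URL http://example.invalid/ad.swf, the XOR key 0x2A, and the build_swf() helper that fabricates a one-frame SWF whose DefineEditText carries the same field values as the dump above (font 13, height 0, colour #000000 FF, left aligned, empty variable name). Nothing here decodes the real `"wtt${v...` text from the ad.

```python
import struct
import zlib

DEFINE_EDIT_TEXT = 37
# Substrings an ActionScript 2 ad payload usually needs once decoded (heuristic, constructed).
MARKERS = (b"http://", b"https://", b".swf", b"getURL", b"loadMovie")

def _rect_len(buf, pos):
    """Byte length of a bit-packed RECT: 5-bit Nbits followed by 4*Nbits bits."""
    return (5 + 4 * (buf[pos] >> 3) + 7) // 8

def _cstring(buf, pos):
    end = buf.index(b"\0", pos)
    return buf[pos:end], end + 1

def iter_tags(data):
    """Yield (tag_code, tag_body) for each tag, inflating a CWS body first."""
    if data[:3] == b"CWS":
        data = data[:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("not a SWF file")
    pos = 8 + _rect_len(data, 8) + 4            # header, frame RECT, frame rate, frame count
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                      # long-form RECORDHEADER carries a UI32 length
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        yield code, data[pos:pos + length]
        pos += length
        if code == 0:                           # End tag
            return

def parse_edit_text(body):
    """Return (character_id, variable_name, initial_text) of a DefineEditText body."""
    char_id = struct.unpack_from("<H", body, 0)[0]
    pos = 2 + _rect_len(body, 2)                # skip Bounds RECT
    f1, f2, pos = body[pos], body[pos + 1], pos + 2
    has_text, has_color, has_maxlen, has_font = f1 & 0x80, f1 & 0x04, f1 & 0x02, f1 & 0x01
    has_fontclass, has_layout = f2 & 0x80, f2 & 0x20
    if has_font:
        pos += 2                                # FontID
    if has_fontclass:
        _, pos = _cstring(body, pos)            # FontClass name
    if has_font:
        pos += 2                                # FontHeight
    pos += (4 if has_color else 0) + (2 if has_maxlen else 0) + (9 if has_layout else 0)
    variable, pos = _cstring(body, pos)
    initial = _cstring(body, pos)[0] if has_text else b""
    return char_id, variable.decode("latin-1"), initial

def xor_candidates(blob, markers=MARKERS):
    """Try every single-byte XOR key; a hit on key 0 means the text was never obfuscated."""
    hits = []
    for key in range(256):
        out = bytes(b ^ key for b in blob)
        if any(m in out for m in markers):
            hits.append((key, out))
    return hits

def scan_swf(data):
    """One finding per DefineEditText: character id, variable name, raw text, XOR hits."""
    findings = []
    for code, body in iter_tags(data):
        if code == DEFINE_EDIT_TEXT:
            cid, var, text = parse_edit_text(body)
            findings.append({"id": cid, "variable": var, "text": text,
                             "xor_hits": xor_candidates(text)})
    return findings

# --- constructed sample file, so the scanner can be exercised offline ----------------------

def _pack_bits(fields):
    bits = "".join(format(v & ((1 << n) - 1), "0%db" % n) for v, n in fields)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def build_swf(initial_text, char_id=14, compress=False):
    """Fabricated one-frame SWF whose only DefineEditText mirrors the dump in the comments
    (font 13, height 0, colour #000000 FF, left aligned, no variable name)."""
    rect = _pack_bits([(15, 5), (0, 15), (11000, 15), (0, 15), (8000, 15)])   # 550x400 px
    edit = struct.pack("<H", char_id) + rect
    edit += bytes([0x80 | 0x04 | 0x01, 0x20])   # HasText|HasTextColor|HasFont, HasLayout
    edit += struct.pack("<HH", 13, 0) + b"\x00\x00\x00\xff"    # FontID, FontHeight, RGBA
    edit += b"\x00" + struct.pack("<HHHh", 0, 0, 0, 0)        # Align, margins, indent, leading
    edit += b"\x00" + initial_text + b"\x00"    # empty VariableName, then InitialText

    def tag(code, body):
        if len(body) >= 0x3F:
            return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body
        return struct.pack("<H", (code << 6) | len(body)) + body

    frames = rect + struct.pack("<HH", 12 << 8, 1)             # 12 fps (8.8 fixed), 1 frame
    frames += tag(DEFINE_EDIT_TEXT, edit) + tag(1, b"") + tag(0, b"")   # ShowFrame, End
    length = struct.pack("<I", 8 + len(frames))
    return (b"CWS\x08" + length + zlib.compress(frames)) if compress else b"FWS\x08" + length + frames

if __name__ == "__main__":
    payload = b"http://example.invalid/ad.swf"        # constructed, not from the real ad
    for f in scan_swf(build_swf(bytes(b ^ 0x2A for b in payload))):
        print(f["id"], f["text"], f["xor_hits"])
```

On a real ad, pass the file's bytes to scan_swf(). A hit with a key other than 0 on a text field that has no variable name and zero font height, as in the dump above, is a strong cue that the field is a payload container rather than a caption. No hits does not mean clean: the comment notes the encoded text differs from file to file, and a different encoding scheme would not be caught by a single-byte XOR sweep, so the unobfuscated-looking text still deserves a look at what the Fuse add-on does with it.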