Spammers Evading Filters Using Maliciously Designed SWF Files

In efforts to bypass detection, spammers are increasingly using SWF (Shockwave Flash) file redirects, Security Experts at Sunbelt Software, the vendor for security software, have said in the last week of August 2008.

The company said that similar to other spamming tricks, the objective of the SWF redirect related to encouraging users to install malware and this works, as filters were not accustom to it. Also, there aren't many tools for analysis as one can find for HTML or JavaScript. Meanwhile, the links included in the spam mails can be displayed as plain text or in html format, while in both the instances, the browsers would easily be able to open the URLs and run the SWF files.

Moreover, the SWF files' action script code contains a redirect designed to lead users onto Websites that serve malware directly or indirectly. Furthermore, in many cases, the malicious program loaded from the Website is a fake anti-virus or anti-spyware software that infects the end-user and informs him/her about the infection. Then, it demands a price to get a particular cleaning software for his/her infected computer.

According to Alex Eckelberry, President, Sunbelt Software, the SWF files contains a hardly visible box crafted to initiate loading of a Trojan. Previously, the attackers used links that directly led to the Trojan. But since those URLs have been recently blacklisted, the spammers had to find a method to get past the filters. Therefore, they are using the SWF files, as reported by SCMagazineUS on August 28, 2008.

Meantime, these spam mails are attempting to trick users into clicking on a link through various ways like claiming to offer Vista security updates, interesting videos or security software free of cost. A server that is frequently used to host the SWF files is ImageShack, an extremely popular online service that hosts media content for no charge.

However, this is not the first time when SWF redirects are being used. Since long, it has been used in malvertizements, advertisements delivering malicious content. Furthermore, the first blast of spam mails using SWF redirects started in July end 2008.

Related article: Spammers Continue their Campaigns Successfully

» SPAMfighter News - 9/9/2008