In recent years exploit kits (EKs) have become widespread. An EK bundles exploit tools for a variety of file formats into a framework that automates probing and exploit testing. Well-known EKs include Blackhole EK, Phoenix EK and Nuclear EK.
We recently received a new Nuclear EK sample and submitted it to VirusTotal; the detection results are shown below:
Only 5 security vendors flagged it, so we analysed it further.
Flash file analysis
Basic file information
An SWF file begins with a three-byte signature, which is one of the following:
• 0x46, 0x57, 0x53 ("FWS"): the file is an uncompressed SWF.
• 0x43, 0x57, 0x53 ("CWS"): everything after the first 8 bytes (that is, after the "file length" field) is compressed with the open ZLIB standard. CWS compression is only permitted in SWF 6 and later.
• 0x5a, 0x57, 0x53 ("ZWS"): everything after the first 8 bytes (that is, after the "file length" field) is compressed with the open LZMA standard. ZWS compression is only permitted in SWF 13 and later.
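As an added example (not code from the original post), the following Python parses the 8-byte SWF header described above, enforces the version rules for CWS and ZWS, inflates the body so a sample can be inspected whatever its packing, and checks the declared length against the real one; the ZWS path assumes the LZMA stream ends with an end-of-payload marker.

```python
import struct
import zlib
import lzma

SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf(data: bytes) -> dict:
    """Parse the 8-byte SWF header and return its fields plus the inflated body."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # little-endian uint32
    if sig not in SIGNATURES:
        raise ValueError("not an SWF signature: %r" % sig)
    scheme = SIGNATURES[sig]
    if scheme == "zlib":
        if version < 6:
            raise ValueError("CWS compression requires SWF 6 or later")
        body = zlib.decompress(data[8:])
    elif scheme == "lzma":
        if version < 13:
            raise ValueError("ZWS compression requires SWF 13 or later")
        # After the header: 4-byte compressed size, 5-byte LZMA properties, then
        # the LZMA stream. Python's lzma module wants the .lzma "alone" layout
        # (properties + 8-byte size + stream); rebuild it with "size unknown",
        # which assumes the stream carries an end-of-payload marker.
        props, stream = data[12:17], data[17:]
        body = lzma.decompress(props + b"\xff" * 8 + stream, format=lzma.FORMAT_ALONE)
    else:
        body = data[8:]
    # The declared length covers the header too, so compare against 8 + body.
    return {
        "signature": sig.decode("ascii"),
        "compression": scheme,
        "version": version,
        "declared_length": declared_len,
        "length_matches": declared_len == 8 + len(body),
        "body": body,
    }


def make_swf(sig: bytes, version: int, body: bytes) -> bytes:
    """Build a minimal SWF with the given signature (constructed test input)."""
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(body))
    if sig == b"CWS":
        return header + zlib.compress(body)
    if sig == b"ZWS":
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        stream = alone[13:]  # drop the 5-byte properties and 8-byte size
        return header + struct.pack("<I", len(stream)) + alone[:5] + stream
    return header + body
```

A length mismatch or a signature/version combination the rules forbid is a quick first indicator that a sample has been tampered with or was crafted rather than produced by a standard compiler.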