Decrypting the Flash exploit encryption in the Nuclear exploit kit

2015-03-25T00:00:00
ID MYHACK58:62201560317
Type myhack58
Reporter Anonymous
Modified 2015-03-25T00:00:00

Description

Exploit kits (EKs) have risen in recent years. An EK bundles exploit tools for a variety of file formats and automates analysis and exploit testing. The better-known EKs include Blackhole EK, Phoenix EK and Nuclear EK.

We recently received a new Nuclear EK sample and checked it on VT (VirusTotal). The results are shown below:

[Image: VT detection results for the sample]

Only 5 security vendors detected it, so we analyzed it further.

Flash file analysis

Basic file information

[Image: basic file information]

Note:

An SWF file header begins with a three-byte signature, which is one of the following:

• 0x46, 0x57, 0x53 (“FWS”): the FWS signature identifies an uncompressed SWF file.
• 0x43, 0x57, 0x53 (“CWS”): the CWS signature indicates that the entire SWF file after the first 8 bytes, that is, after the “file length” field, is compressed using the ZLIB open standard. CWS file compression is only permitted in SWF 6 and later versions.
• 0x5a, 0x57, 0x53 (“ZWS”): the ZWS signature indicates that the entire SWF file after the first 8 bytes, that is, after the “file length” field, is compressed using the LZMA open standard. ZWS file compression is only permitted in SWF 13 and later versions.
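The following Python parser is an added example, not code from the original article. It reads the three-byte signature described above, decompresses CWS and ZWS bodies for triage, and flags headers that break the version or length rules. The ZWS field layout after the 8-byte header and the names `parse_swf` and `make_sample` are assumptions, and the sample data is constructed.

```python
import lzma
import struct
import zlib

# Signature -> compression of everything after the 8-byte header (per the note above).
SCHEMES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MIN_VERSION = {"zlib": 6, "lzma": 13}  # earliest SWF version permitting each scheme


def parse_swf(data: bytes) -> dict:
    """Classify an SWF by signature, decompress its body, and flag inconsistencies."""
    if len(data) < 8:
        raise ValueError("truncated: the SWF header is 8 bytes")
    sig, version = data[:3], data[3]
    file_length = struct.unpack_from("<I", data, 4)[0]  # declared uncompressed size
    scheme = SCHEMES.get(sig)
    if scheme is None:
        raise ValueError(f"not an SWF signature: {sig!r}")
    if scheme == "zlib":
        body = zlib.decompress(data[8:])
    elif scheme == "lzma":
        # Assumed ZWS layout: 4-byte compressed length, 5-byte LZMA properties, stream.
        # Rebuild an LZMA "alone" header with size "unknown"; decoding ends at the end marker.
        body = lzma.decompress(data[12:17] + b"\xff" * 8 + data[17:],
                               format=lzma.FORMAT_ALONE)
    else:
        body = data[8:]
    notes = []
    if version < MIN_VERSION.get(scheme, 0):
        notes.append(f"{sig.decode()} not permitted in SWF version {version}")
    if len(body) + 8 != file_length:
        notes.append(f"declared length {file_length}, actual {len(body) + 8}")
    return {"signature": sig.decode(), "version": version, "compression": scheme,
            "file_length": file_length, "body": body, "notes": notes}


def make_sample(sig: bytes, version: int, body: bytes) -> bytes:
    """Build a constructed test file: valid header, arbitrary body (not a real SWF)."""
    header = sig + bytes([version]) + struct.pack("<I", len(body) + 8)
    if sig == b"CWS":
        return header + zlib.compress(body)
    if sig == b"ZWS":
        raw = lzma.compress(body, format=lzma.FORMAT_ALONE)  # props(5) + size(8) + stream
        return header + struct.pack("<I", len(raw) - 13) + raw[:5] + raw[13:]
    return header + body
```

A non-empty `notes` list on a file that otherwise parses is worth a closer look, since a header that contradicts its own version or length can confuse scanners that trust those fields.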
