[ISN] New virus first to infect Macromedia Flash

From: InfoSec News (isnat_private)
Date: Wed Jan 09 2002 - 03:59:00 PST

  • Next message: InfoSec News: "Re: [ISN] Perspectives: Time to make Pittsburgh cybersecurity center"

    By Robert Lemos
    Staff Writer, CNET News.com 
    January 8, 2002, 3:05 p.m. PT 
    Antivirus companies warned PC users Tuesday that future Macromedia
    Flash movies could carry malicious viruses and worms.
    The caution came after an unknown virus writer sent just such an
    infectious program to U.K. antivirus company Sophos. Dubbed
    SWF/LFM-926, the new program does little but infect Flash files on a
    PC when the movie is played.
    "It's really a proof of concept, as opposed to something that you
    should lie awake at night worrying about," said Graham Cluley, senior
    technology consultant for the Abingdon, England-based company. "But
    whenever a new vulnerability like this is found, other copycats tend
    to create more malicious variants."
    The SWF/LFM-926 should mainly be a concern to Web site designers who
    use Flash animations to add pizzazz to their sites, Cluley said. Flash
    technology, created by digital media company Macromedia, is typically
    used on sites to add interactive user interfaces and multimedia
    Macromedia went even further, calling the vulnerability through which
    the virus spread "not that serious."
    "Ninety-nine-point-nine percent of the time, people play Flash movies
    from the Web in their browser," said Pete Santangeli, vice president
    of engineering for Flash at the San Francisco company. "That's
    completely safe."
    It's only when a Flash file or movie is played on a PC through a
    standalone player included with Macromedia's authoring tools for Web
    designers that this type of virus can actually infect a PC.
    When the infected Flash movie is played, the virus displays the
    message "Loading.Flash.Movie..." and drops a 926-byte DOS file onto
    the PC. This file--named V.COM--is run by the virus and infects all
    other Flash files in the current directory. The SWF/LFM-926 virus'
    name is derived from the abbreviation for Shockwave Flash, as
    Macromedia Flash used to be known, the displayed message and the size
    of the file.
    The virus will infect only Windows NT, Windows 2000 and Windows XP
    systems, but has not yet been seen circulating the Internet. Moreover,
    since the virus doesn't have a way to spread quickly, it's unlikely to
    infect a large number of PCs in its current form, said Craig Schmugar,
    virus research engineer for security-software maker Network
    "It won't be a very effective spreading method if they only use
    Shockwave Flash," he said, citing NAI tests that confirmed the virus
    will not spread when the Macromedia Flash is played in a Web browser.
    "It is a double-edged sword," he said. "They have given their
    authoring community an ability to create increased functionality. For
    the most part, Macromedia has been strict about security; it would
    have been difficult for them to see this coming."
    The virus is not the first to try to fool those PC users with a
    weakness for Flash movies. In December 1999, the ProLin worm spread
    through e-mail by posing as a Flash movie, but in reality it was a
    simple Windows program file.
    SWF/LFM-926 is a pure virus, meaning the program infects files and can
    only spread when the compromised file is moved to another system.
    Macromedia will release a workaround to disable the file association
    between Flash files and the local Flash player within a couple of
    days, Macromedia's Santangeli said. In addition, the company plans to
    close the hole in the player by the next version.
    For the time being, e-mail users will have to add the SWF file format
    to their list of attachments of which to be wary.
    "Just as we have seen a first Adobe Acrobat file infector and the
    first AutoCAD file infector, this is just a new way to get into the
    PC," Sophos' Cluley said. "It does show that the virus writers are
    always looking for new battlegrounds."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:50:39 PST