Mar 8, 2011 11:09 GMT

Microsoft has seen spikes in the number of attacks using SWF malware that embeds malicious JavaScript and warns that this technique might become more prevalent in the near future.

SWF-based malware is not new. It is commonly used to exploit vulnerabilities in Adobe Flash Player in order to install further threats on computers.

The new trojan identified by Microsoft and dubbed Trojan:SWF/Jaswi.A targets CVE-2010-0806, an arbitrary code execution vulnerability in Internet Explorer 6 and 7.

However, what sets it apart is the way in which the JavaScript-based exploit is launched. Most SWF malware uses the getURL function to redirect users to malicious websites, but Jaswi.A uses a function called ExternalInterface.call() to initiate the injection.

"This is not a new method after all, but only a few SWF malware take advantage of this technique," notes Microsoft malware researcher Tim Liu.
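For defenders triaging Flash files, the ExternalInterface technique described above can be checked with a simple heuristic. The following is an added example, not code from Microsoft or the original article: it reads the SWF header, inflates zlib-compressed (CWS) files and counts references to the ExternalInterface class name. The size cap, the helper names and the sample byte strings are assumptions constructed for illustration.

```python
import struct
import zlib

MARKER = b"ExternalInterface"      # class name stored as a string in compiled ActionScript
MAX_BODY = 64 * 1024 * 1024        # assumed cap on inflated size (decompression-bomb guard)

def swf_body(data: bytes) -> bytes:
    """Return the SWF body that follows the 8-byte header, inflated if needed."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    sig = data[:3]
    if sig == b"FWS":                       # uncompressed SWF
        return data[8:]
    if sig == b"CWS":                       # zlib-compressed after the header
        inflater = zlib.decompressobj()
        body = inflater.decompress(data[8:], MAX_BODY + 1)
        if len(body) > MAX_BODY:
            raise ValueError("decompressed body exceeds limit")
        return body
    raise ValueError("not an FWS/CWS file: %r" % sig)

def triage(data: bytes) -> dict:
    """Summarise the header and count ExternalInterface references."""
    body = swf_body(data)
    declared = struct.unpack("<I", data[4:8])[0]   # declared uncompressed file length
    return {
        "compressed": data[:3] == b"CWS",
        "version": data[3],
        "length_matches": declared == 8 + len(body),
        "external_interface_refs": body.count(MARKER),
    }

def make_sample(body: bytes, compress: bool) -> bytes:
    """Build a constructed, header-plus-body test file (not a playable SWF)."""
    header = (b"CWS" if compress else b"FWS") + bytes([9])
    header += struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

# Constructed byte strings standing in for compiled ActionScript string pools.
FLAGGED = b"\x00flash.external\x00ExternalInterface\x00call\x00"
PLAIN = b"\x00flash.display\x00Sprite\x00"

if __name__ == "__main__":
    for name, body, z in (("flagged", FLAGGED, True), ("plain", PLAIN, False)):
        print(name, triage(make_sample(body, z)))
```

Legitimate Flash content also uses ExternalInterface, so a non-zero count is a reason to inspect the file further, not a verdict.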

If successful, the attack downloads a file called uusee.exe, which is a Chinese password stealer known as PWS:Win32/Lolyda.AU.

Microsoft has seen three spikes in Jaswi.A activity. The first was around Christmas, the second around New Year's Eve and the third in mid-January.

The third wave was the biggest, with almost 6,000 attacks reported by 4,000 computers, most of them from South Korea (89%).

Around 5% of attack attempts were reported in the United States, 2% in Canada and 1% in Japan. Three thirds of the affected South Korean computers were located in Seoul.

"We mentioned the embedded JavaScript technique used in the malicious SWF here because it appears to be a trend and may become a popular method," Mr. Liu wrote on the Microsoft Malware Protection Center blog.

Users are advised to always have an up-to-date antivirus program running and capable of scanning Web traffic. If the browser allows it, enabling options that restrict Flash files from loading unless manually clicked could also help.