Xanda's Blog !~!

Flash Attack Vectors – Cross Site Flashing (XSF)


A few days ago a lot of media wrote about a Flash worm. I managed to get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for the samples).

First of all, while the exploit code contains Flash, it is actually just used as an attack (or, if we stretch it, infection) vector. The worm itself is contained in JavaScript and is very similar to the Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I’m not wrong), Renren (http://www.renren.com). This site is in many ways similar to Twitter or Facebook, but much more media intensive and it allows users to share various information, including pictures, movies etc.

[Read more HERE]