[clamav-users] Swf.Exploit.CVE_2015_3102 FP

Al Varnell alvarnell at mac.com
Tue Aug 18 01:32:51 EDT 2015


I’ve had three users report browser cache files indicating Swf.Exploit.CVE_2015_3102 infection.  All were logging into PayPal at the time.
<https://www.paypal.com/us/cgi-bin/webscr?cmd=_account>
ClamXav Forum topic: <https://www.clamxav.com/BB/viewtopic.php?f=1&t=4169>

Since I was unable to replicate it with my setup I asked one of them to submit the file to VirusTotal
<https://www.virustotal.com/en/file/c9d1856cfddc24fc3c51e5cc023c2cb4575b38a2140a39123438276d18b8561e/analysis/1439865575/>
where only ClamAV identified it as infected and the file details indicate:
> Commonly abused SWF properties
> - The studied SWF file makes use of ActionScript3, some exploits have been found in the past targeting the ActionScript Virtual Machine. ActionScript has also been used to force unwanted redirections and other badness. Note that many legitimate flash files may also use it to implement rich content and animations.
> - The flash file uses methods of the ExternalInterface class to communicate with the external host of the Flash plugin, such as the web browser.
> - The flash file seems to embed javascript code. In combination with the ExternalInterface class usage, this code might be trying to modify the DOM of the parent URL embedding the file.

They also uploaded it to your "Report False Positive" page.  The MD5 should have been 5d024cc615e2b1c35ce9b2cce77ef481

-Al-
-- 
Al Varnell
Mountain View, CA
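For anyone triaging a similar report, the three "commonly abused SWF properties" VirusTotal lists above (ActionScript 3, ExternalInterface, embedded JavaScript) are all things you can check locally before deciding whether a cached SWF is worth submitting. The script below is an added example, not part of this post and not ClamAV's or VirusTotal's code: it computes the MD5 and SHA-256 that the FP form and VirusTotal key on, decompresses the FWS/CWS/ZWS container, walks the tag records to see whether the file carries ActionScript 3 (a FileAttributes flag or a DoABC tag), and looks for the ExternalInterface and JavaScript strings. The marker strings and the constructed sample movie are assumptions made for the example; a real decision still needs the actual bytecode looked at.

```python
import hashlib
import lzma
import struct
import zlib

# SWF tag codes (Adobe SWF file format specification)
END_TAG = 0
SHOW_FRAME = 1
FILE_ATTRIBUTES = 69   # flag bits; 0x08 in the first byte = ActionScript3
DOABC_OLD = 72         # deprecated DoABC form without flags/name
DOABC = 82             # DoABC: ActionScript 3 bytecode block

# Indicator strings chosen for this example (assumption, not a vendor signature)
EXTERNAL_INTERFACE_MARKER = b"ExternalInterface"
JAVASCRIPT_MARKERS = (b"javascript:", b"<script", b"eval(", b"document.")


def decompress_swf(data):
    """Return (version, uncompressed body after the 8-byte header) for FWS/CWS/ZWS."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    total_len, = struct.unpack_from("<I", data, 4)   # uncompressed length incl. header
    if sig == b"FWS":
        return version, data[8:]
    if sig == b"CWS":
        return version, zlib.decompress(data[8:])
    if sig == b"ZWS":
        # ZWS: UI32 compressed length, 5-byte LZMA props, raw LZMA stream. Rebuild a
        # .lzma "alone" header (props + UI64 uncompressed size) so stdlib lzma can read it.
        props, stream = data[12:17], data[17:]
        alone = props + struct.pack("<Q", total_len - 8) + stream
        return version, lzma.decompress(alone, format=lzma.FORMAT_ALONE)
    raise ValueError("not a SWF signature: %r" % sig)


def parse_tags(body):
    """Return [(code, payload), ...] for the tag records of an uncompressed SWF body."""
    nbits = body[0] >> 3                        # RECT: 5-bit Nbits then 4 fields of Nbits
    pos = (5 + 4 * nbits + 7) // 8 + 4          # skip RECT, FrameRate (UI16), FrameCount (UI16)
    tags = []
    while pos + 2 <= len(body):
        code_len, = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                      # long form: explicit UI32 length follows
            length, = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            break                               # truncated tag: stop instead of overreading
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == END_TAG:
            break
    return tags


def triage_swf(data):
    """Hashes plus the three properties VirusTotal called out for the reported file."""
    version, body = decompress_swf(data)
    tags = parse_tags(body)
    has_as3_flag = any(c == FILE_ATTRIBUTES and p and p[0] & 0x08 for c, p in tags)
    has_abc = any(c in (DOABC, DOABC_OLD) for c, _ in tags)
    lowered = body.lower()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "version": version,
        "tag_codes": [c for c, _ in tags],
        "actionscript3": has_as3_flag or has_abc,
        "external_interface": EXTERNAL_INTERFACE_MARKER in body,
        "embedded_javascript": [m.decode() for m in JAVASCRIPT_MARKERS if m in lowered],
    }


def build_sample_swf(abc_payload=None):
    """Constructed sample: a minimal CWS movie, optionally carrying a fake DoABC tag."""
    def tag(code, payload):
        if len(payload) >= 0x3F:
            return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1)          # empty RECT, 12 fps, 1 frame
    if abc_payload is not None:
        body += tag(FILE_ATTRIBUTES, b"\x08\x00\x00\x00")   # ActionScript3 flag set
        body += tag(DOABC, abc_payload)
    body += tag(SHOW_FRAME, b"") + tag(END_TAG, b"")
    return b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


# Constructed stand-in for ABC bytecode: DoABC flags, name, then the kind of strings a
# real constant pool holds when a movie calls ExternalInterface with JavaScript.
SUSPICIOUS_ABC = (b"\x01\x00\x00\x00frame1\x00"
                  b"flash.external:ExternalInterface call javascript:document.location")

if __name__ == "__main__":
    for label, sample in (("suspicious", build_sample_swf(SUSPICIOUS_ABC)),
                          ("plain", build_sample_swf())):
        print(label, triage_swf(sample))
```

Run it against the real cache file with `triage_swf(open(path, "rb").read())`; the `md5` field is the value to paste into the FP form, and all three VirusTotal properties being true is exactly what a PayPal login widget that bridges to the page's JavaScript looks like, which is why these heuristics alone are not evidence of an exploit.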



