Application security, Incident Response, TDR

Spammers bypass filters with SWF file redirects

Spammers are stepping up their use of Shockwave Flash (SWF) file redirects to avoid detection, security researchers said this week.

Alex Eckelberry, president of Sunbelt Software, a security software provider, said the SWF files embed a barely visible box that pushes the installment of a trojan.

“Previously what they have done was have a direct link to the trojan,” Eckelberry told on Thursday. “But because those URLs are now blacklisted so rapidly, the spammers needed a way to bypass the filters. They use these little SWF files.”

Like other spammer ploys, the purpose of the SWF redirect is to trick users into installing malicious software.

“In many instances the malicious software that is installed will be fake anti-spyware or fake anti-virus software that has infected the user, tells them they are infected, and suggests they pay for the full version of the product to clean their computer,” Randy Abrams, director of technical education at ESET, a threat protection provider, told

Adam O'Donnell, director of emerging technologies at Cloudmark, a message security company, said Shockwave works because filters are not used to it.

“There are just not as many analysis tools as there are for Javascript or HTML, for example,” he said. “I will be interested in what comes next after Shockwave.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.