Shockwave for Director plugin downloads an exe
Posted: Fri May 28, 2010 5:54 am
I was attempting to confirm a problem another user was having with the Shockwave for Director plugin aka Adobe Shockwave Player on hxxp://www.zeronews-fr.com/flash/pandapang.php. I've broken the link because it causes a file to be downloaded and executed. I can't tell that the link is malicious: my guess is that the plugin is confused and is attempting to update itself. I did my testing in a sandbox so it wouldn't make any changes to the rest of my system. Here's the topic I was helping in: http://forums.mozillazine.org/viewtopic ... 9#p9421649
I'll leave the details to last, but here's a summary. Apparently the Shockwave Player plugin decided to update itself. It started up the Shockwave Download Module (SWDNLD.EXE) and downloaded an installation file, setup.exe, to my temp directory. It then executed setup.exe, which installed an old version of Shockwave Player. I wouldn't have known that any of this had happened if my firewall hadn't notified me that SWDNLD.EXE and setup.exe were trying to connect to the Internet or if the software installer hadn't asked for permission to download and install some additional Norton stuff. (Gotta love these third-party ride alongs, eh?) The person I was helping dismissed the installation popup as a bug in Fx 3.6.4 beta build 5 instead of realizing it was a problem with the site's use of Shockwave Player.
My concern is that the Shockwave Player plugin called by Firefox downloaded and installed a program -- an older version of itself -- without my knowledge or permission. (If it hadn't been for my software firewall and a confusing popup, that is.)
Here are the details of what happened:
I ran Fx 3.6.3 in a clean, sandboxed profile that has no extensions installed. I enabled the Shockwave for Director plugin in the Add-ons > Plugins window. I'm using the latest version of Adobe Shockwave Player, version 11.5.7r609.
- I loaded hxxp://www.zeronews-fr.com/flash/pandapang.php. The page has a white square with "Adobe Shockwave Player" in the middle of it. My firewall popped up a dialog telling me that Shockwave Download Module (SWDNLD.EXE) at D:\WINDOWS\system32\Adobe\Director\SWDNLD.EXE was trying to connect to pinger.macromedia.com.
- I responded OK. It downloaded the following:
File Version : 10.4.1.29
File Description : Adobe Shockwave Player (setup.exe)
File Path : D:\Sandbox\<username>\DefaultBox\user\current\Local Settings\Temp\{F774DF64-AE49-4936-94CA-353CA3AF3555}\setup.exe
It then executed setup.exe. Apparently setup.exe installed an old version of the Shockwave Player. Secunia PSI notified me that the following had just been installed:
Version Detected: 10.4.1.29
Installation Path: D:\Sandbox\<username>\DefaultBox\drive\D\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
setup.exe also tried to connect to stats.norton.com -- which I did not allow -- and popped up a dialog titled "Installing Shockwave Player" asking me if I would like to Include Norton Security Scan (checked by default).
- I unchecked the box and clicked the Next button at the bottom of the dialog. The dialog went away and nothing further happened.
- I clicked the reload toolbar button. The site then played the game.
If it hadn't been for my software firewall, I merely would have observed the same thing as the person I was helping, i.e. the software popped up a seemingly bogus software installation dialog but played the game OK when the reload button was clicked.
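As an added example (not part of the original post), here is a small Python detection sketch run over constructed process and network events modelled on the chain described above: a browser-spawned helper (SWDNLD.EXE) launching an executable out of the Temp directory, that Temp executable connecting outbound, and the resulting install being a downgrade from the version already present. The event format and the firefox.exe path are assumptions; hostnames, paths and version strings are taken from the post.

```python
"""Flag a browser plugin helper that runs an installer from %TEMP% and
installs an older version than the one already on the machine."""
import re

SWDNLD = r"D:\WINDOWS\system32\Adobe\Director\SWDNLD.EXE"
SETUP = (r"D:\Sandbox\<username>\DefaultBox\user\current\Local Settings\Temp"
         r"\{F774DF64-AE49-4936-94CA-353CA3AF3555}\setup.exe")
CURRENT_VERSION = "11.5.7r609"   # Shockwave version present before the event

# Constructed telemetry (assumed schema; values modelled on the post).
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": SWDNLD},
    {"type": "network", "image": SWDNLD, "dest": "pinger.macromedia.com"},
    {"type": "process", "parent": SWDNLD, "image": SETUP, "file_version": "10.4.1.29"},
    {"type": "network", "image": SETUP, "dest": "stats.norton.com"},
]

TEMP_DIR = re.compile(r"\\(Local Settings\\)?Temp\\", re.IGNORECASE)
BROWSERS = ("firefox.exe",)   # assumption: browsers whose helpers we watch


def parse_version(v):
    """'11.5.7r609' -> (11, 5, 7, 609); any non-digit run is a separator."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_downgrade(candidate, current):
    """True when the candidate version sorts below the installed one."""
    return parse_version(candidate) < parse_version(current)


def find_findings(events, current_version):
    """Return human-readable findings for the helper -> Temp exe chain."""
    helpers = {e["image"] for e in events if e["type"] == "process"
               and e["parent"].lower().endswith(BROWSERS)}
    temp_exes, findings = set(), []
    for e in events:
        if e["type"] == "process" and e["parent"] in helpers and TEMP_DIR.search(e["image"]):
            temp_exes.add(e["image"])
            msg = f"{e['parent']} launched executable from Temp: {e['image']}"
            if "file_version" in e and is_downgrade(e["file_version"], current_version):
                msg += f" (version {e['file_version']} is older than installed {current_version})"
            findings.append(msg)
    for e in events:
        if e["type"] == "network" and e["image"] in temp_exes:
            findings.append(f"Temp executable {e['image']} connected to {e['dest']}")
    return findings


if __name__ == "__main__":
    for line in find_findings(EVENTS, CURRENT_VERSION):
        print(line)
```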