ZWS File Magic Inclusion

Hello all:

I needed to extract from PCAP a malicious SWF that was compressed using LZMA, and thusly gave the SWF a ‘ZWS’ header instead of the normal ‘CWS’ you typically observe in a compressed SWF.

While the general.sig file has signatures for CWS and FWS magic for SWF files, I did not see the presence of ZWF. I went ahead and created the following entry in libmagic.sig.

signature file-magic-swf-zws {
file-mime “application/x-shockwave-flash/lzma”, 60
file-magic /(ZWS)/

Then ran bro along side my extraction script on the PCAP and out the LZMA compressed SWF came. Just wanted to pass this along. It might be worth adding it to the sig files for a future release possibly?


That was added a while ago and is queued up for inclusion into 2.4...

signature file-swf {
  file-magic /^(F|C|Z)WS/
  file-mime "application/x-shockwave-flash", 60

2.4 has a ton of updates to file type identification and it looks like there are going to be some more updates before the release too.