ZWS File Magic Inclusion

Hello all:

I needed to extract from PCAP a malicious SWF that was compressed using LZMA, and thusly gave the SWF a ‘ZWS’ header instead of the normal ‘CWS’ you typically observe in a compressed SWF.

While the general.sig file has signatures for CWS and FWS magic for SWF files, I did not see the presence of ZWS. I went ahead and created the following entry in libmagic.sig.

signature file-magic-swf-zws {
  file-mime "application/x-shockwave-flash/lzma", 60
  file-magic /(ZWS)/
}

Then I ran Bro alongside my extraction script on the PCAP and out the LZMA compressed SWF came. Just wanted to pass this along. It might be worth adding it to the sig files for a future release possibly?

Thanks,
Jason

That was added a while ago and is queued up for inclusion into 2.4...

signature file-swf {
  file-magic /^(F|C|Z)WS/
  file-mime "application/x-shockwave-flash", 60
}

2.4 has a ton of updates to file type identification and it looks like there are going to be some more updates before the release too.

   .Seth
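The anchored magic check from the two signatures above, together with unpacking of the LZMA body Jason extracted, as an added Python example; this is not code from either post or from Bro. The ZWS layout it assumes (8-byte header, 4-byte compressed length, 5 bytes of LZMA properties, then a raw LZMA1 stream) follows the SWF file format; the sample body is constructed and is not a real Flash movie.

```python
import lzma
import struct
import zlib
from typing import Optional

# Container kind by the 3-byte magic; the match is anchored at offset 0,
# exactly like the Bro signature /^(F|C|Z)WS/.
MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

def classify_swf(data: bytes) -> Optional[str]:
    """Return the SWF container kind, or None if the magic does not match."""
    return MAGICS.get(data[:3])

def unpack_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF body that follows the 8-byte header."""
    kind = classify_swf(data)
    if kind is None:
        raise ValueError("not an SWF container")
    # Byte 3 is the SWF version; bytes 4-7 hold the uncompressed file length.
    body_len = struct.unpack_from("<I", data, 4)[0] - 8
    if kind == "uncompressed":
        return data[8:8 + body_len]
    if kind == "zlib":
        return zlib.decompress(data[8:])[:body_len]
    # ZWS: 4-byte compressed length, 5 bytes of LZMA properties
    # (props byte + little-endian dictionary size), then a raw LZMA1 stream.
    props, dict_size = data[12], struct.unpack_from("<I", data, 13)[0]
    filt = {"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
            "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45}
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt])
    return dec.decompress(data[17:])[:body_len]

def build_swf(body: bytes, kind: str, version: int = 10) -> bytes:
    """Wrap a body in an FWS, CWS or ZWS container (constructed test data)."""
    header = bytes([version]) + struct.pack("<I", len(body) + 8)
    if kind == "FWS":
        return b"FWS" + header + body
    if kind == "CWS":
        return b"CWS" + header + zlib.compress(body)
    lc, lp, pb, dict_size = 3, 0, 2, 1 << 20  # LZMA defaults
    filt = {"id": lzma.FILTER_LZMA1, "dict_size": dict_size, "lc": lc, "lp": lp, "pb": pb}
    payload = lzma.compress(body, format=lzma.FORMAT_RAW, filters=[filt])
    return (b"ZWS" + header + struct.pack("<I", len(payload))
            + bytes([(pb * 5 + lp) * 9 + lc]) + struct.pack("<I", dict_size) + payload)

# Constructed stand-in for an SWF body (not a real Flash movie).
SAMPLE_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + b"\x00" * 64 + b"\x40\x00"
```

Run `unpack_swf` over files that Bro's extraction script wrote out to confirm the ZWS container decompresses cleanly before handing the body to further analysis.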