Hello all:
I needed to extract from PCAP a malicious SWF that was compressed using LZMA, and thusly gave the SWF a ‘ZWS’ header instead of the normal ‘CWS’ you typically observe in a compressed SWF.
While the general.sig file has signatures for CWS and FWS magic for SWF files, I did not see the presence of ZWS. I went ahead and created the following entry in libmagic.sig.
signature file-magic-swf-zws {
    file-mime "application/x-shockwave-flash/lzma", 60
    file-magic /(ZWS)/
}
Then I ran bro alongside my extraction script on the PCAP and out the LZMA compressed SWF came. Just wanted to pass this along. It might be worth adding it to the sig files for a future release possibly?
Thanks,
Jason
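As an added example (not part of Jason's post and not Bro project code), the Python script below does on the extracted file what the signature does on the wire: it recognises the FWS/CWS/ZWS header, and for ZWS it parses the 5-byte LZMA properties block and inflates the body so the tags can be examined. The header layout (uncompressed length at bytes 4-7, compressed length at 8-11, LZMA properties at 12-16, stream from byte 17) follows Adobe's SWF file format specification; the `build_cws`/`build_zws` helpers and `sample_swf_body` are constructed here only to produce test input, and the 64 MiB cap on the declared uncompressed size is an assumed safety limit against decompression bombs in hostile samples.

```python
import lzma
import struct
import zlib

# SWF signature -> body compression (Adobe SWF file format spec, "The Header").
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

# Assumed safety limit: refuse headers that promise an absurd uncompressed size,
# since the length field is attacker-controlled in a malicious sample.
MAX_BODY_LEN = 64 * 1024 * 1024


def parse_swf_header(data: bytes) -> dict:
    """Decode the 8-byte header shared by FWS, CWS and ZWS files."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF header")
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        raise ValueError("unknown SWF signature: %r" % sig)
    return {
        "signature": sig.decode("ascii"),
        "compression": SWF_SIGNATURES[sig],
        "version": data[3],
        # Length of the *uncompressed* file, header included (UI32, little-endian).
        "uncompressed_length": struct.unpack("<I", data[4:8])[0],
    }


def lzma_filter_from_props(props: bytes) -> dict:
    """Turn the 5-byte LZMA properties block into a filter spec for lzma.FORMAT_RAW.

    Byte 0 packs lc/lp/pb as lc + lp*9 + pb*45; bytes 1-4 are the dictionary size (LE).
    """
    p = props[0]
    return {
        "id": lzma.FILTER_LZMA1,
        "lc": p % 9,
        "lp": (p // 9) % 5,
        "pb": p // 45,
        "dict_size": struct.unpack("<I", props[1:5])[0],
    }


def decompress_swf(data: bytes) -> bytes:
    """Return the SWF with its body inflated and the signature rewritten to FWS."""
    hdr = parse_swf_header(data)
    body_len = hdr["uncompressed_length"] - 8
    if body_len < 0 or body_len > MAX_BODY_LEN:
        raise ValueError("implausible uncompressed length %d" % hdr["uncompressed_length"])
    if hdr["compression"] == "none":
        body = data[8:8 + body_len]
    elif hdr["compression"] == "zlib":
        body = zlib.decompressobj().decompress(data[8:], body_len)
    else:
        # ZWS layout: bytes 8-11 compressed length, bytes 12-16 LZMA properties,
        # byte 17 onward the raw LZMA1 stream. The compressed length is only
        # sanity-checked; decoding is bounded by the uncompressed length instead.
        compressed_len = struct.unpack("<I", data[8:12])[0]
        if compressed_len > len(data) - 12:
            raise ValueError("ZWS compressed length exceeds file size")
        dec = lzma.LZMADecompressor(
            format=lzma.FORMAT_RAW, filters=[lzma_filter_from_props(data[12:17])]
        )
        # Raw LZMA1 streams may or may not carry an end marker, so stop at the
        # declared length rather than waiting for an end-of-stream marker.
        body = dec.decompress(data[17:], max_length=body_len)
    if len(body) != body_len:
        raise ValueError("decoded %d bytes, header promised %d" % (len(body), body_len))
    return b"FWS" + bytes([hdr["version"]]) + struct.pack("<I", hdr["uncompressed_length"]) + body


def build_cws(body: bytes, version: int = 8) -> bytes:
    """Constructed sample: wrap an uncompressed body in the zlib (CWS) container."""
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)


def build_zws(body: bytes, version: int = 13) -> bytes:
    """Constructed sample: wrap an uncompressed body in the LZMA (ZWS) container."""
    # lzma's FORMAT_ALONE output = 5 property bytes + 8-byte size field + LZMA1 stream;
    # the SWF container keeps the properties and the stream but drops the size field.
    alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
    props, stream = alone[:5], alone[13:]
    return (b"ZWS" + bytes([version])
            + struct.pack("<I", len(body) + 8)
            + struct.pack("<I", len(stream))
            + props + stream)


def sample_swf_body() -> bytes:
    """Constructed body: 550x400 frame RECT, 24 fps, 1 frame, filler bytes, End tag."""
    rect = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"
    frame_rate, frame_count = b"\x00\x18", b"\x01\x00"
    filler = b"A" * 2000  # repetitive bytes so both compressed forms are visibly smaller
    end_tag = b"\x00\x00"
    return rect + frame_rate + frame_count + filler + end_tag


if __name__ == "__main__":
    body = sample_swf_body()
    plain = b"FWS\x08" + struct.pack("<I", len(body) + 8) + body
    for blob in (plain, build_cws(body), build_zws(body)):
        hdr = parse_swf_header(blob)
        print(hdr["signature"], hdr["compression"], len(blob), "bytes on disk")
        assert decompress_swf(blob)[8:] == body
```

Run it on a file carved from the PCAP by passing the file's bytes to `decompress_swf`; the rewritten FWS output can then be fed to any SWF tag parser that only understands uncompressed input. Decoding with `FORMAT_RAW` and an explicit `max_length` is deliberate: Python's one-shot `lzma.decompress` insists on an end-of-stream marker, which not every ZWS writer emits, and trusting only the header's own length fields would let a crafted file dictate how much memory the extractor allocates.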