A technical paper by Fraser Howard, SophosLabs, UK
Despite this, the rate at which we have seen the Flash content modified has been significantly (orders of magnitude) lower than for the HTML, JS and PDF content. Even where modification has been observed, it has normally been fairly minor and insufficient to evade existing generic detection. There are several possible explanations:
- Attackers are not concerned about the Flash components being reliably detected (unlikely)
- Attackers do not bother to check detections of the Flash components (unlikely, given that Blackhole incorporates AV-checking functionality)
- Building Flash content dynamically on the web server is considerably more complicated than for the other components
The latter two points probably provide the best explanation for our observations.
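The generic detection referred to above survives minor repackaging because it looks past the outer container. As an added example (not code from the paper or from SophosLabs), the following Python normalises a SWF by parsing its 8-byte header, inflating the zlib body of a CWS file and hashing the decompressed tag stream, so that the same content delivered as FWS or CWS, or recompressed at a different level, produces one hash while the raw file hashes differ. It also walks the tag stream, the natural starting point for a structural signature over a Flash component. The sample SWF is constructed here (a minimal one-frame movie); the LZMA (ZWS) container is deliberately rejected rather than half-handled.

```python
"""Added example (not from the paper): container-independent hashing and
tag walking for SWF files, as a basis for generic Flash detection."""
import hashlib
import struct
import zlib


def parse_swf(data: bytes):
    """Return (signature, version, body), where body is the decompressed
    payload following the 8-byte header. Raises ValueError on bad input."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]   # uncompressed size, header included
    if sig == b"FWS":                                   # uncompressed
        body = data[8:]
    elif sig == b"CWS":                                 # zlib-compressed (Flash 6+)
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":                                 # LZMA-compressed (Flash 13+)
        raise ValueError("ZWS (LZMA) SWF not supported in this example")
    else:
        raise ValueError("not a SWF: bad signature %r" % sig)
    if len(body) + 8 != declared_len:
        raise ValueError("declared length %d != actual %d" % (declared_len, len(body) + 8))
    if len(body) < 5:                                   # RECT + frame rate + frame count
        raise ValueError("body too short for a SWF header")
    return sig, version, body


def swf_tags(body: bytes):
    """Walk the tag stream of a decompressed body, yielding (tag_code, length)."""
    nbits = body[0] >> 3                                # RECT: 5-bit field width
    rect_bytes = (5 + 4 * nbits + 7) // 8
    pos = rect_bytes + 4                                # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                              # long form: explicit UI32 length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, length
        pos += length
        if code == 0:                                   # End tag terminates the stream
            break


def normalized_hash(data: bytes) -> str:
    """SHA-256 over the decompressed payload, independent of FWS/CWS packaging."""
    _, _, body = parse_swf(data)
    return hashlib.sha256(body).hexdigest()


def raw_hash(data: bytes) -> str:
    """SHA-256 over the file as delivered (changes with any repackaging)."""
    return hashlib.sha256(data).hexdigest()


def to_cws(data: bytes, level: int = 9) -> bytes:
    """Repackage a supported SWF as zlib-compressed CWS at the given level."""
    _, version, body = parse_swf(data)
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body, level)


def to_fws(data: bytes) -> bytes:
    """Repackage a supported SWF as uncompressed FWS."""
    _, version, body = parse_swf(data)
    return b"FWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + body


# Constructed sample (not a real Blackhole component): zero-size stage,
# 12 fps, one frame, containing only a ShowFrame tag and the End tag.
MINIMAL_BODY = bytes([
    0x00,              # RECT with nbits = 0
    0x00, 0x0C,        # frame rate 12.0 (8.8 fixed point, little-endian)
    0x01, 0x00,        # frame count 1
    0x40, 0x00,        # ShowFrame: (code 1 << 6) | length 0
    0x00, 0x00,        # End tag
])
SAMPLE_FWS = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(MINIMAL_BODY)) + MINIMAL_BODY

if __name__ == "__main__":
    variants = {"FWS": SAMPLE_FWS, "CWS-1": to_cws(SAMPLE_FWS, 1), "CWS-9": to_cws(SAMPLE_FWS, 9)}
    for name, blob in variants.items():
        tags = list(swf_tags(parse_swf(blob)[2]))
        print(name, "raw", raw_hash(blob)[:16], "normalised", normalized_hash(blob)[:16], tags)
```

Hashing the inflated body rather than the file means a kit that merely toggles compression or recompresses per request gains nothing against the signature; a real structural signature would hash a selected subset of tags (for example DefineBinaryData or DoABC) rather than the whole body, which `swf_tags` makes straightforward.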