Shane Hartman – CISSP, GCIA, GREM
Suncoast Security Society
Agenda:
- Analyzing Malware
- Why Flash Malware
- Structure of an SWF File
- History of Flash Scripting
- Exploit Example 1: Social Engineering
- Exploit Example 2: Clipboard Hijack
- Exploit Example 3: Multi-Step Redirection
- Exploit Example 4: Shell Code Exploit
- Flash Player is almost everywhere
- Platform independent – Unix / Windows
- It supports an extensive coding

To run on a victim's browser:
- Place a banner ad
- Inject links to SWF files via SQL injection or XSS
- Ask the user to click on a link to an SWF file
- Malicious JavaScript is much easier to detect
- Companies like Websense, Bluecoat and Checkpoint FW can analyze the code before it's executed
- With the introduction of ActionScript 3, a highly robust environment *

* Because it is embedded and executed client side, it is much more difficult to analyze, much like Java applets.
- Target Flash Player vulnerabilities
- Control some aspect of the victim's environment, i.e. the victim's clipboard
- Redirect the victim to malicious sites
Header:
- Version, length, frame info, etc.
- Additional details in the FileAttributes tag

FileAttributes:
- Optional in earlier versions
- Used to tell the Flash Player to use the newer VM for AS 3

Tags:
- Definition and control tags, recognized by tag type number, e.g.
  - 1: ShowFrame (displays current frame)
  - 12: DoAction (defines ActionScript 1 or 2)
  - 82: DoABC (defines ActionScript 3)
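An added example in Python, not code from the talk: a small parser that walks the structure just described, reading the header, inflating a CWS (zlib-compressed) file, iterating the tag list by tag type number, and checking the ActionScript3 flag in the FileAttributes tag. The one-frame movie it parses is constructed inline; its DoABC body is a placeholder, not real AVM2 bytecode.

```python
import struct
import zlib

# Tag type numbers from the SWF spec (the ones the talk names, plus End and FileAttributes)
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction", 69: "FileAttributes", 82: "DoABC"}
SCRIPT_TAGS = {12, 82}  # DoAction carries AS1/2 bytecode, DoABC carries AS3 (AVM2) bytecode

def parse_swf(data: bytes) -> dict:
    """Parse the header and tag list of an SWF, transparently inflating CWS files."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("not an FWS/CWS file (ZWS/LZMA not handled here)")
    # RECT: 5-bit Nbits field, then four Nbits-wide fields, padded to a byte boundary
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0  # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags, as3 = [], False
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, tag_len = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if tag_len == 0x3F:  # long form: an explicit 32-bit length follows
            tag_len = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + tag_len]
        pos += tag_len
        if code == 69 and payload:
            as3 = bool(payload[0] & 0x08)  # ActionScript3 flag bit of FileAttributes
        tags.append((code, TAG_NAMES.get(code, f"unknown tag {code}"), tag_len))
        if code == 0:
            break
    return {"version": version, "compressed": sig == b"CWS", "declared_length": length,
            "frame_rate": frame_rate, "frame_count": frame_count, "uses_as3": as3, "tags": tags}

def script_tags(info: dict) -> list:
    """Names of the tags that carry bytecode: where decompiler work starts."""
    return [name for code, name, _ in info["tags"] if code in SCRIPT_TAGS]

def tag_header(code: int, payload: bytes) -> bytes:
    return struct.pack("<H", (code << 6) | len(payload)) + payload

def build_sample_swf(compress: bool = True) -> bytes:
    """Constructed one-frame Flash 9 movie with the AS3 flag set and a dummy DoABC body."""
    rect = bytes([15 << 3]) + bytes(8)                # Nbits=15, all coordinates zero
    body = rect + struct.pack("<HH", 12 << 8, 1)       # 12 fps, 1 frame
    body += tag_header(69, bytes([0x08, 0, 0, 0]))     # FileAttributes, ActionScript3 set
    body += tag_header(82, b"\x01\x00\x00\x00\x00")    # DoABC placeholder (not real ABC)
    body += tag_header(1, b"") + tag_header(0, b"")    # ShowFrame, End
    total = 8 + len(body)                              # length field = uncompressed size
    header = (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", total)
    return header + (zlib.compress(body) if compress else body)
```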
- Version 1: Basic geometry and animations only
- Version 2: Several animation control tags
- Version 3: Support for keyboard and mouse events
- Version 4: Full scripting implementation via actions
- Version 5-6: Support for ActionScript 1
- Version 7-8: Support for ActionScript 2
- Version 9+: Support for ActionScript 3 – different VM
Before analyzing Flash, let's look at malware analysis.

Behavior analysis:
- Observe what happens when executed
- Capture and analyze traffic on the network
- Attempt to simulate and interact with the program

Code analysis:
- Capture the program / code
- Decompile / analyze
- Break down each component and follow the road map
To: [email protected]
Subject: What Up

Check this out..
http://img361.imageshack.us/img361/7064/zoxdgeysjn6.swf
Tools: swfextract, Flare, Dump Flash
Right-click on the swf file and select "Decompile" to produce a .flr text file:

```
movie 'c:\Temp\zoxdgeysjn6.swf' {
// flash 6, total frames: 136, frame rate: 12 fps, 1x1, compressed
// unknown tag 88 length 78
  frame 15 {
    getURL('http://moyapodruzhka.com/?wmid=44&sid44', ' ');
  }
}
```
- Clipboard persistently contains an unfamiliar URL
- Adding new content to the clipboard seems to have no effect
Tools: swfdump, abcdump, Nemo 440
```
c:\temp\swfdump -Ddu clipboard-poc.swf > clipboard-poc.swfdump.txt
```
```
c:\temp\abcdump clipboard-poc.swf
notepad clipboard-poc.swf.il
```
- Visitors to taringa.net saw the following banner ad.
- Some were redirected to a site that told them of a spyware problem
- So, what was going on? – Much more complicated
- Nothing suspicious when loading the SWF file in the browser
- Clicking on the ad shows nothing suspicious
- Could it be sensitive to something: time, URL, parameters, etc.?
- Decompiled 17113.swf with Flare
- Code doesn't reveal much – looks to be concealed
ActionScript View
P-Code View
- There are encryptors meant to protect your code
- The suggestion is they will protect your intellectual work
- Malware authors are using these tools to make it more difficult to dissect and understand what the malicious code is trying to do
Open 17113.swf > Debug > List variables
```
<param name="movie" value="swf/gnida.swf?campaign=weidoneous&u=1200066806" />
```
- A vulnerability in Flash Player 9 led to many exploits (CVE-2007-0071)
- A problem with code that processed the scene number
- Allowed the execution of arbitrary code via shellcode
- You can extract hex values from swfdump output
- An alternative is to uncompress the SWF file with flashm, then extract with a hex editor
www.mywot.com – WOT Security Scorecard
- Place code inside an unknown tag and jump there
- Place code after the "end" tag and jump there
- Jump into the middle of a code block
- Use an abstraction framework
- Use a commercial protector
- Capture as many details from the victim or live site as possible
- Note HTTP headers, cookies, etc.
- Disassemble and analyze SWF files, retrieving new files as necessary
- Unprotect if you can; you may be limited to behavioral analysis
Support ActionScript 1 & 2 only:
- Flashm, Flare, Dump Flash Decompiler
- JSwiff, SWF toolkit (swf_dump)

Support ActionScript 3 only:
- abcdump, Flex SDK swfdump, Nemo 440

Support ActionScript 1, 2 & 3:
- SWFTools swfdump
- Commercial: Sothink SWF Decompiler, Trillix
- ActionScript 3 AVM2 Overview: http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
- SWF File Format Specification: http://www.adobe.com/devnet/swf
- OWASP Paper on Malicious SWFs: http://www.owasp.org/images/1/10/OWASP-AppSecEU08-Fukami.pdf
- OWASP Flash Security Project: http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
- Clickjacking: http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/ and http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117268&source=rss_topic17