
Analyzing and Detecting Malicious Flash Advertisements

Sean Ford, Marco Cova, Christopher Kruegel, Giovanni Vigna

University of California, Santa Barbara

ACSAC 2009

Outline

○ About Flash
○ An Attack Sample
○ Evasion
○ Design and Implementation
○ System Evaluation
○ Related Work
○ Conclusion

About Flash

Created by Macromedia in 1996

Numerous vulnerabilities have been discovered in the Adobe Flash Player, e.g. CVE-2006-3311, CVE-2007-0071, …

Forcibly redirect victims to sites that host phishing and drive-by download attacks

Malvertisement

Flash File

ActionScript
○ DoInitAction, DoAction
○ Extends from ECMAScript
○ ActionScript bytecode

An Attack Sample

Activation Date

Time Zone Check

An Attack Sample (cont.)

Domain Name Check

An Attack Sample (cont.)

Flash Shared Object

=25 hours

An Attack Sample (cont.)

Force redirect

MovieClip.getURL

Evasion

Obfuscation

Unicode->char

Evasion (cont.)

Evasion (cont.)

Another obfuscation: ActionScript 3.0 method Loader.loadBytes

Evasion (cont.)

Malformed Flash Files
Use the lack of validation in certain resources contained within the Flash file
○ Jump action: the instruction pointer is simply a byte offset from the start of the Flash file. Defeats flasm and flare.
○ Invalid tags: will be silently ignored

Design and Implementation

Static Analysis
For tags designed to contain image data
○ Use the javax.imageio.ImageIO library to validate
For out-of-bound jump actions
○ Parse all ActionScript actions for jump actions
For CVE-2007-0071 (integer overflow)
○ Examine the DefineSceneAndFrameLabelData SceneCount
○ x86 shellcode detection: sctest tool from libemu; disassembled by ndisasm
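An added Python example (not code from the paper or from OdoSwiff) of the out-of-bound jump check described above: it walks the tags of an uncompressed SWF file, decodes the branch offsets of ActionJump/ActionIf records in DoAction and DoInitAction blocks, and flags every target that leaves the action block. The file layout follows the SWF format; the sample action blocks and the minimal wrapper file are constructed here for illustration.

```python
import struct

DO_ACTION, DO_INIT_ACTION = 12, 59   # SWF tag codes that carry ActionScript 2 bytecode
ACTION_JUMP, ACTION_IF = 0x99, 0x9D  # branch actions carrying a signed 16-bit offset

def iter_tags(swf):
    """Yield (code, body) for each tag of an uncompressed 'FWS' file."""
    assert swf[:3] == b"FWS", "only uncompressed SWF (FWS) is handled here"
    nbits = swf[8] >> 3                          # RECT frame size: 5-bit width + 4 fields
    off = 8 + (5 + 4 * nbits + 7) // 8 + 4       # ... then frame rate (2) + frame count (2)
    while off + 2 <= len(swf):
        (hdr,) = struct.unpack_from("<H", swf, off)
        code, length, off = hdr >> 6, hdr & 0x3F, off + 2
        if length == 0x3F:                       # long form: explicit 32-bit length follows
            (length,) = struct.unpack_from("<I", swf, off)
            off += 4
        yield code, swf[off:off + length]
        off += length

def oob_jumps(actions):
    """Return [(action_offset, target)] for branches whose target leaves the action block."""
    hits, pos = [], 0
    while pos < len(actions) and actions[pos] != 0:          # 0x00 = ActionEnd
        code = actions[pos]
        hdr = 3 if code >= 0x80 else 1                        # codes >= 0x80 carry a u16 length
        nxt = pos + hdr + (struct.unpack_from("<H", actions, pos + 1)[0] if hdr == 3 else 0)
        if code in (ACTION_JUMP, ACTION_IF):
            target = nxt + struct.unpack_from("<h", actions, pos + 3)[0]  # relative to next action
            if not 0 <= target < len(actions):                # would leave the block: flag it
                hits.append((pos, target))
        pos = nxt
    return hits

def scan_swf(swf):
    """Out-of-bound jumps per ActionScript-bearing tag, keyed by tag index."""
    return {i: oob_jumps(body[2:] if code == DO_INIT_ACTION else body)   # DoInitAction: skip SpriteID
            for i, (code, body) in enumerate(iter_tags(swf))
            if code in (DO_ACTION, DO_INIT_ACTION)}

def build_swf(actions):
    """Constructed minimal FWS file wrapping one DoAction tag (test input, not a real sample)."""
    tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions)) + actions
    payload = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + b"\x00\x00"   # RECT, rate, count, End
    return b"FWS\x08" + struct.pack("<I", 8 + len(payload)) + payload

# Constructed action blocks: a jump landing on the following ActionEnd, and one aimed far past the block.
BENIGN = bytes([ACTION_JUMP]) + struct.pack("<Hh", 2, 0) + b"\x00"
MALFORMED = bytes([ACTION_JUMP]) + struct.pack("<Hh", 2, 0x4000) + b"\x00"
```

A truncated branch record raises struct.error, which a scanner should treat as a malformed file rather than a clean one.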

Design and Implementation

Loader.loadBytes
○ Using the abcdump utility from the Mozilla Tamarin project to disassemble
Hex-encoded strings
○ Searching for hex-encoded strings longer than 512 characters
push instructions in ActionScript 3.0
○ The push instructions have a threshold of 60%

Design and Implementation

Dynamic Analysis
Creating an execution trace
Use an open source project, Gnash
○ Supports up to ActionScript 2.0 (Flash version 8)
The collected data
Action and Method Summaries
○ Ex: string manipulation made up 95% of total methods

Design and Implementation

The collected data (cont.)
Network Activity
○ Reveals the destination URL
Referenced URLs
○ Collecting unused URLs can provide hints about the actions that the Flash file may potentially perform.
Environment-Aware Functionality
○ Indicates that the Flash file's behavior could be modified depending on its environment.

Design and Implementation

In dynamic analysis
Malicious code that may otherwise take a matter of seconds to execute may take minutes when using Gnash.

It is not unusual for these execution traces to reach sizes of several gigabytes.

Design and Implementation

Classification (malicious or benign)
○ Automatic redirect: malicious
○ CVE-2007-0071 exploit
○ Shellcode
○ URLs that have known associations with malware
○ ActionScript 3.0 malicious signature

OdoSwiff has been made publicly available as part of Wepawet

3,060 Flash applications have been submitted; over 600 of them are malicious

System Evaluation

System Evaluation (cont.)

Alexa Top 500 Global Sites
A crawler views each of these sites periodically
Separated from non-advertisement Flash
○ Advertisements follow some naming conventions, e.g. 300x250_Product.swf or Company_Product_160x600.swf
2,492 Flash files from 190 sites

System Evaluation (cont.)

System Evaluation (cont.)

VirusTotal
Using 40 different virus scanners
A file counts as malicious if any scanner has detected it

System Evaluation (cont.)

Adopstool
Benign or malicious

System Evaluation (cont.)

[Bar chart (log scale, 1 to 100): Flash files from the Alexa set classified as Malicious and as False Positive by OdoSwiff, VirusTotal and adopstool; the data labels in the chart read 4, 3, 1, 71, 1]

System Evaluation (cont.)

Other types of Flash exploits
○ CVE-2007-0071
○ Utilizing ActionScript 3.0 for exploits
305 malicious Flash files were collected from Wepawet

System Evaluation (cont.)

[Bar chart (0 to 200): detections on the 305 malicious Flash files, grouped into ActionScript 3.0 and CVE-2007-0071 samples, for the real count, OdoSwiff, VirusTotal and adopstools; the data labels in the chart read 179, 174, 151, 0 and 126, 126, 126, 21]

Related Work

Virus Scanner
○ For malicious Flash files successfully detected by VirusTotal, only an average of 9.8 scanners actually detected them
HP released its SWFScan in March 2009
○ Focuses on vulnerabilities that may result from coding errors

Related Work (cont.)

OWASP SWFIntruder was released in 2007
○ It looks for flaws in Flash that could be utilized to deliver cross-site scripting attacks.
Adopstool
○ Does not support ActionScript 3.0

Conclusion

Provides a new system, OdoSwiff
○ Detection rates were favorable compared to existing systems
Can't dynamically trace ActionScript 3.0
Signatures need updating

Questions?