TRANSCRIPT
Analyzing and Detecting Malicious Flash Advertisements
Sean Ford, Marco Cova, Christopher Kruegel, Giovanni Vigna
University of California, Santa Barbara
ACSAC 2009
Outline
About Flash
An Attack Sample
Evasion
Design and Implementation
System Evaluation
Related Work
Conclusion
About Flash
Numerous vulnerabilities have been discovered in the Adobe Flash Player.
○ CVE-2006-3311
○ CVE-2007-0071
○ …
An Attack Sample
Forcibly direct victims to sites that host phishing and drive-by download attacks
Malvertisement
Evasion (cont.)
Malformed Flash Files
Use the lack of validation of certain resources contained within the Flash file
○ Jump action
The instruction pointer is simply a byte offset from the start of the Flash file.
An out-of-bounds jump defeats flasm and flare.
○ Invalid tags
Invalid tags will be silently ignored by the player.
Design and Implementation
Static Analysis
For tags designed to contain image data
○ Use the javax.imageio.ImageIO library to validate the image data
For out-of-bounds jump actions
○ Parse all ActionScript actions for jump actions
For CVE-2007-0071 (integer overflow)
○ Examine the SceneCount of DefineSceneAndFrameLabelData
x86 shellcode detection
○ sctest tool from libemu
○ Disassembled by ndisasm
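As an added illustration of the CVE-2007-0071 check (this is not code from the paper or from OdoSwiff), a minimal SWF tag walker that locates DefineSceneAndFrameLabelData and reads its SceneCount. The tag code 86 and the EncodedU32 layout follow the SWF specification; flagging a SceneCount larger than the header's frame count is an assumed threshold, not the paper's, and build_swf constructs the test fixtures.

```python
import struct
import zlib
DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86   # tag code from the SWF specification

def encoded_u32(data, pos=0):
    """Decode the SWF EncodedU32: 7 data bits per byte, 0x80 = continue."""
    value = shift = 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80 or shift >= 28:
            return value, pos
        shift += 7

def parse_swf(swf):
    """Return (header frame count, [(tag code, tag body), ...]); inflates CWS."""
    body = zlib.decompress(swf[8:]) if swf[:3] == b'CWS' else swf[8:]
    nbits = body[0] >> 3                    # RECT: 5-bit Nbits, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8          # RECT is padded to a byte boundary
    frame_count = struct.unpack_from('<H', body, pos + 2)[0]  # skips u16 frame rate
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from('<H', body, pos)[0]
        pos += 2
        code, tag_len = code_len >> 6, code_len & 0x3F
        if tag_len == 0x3F:                 # long form: u32 length follows
            tag_len = struct.unpack_from('<I', body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + tag_len]))
        pos += tag_len
    return frame_count, tags

def suspicious_scene_count(swf):
    """Flag a SceneCount above the header frame count (assumed threshold)."""
    frame_count, tags = parse_swf(swf)
    for code, tag in tags:
        if code == DEFINE_SCENE_AND_FRAME_LABEL_DATA and tag:
            if encoded_u32(tag)[0] > frame_count:
                return True
    return False

def build_swf(scene_count_bytes, frame_count=1):
    """Constructed fixture: uncompressed SWF with one scene tag plus End tag."""
    tag = scene_count_bytes + b'\x00s\x00\x00'   # offset 0, name "s", 0 frame labels
    hdr = struct.pack('<H', (DEFINE_SCENE_AND_FRAME_LABEL_DATA << 6) | len(tag))
    body = b'\x00' + struct.pack('<HH', 12 << 8, frame_count) + hdr + tag + b'\x00\x00'
    return b'FWS\x09' + struct.pack('<I', 8 + len(body)) + body
```

A SceneCount of 0x7FFFFFFF (five EncodedU32 bytes) in a one-frame file is flagged; a SceneCount of 1 is not.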
Design and Implementation
Loader.loadBytes
○ Using the abcdump utility from the Mozilla Tamarin project to disassemble
Hex-encoded strings
○ Searching for hex-encoded strings longer than 512 characters
push instructions in ActionScript 3.0
○ The push instructions have a threshold of 60%
Design and Implementation
Dynamic Analysis
Creating an execution trace
Use an open source project, Gnash
○ Supports up to ActionScript 2.0 (Flash version 8)
The collected data
Action and Method Summaries
○ Ex: string manipulation made up 95% of the total method calls
Design and Implementation
The collected data (cont.)
Network Activity
○ Reveals the destination URL
Referenced URLs
○ Collecting unused URLs can provide hints about the actions that the Flash file may potentially perform.
Environment-Aware Functionality
○ Indicates that the Flash file's behavior could be modified depending on its environment.
Design and Implementation
In dynamic analysis
Malicious code that may otherwise take a matter of seconds to execute may take minutes when using Gnash.
It is not unusual for these execution traces to reach sizes of several gigabytes.
Design and Implementation
Classification (malicious or benign)
○ Automatic redirection is treated as malicious
○ CVE-2007-0071 exploit
○ Shellcode
○ URLs with known associations with malware
○ ActionScript 3.0 malicious signatures
OdoSwiff has been made publicly available as part of Wepawet
3,060 Flash applications have been submitted
○ Over 600 of them are malicious
System Evaluation
System Evaluation (cont.)
Alexa Top 500 Global Sites
A crawler views each of these sites periodically
Separated from non-advertisement Flash
○ An advertisement follows some naming convention, e.g. 300x250_Product.swf or Company_Product_160x600.swf
2,492 Flash files from 190 sites
System Evaluation (cont.)
VirusTotal
Using 40 different virus scanners
A file counts as detected if any scanner has flagged it as malicious
System Evaluation (cont.)
Other types of Flash exploits
CVE-2007-0071
Utilizing ActionScript 3.0 for exploits
305 malicious Flash files were collected from Wepawet
System Evaluation (cont.)
[Bar chart: detection counts (y-axis 0 to 200) for Real, OdoSwiff, VirusTotal and adopstools on the ActionScript 3.0 and CVE-2007-0071 sample sets; plotted values 179, 174, 151, 0 and 126, 126, 126, 21.]
Related Work
Virus Scanner
Of the malicious Flash files successfully detected by VirusTotal, only an average of 9.8 scanners actually detected them
HP released its SWFScan in March 2009
○ Focuses on vulnerabilities that may result from coding errors
Related Work (cont.)
OWASP SWFIntruder was released in 2007
○ It looks for flaws in Flash that could be utilized to deliver cross-site scripting attacks.
Adopstool
○ Does not support ActionScript 3.0
Conclusion
Provides a new system, OdoSwiff
○ Detection rates were favorable compared to existing systems
Can't dynamically trace ActionScript 3.0
Needs updating of signatures