Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sean Ford, Macro Cova, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara ACSAC 2009.

Similar presentations

Presentation on theme: "Sean Ford, Macro Cova, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara ACSAC 2009."— Presentation transcript:

1 Sean Ford, Macro Cova, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara ACSAC 2009

2 Outline  About Flash  An Attack Sample  Evasion  Design and Implementation  System Evaluation  Related Work  Conclusion

3 About Flash  Created by Macromedia in 1996

4  Numerous vulnerabilities have been discovered in the Adobe Flash Player. CVE-2006-3311 CVE-2007-0071 …  Forcibly direct victims to site that host phishing and drive-by download attacks Malvertisement

5 Flash File  ActionScript DoInitAction DoAction  Extend from ECMAScript

6 ActionScript bytecode

7 An Attack Sample  Activation Date  Time Zone Check

8 An Attack Sample(cont.)  Domain Name Check

9 An Attack Sample(cont.)  Flash Shared Object =25 hours

10 An Attack Sample(cont.)  Force redirect MovieClip.getURL

11 Evasion  Obfuscation Unicode->char

12 Evasion(cont.)

13  Another obfuscation ActionScript 3.0 method Loader.loadBytes

14 Evasion(cont.)  Malformed Flash Files Use the lack of validation in certain resources contained within the Flash file ○ Jump action The instruction pointer is simply a byte offset from the start of the Flash file. Defeat flasm and flare ○ Invalid tags Will be silently ignored

15 Design and Implementation  Static Analysis For tags designed to contain image data ○ Use javax.imageio.ImageIO library to validate For Out-of-bound jump action ○ Parse all ActionScript action for jump action For CVE-2007-0071( Integer Overflow ) ○ Examine DefineSceneAndFrameLabelData  SceneCount ○ X86 shellcode detection sctest tool from the libemu Disassembled by ndisasm

16 Design and Implementation Loader.loadBytes ○ Using abcdump utility from the Mozilla Tamarin project to disasemble Hex-encoded string ○ Searching for Hex-encoded strings longer than 512 character push instruction inActionScript 3.0 ○ The push instructions have a threshold of 60%

17 Design and Implementation  Dynamic Analysis Creating an execution trace Use a open source project Gnash ○ Support up to ActionScript 2.0(Flash version 8)  The collected data Action and Method Summaries ○ Ex: string manipulation made up 95% of total method

18 Design and Implementation  The collected data(cont.) Network Activity ○ Reveal the destination URL Referenced URLs ○ Collecting unused URLs can provide hints about the actions that the Flash file may potentially perform. Environment-Aware Functionality ○ Indicate that the flash’s behavior could be modified depending on its environment.

19 Design and Implementation  In dynamic analysis Malicious code that may otherwise take a matter of seconds to execute may take minutes when using Gnash. It is not unusual for these execution traces to reach sizes of several gigabytes.

20 Design and Implementation  Classification( malicious or benign ) Automatically redirect  malicious CVE-2007-0071 exploit Shellcode URLs have known associations with malware ActionScript 3.0 malicious signature

21  OdoSwiff has made publicly available as part of Wepawet  3,060 Flash applications have been submitted Over 600 of them are malicious System Evaluation

22 System Evaluation(cont.)  Alexa Top 500 Global Sites A crawler views each of these site periodically Separated from non-advertisement Flash ○ A advertisement have some naming convention E.g. 300x250_Product.swf or Company_Product_160x600.swf 2,492 Flash files from 190 sites

23 System Evaluation(cont.)

24  VirusTotal Using 40 different virus scanners If any scanner has detected  malicious

25 System Evaluation(cont.)  Adopstool Benign or malicious

26 System Evaluation(cont.)

27  Other types of flash exploits CVE-2007-0071 Utilize to ActionScript 3.0 for exploits 305 malicious Flash were collected from Wepawet

28 System Evaluation(cont.)

29 Related Work  Virus Scanner Malicious flashes that successfully detected by VirusTotal, only an average of 9.8 actually detected  HP released its SWFScan in March 2009 Focus on vulnerabilities that may result from coding error

30 Related Work(cont.)  OWASP SWFIntruder was released in 2007 It looks for flaws in Flash that could be utilized to deliver cross-site scripting attacks.  Adopstool Not support ActionScript 3.0

31 Conclusion  Provide a new system, OdoSwiff Detection rates were favorable compared to existing systems  Can’t dynamically trace ActionScript 3.0  Need to updating of signature


Download ppt "Sean Ford, Macro Cova, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara ACSAC 2009."

Similar presentations

Ads by Google