Malvertisement
- Numerous vulnerabilities have been discovered in the Adobe Flash Player.
  ○ CVE-2006-3311, CVE-2007-0071, …
- Forcibly direct victims to sites that host phishing and drive-by download attacks.
- Another obfuscation: the ActionScript 3.0 method Loader.loadBytes
Evasion (cont.)
- Malformed Flash files: use the lack of validation in certain resources contained within the Flash file.
  ○ Jump action: the instruction pointer is simply a byte offset from the start of the Flash file. Defeats flasm and flare.
  ○ Invalid tags: will be silently ignored.
Design and Implementation: Static Analysis
- For tags designed to contain image data
  ○ Use the javax.imageio.ImageIO library to validate.
- For out-of-bound jump actions
  ○ Parse all ActionScript actions for jump actions.
- For CVE-2007-0071 (integer overflow)
  ○ Examine the SceneCount of DefineSceneAndFrameLabelData.
- x86 shellcode detection
  ○ sctest tool from libemu; disassembled by ndisasm.
Design and Implementation: Loader.loadBytes
- Use the abcdump utility from the Mozilla Tamarin project to disassemble.
- Hex-encoded strings
  ○ Search for hex-encoded strings longer than 512 characters in ActionScript 3.0 push instructions.
  ○ The push instructions have a threshold of 60%.
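Two of the static checks from this slide and the previous one, written out as an added Python example (this is not OdoSwiff's code and not from the paper): the CVE-2007-0071 check on SceneCount in DefineSceneAndFrameLabelData (tag 86), and the search for long hex-encoded strings, here taken from the constant pool of a DoABC tag (tag 82) rather than from an abcdump listing. Assumptions of this example: only uncompressed ("FWS") files are parsed, the "at least two bytes per scene" bound used to call a SceneCount implausible is this example's heuristic, the 60% push-instruction threshold is not implemented, and the two sample files at the bottom are constructed in place (they are not real malware).

```python
import re
import struct

TAG_END, TAG_DOABC, TAG_SCENE_DATA = 0, 82, 86
HEX_STRING_RE = re.compile(r"^[0-9A-Fa-f]{513,}$")   # slide threshold: longer than 512


def read_u30(buf, off):
    """Variable-length int (SWF EncodedU32 / ABC u30): 7 bits per byte, high bit = more."""
    value = 0
    for i in range(5):
        b = buf[off + i]
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, off + i + 1
    raise ValueError("variable-length integer longer than 5 bytes")


def encode_u30(value):
    """Inverse of read_u30; used only to build the constructed sample files."""
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def iter_tags(swf):
    """Yield (tag_code, body) for each tag of an uncompressed ("FWS") SWF."""
    if swf[:3] != b"FWS":
        raise ValueError("only uncompressed FWS files are handled here")
    nbits = swf[8] >> 3                        # RECT: 5-bit Nbits, then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4     # ... then FrameRate + FrameCount
    while pos + 2 <= len(swf):
        code_and_len = struct.unpack_from("<H", swf, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                     # long RECORDHEADER: UI32 length
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        yield code, swf[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def implausible_scene_count(body):
    """CVE-2007-0071 heuristic: each scene needs at least two bytes (offset plus a
    NUL-terminated name), so a larger SceneCount cannot describe real scenes."""
    scene_count, off = read_u30(body, 0)
    return scene_count > (len(body) - off) // 2


def abc_string_pool(abc):
    """String constant pool of an ABC block (a pool count of n means n-1 entries)."""
    off = 4                                    # minor_version, major_version
    for _ in range(2):                         # int pool, uint pool: u30 entries
        count, off = read_u30(abc, off)
        for _ in range(max(count - 1, 0)):
            _, off = read_u30(abc, off)
    count, off = read_u30(abc, off)            # double pool: 8-byte entries
    off += 8 * max(count - 1, 0)
    count, off = read_u30(abc, off)
    strings = []
    for _ in range(max(count - 1, 0)):
        size, off = read_u30(abc, off)
        strings.append(abc[off:off + size].decode("utf-8", "replace"))
        off += size
    return strings


def analyze_swf(swf):
    """Run both static checks and return the list of findings."""
    findings = []
    for code, body in iter_tags(swf):
        if code == TAG_SCENE_DATA and implausible_scene_count(body):
            findings.append("CVE-2007-0071: implausible SceneCount")
        elif code == TAG_DOABC:
            name_end = body.index(b"\x00", 4)   # UI32 Flags, then STRING Name
            for s in abc_string_pool(body[name_end + 1:]):
                if HEX_STRING_RE.match(s):
                    findings.append(f"AS3 hex-encoded payload ({len(s)} chars)")
    return findings


# Constructed sample files (not real malware): a 1-frame FWS container holding
# the two tags of interest, written with long-form RECORDHEADERs.
def build_swf(tags):
    body = b"".join(struct.pack("<HI", (c << 6) | 0x3F, len(b)) + b
                    for c, b in tags + [(TAG_END, b"")])
    header = b"\x00" + b"\x00\x0c" + b"\x01\x00"   # empty RECT, 12 fps, 1 frame
    return b"FWS\x09" + struct.pack("<I", 8 + len(header) + len(body)) + header + body


def make_abc(strings):
    """Minimal ABC block: empty int/uint/double pools, then the given strings."""
    pool = b"".join(encode_u30(len(s)) + s.encode() for s in strings)
    return b"\x10\x00\x2e\x00" + encode_u30(0) * 3 + encode_u30(len(strings) + 1) + pool


DOABC_PREFIX = b"\x01\x00\x00\x00frame1\x00"           # Flags=1, Name="frame1"
BENIGN_SWF = build_swf([
    (TAG_SCENE_DATA, encode_u30(1) + encode_u30(0) + b"Scene 1\x00" + encode_u30(0)),
    (TAG_DOABC, DOABC_PREFIX + make_abc(["flash.display", "Sprite"])),
])
SUSPECT_SWF = build_swf([
    (TAG_SCENE_DATA, encode_u30(0xFFFFFFFF) + b"\x00\x00\x00"),   # 4,294,967,295 scenes
    (TAG_DOABC, DOABC_PREFIX + make_abc(["loadBytes", "4d5a" * 200])),
])

if __name__ == "__main__":
    print("benign :", analyze_swf(BENIGN_SWF))    # []
    print("suspect:", analyze_swf(SUSPECT_SWF))   # both findings
```

Compressed ("CWS") files would first need the body after the 8-byte header inflated with zlib; the tag loop is otherwise the same. The SceneCount bound is deliberately loose: it only has to separate a structurally impossible value from anything a real authoring tool emits.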
Design and Implementation: Dynamic Analysis
- Creating an execution trace: use the open-source project Gnash.
  ○ Supports up to ActionScript 2.0 (Flash version 8).
- The collected data: action and method summaries.
  ○ E.g., string manipulation made up 95% of total method calls.
Design and Implementation: The collected data (cont.)
- Network activity
  ○ Reveals the destination URL.
- Referenced URLs
  ○ Collecting unused URLs can provide hints about the actions that the Flash file may potentially perform.
- Environment-aware functionality
  ○ Indicates that the Flash file's behavior could be modified depending on its environment.
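How an execution trace is reduced to the features listed on these two slides (method summary, destination URLs, unused URLs, environment-aware calls), as an added Python example that is not OdoSwiff's code. The trace line format `CALL <method> [argument]` and the grouping of methods into families are assumptions of this example; a real Gnash trace looks different. The method names are real ActionScript 2.0 APIs, and the sample trace and URL list are constructed with placeholder domains.

```python
import re
from collections import Counter

# Method families for the summary (real ActionScript 2.0 API names; the
# grouping itself is this example's assumption).
STRING_METHODS = {"String.charCodeAt", "String.fromCharCode", "String.substr",
                  "String.split", "String.indexOf", "String.concat"}
NETWORK_METHODS = {"getURL", "loadMovie", "LoadVars.load", "XML.load"}
ENV_METHODS = {"getVersion", "System.capabilities.os", "System.capabilities.version",
               "System.capabilities.language", "System.capabilities.playerType"}
URL_RE = re.compile(r"https?://\S+")


def summarize_trace(trace_text, static_urls=()):
    """Reduce 'CALL <method> [argument]' lines to the slide's feature set.
    static_urls: URL strings a static pass found in the same file, so that
    URLs never used at runtime can be reported as well."""
    families, used_urls, env_calls, total = Counter(), [], [], 0
    for line in trace_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[0] != "CALL":
            continue                          # not a call record
        name = parts[1]
        total += 1
        if name in STRING_METHODS:
            families["string"] += 1
        elif name in NETWORK_METHODS:
            families["network"] += 1
        elif name in ENV_METHODS:
            families["environment"] += 1
            env_calls.append(name)
        else:
            families["other"] += 1
        if len(parts) == 3:
            used_urls.extend(URL_RE.findall(parts[2]))
    shares = {fam: round(100 * n / total, 1) for fam, n in families.items()} if total else {}
    return {
        "calls": total,
        "method_shares": shares,                         # percent of all calls
        "destination_urls": used_urls,                   # network activity
        "unreferenced_urls": sorted(set(static_urls) - set(used_urls)),
        "environment_calls": env_calls,                  # environment-aware functionality
    }


# Constructed trace: an environment probe, a decoder loop made of string
# methods, then a redirect and a second-stage load. Domains are placeholders.
SAMPLE_TRACE = "\n".join(
    ["CALL getVersion", "CALL System.capabilities.os"]
    + ["CALL String.charCodeAt", "CALL String.fromCharCode"] * 8
    + ["CALL Math.random",
       "CALL getURL http://tracker.example/click?id=1",
       "CALL loadMovie http://cdn.example/stage2.swf"]
)
# URL strings a static pass would pull from the same file (constructed).
SAMPLE_STATIC_URLS = {"http://tracker.example/click?id=1",
                      "http://cdn.example/stage2.swf",
                      "http://backup.example/alt.swf"}

if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE, SAMPLE_STATIC_URLS).items():
        print(f"{key}: {value}")
```

On the sample trace, string methods account for 76.2% of calls, one URL (`http://backup.example/alt.swf`) is present in the file but never contacted, and two environment probes precede the redirect. Traces of several gigabytes, as the next slide mentions, are the reason the summary keeps counters and URL lists rather than the trace itself.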
Design and Implementation
- In dynamic analysis, malicious code that may otherwise take a matter of seconds to execute may take minutes when using Gnash.
- It is not unusual for these execution traces to reach sizes of several gigabytes.
Design and Implementation: Classification (malicious or benign)
- Automatic redirect
- Malicious CVE-2007-0071 exploit
- Shellcode
- URLs with known associations with malware
- ActionScript 3.0 malicious signature
System Evaluation
- OdoSwiff has been made publicly available as part of Wepawet.
- 3,060 Flash applications have been submitted.
  ○ Over 600 of them are malicious.
System Evaluation (cont.)
- Alexa Top 500 Global Sites: a crawler views each of these sites periodically.
- Separated from non-advertisement Flash
  ○ Advertisements follow a naming convention, e.g. 300x250_Product.swf or Company_Product_160x600.swf.
- 2,492 Flash files from 190 sites.
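The naming-convention split from this slide, as an added Python example (not the crawler used for the evaluation): banner dimensions such as 300x250 or 160x600 in the file name mark a file as an advertisement. The regular expression, the non-digit boundaries (so a version suffix like `v2x3` does not match) and the sample file list are this example's own; the two advertisement names come from the slide.

```python
import re

# Banner dimensions embedded in the file name, bounded by non-digits so that
# version strings such as "v2x3" are not mistaken for a size.
AD_SIZE_RE = re.compile(r"(?<!\d)(\d{2,4})x(\d{2,4})(?!\d)")


def ad_dimensions(filename):
    """Return (width, height) if the name carries a banner size, else None."""
    m = AD_SIZE_RE.search(filename)
    return (int(m.group(1)), int(m.group(2))) if m else None


def split_crawl(filenames):
    """Partition crawled SWF names into (advertisements, other_flash)."""
    ads = [f for f in filenames if ad_dimensions(f)]
    others = [f for f in filenames if not ad_dimensions(f)]
    return ads, others


# Constructed crawl result; the two advertisement names are the slide's examples.
SAMPLE_CRAWL = ["300x250_Product.swf", "Company_Product_160x600.swf",
                "player.swf", "intro_v2x3.swf", "photos/gallery.swf"]

if __name__ == "__main__":
    ads, others = split_crawl(SAMPLE_CRAWL)
    print("advertisements:", ads)
    print("other Flash   :", others)
```

The split is only as good as the convention: an ad served without a size in its name lands in the non-advertisement set, so the two sets give a lower bound on advertisements rather than an exact count.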
Related Work
- Virus scanners: of the malicious Flash files successfully detected by VirusTotal, only an average of 9.8 actually detected them.
- HP released its SWFScan in March 2009.
  ○ Focuses on vulnerabilities that may result from coding errors.
Related Work (cont.)
- OWASP SWFIntruder was released in 2007.
  ○ It looks for flaws in Flash that could be utilized to deliver cross-site scripting attacks.
- Adopstool
  ○ Does not support ActionScript 3.0.
Conclusion
- Provides a new system, OdoSwiff.
- Detection rates were favorable compared to existing systems.
- Cannot dynamically trace ActionScript 3.0.
- Signatures need updating.