Sean Ford, Marco Cova, Christopher Kruegel, Giovanni Vigna, University of California, Santa Barbara, ACSAC 2009.


1 Sean Ford, Marco Cova, Christopher Kruegel, Giovanni Vigna, University of California, Santa Barbara, ACSAC 2009

2 Outline
- About Flash
- An Attack Sample
- Evasion
- Design and Implementation
- System Evaluation
- Related Work
- Conclusion

3 About Flash
- Created by Macromedia in 1996

4
- Numerous vulnerabilities have been discovered in the Adobe Flash Player: CVE-2006-3311, CVE-2007-0071, ...
- Forcibly direct victims to sites that host phishing and drive-by download attacks (malvertisement)

5 Flash File
- ActionScript: DoInitAction, DoAction
- Extends ECMAScript

6 ActionScript bytecode

7 An Attack Sample
- Activation date
- Time zone check

8 An Attack Sample (cont.)
- Domain name check

9 An Attack Sample (cont.)
- Flash Shared Object = 25 hours

10 An Attack Sample (cont.)
- Force redirect: MovieClip.getURL

11 Evasion
- Obfuscation: Unicode -> char

12 Evasion (cont.)

13
- Another obfuscation: the ActionScript 3.0 method Loader.loadBytes

14 Evasion (cont.)
- Malformed Flash files: use the lack of validation in certain resources contained within the Flash file
  - Jump action: the instruction pointer is simply a byte offset from the start of the Flash file; defeats flasm and flare
  - Invalid tags: will be silently ignored

15 Design and Implementation
- Static analysis
  - For tags designed to contain image data: use the javax.imageio.ImageIO library to validate
  - For out-of-bound jump actions: parse all ActionScript actions for jump actions
  - For CVE-2007-0071 (integer overflow): examine DefineSceneAndFrameLabelData, SceneCount
  - x86 shellcode detection: sctest tool from libemu, disassembled by ndisasm

16 Design and Implementation
- Loader.loadBytes: using the abcdump utility from the Mozilla Tamarin project to disassemble
- Hex-encoded strings: searching for hex-encoded strings longer than 512 characters
- push instructions in ActionScript 3.0: the push instructions have a threshold of 60%
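The ActionScript 3.0 indicators of slide 16, as an added example in Python that is not OdoSwiff's own code: it scans a constructed, simplified disassembly listing (abcdump's real output format is an assumption here) for hex-only strings longer than 512 characters, a share of push instructions above 60%, and a reference to Loader.loadBytes.

```python
import re

# Constructed, simplified listings in the spirit of abcdump output; the real
# tool's exact formatting is not reproduced here (assumption for this example).
SUSPICIOUS_LISTING = "\n".join([
    "getlocal0",
    'pushstring "%s"' % ("4d5a90" * 200),  # 1200-character hex string, constructed
    "pushint 0",
    "pushbyte 1",
    "pushshort 512",
    "pushdouble 1.5",
    "callpropvoid loadBytes 1",
])
BENIGN_LISTING = "\n".join([
    "getlocal0",
    'pushstring "Hello, world"',
    "getlocal1",
    "callpropvoid gotoAndPlay 1",
    "returnvoid",
])

HEX_STRING_RE = re.compile(r'pushstring\s+"([0-9a-fA-F]+)"')
HEX_MIN_LEN = 512            # slide 16: hex-encoded strings longer than 512 characters
PUSH_RATIO_THRESHOLD = 0.60  # slide 16: push instructions above 60% of all opcodes

def opcodes(listing):
    """First token of every non-empty line: the opcode mnemonic."""
    return [line.split()[0] for line in listing.splitlines() if line.strip()]

def long_hex_strings(listing, min_len=HEX_MIN_LEN):
    """Hex-only string literals longer than min_len (a hidden SWF or shellcode blob)."""
    return [s for s in HEX_STRING_RE.findall(listing) if len(s) > min_len]

def push_ratio(listing):
    """Fraction of opcodes that are push* instructions (pushstring, pushint, ...)."""
    ops = opcodes(listing)
    return sum(op.startswith("push") for op in ops) / len(ops) if ops else 0.0

def as3_indicators(listing):
    """Return the slide-16 indicators present in a listing; an empty list means none."""
    hits = []
    if long_hex_strings(listing):
        hits.append("long_hex_string")
    if push_ratio(listing) > PUSH_RATIO_THRESHOLD:
        hits.append("push_heavy")
    if "loadBytes" in listing:
        hits.append("loader_loadbytes")
    return hits

if __name__ == "__main__":
    for name, listing in [("suspicious", SUSPICIOUS_LISTING), ("benign", BENIGN_LISTING)]:
        print(name, as3_indicators(listing))
```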

17 Design and Implementation
- Dynamic analysis: creating an execution trace
  - Uses an open source project, Gnash: supports up to ActionScript 2.0 (Flash version 8)
- The collected data: action and method summaries
  - Ex: string manipulation made up 95% of total method calls

18 Design and Implementation
- The collected data (cont.)
  - Network activity: reveals the destination URL
  - Referenced URLs: collecting unused URLs can provide hints about the actions that the Flash file may potentially perform
  - Environment-aware functionality: indicates that the Flash file's behavior could be modified depending on its environment

19 Design and Implementation
- In dynamic analysis, malicious code that may otherwise take a matter of seconds to execute may take minutes when using Gnash. It is not unusual for these execution traces to reach sizes of several gigabytes.

20 Design and Implementation
- Classification (malicious or benign)
  - Automatic redirect -> malicious
  - CVE-2007-0071 exploit
  - Shellcode
  - URLs that have known associations with malware
  - ActionScript 3.0 malicious signature

21 System Evaluation
- OdoSwiff has been made publicly available as part of Wepawet
- 3,060 Flash applications have been submitted; over 600 of them are malicious

22 System Evaluation (cont.)
- Alexa Top 500 Global Sites: a crawler views each of these sites periodically
- Separated from non-advertisement Flash
  - An advertisement has some naming convention, e.g. 300x250_Product.swf or Company_Product_160x600.swf
- 2,492 Flash files from 190 sites

23 System Evaluation (cont.)

24
- VirusTotal: using 40 different virus scanners
- If any scanner has detected it -> malicious

25 System Evaluation (cont.)
- Adopstool: benign or malicious

26 System Evaluation (cont.)

27
- Other types of Flash exploits: CVE-2007-0071, utilizing ActionScript 3.0 for exploits
- 305 malicious Flash files were collected from Wepawet

28 System Evaluation (cont.)

29 Related Work
- Virus scanners: of the malicious Flash files successfully detected by VirusTotal, only an average of 9.8 scanners actually detected each one
- HP released its SWFScan in March 2009; it focuses on vulnerabilities that may result from coding errors

30 Related Work (cont.)
- OWASP SWFIntruder was released in 2007; it looks for flaws in Flash that could be utilized to deliver cross-site scripting attacks
- Adopstool: does not support ActionScript 3.0

31 Conclusion
- Provides a new system, OdoSwiff; detection rates were favorable compared to existing systems
- Can't dynamically trace ActionScript 3.0
- Needs updating of signatures


