Analyzing and Detecting Malicious Flash Advertisements


Sean Ford, Marco Cova,
Christopher Kruegel, Giovanni Vigna
University of California, Santa Barbara
ACSAC 2009
Outline
About Flash
 An Attack Sample
 Evasion
 Design and Implementation
 System Evaluation
 Related Work
 Conclusion

About Flash

Created by Macromedia in 1996
Malvertisement

Numerous vulnerabilities have been
discovered in the Adobe Flash Player.
 CVE-2006-3311
 CVE-2007-0071
…

Forcibly direct victims to sites that host
phishing and drive-by download attacks
Flash File

ActionScript
 DoInitAction
 DoAction

Extends ECMAScript
ActionScript bytecode
An Attack Sample

Activation Date

Time Zone Check
An Attack Sample (cont.)

Domain Name Check
An Attack Sample (cont.)

Flash Shared Object = 25 hours
An Attack Sample (cont.)

Force redirect
MovieClip.getURL
Evasion

Obfuscation: Unicode -> char conversion
Evasion (cont.)

Another obfuscation
 ActionScript 3.0 method Loader.loadBytes (loads a SWF embedded as a byte array)
Evasion (cont.)

Malformed Flash Files
 Exploit the lack of validation of certain
resources contained within the Flash file
○ Jump action
 The instruction pointer is simply a byte offset from the
start of the Flash file.
 Defeats flasm and flare
○ Invalid tags
 Are silently ignored
Design and Implementation

Static Analysis
 For tags designed to contain image data
○ Use the javax.imageio.ImageIO library to validate the image data
 For out-of-bound jump actions
○ Parse all ActionScript actions and check each jump action's target
 For CVE-2007-0071 (integer overflow)
○ Examine the SceneCount field of the
DefineSceneAndFrameLabelData tag
○ x86 shellcode detection
 sctest tool from libemu
 Disassembled by ndisasm
Design and Implementation
 Loader.loadBytes
○ Use the abcdump utility from the Mozilla
Tamarin project to disassemble the loaded bytecode
 Hex-encoded strings
○ Search for hex-encoded strings longer
than 512 characters
 push instructions in ActionScript 3.0
○ Flagged when push instructions exceed a 60% threshold
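As an added example (not OdoSwiff's code or any of the tools named on these slides), the following Python implements three of the static checks listed above: walking a DoAction action-record block to flag ActionJump/ActionIf targets that land outside the block, searching for hex-encoded strings of at least 512 characters, and computing the push-instruction ratio against the 60% threshold. The action-record encoding follows the SWF specification (action codes at or above 0x80 carry a little-endian UI16 length); the byte strings and the disassembly-style lines are constructed for the example, and the output format of abcdump is not reproduced.

```python
import re

# SWF ActionScript 2 action codes (from the SWF file format specification)
ACTION_END = 0x00
ACTION_JUMP = 0x99   # payload: SI16 branch offset
ACTION_IF = 0x9D     # payload: SI16 branch offset (conditional)


def iter_actions(block):
    """Yield (offset, code, payload, next_offset) for each ActionRecord in a
    DoAction/DoInitAction body. Codes >= 0x80 are followed by a little-endian
    UI16 length and that many payload bytes; smaller codes have no payload."""
    pos = 0
    while pos < len(block):
        code = block[pos]
        if code < 0x80:
            yield pos, code, b"", pos + 1
            if code == ACTION_END:
                return
            pos += 1
            continue
        if pos + 3 > len(block):
            raise ValueError("truncated action header at offset %d" % pos)
        length = int.from_bytes(block[pos + 1:pos + 3], "little")
        payload = block[pos + 3:pos + 3 + length]
        if len(payload) != length:
            raise ValueError("truncated action payload at offset %d" % pos)
        yield pos, code, payload, pos + 3 + length
        pos += 3 + length


def out_of_bound_jumps(block):
    """Return [(action_offset, target_offset)] for every ActionJump/ActionIf
    whose branch target falls outside the action block. Branch offsets are
    relative to the first byte after the record, so a well-formed target is
    always within [0, len(block))."""
    findings = []
    for off, code, payload, nxt in iter_actions(block):
        if code in (ACTION_JUMP, ACTION_IF) and len(payload) == 2:
            delta = int.from_bytes(payload, "little", signed=True)
            target = nxt + delta
            if not 0 <= target < len(block):
                findings.append((off, target))
    return findings


def long_hex_strings(source, min_len=512):
    """Return runs of hex digits at least min_len characters long, the slides'
    signature for hex-encoded payloads in ActionScript 3.0 source."""
    return re.findall(r"[0-9A-Fa-f]{%d,}" % min_len, source)


def push_ratio(instructions):
    """Fraction of disassembled AS3 instructions whose mnemonic starts with
    'push' (pushstring, pushint, pushbyte, ...)."""
    mnemonics = [line.split()[0] for line in instructions if line.strip()]
    if not mnemonics:
        return 0.0
    pushes = sum(1 for m in mnemonics if m.startswith("push"))
    return pushes / len(mnemonics)


def exceeds_push_threshold(instructions, threshold=0.60):
    """The slides flag a file when push instructions exceed a 60% threshold."""
    return push_ratio(instructions) > threshold


# Constructed samples (not taken from real malware)
# ActionJump with a zero offset: target is the ActionEnd byte, in bounds.
BENIGN_ACTIONS = bytes([ACTION_JUMP, 0x02, 0x00, 0x00, 0x00, ACTION_END])
# ActionJump with a 10000-byte forward offset: lands far outside the block.
EVASIVE_ACTIONS = bytes([ACTION_JUMP, 0x02, 0x00, 0x10, 0x27, ACTION_END])
# Constructed disassembly-style lines: 5 of 7 instructions are pushes (~71%).
CONSTRUCTED_AS3 = [
    'pushstring "4d5a90"',
    'pushstring "00030000"',
    "pushint 16",
    "pushbyte 2",
    "pushscope",
    "getlocal0",
    "callpropvoid decode 2",
]

if __name__ == "__main__":
    print(out_of_bound_jumps(BENIGN_ACTIONS))
    print(out_of_bound_jumps(EVASIVE_ACTIONS))
    print(len(long_hex_strings("ab" * 300)))
    print(round(push_ratio(CONSTRUCTED_AS3), 2))
```

The jump check deliberately raises on truncated records rather than skipping them, since a header that runs past the end of the block is itself a malformed-file signal worth surfacing.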
Design and Implementation

Dynamic Analysis
 Create an execution trace
 Use the open source project Gnash
○ Supports up to ActionScript 2.0 (Flash version 8)

The collected data
 Action and Method Summaries
○ Ex: string manipulation made up 95% of total
method calls
Design and Implementation

The collected data (cont.)
 Network Activity
○ Reveals the destination URL
 Referenced URLs
○ Collecting unused URLs can provide hints about
the actions that the Flash file may potentially
perform.
 Environment-Aware Functionality
○ Indicates that the Flash file's behavior could be modified
depending on its environment.
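As an added example, not Gnash output and not OdoSwiff's own code, here is a small Python summarizer over a constructed ActionScript 2 execution trace that produces the four kinds of data the slides list: a per-class method summary, network activity (URLs actually passed to a navigation call), all referenced URL literals (so unused ones stand out), and environment-aware calls such as time-zone, date and shared-object lookups like those in the attack sample. The `CALL Class.method(args)` line shape and the two method sets are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed trace in an assumed "CALL Class.method(args)" shape; this is
# not the format Gnash emits. The URLs are placeholders.
CONSTRUCTED_TRACE = """\
CALL String.fromCharCode(104,116,116,112)
CALL String.concat("http://","ads.example.test/land")
CALL String.concat("http://backup.example.test/alt","")
CALL Date.getTimezoneOffset()
CALL Date.getTime()
CALL SharedObject.getLocal("visit")
CALL String.indexOf("example.test")
CALL MovieClip.getURL("http://ads.example.test/land","_self")
""".splitlines()

CALL_RE = re.compile(r"^CALL\s+(\w+)\.(\w+)\((.*)\)\s*$")
URL_RE = re.compile(r"https?://[^\s\"'(),]+")

# Assumed categories: calls whose results let a file behave differently per
# environment (time zone, date, shared object) and calls that touch the network.
ENV_AWARE_METHODS = {
    ("Date", "getTimezoneOffset"), ("Date", "getTime"),
    ("Date", "getDate"), ("SharedObject", "getLocal"),
}
NETWORK_METHODS = {("MovieClip", "getURL"), ("MovieClip", "loadMovie")}


def parse_trace(lines):
    """Turn trace lines into (class, method, args) tuples, skipping lines
    that do not match the assumed shape."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def method_summary(calls):
    """Per-class call count and share of all calls, the kind of figure
    behind 'string manipulation made up 95% of method calls'."""
    counts = Counter(cls for cls, _, _ in calls)
    total = sum(counts.values()) or 1
    return {cls: (n, n / total) for cls, n in counts.items()}


def network_activity(calls):
    """URLs handed to a navigation/loading call: the destination a forced
    redirect actually reaches."""
    urls = []
    for cls, meth, args in calls:
        if (cls, meth) in NETWORK_METHODS:
            urls.extend(URL_RE.findall(args))
    return urls


def referenced_urls(calls):
    """Every URL literal that appears anywhere in the trace."""
    found = []
    for _, _, args in calls:
        found.extend(URL_RE.findall(args))
    return sorted(set(found))


def unused_urls(calls):
    """Referenced URLs never passed to a network call: hints about actions
    the file could take under other conditions."""
    return sorted(set(referenced_urls(calls)) - set(network_activity(calls)))


def environment_aware_calls(calls):
    """Calls that indicate environment-dependent behaviour."""
    return sorted({"%s.%s" % (c, m) for c, m, _ in calls if (c, m) in ENV_AWARE_METHODS})


def summarize(lines):
    calls = parse_trace(lines)
    return {
        "methods": method_summary(calls),
        "network": network_activity(calls),
        "referenced": referenced_urls(calls),
        "unused": unused_urls(calls),
        "env_aware": environment_aware_calls(calls),
    }


if __name__ == "__main__":
    for key, value in summarize(CONSTRUCTED_TRACE).items():
        print(key, value)
```

On the constructed trace the summary shows String calls at half of all activity, one URL actually reached through getURL, a second URL that is referenced but never used, and three environment-aware calls; a real Gnash trace of several gigabytes would feed the same functions line by line rather than from a list.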
Design and Implementation

In dynamic analysis
 Malicious code that may otherwise take a
matter of seconds to execute may take
minutes when using Gnash.
 It is not unusual for these execution traces
to reach sizes of several gigabytes.
Design and Implementation

Classification (malicious or benign)
 Automatic redirect -> malicious
 CVE-2007-0071 exploit
 Shellcode
 URLs with known associations with
malware
 ActionScript 3.0 malicious signature
System Evaluation

OdoSwiff has been made publicly available as
part of Wepawet

3,060 Flash applications have been
submitted
 Over 600 of them are malicious
System Evaluation (cont.)

Alexa Top 500 Global Sites
 A crawler views each of these sites
periodically
 Advertisements are separated from non-advertisement Flash
○ Advertisements follow some naming
conventions
 E.g. 300x250_Product.swf or
Company_Product_160x600.swf
 2,492 Flash files from 190 sites
System Evaluation (cont.)

VirusTotal
 Using 40 different virus scanners
 If any scanner detects it -> malicious
System Evaluation (cont.)

Adopstool
 Benign or malicious
System Evaluation (cont.)
[Chart: detections on the Alexa advertisement set, grouped as Malicious and False Positive, for OdoSwiff, VirusTotal and adopstool (log-scale axis: 10, 100); bar values as extracted: 71, 1, 1, 4, 3, 1]
System Evaluation (cont.)

Other types of Flash exploits
 CVE-2007-0071
 Exploits that utilize ActionScript 3.0
 305 malicious Flash files were collected from
Wepawet
System Evaluation (cont.)
[Chart: counts for the 305 Wepawet samples by exploit type (ActionScript 3.0 vs CVE-2007-0071), comparing the real counts with those detected by OdoSwiff, VirusTotal and adopstools (axis 0 to 200); bar values as extracted: 179, 174, 151, 126, 126, 126, 21, 0, 0]
Related Work

Virus Scanner
 Of the malicious Flash files successfully detected
by VirusTotal, only an average of 9.8 of the scanners
actually detected them

HP released its SWFScan in March
2009
 Focuses on vulnerabilities that may result from
coding errors
Related Work (cont.)

OWASP SWFIntruder was released in
2007
 It looks for flaws in Flash that could be
utilized to deliver cross-site scripting attacks.

Adopstool
 Does not support ActionScript 3.0
Conclusion

Provides a new system, OdoSwiff
 Detection rates were favorable compared to
existing systems

Cannot dynamically trace ActionScript 3.0

Signatures need updating