Professional Documents
Culture Documents
Flashplayerisalmosteverywhere
Platformindependent Unix/Windows Itsupportsanextensivecoding
Torunonavictimsbrowser
Placebannerad InjectlinkstoSWFfilesviaSQLInjectionorXSS AsktheusertoclickonlinktoSWFfile
MaliciousJavascriptismucheasiertodetect Companieslike:
Websense Bluecoat CheckpointFW
Targetflashplayervulnerabilities Controlsomeaspectofthevictimsenvironment
ie.Thevictimsclipboard
Redirectvictimtomalicioussites
Header,version,length,frame,info,etc AdditionaldetailsintheFileAttributestab
Optionalinearlierversions UsedtotelltheFlashPlayertousethenewerVMfor AS3
Beforeanalyzingflashletslookatmalwareanalysis BehaviorAnalysis
Observewhathappenswhenexecuted Captureandanalyzetrafficonthenetwork Attempttosimulateandinteractwiththeprogram
CodeAnalysis
Capturetheprogram/code
Decompile/analyze Breakdowneachcomponentandfollowtheroadmap
RightclickontheswffileandselectDecompile toproducta.flrtextfile
movie c:\Temp\zoxdgeysjn6.swf { // flash 6, total frames: 136, frame rate: 12 fps, 1x1, compressed // unknown tag 88 length 78 frame 15 { getURL(http://moyapodruzhka.com/?wmid=44&sid44, ); } }
c:\temp\swfdumpDduclipboardpoc.swf> clipboardpoc.swfdump.txt
c:\temp\abcdumpclipboardpoc.swf notepadclipboardpoc.swf.il
ActionScriptView
PCodeView
Open17113.swf>Debug>Listvariables
<paramname=movievalue=swf/gnida.swf?campaign=weidoneous&u=1200066806/>
www.mywot.com WOTSecurityScorecard
Captureasmanydetailsfromthevictimorlive siteaspossible
NoteHTTPheaders,cookies,etc.
SupportActionScript1&2only
Flashm,Flare,DumpFlashDecompiler JSwiff,SWFtoolkit(swf_dump)
SupportActionScript3only
abcdump,FlexSDKswfdump,Nemo440
SupportsActionScript1,2&3
SWFToolsswfdump Commercial:SothinkSWF,DecompilerTrillix
ActionScript3AVM2Overview:
http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
SWFFileFormatSpecification:
http://www.adobe.com/devnet/swf
OWASPPaperonMaliciousSWFs:
http://www.owasp.org/images/1/10/OWASPAppSecEU08Fukami.pdf
OWASPFlashSecurityProject
http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
Clickjacking
http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/ http://www.computerworld.com/action/article.do?command=viewArticleBasic &articleId=9117268&source=rss_topic17