Scribd Logo
Upload

Welcome to Scribd!

  • Malware Analysis of Flash Content

    Uploaded by

    amojm1
    85 views46 pages
    Flash Player is almost everywhere Platform independent - Unix / Windows It supports an extensive coding to run on a victims browser Place banner ad Inject links to swf files via SQL Injection or XSS Ask the user to click on link to swf file Malicious Javascript is much easier to detect Companies like: Websense Bluecoat FW can analyze the code before its executed. With the introduction of Action Script 3 a highly robust environment Because it is embedded and executed client side it is much more difficult

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Flash Player is almost everywhere Platform independent - Unix / Windows It supports an extensive coding to run on a victims browser Place banner ad Inject links to swf files via SQL Injection or XSS Ask the user to click on link to swf file Malicious Javascript is much easier to detect Companies like: Websense Bluecoat FW can analyze the code before its executed. With the introduction of Action Script 3 a highly robust environment Because it is embedded and executed client side it is much more difficult

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    85 views46 pages

    Malware Analysis of Flash Content

    Uploaded by

    amojm1
    Flash Player is almost everywhere Platform independent - Unix / Windows It supports an extensive coding to run on a victims browser Place banner ad Inject links to swf files via SQL Injection or XSS Ask the user to click on link to swf file Malicious Javascript is much easier to detect Companies like: Websense Bluecoat FW can analyze the code before its executed. With the introduction of Action Script 3 a highly robust environment Because it is embedded and executed client side it is much more difficult

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 46

    ShaneHartman CISSP,GCIA,GREM Suncoast SecuritySociety

    AnalyzingMalware WhyFlashMalware StructureofanSWFFile HistoryofFlashScripting ExploitExample1:SocialEngineering ExploitExample2:ClipboardHijack ExploitExample3:MultiStepRedirection ExploitExample4:ShellCodeExploit

    Flashplayerisalmosteverywhere
    Platformindependent Unix/Windows Itsupportsanextensivecoding

    Torunonavictimsbrowser
    Placebannerad InjectlinkstoSWFfilesviaSQLInjectionorXSS AsktheusertoclickonlinktoSWFfile

    MaliciousJavascriptismucheasiertodetect Companieslike:
    Websense Bluecoat CheckpointFW

    cananalyzethecodebeforeitsexecuted. WiththeintroductionofActionScript3ahighly robustenvironment *Becauseitisembeddedandexecutedclient sideitismuchmoredifficulttoanalyze,much likeJavaapplets.

    Targetflashplayervulnerabilities Controlsomeaspectofthevictimsenvironment
    ie.Thevictimsclipboard

    Redirectvictimtomalicioussites

    Header,version,length,frame,info,etc AdditionaldetailsintheFileAttributestab
    Optionalinearlierversions UsedtotelltheFlashPlayertousethenewerVMfor AS3

    Definitionandcontroltags,recognizedbytag typenumber,eg 1:ShowFrame(displayscurrentframe) 12:DoAction(definesActionScript1or2) 82:DoABC(definesActionScript3)

    Version1:Basicgeometryandanimationsonly Version2:Severalanimationcontroltags Version3:Supportforkeyboardandmouseevents Version4:Fullscriptingimplementationviaactions Version56:SupportforActionScript1 Version78:SupportforActionScript2 Version9+:SupportforActionScript3 DifferentVM

    Beforeanalyzingflashletslookatmalwareanalysis BehaviorAnalysis
    Observewhathappenswhenexecuted Captureandanalyzetrafficonthenetwork Attempttosimulateandinteractwiththeprogram

    CodeAnalysis
    Capturetheprogram/code
    Decompile/analyze Breakdowneachcomponentandfollowtheroadmap

    To: victim@example.com Subject:WhatUp Checkthisout.. http://img361.imageshack.us/img361/7064/zoxdgeysjn6.swf

    Swfextract Flare DumpFlash

    RightclickontheswffileandselectDecompile toproducta.flrtextfile

    movie c:\Temp\zoxdgeysjn6.swf { // flash 6, total frames: 136, frame rate: 12 fps, 1x1, compressed // unknown tag 88 length 78 frame 15 { getURL(http://moyapodruzhka.com/?wmid=44&sid44, ); } }

    Clipboardpersistentlycontainsanunfamiliar URL Addingnewcontenttotheclipboardseemsto havenoeffect

    Swfdump abcdump Nemo440

    c:\temp\swfdumpDduclipboardpoc.swf> clipboardpoc.swfdump.txt

    c:\temp\abcdumpclipboardpoc.swf notepadclipboardpoc.swf.il

    Visitorstotaringa.netsawthefollowingbanner ad. Some wereredirectedtoasitethattoldthemofa spywareproblem So,whatwasgoingon? Muchmorecomplicated

    NothingsuspiciouswhenloadingtheSWFfilein thebrowser Clickingontheadshowsnothingsuspicious Coulditbesensitivetosomething:


    Time URL Parameters,etc.

    Decompiled17113.swfwithFlare Codedoesntrevealmuch Lookstobe concealed

    ActionScriptView

    PCodeView

    Thereareencryptorsmeanttoprotectyourcode Thesuggestionistheywillprotectyour intellectualwork Malwareauthorsareusingthesetoolstomakeit moredifficulttodissectandunderstandwhatthe maliciouscodeistryingtodo

    Open17113.swf>Debug>Listvariables

    <paramname=movievalue=swf/gnida.swf?campaign=weidoneous&u=1200066806/>

    AvulnerabilityinFlashPlayer9ledtomany exploits(CVE20070071) Aproblemwithcodethatprocessedthescene number Allowedtheexecutionofarbitrarycodevia shellcode

    Youcanextracthexvaluesfromswfdumpoutput AnalturnativeistouncompresstheSWFfilewith flashm,thenextractwithahexeditor

    www.mywot.com WOTSecurityScorecard

    Placecodeinsideandunknowntagandjump there Placecodeaftertheendtagandjumpthere Jumpinthemiddleofthecodeblock Useandabstractionframework Useacommercialprotector

    Captureasmanydetailsfromthevictimorlive siteaspossible
    NoteHTTPheaders,cookies,etc.

    DisassembleandanalyzeSWFfiles,retrieving newfilesasnecessary Unprotectifyoucan;maybelimitedto behavioralanalysis

    SupportActionScript1&2only
    Flashm,Flare,DumpFlashDecompiler JSwiff,SWFtoolkit(swf_dump)

    SupportActionScript3only
    abcdump,FlexSDKswfdump,Nemo440

    SupportsActionScript1,2&3
    SWFToolsswfdump Commercial:SothinkSWF,DecompilerTrillix

    ActionScript3AVM2Overview:
    http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf

    SWFFileFormatSpecification:
    http://www.adobe.com/devnet/swf

    OWASPPaperonMaliciousSWFs:
    http://www.owasp.org/images/1/10/OWASPAppSecEU08Fukami.pdf

    OWASPFlashSecurityProject
    http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

    Clickjacking
    http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/ http://www.computerworld.com/action/article.do?command=viewArticleBasic &articleId=9117268&source=rss_topic17

    You might also like