Abstract
Adobe Flash is present on nearly every PC, and it is increasingly being targeted by malware authors. Despite this, research into methods for detecting malicious Flash files has been limited. Similarly, there is very little documentation available about the techniques commonly used by Flash malware. Instead, most research has focused on JavaScript malware.
This paper discusses common techniques such as heap spraying, JIT spraying, and type confusion exploitation in the context of Flash malware. Where applicable, these techniques are compared to those used in malicious JavaScript. Subsequently, FlashDetect is presented, an offline Flash file analyzer that uses both dynamic and static analysis, and that can detect malicious Flash files using ActionScript 3. FlashDetect classifies submitted files using a naive Bayesian classifier based on a set of predefined features. Our experiments show that FlashDetect has high classification accuracy, and that its efficacy is comparable with that of commercial anti-virus products.
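As an added illustration (not code from the paper or from FlashDetect), the kind of naive Bayesian classifier the abstract describes: a Bernoulli naive Bayes model with Laplace smoothing, trained on constructed binary feature vectors. The feature names and training rows below are assumptions for the example, not FlashDetect's actual feature set or data.

```python
import math
from collections import Counter

# Assumed binary features (illustrative only, not FlashDetect's real feature set).
FEATURES = ["heap_spray_loop", "jit_spray_constants", "type_confusion_pattern",
            "loads_external_swf", "obfuscated_names", "large_bytearray"]

# Constructed training corpus: one row per SWF, 1 = feature observed, plus label.
TRAIN = [
    ([1, 1, 0, 1, 1, 1], "malicious"), ([1, 0, 1, 0, 1, 1], "malicious"),
    ([0, 1, 1, 1, 1, 0], "malicious"), ([1, 1, 1, 0, 0, 1], "malicious"),
    ([0, 0, 0, 0, 0, 0], "benign"),    ([0, 0, 0, 1, 0, 0], "benign"),
    ([0, 0, 0, 0, 1, 1], "benign"),    ([0, 0, 0, 1, 0, 1], "benign"),
]

class BernoulliNB:
    """Bernoulli naive Bayes with Laplace smoothing, evaluated in log space."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.log_prior = {}   # log P(class)
        self.log_p = {}       # per class: log P(feature present | class)
        self.log_q = {}       # per class: log P(feature absent  | class)

    def fit(self, rows):
        counts = Counter(label for _, label in rows)
        for label, n in counts.items():
            self.log_prior[label] = math.log(n / len(rows))
            present = [0] * len(rows[0][0])
            for x, y in rows:
                if y == label:
                    present = [a + b for a, b in zip(present, x)]
            p = [(c + self.alpha) / (n + 2 * self.alpha) for c in present]  # smoothed
            self.log_p[label] = [math.log(v) for v in p]
            self.log_q[label] = [math.log(1 - v) for v in p]
        return self

    def predict_proba(self, x):
        scores = {}
        for label, prior in self.log_prior.items():
            s = prior
            for i, v in enumerate(x):
                s += self.log_p[label][i] if v else self.log_q[label][i]
            scores[label] = s
        m = max(scores.values())           # shift before exp to avoid underflow
        z = sum(math.exp(s - m) for s in scores.values())
        return {k: math.exp(s - m) / z for k, s in scores.items()}

    def predict(self, x):
        proba = self.predict_proba(x)
        return max(proba, key=proba.get)
```

The smoothing term matters in practice: without it, a single feature never seen in one class drives that class's probability to zero regardless of the other evidence.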
© 2012 Springer-Verlag Berlin Heidelberg
Van Overveldt, T., Kruegel, C., Vigna, G. (2012). FlashDetect: ActionScript 3 Malware Detection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_14
DOI: https://doi.org/10.1007/978-3-642-33338-5_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33337-8
Online ISBN: 978-3-642-33338-5