–cissp, gcia, grem · version 1: basic geometry and animations only version 2: several animation...
TRANSCRIPT
![Page 1: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/1.jpg)
Shane Hartman –CISSP, GCIA, GREMSuncoast Security Society
![Page 2: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/2.jpg)
Analyzing MalwareWhy Flash MalwareStructure of an SWF FileHistory of Flash ScriptingExploit Example 1: Social EngineeringExploit Example 2: Clipboard HijackExploit Example 3: Multi‐Step RedirectionExploit Example 4: Shell Code Exploit
![Page 3: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/3.jpg)
Flash player is almost everywherePlatform independent – Unix / WindowsIt supports an extensive coding
To run on a victims browserPlace banner adInject links to SWF files via SQL Injection or XSSAsk the user to click on link to SWF file
![Page 4: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/4.jpg)
Malicious Javascript is much easier to detectCompanies like:
Websense BluecoatCheckpoint FW
can analyze the code before its executed.With the introduction of Action Script 3 a highly robust environment* Because it is embedded and executed client side it is much more difficult to analyze, much like Java applets.
![Page 5: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/5.jpg)
Target flash player vulnerabilitiesControl some aspect of the victims environment
ie. The victims clipboard
Redirect victim to malicious sites
![Page 6: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/6.jpg)
Header, version, length, frame, info, etcAdditional details in the FileAttributes tab
Optional in earlier versionsUsed to tell the Flash Player to use the newer VM for AS 3
Definition and control tags, recognized by tag type number, eg‐1 : ShowFrame (displays current frame)‐12: DoAction (defines ActionScript 1 or 2)‐82: DoABC (defines ActionScript 3)
![Page 7: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/7.jpg)
Version 1: Basic geometry and animations onlyVersion 2: Several animation control tagsVersion 3: Support for keyboard and mouse eventsVersion 4: Full scripting implementation via actionsVersion 5‐6: Support for ActionScript 1Version 7‐8: Support for ActionScript 2Version 9+: Support for ActionScript 3 – Different VM
![Page 8: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/8.jpg)
Before analyzing flash lets look at malware analysisBehavior Analysis
Observe what happens when executedCapture and analyze traffic on the networkAttempt to simulate and interact with the program
Code AnalysisCapture the program / code
Decompile / analyzeBreak down each component and follow the road map
![Page 9: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/9.jpg)
To: [email protected]: What Up
Check this out..
http://img361.imageshack.us/img361/7064/zoxdgeysjn6.swf
![Page 10: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/10.jpg)
![Page 11: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/11.jpg)
SwfextractFlareDump Flash
![Page 12: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/12.jpg)
![Page 13: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/13.jpg)
Right‐click on the swf file and select “Decompile” to product a .flr text file
movie ‘c:\Temp\zoxdgeysjn6.swf’ {// flash 6, total frames: 136, frame rate: 12 fps, 1x1, compressed// unknown tag 88 length 78frame 15 {
getURL(‘http://moyapodruzhka.com/?wmid=44&sid44’, ‘ ‘);
}}
![Page 14: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/14.jpg)
![Page 15: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/15.jpg)
Clipboard persistently contains an unfamiliar URLAdding new content to the clipboard seems to have no effect
![Page 16: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/16.jpg)
SwfdumpabcdumpNemo 440
![Page 17: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/17.jpg)
c:\temp\swfdump –Ddu clipboard‐poc.swf > clipboard‐poc.swfdump.txt
![Page 18: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/18.jpg)
c:\temp\abcdump clipboard‐poc.swfnotepad clipboard‐poc.swf.il
![Page 19: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/19.jpg)
![Page 20: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/20.jpg)
Visitors to taringa.net saw the following banner ad.Some were redirected to a site that told them of a spyware problemSo, what was going on? – Much more complicated
![Page 21: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/21.jpg)
![Page 22: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/22.jpg)
Nothing suspicious when loading the SWF file in the browserClicking on the ad shows nothing suspiciousCould it be sensitive to something:
TimeURLParameters, etc.
![Page 23: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/23.jpg)
Decompiled 17113.swf with FlareCode doesn’t reveal much – Looks to be concealed
![Page 24: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/24.jpg)
![Page 25: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/25.jpg)
ActionScript View
P‐Code View
![Page 26: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/26.jpg)
There are encryptors meant to protect your codeThe suggestion is they will protect your intellectual workMalware authors are using these tools to make it more difficult to dissect and understand what the malicious code is trying to do
![Page 27: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/27.jpg)
![Page 28: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/28.jpg)
![Page 29: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/29.jpg)
Open 17113.swf > Debug > List variables
![Page 30: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/30.jpg)
![Page 31: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/31.jpg)
<param name=“movie” value=“swf/gnida.swf?campaign=weidoneous&u=1200066806” />
![Page 32: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/32.jpg)
![Page 33: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/33.jpg)
![Page 34: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/34.jpg)
A vulnerability in Flash Player 9 led to many exploits (CVE‐2007‐0071)A problem with code that processed the scene numberAllowed the execution of arbitrary code via shellcode
![Page 35: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/35.jpg)
![Page 36: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/36.jpg)
You can extract hex values from swfdump outputAn alturnative is to uncompress the SWF file with flashm, then extract with a hex editor
![Page 37: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/37.jpg)
![Page 38: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/38.jpg)
![Page 39: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/39.jpg)
![Page 40: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/40.jpg)
www.mywot.comWOT Security Scorecard
![Page 41: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/41.jpg)
![Page 42: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/42.jpg)
![Page 43: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/43.jpg)
Place code inside and unknown tag and jump therePlace code after the “end” tag and jump thereJump in the middle of the code blockUse and abstraction frameworkUse a commercial protector
![Page 44: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/44.jpg)
Capture as many details from the victim or live site as possible
Note HTTP headers, cookies, etc.
Disassemble and analyze SWF files, retrieving new files as necessaryUnprotect if you can; may be limited to behavioral analysis
![Page 45: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/45.jpg)
Support ActionScript 1 & 2 onlyFlashm, Flare, Dump Flash DecompilerJSwiff, SWF toolkit (swf_dump)
Support ActionScript 3 onlyabcdump, Flex SDK swfdump, Nemo 440
Supports ActionScript 1,2 & 3SWFTools swfdumpCommercial: Sothink SWF, Decompiler Trillix
![Page 46: –CISSP, GCIA, GREM · Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events](https://reader034.vdocuments.net/reader034/viewer/2022042806/5f69e3e2675cd255a86754d4/html5/thumbnails/46.jpg)
ActionScript 3 AVM2 Overview:http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
SWF File Format Specification:http://www.adobe.com/devnet/swf
OWASP Paper on Malicious SWFs:http://www.owasp.org/images/1/10/OWASP‐AppSecEU08‐Fukami.pdf
OWASP Flash Security Projecthttp://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
Clickjackinghttp://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117268&source=rss_topic17