shane hartman – cissp, gcia, grem suncoast security society
TRANSCRIPT
![Page 1: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/1.jpg)
Shane Hartman –CISSP, GCIA, GREMSuncoast Security Society
![Page 2: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/2.jpg)
Analyzing MalwareWhy Flash MalwareStructure of an SWF FileHistory of Flash ScriptingExploit Example 1: Social EngineeringExploit Example 2: Clipboard HijackExploit Example 3: Multi‐Step RedirectionExploit Example 4: Shell Code Exploit
![Page 3: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/3.jpg)
Flash player is almost everywherePlatform independent – Unix / WindowsIt supports an extensive coding
To run on a victims browserPlace banner adInject links to SWF files via SQL Injection or XSSAsk the user to click on link to SWF file
![Page 4: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/4.jpg)
Malicious Javascript is much easier to detectCompanies like:
Websense BluecoatCheckpoint FW
can analyze the code before its executed.With the introduction of Action Script 3 a highly robust environment* Because it is embedded and executed client side it is much more difficult to analyze, much like Java applets.
![Page 5: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/5.jpg)
Target flash player vulnerabilitiesControl some aspect of the victims environment
ie. The victims clipboard
Redirect victim to malicious sites
![Page 6: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/6.jpg)
Header, version, length, frame, info, etcAdditional details in the FileAttributes tab
Optional in earlier versionsUsed to tell the Flash Player to use the newer VM for AS 3
Definition and control tags, recognized by tag type number, eg‐1 : ShowFrame (displays current frame)‐12: DoAction (defines ActionScript 1 or 2)‐82: DoABC (defines ActionScript 3)
![Page 7: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/7.jpg)
Version 1: Basic geometry and animations onlyVersion 2: Several animation control tagsVersion 3: Support for keyboard and mouse eventsVersion 4: Full scripting implementation via actionsVersion 5‐6: Support for ActionScript 1Version 7‐8: Support for ActionScript 2Version 9+: Support for ActionScript 3 – Different VM
![Page 8: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/8.jpg)
Before analyzing flash lets look at malware analysisBehavior Analysis
Observe what happens when executedCapture and analyze traffic on the networkAttempt to simulate and interact with the program
Code AnalysisCapture the program / code
Decompile / analyzeBreak down each component and follow the road map
![Page 9: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/9.jpg)
To: [email protected]: What Up
Check this out..
http://img361.imageshack.us/img361/7064/zoxdgeysjn6.swf
![Page 10: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/10.jpg)
![Page 11: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/11.jpg)
SwfextractFlareDump Flash
![Page 12: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/12.jpg)
![Page 13: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/13.jpg)
Right‐click on the swf file and select “Decompile” to product a .flr text file
movie ‘c:\Temp\zoxdgeysjn6.swf’ {// flash 6, total frames: 136, frame rate: 12 fps, 1x1, compressed// unknown tag 88 length 78frame 15 {
getURL(‘http://moyapodruzhka.com/?wmid=44&sid44’, ‘ ‘);
}}
![Page 14: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/14.jpg)
![Page 15: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/15.jpg)
Clipboard persistently contains an unfamiliar URLAdding new content to the clipboard seems to have no effect
![Page 16: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/16.jpg)
SwfdumpabcdumpNemo 440
![Page 17: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/17.jpg)
c:\temp\swfdump –Ddu clipboard‐poc.swf > clipboard‐poc.swfdump.txt
![Page 18: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/18.jpg)
c:\temp\abcdump clipboard‐poc.swfnotepad clipboard‐poc.swf.il
![Page 19: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/19.jpg)
![Page 20: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/20.jpg)
Visitors to taringa.net saw the following banner ad.Some were redirected to a site that told them of a spyware problemSo, what was going on? – Much more complicated
![Page 21: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/21.jpg)
![Page 22: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/22.jpg)
Nothing suspicious when loading the SWF file in the browserClicking on the ad shows nothing suspiciousCould it be sensitive to something:
TimeURLParameters, etc.
![Page 23: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/23.jpg)
Decompiled 17113.swf with FlareCode doesn’t reveal much – Looks to be concealed
![Page 24: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/24.jpg)
![Page 25: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/25.jpg)
ActionScript View
P‐Code View
![Page 26: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/26.jpg)
There are encryptors meant to protect your codeThe suggestion is they will protect your intellectual workMalware authors are using these tools to make it more difficult to dissect and understand what the malicious code is trying to do
![Page 27: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/27.jpg)
![Page 28: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/28.jpg)
![Page 29: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/29.jpg)
Open 17113.swf > Debug > List variables
![Page 30: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/30.jpg)
![Page 31: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/31.jpg)
<param name=“movie” value=“swf/gnida.swf?campaign=weidoneous&u=1200066806” />
![Page 32: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/32.jpg)
![Page 33: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/33.jpg)
![Page 34: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/34.jpg)
A vulnerability in Flash Player 9 led to many exploits (CVE‐2007‐0071)A problem with code that processed the scene numberAllowed the execution of arbitrary code via shellcode
![Page 35: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/35.jpg)
![Page 36: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/36.jpg)
You can extract hex values from swfdump outputAn alturnative is to uncompress the SWF file with flashm, then extract with a hex editor
![Page 37: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/37.jpg)
![Page 38: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/38.jpg)
![Page 39: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/39.jpg)
![Page 40: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/40.jpg)
www.mywot.comWOT Security Scorecard
![Page 41: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/41.jpg)
![Page 42: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/42.jpg)
![Page 43: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/43.jpg)
Place code inside and unknown tag and jump therePlace code after the “end” tag and jump thereJump in the middle of the code blockUse and abstraction frameworkUse a commercial protector
![Page 44: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/44.jpg)
Capture as many details from the victim or live site as possible
Note HTTP headers, cookies, etc.
Disassemble and analyze SWF files, retrieving new files as necessaryUnprotect if you can; may be limited to behavioral analysis
![Page 45: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/45.jpg)
Support ActionScript 1 & 2 onlyFlashm, Flare, Dump Flash DecompilerJSwiff, SWF toolkit (swf_dump)
Support ActionScript 3 onlyabcdump, Flex SDK swfdump, Nemo 440
Supports ActionScript 1,2 & 3SWFTools swfdumpCommercial: Sothink SWF, Decompiler Trillix
![Page 46: Shane Hartman – CISSP, GCIA, GREM Suncoast Security Society](https://reader033.vdocuments.site/reader033/viewer/2022042707/586974891a28abdd708ba142/html5/thumbnails/46.jpg)
ActionScript 3 AVM2 Overview:http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
SWF File Format Specification:http://www.adobe.com/devnet/swf
OWASP Paper on Malicious SWFs:http://www.owasp.org/images/1/10/OWASP‐AppSecEU08‐Fukami.pdf
OWASP Flash Security Projecthttp://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
Clickjackinghttp://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117268&source=rss_topic17