December 10, 2009
Today, Sean Ford is going to present our paper Analyzing and Detecting Malicious Flash Advertisements at the ACSAC Conference.
The paper describes some of the techniques we use to detect malicious Flash files. More precisely, we focused on two main threats:
1. Flash-based malvertisements that automatically redirect victims to malicious or questionable pages. This type of malware essentially exploits a design flaw in the current advertisement technology: the Flash language and its runtime, as implemented in today's browsers, are too powerful and too unrestricted. An ad's ActionScript can, for instance, call getURL with a _top target and navigate the whole browser window away from the publisher's page. To put it more plainly, why should an advertisement be able to hijack the browser at all? A possible solution here (which we do not explore in the paper) would be to identify a secure subset of Flash and restrict Flash-based advertisements to this subset. Of course, similar work has already been done in the JavaScript camp, see ADSafe or Caja for example, so many lessons could probably be reused.
2. Malformed Flash files that exploit vulnerabilities in common Flash players, typically Adobe's. This type of malware exploits classic implementation problems in the player (buffer overflows, integer overflows, etc.) rather than any feature of the Flash language itself.
The paper also describes in some detail a number of techniques that malicious Flash files use to evade detection (trigger-based behavior, timezone checks, etc.) and to obfuscate the malicious code.
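As an added example (this is not the paper's tool or any code from its authors), here is a small static scanner in Python for the first threat above. It parses an SWF's tag stream, walks the ActionScript 2 bytecode in DoAction/DoInitAction tags, and reports the URL arguments of ActionGetURL and ActionGetURL2 that point off an allowlist of ad-serving hosts or use a javascript: scheme; it also lists string literals such as getTimezoneOffset that hint at the environment-sensitive triggers mentioned in the previous paragraph, and checks the header's FileLength against the real size as a cheap malformed-file indicator. Tag and action codes follow the public SWF file-format specification; the allowlist, the EVASION_STRINGS set, and the sample SWF built inline are assumptions made for illustration. It does not handle AS3 (DoABC) ads, button actions or LZMA (ZWS) files, and its stack model only follows pushes, so the recovered GetURL2 arguments are a heuristic.

```python
"""Static scan of an SWF for ActionScript 2 URL-loading actions and evasion hints (added example, not the
paper's tool). Tag/action codes follow the SWF spec; allowlist, EVASION_STRINGS and sample are assumptions."""
import struct
import zlib
from urllib.parse import urlparse
TAG_END, TAG_DO_ACTION, TAG_DO_INIT_ACTION = 0, 12, 59
ACT_END, ACT_GET_URL, ACT_CONSTANT_POOL, ACT_PUSH, ACT_GET_URL2 = 0x00, 0x83, 0x88, 0x96, 0x9A
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4}  # float, null, undefined, register, bool, double, int
EVASION_STRINGS = {"getTimezoneOffset", "getTime", "System.capabilities", "eval"}  # assumption

def iter_tags(body):
    """Yield (code, payload): RECORDHEADER is UI16 code<<6|length, plus a UI32 length when 0x3F."""
    nbits = body[0] >> 3                           # RECT: 5-bit Nbits then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4             # RECT bytes + frame rate UI16 + frame count UI16
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length
        if code == TAG_END:
            break

def read_cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def scan_actions(actions, report):
    """Walk ACTIONRECORDs (codes >= 0x80 carry a UI16 length and payload) until ActionEnd."""
    pos, pool, stack = 0, [], []
    while pos < len(actions) and actions[pos] != ACT_END:
        code, pos, payload = actions[pos], pos + 1, b""
        if code >= 0x80:
            length = struct.unpack_from("<H", actions, pos)[0]
            payload, pos = actions[pos + 2:pos + 2 + length], pos + 2 + length
        if code == ACT_GET_URL:                    # url and target are inline strings
            url, p = read_cstring(payload, 0)
            report["urls"].append((url, read_cstring(payload, p)[0]))
        elif code == ACT_CONSTANT_POOL:
            p, pool = 2, []
            for _ in range(struct.unpack_from("<H", payload, 0)[0]):
                s, p = read_cstring(payload, p)
                pool.append(s)
            report["strings"].extend(pool)
        elif code == ACT_PUSH:                     # sequence of (type, value) pairs
            p = 0
            while p < len(payload):
                kind, p, value = payload[p], p + 1, None
                if kind == 0:                      # string literal
                    value, p = read_cstring(payload, p)
                    report["strings"].append(value)
                elif kind in (8, 9):               # constant-pool index, UI8 or UI16
                    idx = payload[p] if kind == 8 else struct.unpack_from("<H", payload, p)[0]
                    value, p = (pool[idx] if idx < len(pool) else None), p + (1 if kind == 8 else 2)
                else:                              # fixed-size types; unknown types push a placeholder
                    p += PUSH_SIZES.get(kind, 0)
                stack.append(value)
        elif code == ACT_GET_URL2:                 # pops target, then url; only pushes are modelled
            target = stack.pop() if stack else None
            report["urls"].append((stack.pop() if stack else None, target))

def scan_swf(data, allowed_hosts):
    """Report navigation targets, those leaving allowed_hosts, evasion hints and header sanity."""
    sig, declared_len = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("unsupported SWF signature %r (LZMA/ZWS not handled)" % sig)
    body = data[8:] if sig == b"FWS" else zlib.decompress(data[8:])
    # FileLength must equal header (8) + uncompressed body; a mismatch is a malformed-file hint
    report = {"header_ok": declared_len == 8 + len(body), "urls": [], "strings": [], "offsite_urls": []}
    for code, payload in iter_tags(body):
        if code == TAG_DO_ACTION:
            scan_actions(payload, report)
        elif code == TAG_DO_INIT_ACTION:           # payload starts with a SpriteID UI16
            scan_actions(payload[2:], report)
    for url, _target in report["urls"]:
        parsed = urlparse(url or "")
        # relative URLs stay on the serving site; javascript: is an outright browser hijack
        if parsed.scheme == "javascript" or (parsed.hostname and parsed.hostname not in allowed_hosts):
            report["offsite_urls"].append(url)
    report["evasion_hints"] = sorted(set(report["strings"]) & EVASION_STRINGS)
    return report

def _action(code, payload=b""):
    return struct.pack("<BH", code, len(payload)) + payload
def _tag(code, payload):                           # long RECORDHEADER form, valid for any length
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf(compress=False, declared_len=None):
    """Constructed one-frame SWF: a benign click-through plus a constant-pool based offsite redirect."""
    actions = (_action(ACT_GET_URL, b"http://ads.example.net/click\x00_self\x00")
               + _action(ACT_CONSTANT_POOL, struct.pack("<H", 2) + b"http://redirect.example.com/go\x00getTimezoneOffset\x00")
               + _action(ACT_PUSH, b"\x08\x00\x00_top\x00")    # push pool[0], then the literal "_top"
               + _action(ACT_GET_URL2, b"\x00")                # flags 0: GET, load into the target window
               + bytes([ACT_END]))
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + _tag(TAG_DO_ACTION, actions) + _tag(TAG_END, b"")
    header = bytes([8]) + struct.pack("<I", 8 + len(body) if declared_len is None else declared_len)
    return (b"CWS" + header + zlib.compress(body)) if compress else (b"FWS" + header + body)
```

With the constructed sample, scan_swf(build_sample_swf(), {"ads.example.net"}) reports the benign click-through and the redirect to redirect.example.com, flags the latter as off-site, and lists getTimezoneOffset as an evasion hint; the zlib-compressed (CWS) variant gives the same result. This static pass is deliberately a filter rather than a verdict: URLs assembled at runtime, AS3 bytecode, actions attached to buttons, and the trigger logic itself are exactly what the obfuscation and evasion techniques mentioned above are designed to hide, so a hit is a reason to run the ad in an instrumented player, and a miss is not a clean bill of health.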
Here is the abstract:
The amount of dynamic content on the web has been steadily increasing, and sites now offer user experiences that come close to those found when running local native applications. Advanced scripting languages such as JavaScript and Adobe's Flash have been instrumental in delivering dynamic content on the Internet. Dynamic content has also become popular in advertising, where Flash has achieved success allowing the creation of rich, interactive ads that are displayed on hundreds of millions of computers per day. The success of Flash-based applications and advertisements attracted the attention of malware authors who use Flash to deliver attacks through advertising networks. This paper presents a novel approach whose goal is to automate the analysis of Flash content to identify malicious behavior. We designed and implemented a tool based on the approach, we made it available to the world, and we tested it on a large corpus of real-world Flash ads. The results show that our tool is able to reliably detect malicious Flash ads with very limited false positives.