2016 | OriginalPaper | Chapter

Comprehensive Analysis and Detection of Flash-Based Malware

Authors: Christian Wressnegger, Fabian Yamaguchi, Daniel Arp, Konrad Rieck

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing


Abstract

Adobe Flash is a popular platform for providing dynamic and multimedia content on web pages. Despite being declared dead for years, Flash is still deployed on millions of devices. Unfortunately, the Adobe Flash Player increasingly suffers from vulnerabilities, and attacks using Flash-based malware regularly put users at risk of being remotely attacked. As a remedy, we present Gordon, a method for the comprehensive analysis and detection of Flash-based malware. By analyzing Flash animations at different levels during the interpreter’s loading and execution process, our method is able to spot attacks against the Flash Player as well as malicious functionality embedded in ActionScript code. To achieve this goal, Gordon combines a structural analysis of the container format with guided execution of the contained code, a novel analysis strategy that manipulates the control flow to maximize the coverage of indicative code regions. In an empirical evaluation with 26,600 Flash samples collected over 12 consecutive weeks, Gordon significantly outperforms related approaches when applied to samples shortly after their first occurrence in the wild, demonstrating its ability to provide timely protection for end users.
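The first of Gordon's two levels, the structural analysis of the container format, can be illustrated with a small SWF header and tag-list parser. The following is an added example written for this page; it is not the authors' Gordon implementation and makes no claim about how Gordon is built. It relies only on the public SWF file format layout (the FWS/CWS/ZWS signature, version byte and little-endian length, the RECT/frame-rate/frame-count header, and the 16-bit tag headers with the DoAction and DoABC tag codes 12 and 82). The sample files it parses are constructed inline by `build_sample_swf`; their DoABC payload is placeholder bytes, not real bytecode.

```python
# Structural inspection of the SWF container: header, compression, tag walk.
# Added example; not code from the paper. Tag codes follow the SWF file format specification.
import struct
import zlib

TAG_END = 0
TAG_SHOW_FRAME = 1
TAG_DO_ACTION = 12   # AVM1 (ActionScript 1/2) bytecode
TAG_DO_ABC = 82      # AVM2 (ActionScript 3) bytecode


def _rect_bytes(body, off):
    """Byte size of the RECT at off: 5 bits of nbits, then four nbits-wide fields, byte-padded."""
    nbits = body[off] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(data):
    """Parse the SWF header and tag list; raise ValueError for non-SWF input."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        compression, body = "none", data[8:]
    elif sig == b"CWS":
        compression, body = "zlib", zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled in this example")
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    if len(body) < 5:
        raise ValueError("header body too short")

    info = {"compression": compression, "version": version,
            "declared_length": declared_len,
            "length_mismatch": declared_len != len(body) + 8,
            "truncated_tag": False, "tags": []}
    off = _rect_bytes(body, 0)
    info["frame_rate"] = struct.unpack_from("<H", body, off)[0] / 256.0  # 8.8 fixed point
    info["frame_count"] = struct.unpack_from("<H", body, off + 2)[0]
    off += 4

    while off + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:  # long form: an explicit UI32 length follows
            if off + 4 > len(body):
                info["truncated_tag"] = True
                break
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        if off + length > len(body):  # tag claims bytes past the end of the file
            info["truncated_tag"] = True
            break
        info["tags"].append((code, length))
        off += length
        if code == TAG_END:
            break
    codes = {code for code, _ in info["tags"]}
    info["has_avm1_code"] = TAG_DO_ACTION in codes
    info["has_avm2_code"] = TAG_DO_ABC in codes
    return info


def assess(data):
    """Return (info, notes): the container-level observations a triage pipeline would record."""
    info = parse_swf(data)
    notes = []
    if info["compression"] != "none":
        notes.append("container is %s-compressed" % info["compression"])
    if info["length_mismatch"]:
        notes.append("declared length %d disagrees with the actual size" % info["declared_length"])
    if info["truncated_tag"]:
        notes.append("tag list truncated: a tag claims bytes past the end of the file")
    if info["version"] <= 8:
        notes.append("SWF version %d predates AVM2, so no DoABC tags are expected" % info["version"])
    if info["has_avm1_code"]:
        notes.append("contains AVM1 bytecode (DoAction)")
    if info["has_avm2_code"]:
        notes.append("contains AVM2 bytecode (DoABC): hand the ABC blocks to the ActionScript stage")
    return info, notes


def build_sample_swf(version=10, compressed=False, lie_about_length=False):
    """Construct a minimal SWF (constructed test data, not a real animation).
    The DoABC body is flags + name + placeholder bytes where real AVM2 bytecode would sit."""
    abc_tag_body = b"\x01\x00\x00\x00" + b"frame1\x00" + b"<placeholder abc>"
    rect = bytes.fromhex("78 00 05 5f 00 00 0f a0 00")  # 550x400 px stage in twips, nbits=15
    body = rect + struct.pack("<HH", 24 << 8, 1)        # 24 fps, 1 frame
    body += struct.pack("<H", (TAG_DO_ABC << 6) | len(abc_tag_body)) + abc_tag_body
    body += struct.pack("<H", TAG_SHOW_FRAME << 6)
    body += struct.pack("<H", TAG_END << 6)
    declared = 8 + len(body) + (100 if lie_about_length else 0)
    header = (b"CWS" if compressed else b"FWS") + bytes([version]) + struct.pack("<I", declared)
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for sample in (build_sample_swf(), build_sample_swf(compressed=True), build_sample_swf()[:40]):
        info, notes = assess(sample)
        print(info["compression"], info["version"], [c for c, _ in info["tags"]], notes)
```

The parser deliberately keeps going on inconsistencies rather than aborting: a length field that disagrees with the file, or a tag that claims more bytes than remain, is recorded as a finding, because a container that a lenient player still loads is exactly the kind of input a structural check needs to report rather than reject. The ZWS (LZMA) variant is left out here only to keep the example self-contained with the standard library.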

Footnotes

1. md5: cac794adea27aa54f2e5ac3151050845.
2. md5: 4f293f0bda8f851525f28466882125b7.
3. Versions not supported by FlashDetect (version 8 and below) have been excluded.
 
Metadata

Copyright Year: 2016
DOI: https://doi.org/10.1007/978-3-319-40667-1_6