Skip to main content
SpringerLink
Log in

Comprehensive Analysis and Detection of Flash-Based Malware

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9721))

Abstract

Adobe Flash is a popular platform for providing dynamic and multimedia content on web pages. Despite being declared dead for years, Flash is still deployed on millions of devices. Unfortunately, the Adobe Flash Player increasingly suffers from vulnerabilities, and attacks using Flash-based malware regularly put users at risk of being remotely attacked. As a remedy, we present Gordon, a method for the comprehensive analysis and detection of Flash-based malware. By analyzing Flash animations at different levels during the interpreter’s loading and execution process, our method is able to spot attacks against the Flash Player as well as malicious functionality embedded in ActionScript code. To achieve this goal, Gordon combines a structural analysis of the container format with guided execution of the contained code, a novel analysis strategy that manipulates the control flow to maximize the coverage of indicative code regions. In an empirical evaluation with 26,600 Flash samples collected over 12 consecutive weeks, Gordon significantly outperforms related approaches when applied to samples shortly after their first occurrence in the wild, demonstrating its ability to provide timely protection for end users.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    md5: cac794adea27aa54f2e5ac3151050845.

  2. 2.

    md5: 4f293f0bda8f851525f28466882125b7.

  3. 3.

    Versions not supported by FlashDetect (version 8 and below) have been excluded.

References

  1. Adobe Systems Incooperated: ActionScript virtual machine 2 (AVM2) overview. Technical report, Adobe System Incooperated (2007)

    Google Scholar 

  2. Adobe Systems Incooperated: SWF file format specification. Technical report, Adobe System Incooperated (2013)

    Google Scholar 

  3. Aho, A.V., Sethi, R., Ullman, J.D.: Compilers Principles, Techniques, and Tools, 2nd edn. Addison-Wesley, Reading (2006)

    MATH  Google Scholar 

  4. Baecher, P., Koetter, M.: libemu - x86 Shellcode Emulation (2008)

    Google Scholar 

  5. Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. In: Proceedings of International Conference on Machine Learning (ICML) (2012)

    Google Scholar 

  6. Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection, pp. 65–88. Springer, US (2008)

    Chapter  Google Scholar 

  7. Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the International World Wide Web Conference (WWW), pp. 197–206, April 2011

    Google Scholar 

  8. Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143–163. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  9. Cavnar, W., Trenkle, J.: N-gram-based text categorization. In: Proceedings of SDAIR, Las Vegas, pp. 161–175, NV, USA, April 1994

    Google Scholar 

  10. Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: Proceedings of Conference on Dependable Systems and Networks (DSN), pp. 177–186 (2008)

    Google Scholar 

  11. Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C.: Introduction to Algorithms, 3rd edn. MIT Press, Cambridge (2009)

    MATH  Google Scholar 

  12. Cova, M., Felmetsger, V., Banks, G., Vigna, G.: Static detection of vulnerabilities in x86 executables. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 269–278 (2006)

    Google Scholar 

  13. Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: Proceedings of the International World Wide Web Conference (WWW), pp. 281–290 (2010)

    Google Scholar 

  14. Crandall, J.R., Wassermann, G., Oliveira, D.A.S., Su, Z., Wu, S.F., Chong, F.T.: Temporal search: detecting hidden malware timebombs with virtual machines. In: Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 25–36 (2006)

    Google Scholar 

  15. Cretu, G., Stavrou, A., Locasto, M., Stolfo, S., Keromytis, A.: Casting out demons: Sanitizing training data for anomaly sensors. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 81–95 (2008)

    Google Scholar 

  16. Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: fast and precise in-browser JavaScript malware detection. In: Proceedings of USENIX Security Symposium, pp. 33–48 (2011)

    Google Scholar 

  17. Fogla, P., Lee, W.: Evading network anomaly detection systems: formal reasoning and practical techniques. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 59–68 (2006)

    Google Scholar 

  18. Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., Lee, W.: Polymorphic blending attacks. In: Proceedings of USENIX Security Symposium, pp. 241–256 (2006)

    Google Scholar 

  19. Ford, S., Cova, M., Kruegel, C., Vigna, G.: Analyzing and detecting malicious flash advertisements. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 363–372 (2009)

    Google Scholar 

  20. gnash. GNU Gnash. https://www.gnu.org/software/gnash. Accessed April 2016

  21. Hirvonen, T.: Dynamic flash instrumentation for fun and profit. In: Proceedings of Black Hat USA (2014)

    Google Scholar 

  22. httparchive. http://www.httparchive.org. Accessed April 2016

  23. Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I.P., Tygar, J.D.: Adversarial machine learning. In: Proceedings of ACM Workshop on Artificial Intelligence and Security (AISEC), pp. 43–58 (2011)

    Google Scholar 

  24. Jang, J., Agrawal, A., Brumley, D.: ReDeBug: finding unpatched code clones in entire os distributions. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 48–62 (2012)

    Google Scholar 

  25. Johns, M., Lekies, S.: Biting the hand that serves you: a closer look at client-side flash proxies for cross-domain requests. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 85–103. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  26. Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: Proceedings of USENIX Security Symposium, pp. 637–651, August 2013

    Google Scholar 

  27. Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: de-cloaking internet malware. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 443–457 (2012)

    Google Scholar 

  28. Laskov, P., Šrndić, N.: Static detection of malicious javascript-bearing PDF documents. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 373–382 (2011)

    Google Scholar 

  29. Louw, M.T., Thotta, K., Venkatakrishnan, V.N.: AdJail: practical enforcement of confidentiality and integrity policies on web advertisments. In: Proceedings of USENIX Security Symposium, pp. 371–388 (2010)

    Google Scholar 

  30. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 231–245 (2007)

    Google Scholar 

  31. Nair, S.K., Simpson, P.N.D., Crispo, B., Tanenbaum, A.S.: A virtual machine based information flow control system for policy enforcement. Electron. Notes Theor. Comput. Sci. (ENTCS) 197(1), 3–16 (2008)

    Article  Google Scholar 

  32. Özkan, S.: CVE Details. http://www.cvedetails.com. Accessed April 2016

  33. Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 5(6), 864–881 (2009)

    Article  MATH  Google Scholar 

  34. Pignotti, A.: Lightspark. https://github.com/lightspark. Accessed April 2016

  35. Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: a defense against heap-spraying code injection attacks. In: Proceedings of USENIX Security Symposium, pp. 169–186 (2009)

    Google Scholar 

  36. Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for javascript. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 513–528 (2010)

    Google Scholar 

  37. Schölkopf, B., Smola, A.J.: Learning with Kernels. MIT Press, Cambridge (2002)

    MATH  Google Scholar 

  38. Sedgewick, R., Wayne, K.: Algorithms, 4th edn. Addison-Wesley, Boston (2011)

    Google Scholar 

  39. Shafiq, M.Z., Khayam, S.A., Farooq, M.: Embedded malware detection using markov n-grams. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 88–107. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  40. Stolfo, S.J., Wang, K., Li, W.-J.: Towards stealthy malware detection. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Malware Detection, pp. 231–249. Springer, USA (2007)

    Chapter  Google Scholar 

  41. Suen, C.: N-gram statistics for natural language understanding, text processing. IEEE Trans. Pattern Anal. Mach. Intell. 1(2), 164–172 (1979)

    Article  Google Scholar 

  42. Systems, A.: Adobe Flash runtimes: Statistics. http://www.adobe.com/products/flashruntimes/statistics.html. Accessed April 2016

  43. van Acker, S., Nikiforakis, N., Desmet, L., Joosen, W., Piessens, F.: FlashOver: automated discovery of cross-site scripting vulnerabilities in rich internet applications. In: Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS) (2012)

    Google Scholar 

  44. Van Overveldt, T., Kruegel, C., Vigna, G.: FlashDetect: actionscript 3 malware detection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 274–293. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  45. Šrndić, N., Laskov, P.: Detection of malicious PDF files based on hierarchical document structure. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2013)

    Google Scholar 

  46. Wagner, D., Soto, P.: Mimicry attacks on host based intrusion detection systems. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 255–264 (2002)

    Google Scholar 

  47. Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  48. Wilhelm, J., Chiueh, T.: A forced sampled execution approach to kernel rootkit identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 219–235. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  49. Wook Oh, J.: AVM inception - how we can use AVM instrumentation in a beneficial way. In: Shmoocon (2012)

    Google Scholar 

  50. Wressnegger, C., Boldewin, F., Rieck, K.: Deobfuscating embedded malware using probable-plaintext attacks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 164–183. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

Download references

Acknowledgments

The authors would like to thank Emiliano Martinez of VirusTotal for supporting the acquisition of malicious Flash files. Furthermore, we gratefully acknowledge funding from the German Federal Ministry of Education and Research (BMBF) under the projects APT-Sweeper (FKZ 16KIS0307) and INDI (FKZ 16KIS0154K) as well as the German Research Foundation (DFG) under project DEVIL (RI 2469/1-1).

Author information

Authors and Affiliations

  1. Institute of System Security, TU Braunschweig, Braunschweig, Germany

    Christian Wressnegger, Fabian Yamaguchi, Daniel Arp & Konrad Rieck

Authors
  1. Christian Wressnegger
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabian Yamaguchi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Daniel Arp
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Konrad Rieck
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Christian Wressnegger .

Editor information

Editors and Affiliations

  1. IMDEA Software Institute, Pozuelo de Alarcón, Madrid, Spain

    Juan Caballero

  2. Mondragon University, Arrasate, Guipúzcoa, Spain

    Urko Zurutuza

  3. Universidad de Zaragoza, Zaragoza, Spain

    Ricardo J. Rodríguez

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Wressnegger, C., Yamaguchi, F., Arp, D., Rieck, K. (2016). Comprehensive Analysis and Detection of Flash-Based Malware. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-40667-1_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation