DOI: 10.1145/3065913.3065921

Looking Back on Three Years of Flash-based Malware

Published: 23 April 2017

Abstract

Adobe Flash is about to be replaced by alternative technologies, yet Flash-based malware appears to be more common than ever. In this paper we inspect the properties and temporal distribution of this class of malware over a period of three consecutive years and 2.3 million unique Flash animations. In particular, we focus on initially undetected malware and thus look at a subset for which traditional methods have failed to provide timely detection. We analyze the prevalence of these samples and characterize their nature.

Published In

EuroSec'17: Proceedings of the 10th European Workshop on Systems Security
April 2017
65 pages
ISBN: 9781450349352
DOI: 10.1145/3065913

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EuroSys '17: Twelfth EuroSys Conference 2017
April 23 - 26, 2017
Belgrade, Serbia

Acceptance Rates

EuroSec'17 Paper Acceptance Rate 10 of 24 submissions, 42%;
Overall Acceptance Rate 47 of 113 submissions, 42%

Cited By

  • (2023) Impact Diffusion Among Cybersecurity Providers: Insights from Malware Analysis. 2023 International Conference on Intelligent Computing, Communication & Convergence (ICI3C) (202-213). DOI: 10.1109/ICI3C60830.2023.00047. Online publication date: 16-Dec-2023
  • (2020) Measuring and modeling the label dynamics of online anti-malware engines. Proceedings of the 29th USENIX Conference on Security Symposium (2361-2378). DOI: 10.5555/3489212.3489345. Online publication date: 12-Aug-2020
  • (2020) Efficient machine learning for attack detection. it - Information Technology 62:5-6 (279-286). DOI: 10.1515/itit-2020-0015. Online publication date: 10-Nov-2020
  • (2019) An Illegal Billboard Advertisement Detection Framework Based on Machine Learning. Proceedings of the 2nd International Conference on Big Data Technologies (159-164). DOI: 10.1145/3358528.3358549. Online publication date: 28-Aug-2019
  • (2019) A Comparison of Machine Learning Attributes for Detecting Malicious Websites. 2019 11th International Conference on Communication Systems & Networks (COMSNETS) (352-358). DOI: 10.1109/COMSNETS.2019.8711133. Online publication date: Jan-2019
