ABSTRACT
Adobe Flash is about to be replaced by alternative technologies, yet Flash-based malware appears to be more common than ever. In this paper we inspect the properties and temporal distribution of this class of malware over a period of three consecutive years and 2.3 million unique Flash animations. In particular, we focus on initially undetected malware and thus look at a subset for which traditional methods have failed to provide timely detection. We analyze the prevalence of these samples and characterize their nature.
Looking Back on Three Years of Flash-based Malware