FlashDetect: ActionScript 3 Malware Detection

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7462))

Abstract

Adobe Flash is present on nearly every PC, and it is increasingly being targeted by malware authors. Despite this, research into methods for detecting malicious Flash files has been limited. Similarly, there is very little documentation available about the techniques commonly used by Flash malware. Instead, most research has focused on JavaScript malware.

This paper discusses common techniques such as heap spraying, JIT spraying, and type confusion exploitation in the context of Flash malware. Where applicable, these techniques are compared to those used in malicious JavaScript. Subsequently, FlashDetect is presented, an offline Flash file analyzer that uses both dynamic and static analysis, and that can detect malicious Flash files using ActionScript 3. FlashDetect classifies submitted files using a naive Bayesian classifier based on a set of predefined features. Our experiments show that FlashDetect has high classification accuracy, and that its efficacy is comparable with that of commercial anti-virus products.
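The abstract states that FlashDetect classifies files with a naive Bayesian classifier over a set of predefined features. As an added illustration (not the paper's code; the feature names and training rows below are constructed placeholders loosely named after the techniques the abstract mentions, not FlashDetect's real feature set), here is a Bernoulli naive Bayes over boolean features with add-one smoothing, which is the kind of classifier the abstract describes:

```python
from collections import Counter
from math import log

# Assumed placeholder feature names; FlashDetect's actual features are not given here.
FEATURES = ["large_bytearray_fill", "repeated_xor_constants",
            "suspicious_type_coercion", "loadbytes_call", "dynamic_code_loading"]

# Constructed training data: (set of features present in the file, label).
TRAINING = [
    ({"large_bytearray_fill", "repeated_xor_constants"}, "malicious"),
    ({"large_bytearray_fill", "loadbytes_call"}, "malicious"),
    ({"suspicious_type_coercion", "dynamic_code_loading"}, "malicious"),
    ({"repeated_xor_constants", "suspicious_type_coercion", "loadbytes_call"}, "malicious"),
    (set(), "benign"),
    ({"loadbytes_call"}, "benign"),
    ({"dynamic_code_loading"}, "benign"),
    (set(), "benign"),
    ({"loadbytes_call", "dynamic_code_loading"}, "benign"),
]


class BernoulliNB:
    """Naive Bayes over boolean features with Laplace (add-one) smoothing."""

    def __init__(self, features):
        self.features = features
        self.class_count = Counter()      # label -> number of training files
        self.feature_count = Counter()    # (label, feature) -> files with feature

    def fit(self, samples):
        for present, label in samples:
            self.class_count[label] += 1
            for f in self.features:
                self.feature_count[(label, f)] += int(f in present)
        return self

    def log_posterior(self, present):
        """Unnormalised log P(label | features), one entry per label."""
        total = sum(self.class_count.values())
        scores = {}
        for label, n in self.class_count.items():
            lp = log(n / total)  # class prior
            for f in self.features:
                p = (self.feature_count[(label, f)] + 1) / (n + 2)  # smoothed P(f | label)
                lp += log(p if f in present else 1 - p)
            scores[label] = lp
        return scores

    def predict(self, present):
        scores = self.log_posterior(present)
        return max(scores, key=scores.get)
```

Smoothing keeps a feature never seen in one class from driving that class's probability to zero, which matters when the training set of malicious samples is small.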

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Van Overveldt, T., Kruegel, C., Vigna, G. (2012). FlashDetect: ActionScript 3 Malware Detection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_14

  • DOI: https://doi.org/10.1007/978-3-642-33338-5_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

  • eBook Packages: Computer Science (R0)