Dynamic Flash Instrumentation for Fun and Profit

Presented at Black Hat USA 2014, Aug. 6, 2014, 3:30 p.m. (60 minutes).

Many of the latest Flash exploits seen in the wild (CVE-2013-5329, CVE-2013-5330, CVE-2014-0497, etc) are protected with commercial tools like DoSWF and secureSWF. Malicious Flash redirectors are also utilizing the same tools. Static analysis of protected Flash objects is slow and frustrating: you need to identify the encryption algorithm and the key, implement the decryption routine, and extract the encrypted data from the Flash object. Code obfuscation techniques can also be a real pain in the *** when static analysis is the only option. If only there were a decent tool for dynamic analysis Flash files... In this presentation, we will release and demonstrate the first tool that enables dynamic analysis of malicious Flash files. There is no need for decompilation - the tool utilizes binary instrumentation to log the interesting method calls. This approach not only significantly speeds up the analysis of individual files but also enables detailed automatic analysis of malicious Flash files.

Presenters:

  • Timo Hirvonen - F-Secure
    Timo Hirvonen, Senior Researcher for the Security Response Team, has been working closely with F-Secure's proprietary behavior-based DeepGuard technology for over three years. Timo is an expert in exploit analysis with an emphasis in malicious Java, Flash, and PDF files. Timo has presented at T2 Infosec Conference, CARO 2013, Scandinavian Cybercrime Conference, and Microsoft Digital Crimes Consortium. Timo's mission is to keep the good guys safe by studying the latest tricks the bad guys use.

Links:

Similar Presentations: