Looking Back on Three Years of Flash-based Malware
Christian Wressnegger and Konrad Rieck
EuroSec 2017, Belgrade, Serbia
Malware
◾ Malicious software (Malware)
  – Lasting problem of computer security
  – Omnipresence of Trojans, Bots, Adware, …
  – Increase of targeted attacks using Malware
◾ Flash-based malware
  – Malware targeting the Adobe Flash platform
  – Drive-by-Downloads, malicious redirects, exploits, ...
Adobe Flash
◾ Flash is dead!
  – Deployed on 500 million devices across different platforms
  – Used on 25% of the top 1,000 Alexa web sites
◾ Dynamic and multimedia content on web pages
  – Advertisement, video streaming, gaming, …
  – 20 years of deployment
  – Powerful scripting language: ActionScript
Adobe Flash Vulnerabilities
◾ Increasing number of CVEs
  – About 1,000 different vulnerabilities in total
  – 2015: 329 new vulnerabilities (86% code execution)
  – 2016: 266 new vulnerabilities (73% code execution)
[Figure: Number of CVEs per year of occurrence, 2005–2016 (y-axis: 0–350)]
Retrospective View on Flash-based Malware
◾ 3 Years of Flash-based Malware
  – December 2013 – January 2017
  – 2.3 million unique Flash samples
  – Collected using VirusTotal
◾ Retrospective study only
  – Detection → GORDON (DIMVA 2016)
◾ How well has the malware been detected over the years?
Data Stream
◾ VirusTotal: 66 different virus scanners
  – Irregular scan intervals (samples are scanned when submitted)
  – Different number of scans per sample
[Figure: Number of samples (log scale, 10^-1 to 10^6) by number of scans per sample (0–500)]
Benign vs. Malicious
◾ Use AV detections as collective label
  – Majority voting: is_malicious = (num_detections >= t)
◾ Numerous examples in research
  – Drebin (NDSS 2014), GORDON (DIMVA 2016), MANTIS (CODASPY 2017), …
◾ Drawing a line is tricky
  – Mere thresholds are not enough (Hurier et al., DIMVA 2016)
  – However, detections stabilize over time (Kantchelian et al., AISEC 2015)
◾ Can we put this in concrete terms?
Temporal Change of Detection
◾ How badly does it change?
  – A lot in case there are only a few detections
  – Stabilizes over time and towards more consensus
ZARKOV Sets
◾ Let’s have a look at “missed” samples only
  – Not detected at first, but eventually flagged as malicious
◾ Different manifestations
  – Z-1: Sharp line at 5 detections
  – Z-2: Ignore scans with 5–9 detections
  – Z-3: Not detected → detected by 10
$T = (t_1, t_2)$

$Z = \{\, x \mid \#\mathrm{initial}(x) \le t_1 \;\wedge\; \#\mathrm{final}(x) \ge t_2 \,\}$

$T_1 = (4, 5), \quad T_2 = (4, 10), \quad T_3 = (0, 10)$
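The majority-vote label and the ZARKOV set construction above, as an added Python example (not the authors' code): it carves Z-1, Z-2 and Z-3 from per-sample detection counts using the three threshold pairs of the talk. The sample names and detection counts in SCAN_HISTORY are constructed for illustration.

```python
# Constructed scan histories: for each sample, the number of VirusTotal
# engines flagging it at its first scan and at its most recent scan.
# These values are made up for illustration, not taken from the study.
SCAN_HISTORY = {
    "s1": (0, 12),  # missed entirely at first, broadly detected later
    "s2": (3, 7),   # a few early hits, moderate consensus later
    "s3": (4, 5),   # right on the Z-1 boundary
    "s4": (6, 30),  # detected from the very first scan (not "missed")
    "s5": (0, 2),   # still (almost) undetected today
    "s6": (1, 10),  # one early hit, strong consensus later
}

# Threshold pairs T = (t1, t2) as given in the talk.
ZARKOV_THRESHOLDS = {"Z-1": (4, 5), "Z-2": (4, 10), "Z-3": (0, 10)}


def is_malicious(num_detections, t):
    """Majority-vote style label: at least t engines flag the sample."""
    return num_detections >= t


def zarkov_set(history, t1, t2):
    """Z = {x | #initial(x) <= t1 and #final(x) >= t2}: samples that were
    missed at their first scan (at most t1 detections) but are flagged by
    at least t2 engines at their latest scan."""
    return {
        name
        for name, (initial, final) in history.items()
        if initial <= t1 and is_malicious(final, t2)
    }


def all_zarkov_sets(history):
    """Carve Z-1, Z-2 and Z-3 from one scan history."""
    return {
        label: zarkov_set(history, t1, t2)
        for label, (t1, t2) in ZARKOV_THRESHOLDS.items()
    }


def share_of_dataset(subset, history):
    """Fraction of the whole dataset that ends up in a ZARKOV set."""
    return len(subset) / len(history)


if __name__ == "__main__":
    for label, members in all_zarkov_sets(SCAN_HISTORY).items():
        pct = 100 * share_of_dataset(members, SCAN_HISTORY)
        print(f"{label}: {sorted(members)} -> {pct:.1f}%")
```

Because the thresholds tighten from Z-1 to Z-3, the sets are nested (Z-3 within Z-2 within Z-1), which matches the decreasing counts reported for the real dataset.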
Slipped Through the Net
◾ Condensed subset comprising (initially) missed malware
  – Out of 2.3 million unique Flash samples:
  – Z-1: 3,321 → 0.14%
  – Z-2: 2,904 → 0.12%
  – Z-3: 814 → 0.04%
◾ That’s nice, but what’s that in aid of?
  – Well, insight!
  – Interesting test cases for malware detection (Quality over Quantity?)
Temporal Distribution
◾ Broken down by month
◾ Sporadic highs
  – Particularly noticeable: June/July 2014
  – CVE-2014-0515 discovered in mid-April
Usage of ActionScript
◾ ActionScript used by samples in Z-1, Z-2, Z-3
  – Great majority uses ActionScript (version 3)

Dataset   No AS   AS-1   AS-2   AS-3
Z-1       0.5%    0.8%   1.4%   97.3%
Z-2       0.2%    0.4%   0.4%   99.0%
Z-3       0.2%    0.0%   0.4%   99.4%
Adobe Flash Versions
◾ Almost all platforms are targeted
  – AVM-1 is deprecated for more than 10 years
  – Great majority is targeting version 11.0 & 11.1 (mind the log-scale)

[Figure: Relative frequency (log scale, 0.1%–100%) of targeted Adobe Flash version numbers 3.0–25.0 for Z-1, Z-2 and Z-3; versions 3.0–8.0 correspond to AVM1 (1996–2005), versions 11.0–25.0 to 2011–2016]
Malware characteristics
◾ Other security relevant properties
  – Dynamic code, environment fingerprinting, long hex-strings, …
Summary
◾ Large-scale evaluation
  – 3 years of data (December 2013 – January 2017)
  – 2.3 million Flash animations
◾ Retrospective view on Flash-based malware
  – Evolution of detection over time
◾ ZARKOV sets
  – Not detected at first, but flagged as malicious eventually
  – Carving out interesting test cases
Institute of System Security
Christian Wressnegger
@chwress, http://sec.tu-bs.de/chris