Looking Back on Three Years of Flash-based Malware Christian Wressnegger and Konrad Rieck EuroSec 2017 Belgrade, Serbia
Page 1: Looking Back on Three Years of Flash-based Malware · 2017-05-01

Looking Back on Three Years of Flash-based Malware

Christian Wressnegger and Konrad Rieck

EuroSec 2017

Belgrade, Serbia

Page 2:

Malware

◾ Malicious software (Malware)
  ◾ Lasting problem of computer security
  ◾ Omnipresence of Trojans, Bots, Adware, …
  ◾ Increase of targeted attacks using Malware

◾ Flash-based malware
  ◾ Malware targeting the Adobe Flash platform
  ◾ Drive-by-Downloads, malicious redirects, exploits, ...

Page 3:

Adobe Flash

◾ Flash is dead!
  ◾ Deployed on 500 million devices across different platforms
  ◾ Used on 25% of the top 1,000 Alexa web sites

◾ Dynamic and multimedia content on web pages
  ◾ Advertisement, video streaming, gaming, …
  ◾ 20 years of deployment
  ◾ Powerful scripting language: ActionScript

Page 4:

Adobe Flash Vulnerabilities

◾ Increasing number of CVEs
  ◾ About 1,000 different vulnerabilities in total
  ◾ 2015: 329 new vulnerabilities (86% code execution)
  ◾ 2016: 266 new vulnerabilities (73% code execution)

[Figure: Number of CVEs (0–350) by year of occurrence, 2005–2016]

Page 5:

Retrospective View on Flash-based Malware

◾ 3 Years of Flash-based Malware
  ◾ December 2013 – January 2017
  ◾ 2.3 million unique Flash samples
  ◾ Collected using VirusTotal

◾ Retrospective study only
  ◾ Detection → GORDON (DIMVA 2016)

◾ How well has the malware been detected over the years?

Page 6:

Data Stream

◾ VirusTotal: 66 different virus scanners
  ◾ Irregular scan intervals (samples are scanned when submitted)
  ◾ Different number of scans per sample

[Figure: Number of samples (log scale, 10^-1 to 10^6) by number of scans per sample (0–500)]

Page 7:

Benign vs. Malicious

◾ Use AV detections as collective label
  ◾ Majority voting

is_malicious = (num_detections >= t)

◾ Numerous examples in research
  – Drebin (NDSS 2014), GORDON (DIMVA 2016), MANTIS (CODASPY 2017), …

◾ Drawing a line is tricky
  ◾ Mere thresholds are not enough (Hurier et al., DIMVA 2016)
  ◾ However, detections stabilize over time (Kantchelian et al., AISEC 2015)

◾ Can we put this in concrete terms?

Page 8:

Temporal Change of Detection

◾ How badly does it change?
  ◾ A lot in case there are only a few detections
  ◾ Stabilizes over time and towards more consensus

Page 9:

ZARKOV Sets

◾ Let’s have a look at “missed” samples only
  ◾ Not detected at first, but eventually flagged as malicious


◾ Different manifestations
  Z-1 Sharp line at 5 detections
  Z-2 Ignore scans with 5–9 detections
  Z-3 Not detected → detected by 10

$T = (t_1, t_2)$

$Z = \{\, x \mid \#\mathrm{initial}(x) \le t_1 \;\wedge\; \#\mathrm{final}(x) \ge t_2 \,\}$

$T_1 = (4, 5)$ (Z-1)

$T_2 = (4, 10)$ (Z-2)

$T_3 = (0, 10)$ (Z-3)
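The labelling rule from the "Benign vs. Malicious" slide and the ZARKOV set definition above, worked through on constructed VirusTotal-style scan histories. This is an added example, not the authors' code or data: the sample ids, scan dates and detection counts are made up to exercise the three thresholds; #initial(x) and #final(x) are taken here as the detection count at a sample's earliest and latest scan, which is one reading of the slide, not a statement of how the study computed them.

```python
"""Labelling Flash samples from VirusTotal-style scan histories: majority
voting with a detection threshold, and the ZARKOV sets Z-1/Z-2/Z-3 that
collect samples missed at first but flagged later. Added example with
constructed data, not the authors' code or dataset."""

# Constructed scan histories: sample id -> [(scan date, number of AV detections)].
SCANS = {
    "sample_a": [("2014-01-03", 0), ("2014-02-10", 2), ("2014-06-01", 12)],
    "sample_b": [("2014-03-01", 3), ("2014-03-20", 7)],
    "sample_c": [("2015-05-05", 0), ("2015-05-06", 1)],
    "sample_d": [("2015-07-07", 25), ("2015-09-01", 30)],
    "sample_e": [("2016-02-02", 2), ("2016-04-04", 10)],
}

# Thresholds from the 'ZARKOV Sets' slide: T = (t1, t2).
ZARKOV_THRESHOLDS = {"Z-1": (4, 5), "Z-2": (4, 10), "Z-3": (0, 10)}


def is_malicious(num_detections, t):
    """Majority-vote label used as collective ground truth: malicious iff >= t scanners agree."""
    return num_detections >= t


def label_history(scans, t):
    """Label at every scan, in chronological order. Shows how unstable the
    label is while only a few engines detect a sample."""
    return [is_malicious(n, t) for _, n in sorted(scans)]


def initial_final(scans):
    """(#initial(x), #final(x)): detections at the first and at the last scan
    (this example's reading of the slide's notation)."""
    ordered = sorted(scans)
    return ordered[0][1], ordered[-1][1]


def zarkov_set(scans_by_sample, t1, t2):
    """Z = { x | #initial(x) <= t1 and #final(x) >= t2 }."""
    members = set()
    for sample_id, scans in scans_by_sample.items():
        initial, final = initial_final(scans)
        if initial <= t1 and final >= t2:
            members.add(sample_id)
    return members


def zarkov_summary(scans_by_sample):
    """Members and share (percent of all samples) of each ZARKOV set."""
    total = len(scans_by_sample)
    summary = {}
    for name, (t1, t2) in ZARKOV_THRESHOLDS.items():
        members = zarkov_set(scans_by_sample, t1, t2)
        summary[name] = (sorted(members), round(100.0 * len(members) / total, 2))
    return summary


if __name__ == "__main__":
    for sample_id, scans in SCANS.items():
        print(sample_id, "labels over time (t=5):", label_history(scans, 5))
    for name, (members, share) in zarkov_summary(SCANS).items():
        print(f"{name}: {len(members)} samples -> {share}%", members)
```

On this data sample_b lands in Z-1 but not in Z-2: its final count of 7 is exactly the 5–9 band that the Z-2 thresholds skip, and sample_e is excluded from Z-3 because it already had two detections at its first scan.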

Page 10:

Slipped Through the Net

◾ Condensed subset comprising (initially) missed malware
  ◾ 2.3 million unique Flash samples

  – Z-1: 3,321 → 0.14%
  – Z-2: 2,904 → 0.12%
  – Z-3: 814 → 0.04%

◾ That’s nice, but what's that in aid of?
  ◾ Well, insight!
  ◾ Interesting test cases for malware detection (Quality over Quantity?)

Page 11:

Temporal Distribution

◾ Broken down by month

◾ Sporadic highs
  ◾ Particularly noticeable: June/July 2014
  ◾ CVE-2014-0515 discovered in mid-April

Page 12:

Usage of ActionScript

◾ ActionScript used by samples in Z-1, Z-2, Z-3
  ◾ Great majority uses ActionScript (version 3)

Dataset   No AS   AS-1   AS-2   AS-3
Z-1       0.5%    0.8%   1.4%   97.3%
Z-2       0.2%    0.4%   0.4%   99.0%
Z-3       0.2%    0.0%   0.4%   99.4%

Page 13:

Adobe Flash Versions

◾ Almost all platforms are targeted
  ◾ AVM-1 has been deprecated for more than 10 years
  ◾ Great majority is targeting version 11.0 & 11.1 (mind the log-scale)

[Figure: Relative frequency (log scale, 0.1%–100%) of Z-1, Z-2 and Z-3 samples by Adobe Flash version number, 3.0 to 25.0; release years 1996–2005 (AVM1) and 2011–2016 marked along the version axis]
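The two properties tabulated on the last two slides, the ActionScript generation and the Flash version a sample targets, can both be read from the SWF container: the version is a header byte, and the scripting generation follows from which tags carry code (DoAction/DoInitAction for AVM1, the FileAttributes ActionScript3 flag and DoABC for AVM2). The following parser is an added example, not the authors' tooling; tag codes and header layout come from the SWF file format specification, the test inputs are constructed in the block itself, and the classification rules (in particular not splitting AS-1 from AS-2, which both ship as DoAction bytecode) are this example's own.

```python
"""Parse SWF headers and tags to recover the Flash version and the ActionScript
generation of a sample. Added example, not the authors' tooling; the
classification rules below are this example's own."""
import struct
import zlib

# SWF tag codes (SWF file format specification).
TAG_END = 0
TAG_DO_ACTION = 12        # ActionScript 1/2 bytecode (AVM1)
TAG_DO_INIT_ACTION = 59   # ActionScript 1/2 bytecode run on sprite init (AVM1)
TAG_FILE_ATTRIBUTES = 69  # flags; 0x08 in the first byte = ActionScript3
TAG_DO_ABC_OLD = 72       # early ABC container (AVM2)
TAG_DO_ABC = 82           # DoABC: ActionScript 3 bytecode (AVM2)
AS3_FLAG = 0x08


def _tag(code, body):
    """Encode one tag record: 10-bit code + 6-bit length, long form if needed."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_swf(version, tags, compress=False):
    """Assemble a minimal SWF (constructed test input, not a real sample):
    zero-size frame RECT, 24 fps, one frame, the given tags, then End."""
    body = b"\x00" + struct.pack("<HH", 0x1800, 1) + b"".join(tags) + _tag(TAG_END, b"")
    signature = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    # FileLength is always the *uncompressed* length including the 8-byte header.
    return signature + bytes([version]) + struct.pack("<I", 8 + len(body)) + payload


def parse_swf(data):
    """Return (version, declared_length, [(tag_code, tag_body), ...])."""
    signature = data[:3]
    if signature not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF file")
    version = data[3]
    declared_length = struct.unpack_from("<I", data, 4)[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("LZMA-compressed SWF (ZWS) not handled in this example")
    # Frame RECT: 5 bits Nbits, then 4 fields of Nbits bits, padded to a byte.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    pos += 4  # FrameRate (UI16) + FrameCount (UI16)
    tags = []
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:  # long record header
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return version, declared_length, tags


def classify(data):
    """Summarise a sample: Flash version byte, compression, ActionScript generation.
    Only AVM1 (AS-1/2) is separated from AVM2 (AS-3) here, since both legacy
    dialects ship in DoAction tags."""
    version, declared_length, tags = parse_swf(data)
    codes = {code for code, _ in tags}
    as3_flag = any(code == TAG_FILE_ATTRIBUTES and body and body[0] & AS3_FLAG
                   for code, body in tags)
    if as3_flag or codes & {TAG_DO_ABC, TAG_DO_ABC_OLD}:
        actionscript = "AS-3"
    elif codes & {TAG_DO_ACTION, TAG_DO_INIT_ACTION}:
        actionscript = "AS-1/2"
    else:
        actionscript = "No AS"
    return {
        "version": version,
        "compressed": data[:3] != b"FWS",
        "declared_length": declared_length,
        "actionscript": actionscript,
    }


# Three constructed samples covering the table's columns.
AS3_SAMPLE = build_swf(11, [_tag(TAG_FILE_ATTRIBUTES, b"\x08\x00\x00\x00"),
                            _tag(TAG_DO_ABC, b"\x00" * 80)], compress=True)
LEGACY_SAMPLE = build_swf(6, [_tag(TAG_DO_ACTION, b"\x00")])
NO_SCRIPT_SAMPLE = build_swf(5, [])

if __name__ == "__main__":
    for name, sample in (("AS3", AS3_SAMPLE), ("legacy", LEGACY_SAMPLE), ("none", NO_SCRIPT_SAMPLE)):
        print(name, classify(sample))
```

The parser stops at the End tag and treats the declared length as data, not as a bound to trust: for compressed samples it is the uncompressed size, so a mismatch with the actual payload is something to record rather than an error.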

Page 14:

Malware characteristics

◾ Other security relevant properties
  ◾ Dynamic code, environment fingerprinting, long hex-strings, …

Page 15:

Summary

◾ Large-scale evaluation
  ◾ 3 years of data (December 2013 – January 2017)
  ◾ 2.3 million Flash animations

◾ Retrospective view on Flash-based malware
  ◾ Evolution of detection over time

◾ ZARKOV sets
  ◾ Not detected at first, but flagged as malicious eventually
  ◾ Carving out interesting test cases

Page 16:

Institute of System Security
Christian Wressnegger

@chwress http://sec.tu-bs.de/chris