Author Topic: Flash Malware Analysis  (Read 6115 times)


December 30, 2009, 04:03:20 am

valkyriex

Hi fellows,

Recently, I have undertaken analysis of several Flash malware samples. Here are some tools for your reference to analyze Flash malware:

SoThink Flash Decompiler - Supports ActionScript 2 and 3. (Commercial)

IDA Pro Plugin - Flash Decompiler
http://www.hex-rays.com/contest2009/#2 (but for ActionScript 2)

swfextract - tool for extracting data out of swf files.
http://www.swftools.org/swfextract.html

swfdump - Prints out various information about SWFs, like contained images/fonts/sounds, disassembly of contained code as well as cross-reference and bounding box data.
http://www.swftools.org/

EnJoy!

0xdf

December 30, 2009, 11:26:49 am
Reply #1

SysAdMini

Thanks.

Can anybody recommend a good non-commercial decompiler?
Ruining the bad guy's day

December 30, 2009, 11:48:46 am
Reply #2

parody

I use Flasm, but it doesn't support Flash 9 or 10.

http://flasm.sourceforge.net/

December 30, 2009, 12:49:43 pm
Reply #3

ratsoul


Another good tool is HP SWFScan:

Quote
HP SWFScan, a free tool developed by HP Web Security Research Group, will automatically find security vulnerabilities in applications built on the Flash platform.

    * Decompiles applications built on the Adobe Flash platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure.
    * Identifies and reports insecure programming and deployment practices and suggests solutions.
    * Enables you to audit third party applications without requiring access to the source code.

download here: https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf&jumpid=go/swfscan.

 - ratsoul

December 30, 2009, 01:34:01 pm
Reply #4

SysAdMini


Quote
Another good tool is HP SWFScan:

Is it your experience? Have you tested the tool yourself? Do you recommend it?

I know most free Flash tools, but I still haven't found a really good one.
Most tools lack features, like the missing Flash 9/10 support in Flasm.

That's the reason why I asked for a GOOD non-commercial tool.
Ruining the bad guy's day

December 30, 2009, 02:36:42 pm
Reply #5

ratsoul

Hi SysAdMini,

I use this tool, in my opinion it is one of the best free tools available.
It can handle flash 9 as well as flash 10 files and it also has the feature to locate known vulnerabilities within the flash file quickly. I recommend this tool.

 - ratsoul

December 30, 2009, 03:01:24 pm
Reply #6

SysAdMini

Quote
I use this tool, in my opinion it is one of the best free tools available.
It can handle flash 9 as well as flash 10 files and it also has the feature to locate known vulnerabilities within the flash file quickly. I recommend this tool.

I have just tried to decompile some malicious Flash files using this tool.
It doesn't work.

All I get is:
Quote
Decompile failed: The Flash application was malformed : Malformed data in SWF header
Ruining the bad guy's day
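
A "Malformed data in SWF header" failure like the one in the last reply can be triaged by hand before trying another decompiler. The following Python function is an added example, not part of any post in this thread and not SWFScan's own logic: it checks the fixed SWF header fields (signature, version, FileLength, zlib body, FrameSize RECT) and reports which one is inconsistent. The names `check_swf_header` and `build_sample` are hypothetical, and the sample files are constructed.

```python
import struct
import zlib

def check_swf_header(data: bytes) -> list:
    """Return header problems found in a SWF file; an empty list means none."""
    if len(data) < 8:
        return ["shorter than the 8-byte fixed header"]
    sig, version = data[:3], data[3]
    declared = struct.unpack("<I", data[4:8])[0]  # FileLength, little-endian
    problems = []
    if sig == b"FWS":                      # uncompressed body
        body = data[8:]
    elif sig == b"CWS":                    # zlib body, allowed from SWF 6
        if version < 6:
            problems.append(f"CWS signature but version {version} predates SWF 6")
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(data[8:])
        except zlib.error as exc:
            return problems + [f"zlib body does not inflate: {exc}"]
        if not inflater.eof:
            problems.append("zlib stream is truncated")
        if inflater.unused_data:
            problems.append(f"{len(inflater.unused_data)} bytes after zlib stream")
    else:
        return [f"signature {sig!r} is not FWS or CWS"]
    # FileLength counts the whole file after decompression, header included.
    if declared != 8 + len(body):
        problems.append(f"FileLength {declared} != actual {8 + len(body)}")
    if not body:
        return problems + ["no FrameSize RECT after the fixed header"]
    nbits = body[0] >> 3                   # top 5 bits: width of each RECT field
    rect_len = (5 + 4 * nbits + 7) // 8    # RECT is padded to a byte boundary
    if len(body) < rect_len + 4:           # FrameRate (2) + FrameCount (2)
        problems.append("truncated before FrameRate/FrameCount")
    return problems

def build_sample(sig=b"FWS", version=9, length=None, tail=b""):
    """Constructed minimal SWF: empty RECT, 12 fps, 1 frame, End tag."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    packed = zlib.compress(body) if sig == b"CWS" else body
    length = 8 + len(body) if length is None else length
    return sig + bytes([version]) + struct.pack("<I", length) + packed + tail

if __name__ == "__main__":
    for name, blob in [("clean FWS", build_sample()),
                       ("bad length", build_sample(length=0xFFFFFFFF)),
                       ("appended data", build_sample(b"CWS", tail=b"\x90" * 16))]:
        print(name, check_swf_header(blob) or "header OK")
```

A mismatched FileLength or bytes trailing the zlib stream are the kind of header inconsistency a strict parser may reject while a more tolerant one still loads the file, so the report indicates what to repair or strip before feeding the file to a decompiler.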