Many of the latest Flash exploits seen in the wild (CVE-2013-5329, CVE-2013-5330, CVE-2014-0497, etc) are protected with commercial tools like DoSWF and secureSWF. Malicious Flash redirectors are also utilizing the same tools. Static analysis of protected Flash objects is slow and frustrating: you need to identify the encryption algorithm and the key, implement the decryption routine, and extract the encrypted data from the Flash object. Code obfuscation techniques can also be a real pain in the *** when static analysis is the only option. If only there were a decent tool for dynamic analysis Flash files...
In this presentation, we will release and demonstrate the first tool that enables dynamic analysis of malicious Flash files. There is no need for decompilation - the tool utilizes binary instrumentation to log the interesting method calls. This approach not only significantly speeds up the analysis of individual files but also enables detailed automatic analysis of malicious Flash files.