Flash Active Content
Flash refers to several different entities created and formerly owned by Macromedia (now Adobe). A Flash movie is a form of active content used to display an animation that can contain vector graphics, scripts, sounds, and videos. It is embedded in a web page as an HTML object that gets displayed by a web browser via the Flash Player, a virtual machine plugin.
There is also a Flash integrated development environment (IDE) that is used to create Flash movies. Flash source files, called FLA files, have an .fla extension, and can be read by the IDE. When a movie is ready to be deployed, it is "published" (i.e., compiled) into a .swf file, commonly referred to as SWF ("swiff") files. SWF files are an open binary format. For more information about the SWF file format, see Alexis' SWF Reference.
The scripting language used for Flash movies is called ActionScript, and is similar in form to JavaScript.
Decompilation
Our goal for the Flash subtask is to be able to extract URLs from Flash movies. There are several tools, both free and commercial, available that can decompile an SWF file into an FLA source. The FLA source may or may not be exactly the same as the original FLA, but it should be logically equivalent (i.e., variable and function names may differ).
Free Tools
Commercial Tools
After careful review of the tools available to us, we decided to go with Flare/Flasm, which are both written by the same author. That author actually recommended that we use Flasm, as it is newer and better suited our licensing and source control requirements. We make calls to the flasm executable as follows (on Windows):
flasm.exe -d movie.swf
In this example, movie.swf is a hypothetical Flash movie file that a HoneyClient downloaded in the process of scouring a web page. We use the output of Flasm to recover the URLs for links contained in the SWF file. Here is a snippet of some sample flasm output showing a relative URL that was contained in the SWF movie:
defineButton 24
  on overDownToOverUp
    getURL 'intro.html' ''
  end
end // of defineButton 24
Output
The Flash active content module returns a hash whose keys are all the URLs found and whose values are the link scoring weight for each URL (currently every value is set to the default of 1).
Log file entries are also made if URLs were detected but could not be extracted. Cases like this arise when URLs are created dynamically in the ActionScript code for a Flash object in a movie, as opposed to being statically coded into the object. While we attempt to handle a subset of such cases, there are times when our parsing logic may fail to recover the actual URLs. For those instances, log file messages note the SWF file of interest so that a human analyst can review it later.
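As an added example that is not part of the HoneyClient code base (the project itself is Perl; Python is used here so the logic reads stand-alone), the following turns flasm -d output like the snippet above into the URL hash the module returns, and writes a log entry for getURL2 calls whose URL is assembled at runtime rather than stored as a literal. The sample disassembly is constructed, the flasm opcode spellings (push, getURL2, getVariable, add, getMember) and the logger name honeyclient.flash are assumptions of this example, and the stack tracking is deliberately a simplification of the real ActionScript VM.

```python
"""Recover link targets from flasm -d disassembly.

Added example, not HoneyClient project code. Opcode spellings follow flasm's
syntax as assumed here; the sample input is constructed for the example.
"""
import logging
import re
import subprocess

log = logging.getLogger("honeyclient.flash")  # assumed logger name

DEFAULT_WEIGHT = 1   # link-scoring weight given to every recovered URL
UNKNOWN = None       # stack marker: value is only known when the movie runs

# Constructed sample: one static getURL (as on the page), one getURL2 whose URL
# is a literal, and one getURL2 whose URL is built from a variable at runtime.
SAMPLE_DISASSEMBLY = """\
defineButton 24
  on overDownToOverUp
    getURL 'intro.html' ''
  end
end // of defineButton 24

frame 0
  push 'http://www.example.com/static.html', '_self'
  getURL2
  push 'http://www.example.com/dyn?id=', 'id'
  getVariable
  add
  push '_self'
  getURL2
end // of frame 0
"""

STATIC_GETURL = re.compile(r"^getURL\s+'((?:[^'\\]|\\.)*)'\s+'((?:[^'\\]|\\.)*)'")
PUSH = re.compile(r"^push\s+(.*)$")
PUSH_ARG = re.compile(r"'((?:[^'\\]|\\.)*)'|[^,\s]+")   # quoted string or bare token


def disassemble(swf_path, flasm="flasm"):
    """Run `flasm -d movie.swf` (the invocation from the page) and return its text."""
    proc = subprocess.run([flasm, "-d", swf_path],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def _push_args(arg_text):
    """Split a push line's operands; only quoted strings can serve as URLs."""
    return [m.group(1) if m.group(1) is not None else UNKNOWN
            for m in PUSH_ARG.finditer(arg_text)]


def extract_urls(disassembly, swf_name="movie.swf"):
    """Return ({url: weight}, [unresolved messages]) for one movie's disassembly."""
    urls, unresolved, stack = {}, [], []
    for lineno, raw in enumerate(disassembly.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = STATIC_GETURL.match(line)
        if m:                                   # ActionGetURL: URL is a literal operand
            urls[m.group(1)] = DEFAULT_WEIGHT
            continue
        m = PUSH.match(line)
        if m:
            stack.extend(_push_args(m.group(1)))
            continue
        op = line.split()[0]
        if op == "getVariable":                 # top of stack becomes a runtime value
            if stack:
                stack[-1] = UNKNOWN
            else:
                stack.append(UNKNOWN)
        elif op in ("add", "getMember"):        # two operands in, one runtime value out
            del stack[-2:]
            stack.append(UNKNOWN)
        elif op == "getURL2":                   # ActionGetURL2 pops target, then URL
            if stack:
                stack.pop()                     # target window, not needed here
            url = stack.pop() if stack else UNKNOWN
            if url is UNKNOWN:
                msg = f"{swf_name}:{lineno}: getURL2 with runtime-built URL, needs manual review"
                log.warning(msg)
                unresolved.append(msg)
            else:
                urls[url] = DEFAULT_WEIGHT
        elif op == "end":                       # leaving a frame/button block: drop its stack
            stack.clear()
    return urls, unresolved


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    found, missed = extract_urls(SAMPLE_DISASSEMBLY, "sample.swf")
    print(found)    # {'intro.html': 1, 'http://www.example.com/static.html': 1}
    print(missed)   # one entry pointing at the getURL2 on line 14
```

The static getURL form is recovered directly from the opcode; for getURL2 the URL has to be taken from whatever the preceding push left on the stack, and as soon as a variable read or a concatenation feeds into it the value is marked unknown and the movie is logged for an analyst rather than guessed at.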
Obfuscation
Due to the growth in tools that can extract the resources from a Flash movie, a market has emerged for tools that can prevent the decompilers from working properly. These tools claim to do various things, and to various extents, to protect the content of a Flash movie. In general, the makers of these tools concede that it is nigh impossible to protect content such as graphics, sounds, or videos in a movie. Thus much of their focus has been on protecting the ActionScript contained in Flash movies.
The most common form of ActionScript protection is obfuscation. The simplest forms merely change the names of variables, functions, and objects to random character sequences so that their purpose is not immediately manifest. More advanced forms of obfuscation introduce spurious code segments and use metamorphic techniques to change the semantics of the script.
Here are some of the tools that claim to be able to obfuscate SWF:
Only the last tool on the list claims to do something more than just obfuscation. It claims it can encrypt an SWF file to provide stronger protection. However, this claim may be dubious, as evidenced by the remarks some people have made in the responses to this blog post.
Our Flash module currently does not deal well with obfuscated SWF files, but support for them is being added.
