Adobe Flash is a popular platform for providing dynamic and multimedia
content on web pages. Despite being declared dead for years, Flash still
is deployed on millions of devices. Unfortunately, the Adobe Flash
Player increasingly suffers from vulnerabilities, and attacks using
Flash-based malware regularly put users at risk of being remotely
attacked. We present Gordon, a method for the comprehensive analysis and
detection of Flash-based malware. By analyzing Flash animations at
different levels during the interpreter’s loading and execution process,
our method is able to spot attacks against the Flash Player as well as
malicious functionality embedded in ActionScript code. To achieve this
goal, Gordon combines a structural analysis of the container format with
guided execution of the contained code—a novel analysis strategy that
manipulates the control flow to maximize the coverage of indicative code
regions. In doing so, Gordon significantly outperforms related
approaches when applied to samples shortly after their first occurrence
in the wild, demonstrating its ability to provide timely protection for
end users.
