FireEye Releases Open Source Automatic Analysis Tool for Adobe Flash


Adobe is finally deprecating Flash in 2020, but FireEye predicts that the software will be used as an infection vector for a while even after its demise.

Cybersecurity firm FireEye has developed and released a new tool to improve the security of Adobe Flash until its retirement.

According to FireEye, Adobe Flash is one of the most exploited software components of the last decade. It accounts for over 1,000 Common Vulnerabilities and Exposures (CVEs) since 2005, and almost 900 of these vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher.

Adobe is finally deprecating Flash in 2020 and many major browsers have already dropped support for the software.

However, FireEye has cautioned that if organizations do not phase Flash out in time, the security threat may grow beyond Flash’s end of life due to a lack of security patches.

In order to maintain security of Flash until its demise, the company noted that there should be a balance between the need to analyse Flash samples and the correct amount of resources to be spent on a declining product.

To this end, the company on Monday released FLASHMINGO, a framework to automate the analysis of SWF files, to the open source community.

FireEye says FLASHMINGO enables analysts to triage suspicious Flash samples and investigate them further with minimal effort.

“It integrates into various analysis workflows as a stand-alone application or can be used as a powerful library. Users can easily extend the tool’s functionality via custom Python plug-ins,” the company wrote in a blog post.

Tool Architecture

FLASHMINGO leverages the open source SWIFFAS library to parse Flash files. After parsing, all binary data and bytecode are stored in a large object named SWFObject. This object contains all the information about the SWF including a list of tags, information about all methods, strings, constants and embedded binary data.

There are also several useful plug-ins which are included by default which allow FLASHMINGO to find suspicious method names, loops and constants. There is also a separate plug-in that allows users to decompile Flash objects.

“Even though Flash is set to reach its end of life at the end of 2020 and most of the development community has moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while. Legacy technologies are juicy targets for attackers due to the lack of security updates,” warns FireEye.

“FLASHMINGO provides malware analysts a flexible framework to quickly deal with these pesky Flash samples without getting bogged down in the intricacies of the execution environment and file format,” its claims.

Flashmingo is now available for downloaded on GitHub.




Please enter your comment!
Please enter your name here