In a new report, M86 Security observed a new trend of attackers abusing Adobe's ActionScript to obfuscate malicious code. ActionScript is the programming language of the Adobe Flash platform.
New research has found attackers are abusing Adobe Systems'
ActionScript programming language to dodge anti-malware defenses.
ActionScript is the programming language of the Adobe Flash
platform. In a recap of the threat landscape for the first six months
of 2010, M86 Security reported observing attackers combining
JavaScript with ActionScript in a bid to
obfuscate malicious code.
"Due to the widespread adoption of Adobe Flash across the Web, Flash
continues to remain a popular choice for developers, particularly in
the realm of Web development," the researchers wrote. "What is less
known is that ActionScript has a handy interface with JavaScript on the
parent page. This little known fact is exactly the feature
being abused by attackers today."
Using the predefined functionality in ActionScript for
"ExternalInterface," attackers can produce a two-way communication
between Flash and JavaScript, the report explains.
"To analyze the code in this case we need both the ActionScript and
JavaScript together," the report states. "Having only one part of the
system is insufficient for the correct analysis. Dividing the function
between the two types of script hinders most of the new, proactive
detection mechanisms."
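To illustrate why both halves are needed, here is an added example (not code from the M86 report): a Python script that pairs each `ExternalInterface.call` and `ExternalInterface.addCallback` name found in decompiled ActionScript with its counterpart in the embedding page's JavaScript, and lists names that have no counterpart. The sample sources, the function names in them and the regex heuristics are constructed assumptions.

```python
import re

# Constructed, benign samples: decompiled ActionScript from a SWF and the
# JavaScript of the page that embeds it (not taken from the M86 report).
AS_SOURCE = '''
import flash.external.ExternalInterface;
var part:String = ExternalInterface.call("pageHelper", "seed");
ExternalInterface.call("missingHelper");
ExternalInterface.addCallback("fromPage", onData);
function onData(s:String):void { trace(s + part); }
'''
JS_SOURCE = '''
function pageHelper(seed) { return seed + "-from-page"; }
var movie = document.getElementById("movie");
movie.fromPage("hello");
'''

# Bridge points on the Flash side: calls out to the page, callbacks exposed to it.
AS_CALL = re.compile(r'ExternalInterface\.call\(\s*["\']([\w.$]+)["\']')
AS_CALLBACK = re.compile(r'ExternalInterface\.addCallback\(\s*["\'](\w+)["\']')


def js_defines(name, js):
    """True if the page JS declares or assigns a function with this name."""
    n = re.escape(name)
    return bool(re.search(r'function\s+%s\s*\(|\b%s\s*=\s*function\b' % (n, n), js))


def js_invokes(name, js):
    """True if the page JS calls name() as a method on some object."""
    return bool(re.search(r'\.%s\s*\(' % re.escape(name), js))


def correlate(as_src, js_src):
    """Map each bridge point in the SWF to whether the page has its counterpart."""
    report = {"flash_to_js": {}, "js_to_flash": {}}
    for name in AS_CALL.findall(as_src):
        report["flash_to_js"][name] = js_defines(name, js_src)
    for name in AS_CALLBACK.findall(as_src):
        report["js_to_flash"][name] = js_invokes(name, js_src)
    return report


def unresolved(report):
    """Bridge names with no counterpart found: the analysis is still incomplete."""
    return sorted(n for side in report.values() for n, ok in side.items() if not ok)


if __name__ == "__main__":
    r = correlate(AS_SOURCE, JS_SOURCE)
    print(r, "unresolved:", unresolved(r))
```

An unresolved name means the other half of the logic lives in a script that was not collected, or is built at run time, so a verdict based on the SWF or the page alone would be incomplete.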
Adobe has faced a number of challenges in the area of security
during the past year, as hackers have increasingly homed in on some of
its most popular products, in particular Adobe Flash, Reader and
Acrobat. Of the 15 most exploited vulnerabilities observed by M86, four
involved Adobe Reader.
The report (PDF) also found that Java-based exploits are on the rise.
The most common attack scenario, the researchers wrote, is as
follows: an IFrame or JavaScript is injected into a Web page of a
legitimate site that redirects the browser to a malicious Web page that
includes an embedded, malicious Java applet.
"Over the past few months, a number of Java related exploits have
been actively used in the wild," according to the report. "The most
popular of these Java vulnerabilities are CVE-2010-0842, CVE-2009-3867,
CVE-2008-5353, CVE-2010-1423... With this kind of success, we expect
Java-based exploits to continue to remain a popular weapon of choice
for attacks in the wild."
"Traditional methods such as spambots and dynamic code obfuscation
are still very much in use," said Bradley Anstis, vice president of
technology strategy at M86, in a statement. "However the first half of
2010 has also seen the emergence of new advanced methods as seen in the
new combined attacks. Cybercriminals continue to try and outsmart even
the latest Internet security protection mechanisms."