Security company FireEye this week announced the release of an open source tool designed to automate the analysis of Adobe Flash files in order to identify malware and prevent infections.
Dubbed FLASHMINGO, the framework integrates with analysis workflows as a stand-alone application, but can also be used as a library, and allows for an expansion of its functionality via custom Python plug-ins.
FLASHMINGO takes advantage of the open SWIFFAS library for the parsing of SWF (Flash) files. It uses a large object named SWFObject to store information about the SWF, including a list of tags, information about methods, strings, constants and embedded binary data, and more.
“It is essentially a representation of the SWF file in an easily queryable format. FLASHMINGO is a collection of plug-ins that operate on the SWFObject and extract interesting information,” FireEye explains.
Plugins included in the framework allow for the identification of suspicious method names, constants, and loops, as well as for the retrieval of all embedded data. The tool also packs a decompiler plugin that uses the FFDEC Flash Decompiler.
Extending FLASHMINGO is easy, courtesy of a template plugin provided to those interested in building their own plugins, the security company says. Every plugin resides in its own directory in a plugins folder, and the tool searches these directories for manifest files and registers them if marked as active.
Adobe is on track to completely kill Flash in 2020, but that doesn’t mean that the multimedia plugin is a thing of the past. Companies are likely to fail eliminating Flash from their environments before it reaches end of support, FireEye says.
Although most of the development community has moved away from Flash a long time ago, Flash exploits continue to be used within malware samples, and the company predicts that the plugin will continue to be used as an infection vector for a while.
“Legacy technologies are juicy targets for attackers due to the lack of security updates. FLASHMINGO provides malware analysts a flexible framework to quickly deal with these pesky Flash samples without getting bogged down in the intricacies of the execution environment and file format,” FireEye concludes.