Conference Paper

A Study of Malcode-Bearing Documents.

DOI: 10.1007/978-3-540-73614-1_14 Conference: Detection of Intrusions and Malware, and Vulnerability Assessment, 4th International Conference, DIMVA 2007, Lucerne, Switzerland, July 12-13, 2007, Proceedings
Source: DBLP

ABSTRACT: By exploiting the object-oriented dynamic composability of modern document applications and formats, malcode hidden in otherwise inconspicuous documents can reach third-party applications that may harbor exploitable vulnerabilities otherwise unreachable by network-level service attacks. Such attacks can be very selective and difficult to detect compared to the typical network worm threat, owing to the complexity of these applications and data formats, as well as the multitude of document-exchange vectors. As a case study, this paper focuses on Microsoft Word documents as malcode carriers. We investigate the possibility of detecting embedded malcode in Word documents using two techniques: static content analysis using statistical models of typical document content, and run-time dynamic tests on diverse platforms. The experiments demonstrate that these approaches can detect not only known malware, but also most zero-day attacks. We identify several problems with both approaches, representing both challenges in addressing the problem and opportunities for future research.

  • ABSTRACT: Law enforcement employs an investigative approach based on marked money bills to track illegal drug dealers. In this paper we discuss research that aims at providing law enforcement with the cyber counterpart of that approach in order to track perpetrators that operate botnets. We have devised a novel steganographic approach that generates a watermark hidden within a honey token, i.e., a decoy Word document. The covert bits that comprise the watermark are carried via secret interpretation of object properties in the honey token. The encoding and decoding of object properties into covert bits follow a scheme based on bijective functions generated via a chaotic logistic map. The watermark is retrievable via a secret cryptographic key, which is generated and held by law enforcement. The honey token is leaked to a botmaster via a honey net. In the paper, we elaborate on possible means by which law enforcement can track the leaked honey token to the IP address of a botmaster's machine.
    2014 28th International Conference on Advanced Information Networking and Applications Workshops (WAINA); 05/2014
  • ABSTRACT: This paper proposes a new feature-goodness criterion named class-wise information gain (CIG). The CIG is able to measure the goodness of a feature for recognizing a specific class, and further helps to select the features with the highest information content for a specific class. In order to confirm the effectiveness of the CIG, a CIG-based malware detection method is proposed. Eight groups of experiments on three public malware datasets are carried out to evaluate the performance of the proposed CIG-based malware detection method through cross-validation. Comprehensive experimental results suggest that the CIG is an effective feature-goodness criterion, and the proposed CIG-based malware detection method is effective in detecting malware loaders and infected executables. This method outperforms the information gain (IG)-based malware detection method by about 26% in detecting infected executables, without a decrease in detecting malware loaders, while its memory requirement is empirically about 60% less than that of the IG-based malware detection method.
    2013 IEEE Third International Conference on Information Science and Technology (ICIST); 03/2013
  • ABSTRACT: We propose a method for the dynamic analysis of malicious documents that can exploit various types of vulnerability in applications. Static analysis of a document can be used to identify the type of vulnerability involved. However, it can be difficult to identify unknown vulnerabilities, and the application may not be available even if we could identify the vulnerability. In fact, malicious code that is executed after the exploitation may not have a relationship with the type of vulnerability in many cases. In this paper, we propose a method that extracts and executes “shellcode” to analyze malicious documents without requiring identification of the vulnerability or the application. Our system extracts shellcode by executing byte sequences to observe the features of a document file in a priority order decided on the basis of entropy. Our system was used to analyze 88 malware samples and was able to extract shellcode from 74 samples. Of these, 51 extracted shellcodes behaved as malicious software according to dynamic analysis.
    Proceedings of the 4th International Conference on Security Science and Technology (ICSST2015); 01/2015
