A shellcode is a code snippet used as the payload when exploiting a software vulnerability. In recent attack trends, shellcode embedded in documents is one of the most widely used vectors for targeted attacks. The significant aspects of these documents are their dynamic content and URL access, and the ease with which they can be camouflaged. Most security mechanisms are not equipped to deal with these weaponised documents. In this paper, we propose a tool to detect and identify malicious shellcode in documents such as PDF, Word and PowerPoint files, which are readily exchanged over the internet. The tool performs both static and dynamic analysis to detect and analyse the shellcode present. It extracts features of the document that are used to categorise it as malicious or benign, and performs code analysis on the suspicious object streams. Embedded JavaScript is de-obfuscated and interpreted using a JavaScript engine. Finally, dynamic analysis is performed using a decision tree machine-learning algorithm.
Gladis Brinda: Department of Information Technology, SRM University
SRM Nagar, Potheri, Kattankulathur-603203, Kancheepuram, Tamil Nadu 603203, India.
Geogen George: Assistant Professor, Information Security Research Center, SRM University
SRM Nagar, Potheri, Kattankulathur-603203, Kancheepuram, Tamil Nadu 603203, India.
Malicious documents remain an under-recognised threat, requiring robust detection and analysis techniques. In this paper, we focus on reviewing existing tools such as Wepawet [2], and on the methods and techniques that require our significant attention. An intrinsic component of the suggested tool ensures that evasion of static-analysis detection is significantly reduced. It also demonstrates the ability of a machine-learning algorithm to select properties that expose malicious features in documents. The experimental evaluation uses a fault-invariant classifier for preliminary analysis, reflecting the important properties that reveal malicious code and can help malware analysts better understand the viable threats posed by documents.
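As an added illustration of the static feature-extraction step described in the abstract and of the evasion problem raised above (example code written for this page, not the authors' tool): it counts PDF name objects commonly used as static features, decodes the `#xx` hex-escape form of names that a plain keyword scanner would miss, and applies a hand-written stand-in for the paper's learned decision tree. The sample PDF bytes and the rule are constructed for this example.

```python
import re
from collections import Counter

# PDF name objects commonly used as static features when separating benign
# documents from ones carrying script or auto-executing content.
FEATURE_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                 b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"}

_NAME = re.compile(rb"/[A-Za-z0-9#._-]+")      # one PDF name token
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")       # #xx escape inside a name
_OBJ = re.compile(rb"\d+\s+\d+\s+obj\b")       # "n g obj" headers
_STREAM = re.compile(rb"\bstream\b")           # "stream" but not "endstream"

def canonical_name(token: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript and /JavaScript count as one feature."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), token)

def extract_features(pdf: bytes) -> Counter:
    """Static pass: count feature names plus objects and streams in the file."""
    feats = Counter()
    for m in _NAME.finditer(pdf):
        name = canonical_name(m.group(0))
        if name in FEATURE_NAMES:
            feats[name.decode()] += 1
    feats["obj_count"] = len(_OBJ.findall(pdf))
    feats["stream_count"] = len(_STREAM.findall(pdf))
    return feats

def is_suspicious(feats: Counter) -> bool:
    """Hand-written stand-in for the paper's decision tree (assumption):
    script content combined with an automatic trigger marks the document
    for the dynamic (JavaScript interpretation) stage."""
    has_script = feats["/JavaScript"] + feats["/JS"] > 0
    has_trigger = feats["/OpenAction"] + feats["/AA"] + feats["/Launch"] > 0
    return has_script and has_trigger

# Constructed sample: a minimal PDF whose action type name is hex-escaped.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n"
    b"4 0 obj << /Type /ObjStm /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    f = extract_features(SAMPLE_PDF)
    print(dict(f), "suspicious:", is_suspicious(f))
```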
[1] Libemu, 2007. http://libemu.carnivore.it
[2] Wepawet, 2008. http://wepawet.cs.ucsb.edu
[3] Rieck K, Trinius P, Willems C, Holz T. Automatic analysis of malware behaviors using machine learning. Journal of Computer Science, 2011.
[4] Lu, Zhuge J, Wang R, Chen Y, Cao Y. De-obfuscation and detection of malicious PDF files with high accuracy. Proceedings of the 46th Hawaii International Conference on System Sciences, 2013.
[5] Maiorca D, Giacinto G, Corona I. Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, 2013.
[6] Pareek H, Eashwari P, Babu NSC, Bangalore C. Entropy and n-gram analysis of malicious PDF documents, 2013.
[7] Schmitt F, Gassen J, Gerhards-Padilla E. PDF Scrutinizer: detecting JavaScript-based attacks in PDF documents. Tenth Annual International Conference on Privacy, Security and Trust (PST), 2012.
[8] Schreck T, Berger S, Gobel J. BISSAM: automatic vulnerability identification in office documents. Detection of Intrusions and Malware, and Vulnerability Assessment, 2013.
[9] Sinha S, Bailey M, Jahanian F. Shades of grey: on the effectiveness of reputation-based blacklists. Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE), 2008.
[10] Smutz C, Stavrou A. Malicious PDF detection using metadata and structural features. Proceedings of the 28th Annual Computer Security Applications Conference, 2012.
[11] Srndic N, Laskov P. Detection of malicious PDF files based on hierarchical document structure. Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013.
[12] Srndic N, Laskov P. Static detection of malicious JavaScript-bearing PDF documents, 2011.
[13] Stevens D. Malicious PDF documents explained. IEEE Security & Privacy 9(1):80-82, Jan-Feb 2011.
[14] Tzermias Z, Sykiotakis G, Polychronakis M, Markatos EP. Combining static and dynamic analysis for the detection of malicious documents. Proceedings of the Fourth European Workshop on System Security, 2011.
[15] Ulucenk C, Varadharajan V, Tupakula U, Balakrishnan V. Techniques for analyzing PDF malware. Proceedings of the 18th Asia-Pacific Software Engineering Conference, 2011.
[16] Brun Y. Software fault identification via dynamic analysis and machine learning, 2003.