
Abstract

By exploiting the object-oriented dynamic composability of modern document applications and formats, malcode hidden in otherwise inconspicuous documents can reach third-party applications that may harbor exploitable vulnerabilities that are otherwise unreachable by network-level service attacks. Such attacks can be very selective and difficult to detect compared to the typical network worm threat, owing to the complexity of these applications and data formats as well as the multitude of document-exchange vectors. As a case study, this paper focuses on Microsoft Word documents as malcode carriers. We investigate the possibility of detecting embedded malcode in Word documents using two techniques: static content analysis using statistical models of typical document content, and run-time dynamic tests on diverse platforms. The experiments demonstrate that these approaches can detect not only known malware but also most zero-day attacks. We identify several problems with both approaches, representing both challenges in addressing the problem and opportunities for future research.




Editor information

Bernhard M. Hämmerli Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Li, WJ., Stolfo, S., Stavrou, A., Androulaki, E., Keromytis, A.D. (2007). A Study of Malcode-Bearing Documents. In: M. Hämmerli, B., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_14


  • DOI: https://doi.org/10.1007/978-3-540-73614-1_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1
