DOI: 10.1007/978-3-540-73614-1_14

A Study of Malcode-Bearing Documents

Published: 12 July 2007

Abstract

By exploiting the object-oriented dynamic composability of modern document applications and formats, malcode hidden in otherwise inconspicuous documents can reach third-party applications that may harbor exploitable vulnerabilities otherwise unreachable by network-level service attacks. Such attacks can be very selective and difficult to detect compared to the typical network worm threat, owing to the complexity of these applications and data formats, as well as the multitude of document-exchange vectors. As a case study, this paper focuses on Microsoft Word documents as malcode carriers. We investigate the possibility of detecting embedded malcode in Word documents using two techniques: static content analysis using statistical models of typical document content, and run-time dynamic tests on diverse platforms. The experiments demonstrate these approaches can not only detect known malware, but also most zero-day attacks. We identify several problems with both approaches, representing both challenges in addressing the problem and opportunities for future research.
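As an added illustration of the static content-analysis technique the abstract describes (example code written for this page, not the paper's own implementation), the sketch below builds an Anagram-style model of "normal" byte n-grams from benign documents, stores them in a Bloom filter, and scores a new document by the fraction of its n-grams never seen in training. The training corpus, the test documents, the n-gram size of 5 and both alert thresholds are constructed assumptions, and the embedded payload is a stand-in byte sequence rather than real shellcode. It goes one step past the plain score: it also reports the longest contiguous run of unseen n-grams, because padding a document with normal-looking text dilutes the fraction (a mimicry attack) but cannot break up a contiguous foreign payload.

```python
"""Added illustration (not the paper's code): an Anagram-style n-gram anomaly
detector over document bytes, as the abstract's static content analysis.
Corpus, test documents, n-gram size and thresholds are constructed assumptions."""
import hashlib

N = 5  # n-gram length (assumed)


def ngrams(data: bytes, n: int = N):
    """Yield every overlapping n-byte window of data."""
    for i in range(len(data) - n + 1):
        yield data[i:i + n]


class BloomFilter:
    """Fixed-size Bloom filter; k deterministic hashes from blake2b with
    distinct salts, so membership results are stable across runs."""

    def __init__(self, bits: int = 1 << 20, k: int = 3):
        self.bits, self.k = bits, k
        self.arr = bytearray(bits // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.blake2b(item, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(h, "big") % self.bits

    def add(self, item: bytes) -> None:
        for j in self._positions(item):
            self.arr[j >> 3] |= 1 << (j & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.arr[j >> 3] & (1 << (j & 7)) for j in self._positions(item))


class NGramModel:
    """'Normal content' model: every n-gram observed in benign training data."""

    def __init__(self, n: int = N):
        self.n = n
        self.seen = BloomFilter()

    def train(self, data: bytes) -> None:
        for g in ngrams(data, self.n):
            self.seen.add(g)

    def analyze(self, data: bytes):
        """Return (unseen_fraction, longest_unseen_run): the usual anomaly
        score, plus the longest stretch of consecutive unseen n-grams, which
        benign padding cannot shorten."""
        flags = [g not in self.seen for g in ngrams(data, self.n)]
        if not flags:
            return 0.0, 0
        longest = run = 0
        for unseen in flags:
            run = run + 1 if unseen else 0
            longest = max(longest, run)
        return sum(flags) / len(flags), longest


# Constructed training content standing in for the text streams of ordinary
# Word documents.
BENIGN_CORPUS = [
    b"Quarterly report: revenue increased in the third quarter of the year. ",
    b"Please review the attached budget and send comments by Friday. ",
    b"Meeting minutes: the committee approved the proposal for the new office. ",
    b"The project schedule has been updated; see the revised timeline below. ",
    b"Thank you for your attention to this matter. Kind regards, the team. ",
]
# Constructed test documents. FAKE_PAYLOAD is a stand-in for embedded native
# code (a NOP-like sled plus high-byte filler), not real shellcode.
BENIGN_TEST = (b"Please review the attached budget and send comments by Friday. "
               b"Kind regards, the team. ")
FAKE_PAYLOAD = b"\x90" * 16 + bytes(range(0x80, 0x100, 3)) + b"\xeb\xfe"
MALICIOUS_TEST = (b"Please review the attached budget and send comments by Friday. "
                  + FAKE_PAYLOAD + b"Kind regards, the team. ")
# Mimicry: the same malicious document padded with three copies of the corpus.
PADDED_TEST = MALICIOUS_TEST + b"".join(BENIGN_CORPUS) * 3

FRACTION_THRESHOLD = 0.30  # assumed
RUN_THRESHOLD = 32         # assumed: 32 consecutive unseen n-grams


def build_model() -> NGramModel:
    model = NGramModel()
    for doc in BENIGN_CORPUS:
        model.train(doc)
    return model


def is_suspicious(doc: bytes, model: NGramModel) -> bool:
    """Alert if either the unseen fraction or the longest unseen run is high."""
    fraction, longest = model.analyze(doc)
    return fraction > FRACTION_THRESHOLD or longest > RUN_THRESHOLD


if __name__ == "__main__":
    m = build_model()
    for doc in (BENIGN_TEST, MALICIOUS_TEST, PADDED_TEST):
        print(m.analyze(doc), is_suspicious(doc, m))
```

On the constructed inputs the benign document scores a few unseen n-grams at the join between two training phrases, the document with the embedded payload scores well above the fraction threshold, and the padded copy drops below the fraction threshold yet is still caught by the run length. Against real Word files the bytes fed to the model would be the individual streams of the OLE2 compound document rather than the raw file, so that the container's own structures do not dominate the model.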




Published In

DIMVA '07: Proceedings of the 4th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
July 2007, 250 pages
ISBN: 9783540736134

Publisher

Springer-Verlag, Berlin, Heidelberg


Author Tags

  1. Intrusion Detection
  2. N-gram
  3. Sandbox Diversity

Qualifiers

  • Article


Cited By

  • (2024) A Comprehensive Analysis of Explainable AI for Malware Hunting. ACM Computing Surveys 56(12), 1-40. doi:10.1145/3677374 (online 11-Jul-2024)
  • (2019) Capturing the symptoms of malicious code in electronic documents by file's entropy signal combined with machine learning. Applied Soft Computing 82(C). doi:10.1016/j.asoc.2019.105598 (online 1-Sep-2019)
  • (2018) Towards Building Active Defense Systems for Software Applications. Cyber Security Cryptography and Machine Learning, 144-161. doi:10.1007/978-3-319-94147-9_12 (online 21-Jun-2018)
  • (2016) Hidost. EURASIP Journal on Information Security 2016(1), 1-20. doi:10.1186/s13635-016-0045-0 (online 1-Dec-2016)
  • (2016) SFEM. Expert Systems with Applications: An International Journal 63(C), 324-343. doi:10.1016/j.eswa.2016.07.010 (online 30-Nov-2016)
  • (2016) NIC displays to thwart malware attacks mounted from within the OS. Computers and Security 61(C), 59-71. doi:10.1016/j.cose.2016.05.002 (online 1-Aug-2016)
  • (2015) Preventing Exploits in Microsoft Office Documents Through Content Randomization. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 9404, 225-246. doi:10.1007/978-3-319-26362-5_11 (online 2-Nov-2015)
  • (2013) Looking at the bag is not enough to find the bomb. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, 119-130. doi:10.1145/2484313.2484327 (online 8-May-2013)
  • (2013) Advanced Detection Tool for PDF Threats. Revised Selected Papers of the 8th International Workshop on Data Privacy Management and Autonomous Spontaneous Security, Volume 8247, 300-315. doi:10.1007/978-3-642-54568-9_19 (online 12-Sep-2013)
  • (2013) Deobfuscating Embedded Malware Using Probable-Plaintext Attacks. Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 8145, 164-183. doi:10.1007/978-3-642-41284-4_9 (online 23-Oct-2013)
