TY - GEN
T1 - Shellcode detector for malicious document hunting
AU - Chen, Chong Kuan
AU - Lan, Shen Chieh
AU - Shieh, Shiuhpyng
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/10/18
Y1 - 2017/10/18
N2 - Advanced Persistent Threat (APT) attacks have become a major network threat in recent years. Among APT attack techniques, sending a phishing email with malicious documents attached is considered one of the most effective. Although many users have the impression that documents are harmless, a malicious document may in fact contain shellcode to attack victims. To cope with this problem, we design and implement a malicious document detector called Forensor to differentiate malicious documents. Forensor integrates several open-source tools and methods. It first introspects the file format to retrieve the objects inside the document, and then automatically decrypts simple encryption methods commonly used in malware, e.g., XOR, rot and shift, to discover potential shellcode. An emulator is used to verify the presence of shellcode. If shellcode is discovered, the file is considered malicious. The experiment used 9,000 benign files and more than 10,000 malware samples from a well-known sample-sharing website. The result shows no false negatives and only 2 false positives.
AB - Advanced Persistent Threat (APT) attacks have become a major network threat in recent years. Among APT attack techniques, sending a phishing email with malicious documents attached is considered one of the most effective. Although many users have the impression that documents are harmless, a malicious document may in fact contain shellcode to attack victims. To cope with this problem, we design and implement a malicious document detector called Forensor to differentiate malicious documents. Forensor integrates several open-source tools and methods. It first introspects the file format to retrieve the objects inside the document, and then automatically decrypts simple encryption methods commonly used in malware, e.g., XOR, rot and shift, to discover potential shellcode. An emulator is used to verify the presence of shellcode. If shellcode is discovered, the file is considered malicious. The experiment used 9,000 benign files and more than 10,000 malware samples from a well-known sample-sharing website. The result shows no false negatives and only 2 false positives.
KW - Malicious documents
KW - Malware
KW - Shellcode
UR - http://www.scopus.com/inward/record.url?scp=85039918627&partnerID=8YFLogxK
U2 - 10.1109/DESEC.2017.8073875
DO - 10.1109/DESEC.2017.8073875
M3 - Conference contribution
AN - SCOPUS:85039918627
T3 - 2017 IEEE Conference on Dependable and Secure Computing
SP - 527
EP - 528
BT - 2017 IEEE Conference on Dependable and Secure Computing
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2017 IEEE Conference on Dependable and Secure Computing
Y2 - 7 August 2017 through 10 August 2017
ER -