论文信息 - A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation

A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation

We propose a method for the dynamic analysis of malicious documents that can exploit various types of vulnerability in applications. Static analysis of a document can be used to identify the type of vulnerability involved. However, it can be difficult to identify unknown vulnerabilities, and the application may not be available even if we could identify the vulnerability. In fact, malicious code that is executed after the exploitation may not have a relationship with the type of vulnerability in many cases. In this paper, we propose a method that extracts and executes "shellcode" to analyze malicious documents without requiring identification of the vulnerability or the application. Our system extracts shellcode by executing byte sequences to observe the features of a document file in a priority order decided on the basis of entropy.Our system was used to analyze 88 malware samples and was able to extract shellcode from 74 samples. of these, 51 extracted shellcodes behaved as malicious software according to dynamic analysis. Index Terms—Malware, shellcode, entropy, dynamic analysis, vulnerability.

Katsumi Wasaki | Kazuki Iwamoto

[1] Christopher Krügel,et al. Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[2] Hiroki Nogawa,et al. Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation , 2009, IEICE Trans. Inf. Syst..

[3] Christopher Krügel,et al. Shellzer: A Tool for the Dynamic Analysis of Malicious Shellcode , 2011, RAID.

[4] Koji Nakao,et al. Malware Behavior Analysis in Isolated Miniature Network for Revealing Malware's Network Activity , 2008, 2008 IEEE International Conference on Communications.

[5] Koji Nakao,et al. Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities , 2009, IEICE Trans. Inf. Syst..

[6] Ricardo J. Rodríguez,et al. Detection of Intrusions and Malware, and Vulnerability Assessment , 2016, Lecture Notes in Computer Science.

[7] Salvatore J. Stolfo,et al. A Study of Malcode-Bearing Documents , 2007, DIMVA.

[8] Evangelos P. Markatos,et al. Network-level polymorphic shellcode detection using emulation , 2006, Journal in Computer Virology.

[9] Marco Ramilli,et al. Return-Oriented Programming , 2012, IEEE Security & Privacy.