A Combined Malicious Documents Detecting Method Based on Emulators

ShellCode injections carried by malicious JavaScript code in documents are becoming more prevalent and more dangerous, and existing methods have limitations in detecting this kind of attack. In this article, we survey the detection of malicious documents and propose an approach for detecting documents that contain JavaScript ShellCode. Our approach produces an impact factor that represents the reliability of the judgement that a document is malicious. We use both static detection and dynamic detection and then combine the results of the two methods, which yields an acceptable overhead while making the detection immune to obfuscation. We have implemented a proof-of-concept prototype of the detection system on a Linux platform and evaluated its accuracy and performance overhead on the test platform. The results show that the system reports very few faults with an acceptable overhead.
