FCScan: A New Lightweight and Effective Approach for Detecting Malicious Content in Electronic Documents

Electronic documents, such as PDF and Microsoft Office files, have become a ubiquitous attack vector in recent years, especially in the complex attacks carried out by Advanced Persistent Threats. Current security measures do not protect users and endpoints effectively: they either rely on static checks and analysis that attackers can bypass and circumvent, or they require CPU-intensive analysis that is usually offloaded to external systems, which cannot replicate all of the actual parameters of the intended victim's environment. We present a lightweight analysis system that detects malware in electronic documents in real time and at the endpoint. To show the effectiveness of our approach, we have implemented and tested a prototype based on the ubiquitous Adobe Acrobat Reader.
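The claim that static checks are easy to bypass is worth making concrete. The following is an added illustration written for this page, not code from the FCScan paper or its prototype: it builds two constructed, inert PDFs (a harmless `app.alert` call, no exploit) that carry the same `/OpenAction` JavaScript trigger, one written plainly and one using two pieces of perfectly legal PDF syntax, `#xx` hex escapes in name objects and a FlateDecode-compressed object stream. A grep-style keyword check flags the first and misses the second; only after inflating streams and decoding name escapes does the same keyword list match again. The suspicious-name list and the minimal document structure are the example's own choices.

```python
"""Added illustration: why keyword-based static checks on PDFs are easy to evade.

Constructed toy, not the FCScan paper's code. The sample documents are built
inline and are inert (they contain a harmless app.alert call, no exploit).
"""
import re
import zlib

# Names a naive static scanner typically greps for in a PDF (example's own list).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def build_sample_pdf(evasive: bool) -> bytes:
    """Constructed sample: a minimal PDF whose catalog /OpenAction points at a
    JavaScript action. With evasive=True the same document spells the names with
    #xx hex escapes (legal PDF name syntax, ISO 32000-1 section 7.3.5) and packs
    the action dictionary into a FlateDecode-compressed object stream, so the
    keywords never appear as plain bytes in the file."""
    pages = b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    if not evasive:
        catalog = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        action = b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    else:
        catalog = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Op#65nAction 3 0 R >>\nendobj\n"
        # Object stream body: "<objnum> <offset>" header pair, then object 3 itself.
        body = b"3 0 << /S /Java#53cript /J#53 (app.alert(1)) >>"
        packed = zlib.compress(body)
        header = (b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length %d "
                  b"/Filter /FlateDecode >>\nstream\n" % len(packed))
        action = header + packed + b"\nendstream\nendobj\n"
    return b"%PDF-1.5\n" + catalog + pages + action + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def naive_scan(data: bytes) -> list:
    """What a grep-style static check sees: suspicious names present as raw bytes."""
    return sorted(n.decode() for n in SUSPICIOUS_NAMES if n in data)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed content of every zlib (FlateDecode) stream to the
    raw bytes so names hidden inside compressed object streams become visible.
    Streams that do not decode as zlib are skipped (other filters are not handled)."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        d = zlib.decompressobj()
        try:
            extra.append(d.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join([data] + extra)


def decode_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF name objects, so /Java#53cript -> /JavaScript.
    A name runs from '/' to the next whitespace or delimiter character."""
    def unescape(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return re.sub(rb"/[^\s/<>\[\]()%{}]+", unescape, data)


def normalized_scan(data: bytes) -> list:
    """Same keyword check, run after inflating streams and decoding name escapes."""
    return naive_scan(decode_names(inflate_streams(data)))


if __name__ == "__main__":
    for evasive in (False, True):
        pdf = build_sample_pdf(evasive)
        print(f"evasive={evasive}: naive={naive_scan(pdf)} normalized={normalized_scan(pdf)}")
```

Even the normalized check is still a static check against a fixed list: an attacker can chain filters, hide the trigger in an incremental update, split or obfuscate the JavaScript itself, or exploit a parsing bug with no JavaScript at all. That is the gap the abstract points to when it argues for detection at runtime, on the endpoint where the document is actually rendered.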