Looking at the bag is not enough to find the bomb: An evasion of structural methods for malicious PDF files detection

ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

Volumn , Issue , 2013, Pages 119-129

  Maiorca, Davide ^a   Corona, Igino ^a   Giacinto, Giorgio ^a  

^a UNIVERSITY OF CAGLIARI   (Italy)

Author keywords

detection evasion; machine learning; pdf malware detection; reverse mimicry

Indexed keywords

LOGICAL STRUCTURE; MALICIOUS PDF; MALWARE DETECTION; PDF FILES; PROTECTION MECHANISMS; REAL SAMPLES; REVERSE MIMICRY; STRUCTURAL METHODS;

COMPUTER CRIME; DETECTORS; LEARNING SYSTEMS;

SECURITY OF DATA;

EID: 84877998967     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2484313.2484327     Document Type: Conference Paper

References (42)

1. Contagio. http://contagiodump.blogspot.it.
2. Malware tracker. http://www.malwaretracker.com/pdfthreat.php.
3. Metasploit framework. Http://www.metasploit.com/.
4. Origami framework. Http://esec-lab.sogeti.com/pages/Origami.
5. Pdf tools. http://blog.didierstevens.com/programs/pdf-tools/.
6. Pdfrate. http://pdfrate.com.
7. Peepdf. Http://eternal-todo.com/tools/peepdf-pdf-analysis-tool.
8. Pypdf. http://pybrary.net/pyPdf/.
9. Social engineering toolkit. Https://www.secmaniac.com/.
10. Wepawet. Http://wepawet.iseclab.org/index.php.
11. PDF Reference. Adobe Portable Document Format Version 1.7. Adobe, November 2006.
12. Adobe Supplement to ISO 32000. Adobe, June 2008.
13. Foxit reader stack overflow exploit. http://www.exploit-db.com/foxit- reader-stack-overflow-exploit-egghunter/, November 2010.
14. Add javascript to existing pdf files (python). http://blog.rsmoorthy.net/ 2012/01/add-javascript-to-existing-pdf-files.html, 2012.
15. Internet Security Threat Reports. 2011 Trends. Symantec, April 2012.
16. P. Bania. Jit spraying and mitigations. CoRR, http://www.piotrbania.com/ all/articles/pbania-jit-mitigations2010.pdf, 2010.
17. E. Buchanan, R. Roemer, S. Sevage, and H. Shacham. Return-oriented programming: Exploitation without code injection. In Black Hat '08, 2008.
18. D. Canali, M. Cova, G. Vigna, and C. Kruegel. Prophiler: a fast filter for the large-scale detection of malicious web pages. In Proceedings of the 20th international conference on World wide web, WWW '11, pages 197-206, New York, NY, USA, 2011. ACM.
19. M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of drive-by-download attacks and malicious javascript code. In Proceedings of the 19th international conference on World wide web, WWW '10, pages 281-290, New York, NY, USA, 2010. ACM.
20. J. S. Cross and M. A. Munson. Deep pdf parsing to extract features for detecting embedded malware. Technical report, Sandia National Laboratories, 2011.
21. C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert. Zozzle: fast and precise in-browser javascript malware detection. In Proceedings of the 20th USENIX conference on Security, SEC'11, pages 3-3, Berkeley, CA, USA, 2011. USENIX Association.
22. M. Engleberth, C. Willems, and T. Holz. Detecting malicious documents with combined static and dynamic analysis. Technical report, Virus Bulletin, 2009.
23. S. Jana and V. Shmatikov. Abusing file processing in malware detectors for fun and profit. In IEEE Symposium on Security and Privacy, pages 80-94, 2012.
24. P. Laskov and N. Šrndić. Static detection of malicious javascript-bearing pdf documents. In Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC '11, pages 373-382, New York, NY, USA, 2011. ACM.
25. W.-J. Li, S. Stolfo, A. Stavrou, E. Androulaki, and A. D. Keromytis. A study of malcode-bearing documents. In Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '07, pages 231-250, Berlin, Heidelberg, 2007. Springer-Verlag.
26. D. Maiorca, G. Giacinto, and I. Corona. A pattern recognition system for malicious pdf files detection. In Proceedings of the 8th international conference on Machine Learning and Data Mining in Pattern Recognition, MLDM'12, pages 510-524, Berlin, Heidelberg, 2012. Springer-Verlag.
27. S. Porst. A brief analysis of a malicious pdf file which exploits this week's flash 0-day. http://blog.zynamics.com/, 2010.
28. M. A. Rahman. Getting owned by malicious pdf - analysis. Technical report, SANS Institute, 2008.
29. P. Ratanaworabhan, B. Livshits, and B. Zorn. Nozzle: a defense against heap-spraying code injection attacks. In Proceedings of the 18th conference on USENIX security symposium, SSYM'09, pages 169-186, Berkeley, CA, USA, 2009. USENIX Association.
30. K. Rieck, T. Holz, C. Willems, P. Düssel, and P. Laskov. Learning and classification of malware behavior. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '08, pages 108-125, Berlin, Heidelberg, 2008. Springer-Verlag.
31. K. Rieck, T. Krueger, and A. Dewald. Cujo: efficient detection and prevention of drive-by-download attacks. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, pages 31-39, New York, NY, USA, 2010. ACM.
32. M. Z. Shafiq, S. A. Khayam, and M. Farooq. Embedded malware detection using markov n-grams. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '08, pages 88-107, Berlin, Heidelberg, 2008. Springer-Verlag.
33. C. Smutz and A. Stavrou. Malicious pdf detection using metadata and structural features. In Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC '12, 2012.
34. K. Z. Snow, S. Krishnan, F. Monrose, and N. Provos. Shellos: enabling fast detection and forensic analysis of code injection attacks. In Proceedings of the 20th USENIX conference on Security, SEC'11, 2011.
35. D. Stevens. Escape from pdf. http://blog.didierstevens.com/2010/03/29/ escape-from-pdf/, 2010.
36. D. Stevens. Free Malicious PDF Analysis. http://didierstevens.com/files/ data/malicious-pdf-analysis-ebook.zip, 2010.
37. D. Stevens. Malicious pdf documents explained. IEEE Security and Privacy, 9(1):80-82, Jan. 2011.
38. S. M. Tabish, M. Z. Shafiq, and M. Farooq. Malware detection using statistical analysis of byte-level file content. In Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD '09, pages 23-31, New York, NY, USA, 2009. ACM.
39. Z. Tzermias, G. Sykiotakis, M. Polychronakis, and E. P. Markatos. Combining static and dynamic analysis for the detection of malicious documents. In Proceedings of the Fourth European Workshop on System Security, EUROSEC '11, pages 4:1-4:6, New York, NY, USA, 2011. ACM.
40. N. Šrndić and P. Laskov. Detection of malicious pdf files based on hierarchical document structure. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013.
41. C. Willems, T. Holz, and F. Freiling. Toward automated dynamic malware analysis using cwsandbox. IEEE Security and Privacy, 5(2), March 2007.
42. Yahoo. Search api. http://developer.yahoo.com, December 2012.