malicious pdf detection is important
play

Malicious PDF Detection is important! 129 Adobe Reader CVE's in 2015 - PowerPoint PPT Presentation

Nov 07, 2023 •133 likes •628 views

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors Curtis Carmony, Mu Zhang, Xunchao Hu, Abhishek Vasisht Bhaskar, and Heng Yin Department of EECS, Syracuse University College of Engineering L.C.Smith and Computer Science Malicious

  1. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors Curtis Carmony, Mu Zhang, Xunchao Hu, Abhishek Vasisht Bhaskar, and Heng Yin Department of EECS, Syracuse University College of Engineering L.C.Smith and Computer Science

  2. Malicious PDF Detection is important! • 129 Adobe Reader CVE's in 2015 • Up from 44 in 2014 • Existing detection techniques have limitations • Malicious PDF detection is difficult: • The PDF format is very complex and evolving • Adobe Reader with often process PDFs deviating from the specification in an attempt to “just work” 2

  3. Existing Malicious PDF Detection Methods Technique Detectors Detection Parser Evasion Capability Requirement Techniques Signature-based AV Scanners Varies Low - Medium Malware Shafiq et al. Polymorphism PDF Malware Slayer Medium Medium Mimicry Attack Metadata & Structure -based PDFrate Reverse Mimicry Š rndi ć and Laskov Attack JavaScript-based Liu et al. Varies High MDScan PJScan 3

  4. Parsing Matters • We need to actually look for malicious content • JavaScript based detection methods are most likely to detect modern threats, but have highest parser requirements • Successful malicious PDF detection depends on accurate and reliable parsing 4

  5. Hypotheses • Significant parsing discrepancies between detectors and Adobe Reader likely exist • By improving the parser and removing these discrepancies existing detection methods can be improved 5

  6. The Reference Extractor • To evaluate our hypotheses we need to know: • Which files Adobe Reader will actually open and those which it will not • Precisely the JS Adobe Reader executes • We can modify Adobe Reader to produce this information – “reference extractor” • Each reference extractor is specific to a version of Adobe Reader • We need a technique which is robust and repeatable • Mostly-automatic/low level of manual effort 6

  7. Development of the Reference Extractor • Identify “tap points” – locations in Adobe Reader binary where we can extract information: • processing termination – indicates Adobe Reader has finished initial processing of file • processing error – indicates Adobe Reader has encountered an error during initial processing • JavaScript extraction – yields a reference to all executed JavaScript 7

  8. Development of the Reference Extractor 8

  9. Tap Point Identification • Processing Error/Processing Termination tap points: • Compare execution traces to identify basic-blocks executed precisely when the conditions for each tap point are met • JavaScript extraction tap point: • Group memory accesses into contiguous memory operations • Look for JavaScript which we know was executed • Based on existing technique (Dolan-Gavitt et al. ’13) • Full details are in paper 9

  10. Reference Extractor Deployment 10

  11. Data Set • Collected 163,306 PDF’s from VT, no restrictions • Ran them through two reference extractors and four open source tools • 5,267 were identified as containing JavaScript by any single tool • 1,453 of the samples we consider malicious with 15 or more VT detections 11

  12. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 12

  13. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 13

  14. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 14

  15. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 15

  16. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 16

  17. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 17

  18. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 18

  19. Failings and Limitations Affected Extractors libpdfjs jsunpack-n Origami û û ü Comment in trailer û ü ü Comment in dictionary û ü û Trailing whitespace in stream data Security handler revision 5 hex encoded encryption Implementation bugs û ü û data parsing Security handler revision 3, 4 encryption key û ü û computation û ü û Hexadecimal string literal in encoded objects û ü ü Use of orphaned encryption objects Design Errors Security handler revision 5 encryption key û ü û computation without encrypted metadata ü û û No XFA support Omissions ü û û No security handler revision 5 support ü û û No security handler revision 6 support No cross-reference table and invalid object Ambiguities û û ü keywords 19

  20. Failings and Limitations Affected Extractors libpdfjs jsunpack-n Origami û û ü Comment in trailer û ü ü Comment in dictionary û ü û Trailing whitespace in stream data Security handler revision 5 hex encoded encryption Implementation bugs û ü û data parsing Security handler revision 3, 4 encryption key û ü û computation û ü û Hexadecimal string literal in encoded objects û ü ü Use of orphaned encryption objects Design Errors Security handler revision 5 encryption key û ü û computation without encrypted metadata ü û û No XFA support Omissions ü û û No security handler revision 5 support ü û û No security handler revision 6 support No cross-reference table and invalid object Ambiguities û û ü keywords 20

  21. Failings and Limitations Affected Extractors libpdfjs jsunpack-n Origami û û ü Comment in trailer û ü ü Comment in dictionary û ü û Trailing whitespace in stream data Security handler revision 5 hex encoded encryption Implementation bugs û ü û data parsing Security handler revision 3, 4 encryption key û ü û computation û ü û Hexadecimal string literal in encoded objects û ü ü Use of orphaned encryption objects Design Errors Security handler revision 5 encryption key û ü û computation without encrypted metadata ü û û No XFA support Omissions ü û û No security handler revision 5 support ü û û No security handler revision 6 support No cross-reference table and invalid object Ambiguities û û ü keywords 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of) malicious activities without having to read logs Logs are boring, reading them takes a lot of time Graphic visualisation is more effective, fast

855 views • 30 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
Accounting and Controls for Timely Detection of a Malicious Act IAEA Headquarters, Vienna,

Accounting and Controls for Timely Detection of a Malicious Act IAEA Headquarters, Vienna,

International Conference on Physical Protection of Nuclear Material and Nuclear Facilities Accounting and Controls for Timely Detection of a Malicious Act IAEA Headquarters, Vienna, Austria 13-17 November 2017 Robert K. Larsen, Division of

511 views • 26 slides
Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali Ikinci ali[at]ikinci.info 9. July 2007 Head of Department: Prof. Dr. Felix Freiling Supervisor: Dipl.-Inform. Thorsten Holz Laboratory for Dependable

665 views • 32 slides
Malicious behavior detection based on CyberArk PAS logs through string matching and genetic

Malicious behavior detection based on CyberArk PAS logs through string matching and genetic

RP2 Mike Slotboom and Ivar Slotboom Malicious behavior detection based on CyberArk PAS logs UvA/SNE Malicious behavior detection based on CyberArk PAS logs through string matching and genetic neural networks Presenters: Ivar Slotboom and Mike

334 views • 29 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Caffeine Monkey Automated Collection, Detection and Analysis of Malicious JavaScript Ben

Caffeine Monkey Automated Collection, Detection and Analysis of Malicious JavaScript Ben

Caffeine Monkey Automated Collection, Detection and Analysis of Malicious JavaScript Ben Feinstein, CISSP Daniel Peck SecureWorks, Inc. Feinstein & Peck Black Hat USA 2007 1 Introductions Welcome to Black Hat USA 2007! Who are

533 views • 31 slides
faster c&c detection - strategies for finding algorithmically generated domain names

faster c&c detection - strategies for finding algorithmically generated domain names

. Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection

1.38k views • 99 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic

Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic

Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security 19 Memory Forensics - Introduction Infected Machine Memory Dump Analysis

648 views • 47 slides
for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID

for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID

Learning to rank adaptively for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID and IST, University of Lisbon Helena Galhardas, INESC-ID and IST, University of Lisbon Luis Gravano, Columbia

682 views • 30 slides
Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto,

Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto,

Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto, Kuniaki Uehara (Kobe University) Takashi Shinozaki (NICT) Kimiaki Shirahama, Marcin Grzegozek (University of Siegen) Our Contribution A method of using

1.07k views • 35 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
Extracting Metadata from Stata Datasets Suzanna Vidmar and Luke Stevens Clinical Epidemiology and

Extracting Metadata from Stata Datasets Suzanna Vidmar and Luke Stevens Clinical Epidemiology and

Extracting Metadata from Stata Datasets Suzanna Vidmar and Luke Stevens Clinical Epidemiology and Biosta;s;cs Unit Murdoch Childrens Research Ins;tute Da Data sharing and s a sharing and storag age e To enable data sharing, the data

704 views • 51 slides
How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo

How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo

How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo Ribeiro Luisa Siniscalchi Ivan Visconti University of Salerno CQT & National University of Singapore Imperial College London University of

782 views • 24 slides
Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong

Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong

Folktales As Classifiable Texts Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong Nguyen and Marit Theune Once upon a time There was

421 views • 23 slides
Does Automated Refactoring Obviate Systematic Editing? Na Meng*

Does Automated Refactoring Obviate Systematic Editing? Na Meng*

Does Automated Refactoring Obviate Systematic Editing? Na Meng* Lisa Hua* Miryung Kim + Kathryn S. McKinley The University of Texas at

340 views • 19 slides

More recommend