malicious pdf detection is important
play

Malicious PDF Detection is important! 129 Adobe Reader CVE's in 2015 - PowerPoint PPT Presentation

Nov 07, 2023 •133 likes •628 views

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors Curtis Carmony, Mu Zhang, Xunchao Hu, Abhishek Vasisht Bhaskar, and Heng Yin Department of EECS, Syracuse University College of Engineering L.C.Smith and Computer Science Malicious

  1. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors Curtis Carmony, Mu Zhang, Xunchao Hu, Abhishek Vasisht Bhaskar, and Heng Yin Department of EECS, Syracuse University College of Engineering L.C.Smith and Computer Science

  2. Malicious PDF Detection is important! • 129 Adobe Reader CVE's in 2015 • Up from 44 in 2014 • Existing detection techniques have limitations • Malicious PDF detection is difficult: • The PDF format is very complex and evolving • Adobe Reader with often process PDFs deviating from the specification in an attempt to “just work” 2

  3. Existing Malicious PDF Detection Methods Technique Detectors Detection Parser Evasion Capability Requirement Techniques Signature-based AV Scanners Varies Low - Medium Malware Shafiq et al. Polymorphism PDF Malware Slayer Medium Medium Mimicry Attack Metadata & Structure -based PDFrate Reverse Mimicry Š rndi ć and Laskov Attack JavaScript-based Liu et al. Varies High MDScan PJScan 3

  4. Parsing Matters • We need to actually look for malicious content • JavaScript based detection methods are most likely to detect modern threats, but have highest parser requirements • Successful malicious PDF detection depends on accurate and reliable parsing 4

  5. Hypotheses • Significant parsing discrepancies between detectors and Adobe Reader likely exist • By improving the parser and removing these discrepancies existing detection methods can be improved 5

  6. The Reference Extractor • To evaluate our hypotheses we need to know: • Which files Adobe Reader will actually open and those which it will not • Precisely the JS Adobe Reader executes • We can modify Adobe Reader to produce this information – “reference extractor” • Each reference extractor is specific to a version of Adobe Reader • We need a technique which is robust and repeatable • Mostly-automatic/low level of manual effort 6

  7. Development of the Reference Extractor • Identify “tap points” – locations in Adobe Reader binary where we can extract information: • processing termination – indicates Adobe Reader has finished initial processing of file • processing error – indicates Adobe Reader has encountered an error during initial processing • JavaScript extraction – yields a reference to all executed JavaScript 7

  8. Development of the Reference Extractor 8

  9. Tap Point Identification • Processing Error/Processing Termination tap points: • Compare execution traces to identify basic-blocks executed precisely when the conditions for each tap point are met • JavaScript extraction tap point: • Group memory accesses into contiguous memory operations • Look for JavaScript which we know was executed • Based on existing technique (Dolan-Gavitt et al. ’13) • Full details are in paper 9

  10. Reference Extractor Deployment 10

  11. Data Set • Collected 163,306 PDF’s from VT, no restrictions • Ran them through two reference extractors and four open source tools • 5,267 were identified as containing JavaScript by any single tool • 1,453 of the samples we consider malicious with 15 or more VT detections 11

  12. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 12

  13. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 13

  14. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 14

  15. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 15

  16. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 16

  17. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 17

  18. Differential Analysis Results Version 9.5.0 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4397 4625 5053 4508 4398 Matches - 3940 4247 3863 3721 Invalid (ben./mal.) - 7(7/0) 26(10/16) 23(0/23) - Zero (ben./mal.) - 450(20/430) 124(113/11) 511(76/435) 676(253/423) Inconclusive - 356 500 318 677 Version 11.0.08 Reference Extractor libpfjs jsunpack-n Origami PDFiD Total 4704 4625 5053 4508 4398 Matches - 4269 4537 4167 3904 Invalid (ben./mal.) - 0(0/0) 16(0/16) 23(0/23) - Zero (ben./mal.) - 435(6/429) 151(140/11) 514(80/434) 800(377/423) Inconclusive - 356 500 318 494 18

  19. Failings and Limitations Affected Extractors libpdfjs jsunpack-n Origami û û ü Comment in trailer û ü ü Comment in dictionary û ü û Trailing whitespace in stream data Security handler revision 5 hex encoded encryption Implementation bugs û ü û data parsing Security handler revision 3, 4 encryption key û ü û computation û ü û Hexadecimal string literal in encoded objects û ü ü Use of orphaned encryption objects Design Errors Security handler revision 5 encryption key û ü û computation without encrypted metadata ü û û No XFA support Omissions ü û û No security handler revision 5 support ü û û No security handler revision 6 support No cross-reference table and invalid object Ambiguities û û ü keywords 19

  20. Failings and Limitations Affected Extractors libpdfjs jsunpack-n Origami û û ü Comment in trailer û ü ü Comment in dictionary û ü û Trailing whitespace in stream data Security handler revision 5 hex encoded encryption Implementation bugs û ü û data parsing Security handler revision 3, 4 encryption key û ü û computation û ü û Hexadecimal string literal in encoded objects û ü ü Use of orphaned encryption objects Design Errors Security handler revision 5 encryption key û ü û computation without encrypted metadata ü û û No XFA support Omissions ü û û No security handler revision 5 support ü û û No security handler revision 6 support No cross-reference table and invalid object Ambiguities û û ü keywords 20

  21. Failings and Limitations Affected Extractors libpdfjs jsunpack-n Origami û û ü Comment in trailer û ü ü Comment in dictionary û ü û Trailing whitespace in stream data Security handler revision 5 hex encoded encryption Implementation bugs û ü û data parsing Security handler revision 3, 4 encryption key û ü û computation û ü û Hexadecimal string literal in encoded objects û ü ü Use of orphaned encryption objects Design Errors Security handler revision 5 encryption key û ü û computation without encrypted metadata ü û û No XFA support Omissions ü û û No security handler revision 5 support ü û û No security handler revision 6 support No cross-reference table and invalid object Ambiguities û û ü keywords 21

Recommend

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of) malicious activities without having to read logs Logs are boring, reading them takes a lot of time Graphic visualisation is more effective, fast

855 views • 30 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
Accounting and Controls for Timely Detection of a Malicious Act IAEA Headquarters, Vienna,

Accounting and Controls for Timely Detection of a Malicious Act IAEA Headquarters, Vienna,

International Conference on Physical Protection of Nuclear Material and Nuclear Facilities Accounting and Controls for Timely Detection of a Malicious Act IAEA Headquarters, Vienna, Austria 13-17 November 2017 Robert K. Larsen, Division of

511 views • 26 slides
Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali Ikinci ali[at]ikinci.info 9. July 2007 Head of Department: Prof. Dr. Felix Freiling Supervisor: Dipl.-Inform. Thorsten Holz Laboratory for Dependable

665 views • 32 slides
Malicious behavior detection based on CyberArk PAS logs through string matching and genetic

Malicious behavior detection based on CyberArk PAS logs through string matching and genetic

RP2 Mike Slotboom and Ivar Slotboom Malicious behavior detection based on CyberArk PAS logs UvA/SNE Malicious behavior detection based on CyberArk PAS logs through string matching and genetic neural networks Presenters: Ivar Slotboom and Mike

334 views • 29 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Caffeine Monkey Automated Collection, Detection and Analysis of Malicious JavaScript Ben

Caffeine Monkey Automated Collection, Detection and Analysis of Malicious JavaScript Ben

Caffeine Monkey Automated Collection, Detection and Analysis of Malicious JavaScript Ben Feinstein, CISSP Daniel Peck SecureWorks, Inc. Feinstein & Peck Black Hat USA 2007 1 Introductions Welcome to Black Hat USA 2007! Who are

533 views • 31 slides
faster c&c detection - strategies for finding algorithmically generated domain names

faster c&c detection - strategies for finding algorithmically generated domain names

. Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection

1.38k views • 99 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views • 69 slides
A2:$Analog$Malicious$Hardware$ Kaiyuan$Yang,$Ma8hew$Hicks,$Qing$Dong,$Todd$Aus>n,$and$Dennis$

A2:$Analog$Malicious$Hardware$ Kaiyuan$Yang,$Ma8hew$Hicks,$Qing$Dong,$Todd$Aus>n,$and$Dennis$

A2:$Analog$Malicious$Hardware$ Kaiyuan$Yang,$Ma8hew$Hicks,$Qing$Dong,$Todd$Aus>n,$and$Dennis$ Sylvester$ $ University$of$Michigan$ Founda>ons$are$important$ 2$ Applica5ons) Opera5ng)System) Weakened$hardware$ Hypervisor)

507 views • 38 slides
Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna Agenda Background Previous work Information leakage by malicious insider Our Research How to prevent 2 Insider

335 views • 30 slides
EDDIE: EM-Based Detection of Deviations in Program Execution Published at ISCA 2017 Alireza

EDDIE: EM-Based Detection of Deviations in Program Execution Published at ISCA 2017 Alireza

EDDIE: EM-Based Detection of Deviations in Program Execution Published at ISCA 2017 Alireza Nazari, Nader Sehatbakhsh, Monjur Alam, Alenka Zajic, Milos Prvulovic EECS 573 Presented by Janarthanan and Vivek 1 Goal Detect Malicious changes to

3.21k views • 28 slides
A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

Stephan Chenette Principal Security Researcher Websense Labs FIRESHARK A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web Communities Malicious Web Communities Mass Injection Analysis Redirection

1.49k views • 99 slides
Why is gas detection important ? 3 basic types of atmospheric hazards Oxygen (deficiency and

Why is gas detection important ? 3 basic types of atmospheric hazards Oxygen (deficiency and

Why is gas detection important ? 3 basic types of atmospheric hazards Oxygen (deficiency and enrichment) Flammable gases and vapors Toxic contaminants 2 Composition of fresh air 78.1 % Nitrogen 20.9 % Oxygen 0.9 % Argon

592 views • 43 slides
Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me

Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me

Malicious Domain Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94 Research Question Is it possible to detect ma malic iciou ious do domain

455 views • 45 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides

More recommend