Masaki Suenega Symantec Security Response
This paper deals with the shell code seen in data files, such as image files that exploit certain vulnerabilities. At first the shell code used in these files was not difficult to analyse, with most cases having easily resolved API calls. However, gradually the code has become more difficult to analyse, with API calls obfuscated and instructions encrypted.
Some shell code, which we've seen in Microsoft Word documents, destroy their host data files after execution. Other shell codes are represented only by ASCII characters, which look just like benign text. These techniques and others will be discussed in this paper.