Static analysis methods for detection of Microsoft Office exploits

Wednesday 2 October 16:30 - 17:00, Red room

Chintan Shah (McAfee)



Despite recent advances in exploitation strategies and exploit mitigation techniques, the fundamental infection vectors remain the same. It is critical to advance security solutions so that they can inspect both new and known infection vectors and successfully mitigate targeted attacks. The use of lure documents has become one of the most favoured strategies for infiltrating target organizations, and some of the highest-impact attacks uncovered recently by the security community relied on this conventional technique.

In this talk, we present an exploit detection tool that we built for exactly this purpose. The detection engine employs multiple binary stream analysis techniques to flag malicious Office documents, supporting static analysis of RTF, Office Open XML (OOXML) and the Compound Binary File format [MS-CFB]. Attackers' use of weaponized lure documents makes deeper inspection of these file formats at the perimeter a necessity.

Object Linking and Embedding (OLE) exposes a rich attack surface that attackers have abused over the past few years to hide malicious resources. For instance, OOXML files can be used to load OLE controls, which can eventually facilitate remote code execution. Our detection tool extracts embedded storage streams, OLE objects and similar artefacts and applies binary stream analysis techniques to them, in addition to inspecting specific file sections and analysing embedded scripts, in order to identify malicious code. The tool has been tested against a wide set of in-the-wild exploits and their variants; the results will be shared at the end of the talk.
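As an added illustration of the kind of static OOXML inspection described above (this is example code written for this page, not the tool presented in the talk), the following scanner opens a package as a zip, flags any part whose bytes start with the [MS-CFB] signature (an embedded OLE container) and any OLE relationship whose target is external. The sample package is constructed inline; the relationship type URI is the standard ECMA-376 one.

```python
import io
import re
import zipfile

# ECMA-376 relationship type for embedded or linked OLE objects.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Signature at offset 0 of every Compound File Binary (OLE2) container, per [MS-CFB].
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def scan_ooxml(data: bytes) -> dict:
    """Return embedded CFB parts and externally linked OLE relationships found in an OOXML package."""
    findings = {"ole_parts": [], "external_ole_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            blob = pkg.read(name)
            if name.endswith(".rels"):
                # Relationship parts are small XML files; a tag-level regex is enough here.
                text = blob.decode("utf-8", "replace")
                for match in re.finditer(r"<Relationship\b[^>]*>", text):
                    tag = match.group(0)
                    if OLE_REL_TYPE in tag and 'TargetMode="External"' in tag:
                        target = re.search(r'Target="([^"]*)"', tag)
                        findings["external_ole_links"].append((name, target.group(1) if target else ""))
            elif blob[:8] == CFB_MAGIC:
                # An OLE2 container embedded as a package part (e.g. word/embeddings/oleObject1.bin).
                findings["ole_parts"].append(name)
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample package: one embedded CFB blob and one external OLE link (hypothetical URL)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)  # 512-byte header only
        pkg.writestr(
            "word/_rels/document.xml.rels",
            "<Relationships>"
            f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="http://example.invalid/x.rtf" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
            "</Relationships>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx()))
```

The flagged parts are the inputs a deeper stage would then parse as CFB streams; the scanner itself only locates them.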


Chintan Shah

Chintan Shah is currently working as a lead researcher with the McAfee Intrusion Prevention System team and has over 13 years of experience in the network security industry. He primarily focuses on exploit and vulnerability research, malicious network traffic analysis, building threat intelligence frameworks, reverse engineering techniques and malware analysis. Chintan holds a patent in malicious command-and-control traffic detection and has uncovered multiple targeted and espionage attacks in the past, blogging about them as well. His interests lie in software fuzzing for vulnerability discovery, analysing exploits and translating the findings into product improvements.
