Evolving shell code

Masaki Suenega Symantec Security Response

This paper deals with the shell code seen in data files, such as image files that exploit certain vulnerabilities. At first the shell code used in these files was not difficult to analyse, with most cases having easily resolved API calls. However, gradually the code has become more difficult to analyse, with API calls obfuscated and instructions encrypted.

Some shell code, which we've seen in Microsoft Word documents, destroy their host data files after execution. Other shell codes are represented only by ASCII characters, which look just like benign text. These techniques and others will be discussed in this paper.

 del.icio.us  digg this! digg this

Quick Links

Poll
The Japanese government is reported to have commissioned a 'defensive virus'. Is 'defensive' malware ever a good idea?
Yes
No
I don't know
Leave a comment
View 11 comments

99 Subscription Promo

Virus Bulletin
In this month's magazine:
  • Living the meme
  • If Svar is the answer...
  • Static analysis of mobile malware
  • And the devil is six: the security consequences of the switch to IPv6
  • Behind enemy lines: reporting from the CCC 28C3 Congress
Virus Bulletin 02 2012
Subscribe now!

Virus Bulletin currently has 224,240 registered users.