Evolving shell code

Masaki Suenega, Symantec Security Response

This paper deals with the shell code seen in data files, such as image files, that exploit certain vulnerabilities. At first the shell code used in these files was not difficult to analyse, and in most cases its API calls were easily resolved. Gradually, however, the code has become more difficult to analyse, with API calls obfuscated and instructions encrypted.

Some shell code, which we've seen in Microsoft Word documents, destroys its host data file after execution. Other shell code is represented only by ASCII characters, which look just like benign text. These techniques and others will be discussed in this paper.

