'Last-minute' presentations

14:00 - 14:20 Reza Rajabiun COMDOM Software
14:20 - 14:40 Robert Freeman IBM

14:00 - 14:20 Reza Rajabiun. High-speed image part recognition

  download slides (PDF)

As anti-spam filters have improved in their capacity to process text-based messages, spammers have learned to 'envelope' their communications in a number of different formats. These envelopes include documents, pdf files and graphical formats. Although it is relatively easy to construct filters that read and process content embedded in some of these envelopes, image spam has challenged the analytical capacity of academic and industry researchers.

The most pressing problem raised by image spam is the large computational power necessary to process incoming content using traditional Optical Character Recognition (OCR) techniques. For this reason, many network administrators have simply limited the ability of their end users to receive messages containing images. This simple solution has the disadvantage that it limits the usefulness of email as a communication device for business and personal use. Less biased options have been offered more recently by Dredze et al. (2007), who introduce a simple feature selection algorithm resembling ad hoc challenge response methods used in text-based anti-spam products of the late 1990s. Additionally, Wang et al. (2007) extend the standard 'fuzzy signature' method of the mid-2000s for processing text to detecting image spam.

This paper introduces and demonstrates a novel approach to accurate and high-speed processing of image spam that: a) does not suffer from the well known shortcomings of challenge response and signature-based systems, notably their ease of manipulation by spammers, and b) imposes much lower computational costs in terms of hardware than OCR. Image Part Recognition (IPR) decomposes an image into its constituent parts in order to read the characters used to construct spam messages. In combination with a high capacity Bayesian classifier, IPR offers a promising approach to fast and robust processing of image spam. Given the increased importance of sophisticated image spam over the past months, for instance in 'pump and dump' schemes used to manipulate the price of corporate securities, IPR significantly lowers the hardware and end user costs of 'smart spam' enveloped in graphical images.
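To illustrate the idea of decomposing an image into parts before classification, here is an added example that is not the speaker's code: it flood-fills a small constructed bitmap into 8-connected ink regions and derives cheap per-part features (size and ink density) of the kind a Bayesian classifier could consume. The flood-fill approach and the feature set are assumptions for illustration, not the IPR method itself.

```python
from collections import deque

# Constructed sample "image": '#' is ink, '.' is background.
# Two glyph-like blobs separated by whitespace, standing in for characters
# rendered into a picture rather than sent as text.
SAMPLE = [
    "........................",
    ".###......#####.........",
    ".#..#.....#.............",
    ".###......###...........",
    ".#..#.....#.............",
    ".###......#####.........",
    "........................",
]

def find_parts(rows, ink="#"):
    """Return bounding boxes (x0, y0, x1, y1) of 8-connected ink regions,
    sorted left to right: the 'parts' an IPR-style front end would hand on.
    Assumption: plain BFS flood fill, not the talk's actual algorithm."""
    h, w = len(rows), len(rows[0])
    seen = [[False] * w for _ in range(h)]
    parts = []
    for y in range(h):
        for x in range(w):
            if rows[y][x] != ink or seen[y][x]:
                continue
            queue = deque([(x, y)])
            seen[y][x] = True
            xs, ys = [], []
            while queue:
                cx, cy = queue.popleft()
                xs.append(cx)
                ys.append(cy)
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        nx, ny = cx + dx, cy + dy
                        if 0 <= nx < w and 0 <= ny < h \
                                and not seen[ny][nx] and rows[ny][nx] == ink:
                            seen[ny][nx] = True
                            queue.append((nx, ny))
            parts.append((min(xs), min(ys), max(xs), max(ys)))
    return sorted(parts)

def part_features(rows, box, ink="#"):
    """Cheap per-part features (width, height, ink density): low-cost
    classifier input that avoids running full OCR over the whole image."""
    x0, y0, x1, y1 = box
    cells = [(x, y) for y in range(y0, y1 + 1) for x in range(x0, x1 + 1)]
    inked = sum(1 for x, y in cells if rows[y][x] == ink)
    return (x1 - x0 + 1, y1 - y0 + 1, round(inked / len(cells), 2))
```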

14:20 - 14:40 Robert Freeman. Novel code obfuscation with COM

  download slides (PDF)

In the future, will synergistic relationships between scripting engine extensions and script languages like JavaScript emerge as an obfuscation trend? What detection logic will work and what will not?

Over time, code obfuscation techniques have become increasingly esoteric. Early forms of binary code obfuscation consisted of self-modifying code and junk bytes between instructions. With the advent of executable wrappers, even compression and encryption are reasonably thought of in terms of obfuscation. Later, 'stolen bytes' were cutting edge. This technique involves setting up an exception handler or secondary debugging process to perform actions at points in execution where code has been yanked. Still, the older techniques were put to good use. Now, Virtual CPU envelopes are at the bleeding edge of malware-wrapping technology and are typically difficult to build as well as unwrap.

This presentation will discuss a novel way to facilitate code obfuscation using a thin COM proxy between ActiveScript and the Windows API. In other words, writing Windows applications in JavaScript. Highlights of this talk include detection opportunities and challenges as well as display of various sample applications using this approach.
