'Last-minute' presentations
14:00 - 14:20 Reza Rajabiun COMDOM Software
14:20 - 14:40 Robert Freeman IBM
14:00 - 14:20 Reza Rajabiun. High-speed image part recognition
As anti-spam filters have improved in their capacity to process text-based messages, spammers have learned to 'envelope'
their communications in a number of different formats. These envelopes include documents, PDF files and graphical
formats. Although it is relatively easy to construct filters that read and process content embedded in some of
these envelopes, image spam has challenged the analytical capacity of academic and industry researchers.
The most pressing problem raised by image spam is the large computational power necessary to process incoming
content using traditional Optical Character Recognition (OCR) techniques. For this reason, many network
administrators have simply limited the ability of their end users to receive messages containing images. This simple
solution has the disadvantage that it limits the usefulness of email as a communication device for business
and personal use. Less biased options have been offered more recently by Dredze et al. (2007), who introduce a
simple feature selection algorithm resembling ad hoc challenge-response methods used in text-based anti-spam
products of the late 1990s. Additionally, Wang et al. (2007) extend the standard 'fuzzy signature' method of
the mid-2000s for processing text to detecting image spam.
This paper introduces and demonstrates a novel approach to accurate and high-speed processing of image spam
that: a) does not suffer from the well-known shortcomings of challenge-response and signature-based systems,
notably their ease of manipulation by spammers, and b) imposes much lower computational costs in terms of
hardware than OCR. Image Part Recognition (IPR) decomposes an image into its constituent parts in order
to read the characters used to construct spam messages. In combination with a high-capacity Bayesian
classifier, IPR offers a promising approach to fast and robust processing of image spam. Given the increased
importance of sophisticated image spam over the past months, for instance in 'pump and dump' schemes used to
manipulate the price of corporate securities, IPR significantly lowers the hardware and end-user costs of 'smart spam'
enveloped in graphical images.
14:20 - 14:40 Robert Freeman. Novel code obfuscation with COM
In the future, will synergistic relationships between scripting engine extensions and script languages like JavaScript
emerge as an obfuscation trend? What detection logic will work and what will not?
Over time, code obfuscation techniques have become increasingly esoteric. Early forms of binary code obfuscation
consisted of self-modifying code and junk bytes between instructions. With the advent of executable wrappers,
even compression and encryption are reasonably thought of in terms of obfuscation. Later, 'stolen bytes' were cutting
edge. This technique involves setting up an exception handler or secondary debugging process to perform actions
at points in execution where code has been yanked. Still, the older techniques were put to good use. Now, Virtual
CPU envelopes are at the bleeding edge of malware-wrapping technology and are typically difficult to build as well
as unwrap.
This presentation will discuss a novel way to facilitate code obfuscation using a thin COM proxy between
ActiveScript and the Windows API: in other words, writing Windows applications in JavaScript. Highlights of this
talk include detection opportunities and challenges as well as display of various sample applications using this
approach.