Fast fingerprinting of OLE2 files: heuristics for detection of exploited OLE2 files based on specification non-conformance

Stephen Edwards, Sophos
Paul Baccas, Sophos

Today, the main class of malicious OLE2 files seen by SophosLabs exploits vulnerabilities in Microsoft Office applications. These are used to install malware - most often rootkits, backdoors or downloaders. Ten years ago, SophosLabs would have been inundated with self-replicating threats or macro-based trojans. As the attack vector has changed, detection techniques have adapted too - knowledge of the OLE2 specification is a powerful tool in the fight.

OLE2 documents are complex, so the cost of parsing them deeply enough to detect an exploit directly can be prohibitive for a security scanner. However, Microsoft Office file formats typically have early records with a significant number of rigidly defined fields. This paper investigates whether non-adherence to the specification within these fields can be used as a low-cost heuristic to improve detection of this class of malware. Additionally, it sets out which violations are pertinent to exploit detection, determined by scanning diverse sets of clean and exploited files.
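To make the idea concrete, here is an added example (not code from the paper or from Sophos) of the kind of low-cost check the abstract describes: it reads only the 512-byte OLE2 header and compares its rigidly defined fields against the values required by the public MS-CFB specification (signature, zero CLSID, version numbers, byte-order mark, sector shifts, reserved bytes, mini-stream cutoff, and the FREESECT fill of unused DIFAT entries). The list of checks is drawn from the specification, not from the paper's own findings about which violations are pertinent; the sample headers are constructed inline, and the `build_header` helper and its field names are this example's own.

```python
"""Fingerprint an OLE2 (Compound File Binary) header against the fixed-field
rules of the public MS-CFB specification.  Added example: the checks follow
MS-CFB section 2.2 (the header), and say nothing about which violations the
paper found to be pertinent."""
import struct
import sys

HEADER_SIZE = 512
OLE2_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF      # marks an unused DIFAT/FAT entry
ENDOFCHAIN = 0xFFFFFFFE    # terminates a sector chain


def check_header(data: bytes) -> list:
    """Return a list of human-readable specification violations in the header.
    An empty list means every fixed field holds the value the spec requires."""
    issues = []
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte header"]
    hdr = data[:HEADER_SIZE]
    if hdr[:8] != OLE2_SIGNATURE:
        return ["bad signature: not an OLE2 file"]
    if any(hdr[8:24]):
        issues.append("header CLSID must be all zeros")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", hdr, 24)
    if minor != 0x003E:
        issues.append(f"minor version 0x{minor:04X} (spec says 0x003E)")
    if major not in (3, 4):
        issues.append(f"major version {major} (expected 3 or 4)")
    if byte_order != 0xFFFE:
        issues.append(f"byte order 0x{byte_order:04X} (expected 0xFFFE, little-endian)")
    expected_shift = {3: 9, 4: 12}.get(major)
    if expected_shift is not None and sector_shift != expected_shift:
        issues.append(f"sector shift {sector_shift} (expected {expected_shift} for version {major})")
    if mini_shift != 6:
        issues.append(f"mini sector shift {mini_shift} (expected 6)")
    if any(hdr[34:40]):
        issues.append("reserved bytes at offset 34 must be zero")
    (n_dir_sectors, n_fat, _first_dir, _txn, cutoff,
     _first_minifat, _n_minifat, _first_difat, _n_difat) = struct.unpack_from("<9I", hdr, 40)
    if major == 3 and n_dir_sectors != 0:
        issues.append("number of directory sectors must be zero in a version 3 file")
    if cutoff != 0x1000:
        issues.append(f"mini stream cutoff 0x{cutoff:X} (expected 0x1000)")
    # The header carries the first 109 DIFAT entries; entries beyond the FAT
    # sector count must be FREESECT, and the ones in use must not be.
    difat = struct.unpack_from("<109I", hdr, 76)
    used_count = min(n_fat, 109)
    if any(e != FREESECT for e in difat[used_count:]):
        issues.append("unused DIFAT entries must be FREESECT (0xFFFFFFFF)")
    if any(e == FREESECT for e in difat[:used_count]):
        issues.append("FAT sector count exceeds populated DIFAT entries")
    # Version 4 uses 4096-byte sectors, so the rest of the first sector must be zero.
    if major == 4 and len(data) >= 4096 and any(data[HEADER_SIZE:4096]):
        issues.append("version 4 header padding (bytes 512-4095) must be zero")
    return issues


def build_header(**overrides) -> bytes:
    """Construct a minimal conformant version 3 header (sample data made up for
    this example).  Keyword overrides replace individual fields so that
    non-conformant variants can be produced for testing."""
    f = dict(clsid=b"\0" * 16, minor=0x003E, major=3, byte_order=0xFFFE,
             sector_shift=9, mini_shift=6, reserved=b"\0" * 6,
             n_dir_sectors=0, n_fat=1, first_dir=1, txn=0, cutoff=0x1000,
             first_minifat=ENDOFCHAIN, n_minifat=0,
             first_difat=ENDOFCHAIN, n_difat=0, difat=None)
    f.update(overrides)
    difat = f["difat"] if f["difat"] is not None else [0] + [FREESECT] * 108
    return (OLE2_SIGNATURE + f["clsid"]
            + struct.pack("<HHHHH", f["minor"], f["major"], f["byte_order"],
                          f["sector_shift"], f["mini_shift"])
            + f["reserved"]
            + struct.pack("<9I", f["n_dir_sectors"], f["n_fat"], f["first_dir"],
                          f["txn"], f["cutoff"], f["first_minifat"],
                          f["n_minifat"], f["first_difat"], f["n_difat"])
            + struct.pack("<109I", *difat))


if __name__ == "__main__":
    # With no arguments, demonstrate on a constructed good header and a bad one;
    # otherwise fingerprint the files named on the command line.
    samples = {p: open(p, "rb").read(4096) for p in sys.argv[1:]} or {
        "constructed-conformant": build_header(),
        "constructed-violating": build_header(clsid=b"\x01" + b"\0" * 15, mini_shift=7),
    }
    for name, blob in samples.items():
        found = check_header(blob)
        print(f"{name}: {len(found)} violation(s)")
        for line in found:
            print("  -", line)
```

Because only the first sector is read, the check costs a single small read per file regardless of document size, which is the point of the heuristic; the violation count (or the specific violations) can then be weighted as the paper's results for clean versus exploited corpora suggest.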
