Abstract
Malware-laden documents are a common exploit vector, often delivered as attachments to phishing emails. Current approaches seek to detect the malicious attributes of documents through signature matching, dynamic analysis, or machine learning. We take a different approach: we perform transformations on documents that render exploits inoperable while leaving the visual interpretation of the document intact. Our exploit mitigation techniques are similar in effect to address space layout randomization and data randomization, but we implement them through permutations of the document file layout.
We randomize the data block order of Microsoft OLE files in a manner similar to the inverse of a filesystem defragmentation tool. This relocates malicious payloads both in the original document file and in the memory of the reader program. Through dynamic analysis, we demonstrate that our approach indeed subdues in-the-wild exploits in both Office 2003 and Office 2007 documents, while the transformed documents continue to render benign content properly. We also show that randomizing the compression used in zip-based OOXML files mitigates some attacks. The strength of these mechanisms lies in the number of content representation permutations, and the method applies wherever raw document content is used in attacks. Content randomization can be performed offline and requires only a single document scan, while the user-perceived delay when opening the transformed document is negligible.
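The block-order randomization the abstract describes, as an added Python example that is not the authors' implementation (the paper's own code is not on this page). It parses a version-3 OLE compound file (512-byte sectors), shuffles every sector, and then rewrites the FAT, the DIFAT, the directory entries and the header so that every logical stream is unchanged while its bytes sit in different places in the file. The function names, the constructed sample document built by `build_cfb` from `SAMPLE_STREAMS`, and the `read_streams` check are all assumptions of this example, not artefacts of the paper.

```python
import random
import struct
from math import ceil

# MS-CFB constants: 512-byte sectors (version 3), 64-byte mini sectors, 4096-byte mini stream cutoff.
SS, MS, CUT = 512, 64, 4096
MAXREG, FATSECT, ENDCHAIN, FREE = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DIR_FMT = "<64sHBBIII16sIQQIQ"  # 128-byte directory entry; fields [2], [11], [12] = type, start sector, size

def u32s(b): return list(struct.unpack("<%dI" % (len(b) // 4), b))
def p32s(v): return struct.pack("<%dI" % len(v), *v)
def sector(data, n): return data[SS * (n + 1):SS * (n + 2)]  # sector n follows the 512-byte header

def chain(fat, start):  # follow a FAT (or mini FAT) chain, rejecting cycles and out-of-range links
    out = []
    while start <= MAXREG:
        if start >= len(fat) or start in out: raise ValueError("broken chain")
        out.append(start); start = fat[start]
    return out

def read_cfb(data):  # -> (fat, fat_sectors, difat_sectors, directory_sectors) of a version-3 file
    if data[:8] != SIG or struct.unpack_from("<H", data, 30)[0] != 9: raise ValueError("not a v3 OLE file")
    fat_secs = [v for v in struct.unpack_from("<109I", data, 76) if v <= MAXREG]  # DIFAT part in header
    difat_secs, s = [], struct.unpack_from("<I", data, 68)[0]
    while s <= MAXREG:                                  # DIFAT sectors: 127 FAT sector numbers + next link
        if s in difat_secs: raise ValueError("DIFAT cycle")
        ents = u32s(sector(data, s)); difat_secs.append(s)
        fat_secs += [v for v in ents[:127] if v <= MAXREG]; s = ents[127]
    fat = u32s(b"".join(sector(data, s) for s in fat_secs))
    return fat, fat_secs, difat_secs, chain(fat, struct.unpack_from("<I", data, 48)[0])

def read_streams(data):  # logical view {stream name: bytes}, resolving regular and mini stream chains
    fat, _, _, dir_secs = read_cfb(data)
    mfat = u32s(b"".join(sector(data, s) for s in chain(fat, struct.unpack_from("<I", data, 60)[0])))
    ents = [struct.unpack_from(DIR_FMT, data, SS * (d + 1) + o) for d in dir_secs for o in range(0, SS, 128)]
    mini = b"".join(sector(data, s) for s in chain(fat, ents[0][11]))  # root entry start = mini stream
    out = {}
    for e in (e for e in ents if e[2] == 2):
        name = e[0][:max(e[1] - 2, 0)].decode("utf-16-le")
        if e[12] >= CUT: raw = b"".join(sector(data, s) for s in chain(fat, e[11]))
        else: raw = b"".join(mini[MS * s:MS * (s + 1)] for s in chain(mfat, e[11]))
        out[name] = raw[:e[12]]
    return out

def randomize_layout(data, seed=None):  # permute every sector, then repair all sector references
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    n = (len(data) - SS) // SS; assert SS * (n + 1) == len(data), "file is not sector-aligned"
    perm = list(range(n))                                 # perm[s] = new position of old sector s
    while n > 1 and perm == list(range(n)): rng.shuffle(perm)
    m = lambda v: perm[v] if v < n else v                 # ENDCHAIN, FREE, FATSECT, ... are left alone
    fat, fat_secs, difat_secs, dir_secs = read_cfb(data)
    new_fat, new = [FREE] * len(fat), [None] * n
    for s in range(n): new_fat[perm[s]] = m(fat[s]); new[perm[s]] = sector(data, s)
    for i, fs in enumerate(fat_secs): new[perm[fs]] = p32s(new_fat[i * 128:(i + 1) * 128])  # block i stays with FAT sector i
    for ds in difat_secs: new[perm[ds]] = p32s([m(v) for v in u32s(sector(data, ds))])
    for ds in dir_secs:                                   # map regular-sector starts only: a stream below
        raw = bytearray(sector(data, ds))                 # the cutoff stores a mini sector index instead
        for o in range(0, SS, 128):
            start, size = struct.unpack_from("<IQ", raw, o + 116)
            if raw[o + 66] == 5 or (raw[o + 66] == 2 and size >= CUT):
                struct.pack_into("<I", raw, o + 116, m(start))
        new[perm[ds]] = bytes(raw)
    hdr = bytearray(data[:SS])                            # header: first directory / mini FAT / DIFAT sector, DIFAT array
    for o in (48, 60, 68): struct.pack_into("<I", hdr, o, m(struct.unpack_from("<I", hdr, o)[0]))
    struct.pack_into("<109I", hdr, 76, *[m(v) for v in struct.unpack_from("<109I", hdr, 76)])
    return bytes(hdr) + b"".join(new)

def build_cfb(streams):  # constructed sample input: sector 0 = FAT, 1 = directory, 2 = mini FAT, then data
    mini, mfat, starts = b"", [], {}
    for name, d in streams:                               # streams under the cutoff live in the mini stream
        if len(d) < CUT:
            k, starts[name] = ceil(len(d) / MS), len(mfat)
            mfat += list(range(len(mfat) + 1, len(mfat) + k)) + [ENDCHAIN]
            mini += d.ljust(k * MS, b"\0")
    sectors, fat = [None, None, None], [FATSECT, ENDCHAIN, ENDCHAIN]
    def add(blob):                                        # append one contiguous regular-sector chain
        first, k = len(sectors), ceil(len(blob) / SS)
        sectors.extend(blob.ljust(k * SS, b"\0")[i:i + SS] for i in range(0, k * SS, SS))
        fat.extend(list(range(first + 1, first + k)) + [ENDCHAIN])
        return first
    mini_start = add(mini) if mini else ENDCHAIN
    for name, d in streams:
        if len(d) >= CUT: starts[name] = add(d)
    def entry(name, typ, right, child, start, size):      # siblings chained to the right; not a balanced tree
        n = name.encode("utf-16-le") + b"\0\0"
        return struct.pack(DIR_FMT, n, len(n), typ, 1, FREE, right, child, b"\0" * 16, 0, 0, 0, start, size)
    ents = [entry("Root Entry", 5, FREE, 1 if streams else FREE, mini_start, len(mini))]
    for i, (name, d) in enumerate(streams):
        ents.append(entry(name, 2, i + 2 if i + 1 < len(streams) else FREE, FREE, starts[name], len(d)))
    assert len(fat) <= 128 and len(mfat) <= 128 and len(ents) <= 4, "sample builder: one sector per table"
    sectors[0] = p32s(fat + [FREE] * (128 - len(fat)))
    sectors[1] = b"".join(ents).ljust(SS, b"\0")
    sectors[2] = p32s(mfat + [FREE] * (128 - len(mfat)))
    hdr = struct.pack("<8s16sHHHHH6sIIIIIIIII", SIG, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                      0, 1, 1, 0, CUT, 2, 1, ENDCHAIN, 0) + p32s([0] + [FREE] * 108)
    return hdr + b"".join(sectors)

# Constructed sample document: one stream above the cutoff (regular sectors), one below it (mini stream).
SAMPLE_STREAMS = [("WordDocument", bytes(range(256)) * 20), ("\x05SummaryInformation", b"Title: Q3 report\0" * 30)]
```

`randomize_layout(build_cfb(SAMPLE_STREAMS), seed=2015)` returns a file of the same length whose sectors are in a different order; `read_streams` yields identical stream bytes for the original and the transformed file, which is the check a deployment should run on every document before forwarding it. A payload that was contiguous in the original `WordDocument` stream is now spread across non-adjacent sectors, so any exploit that addresses raw file offsets no longer finds it where it expects; the reader reassembles the stream through the FAT, so rendering is unaffected. Two details are the ones that silently corrupt a document when done wrong: a directory entry below the 4096-byte cutoff holds a mini sector index, not a sector number, and must not be remapped; and the i-th FAT sector must keep the i-th block of FAT entries since the DIFAT lists FAT sectors in order. Version-4 files (4096-byte sectors) and files that are not sector-aligned are rejected rather than mis-handled.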
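The compression randomization for zip-based OOXML packages, as a second added example (again not the authors' code). Every part of the package is rewritten with a freshly drawn Deflate level or stored uncompressed, and the part order is shuffled, so the compressed bytes and the offset of every part change while each part's decompressed content is unchanged. The standard-library `zipfile` module is used; only Deflate and Store are drawn because those are the compression methods Office readers expect in an OPC package. The package built by `build_sample_docx` is a constructed stand-in, not a real Word document, and all function names are assumptions of this example.

```python
import io
import random
import zipfile

def randomize_ooxml(data, seed=None):
    """Re-encode every part of a zip package with a random Deflate level (or Store) in shuffled order."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    with zipfile.ZipFile(io.BytesIO(data)) as zin:
        parts = [(zi, zin.read(zi.filename)) for zi in zin.infolist()]
    for _ in range(32):                         # redraw in the rare case the re-encoding is byte-identical
        order = parts[:]
        rng.shuffle(order)
        order.sort(key=lambda p: p[0].filename != "[Content_Types].xml")  # stable: keep content types first
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zout:
            for zi, body in order:
                info = zipfile.ZipInfo(zi.filename, date_time=zi.date_time)
                info.external_attr = zi.external_attr
                if rng.random() < 0.1:          # occasionally store a part uncompressed
                    zout.writestr(info, body, compress_type=zipfile.ZIP_STORED)
                else:                           # otherwise Deflate at a random level 1..9
                    zout.writestr(info, body, compress_type=zipfile.ZIP_DEFLATED, compresslevel=rng.randint(1, 9))
        out = buf.getvalue()
        if out != data:
            return out
    raise RuntimeError("no alternative encoding found")

def read_parts(data):
    """Decompressed view {part name: bytes}, in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {zi.filename: z.read(zi.filename) for zi in z.infolist()}

def build_sample_docx():
    """Constructed minimal OOXML-like package (three parts, all Deflate at the default level)."""
    parts = {
        "[Content_Types].xml": b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": b'<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        "word/document.xml": b"<w:document>" + b"<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>" * 40 + b"</w:document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(zipfile.ZipInfo(name, date_time=(2015, 1, 1, 0, 0, 0)), body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Each part's CRC and content survive, so `read_parts` returns the same mapping before and after, but the local file headers, the compressed data and the central directory all move. Note that this only reaches attacks that depend on the raw bytes of the package on disk; content inside a decompressed part (for example an embedded OLE object) is unchanged by this step and needs the sector-level treatment instead.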
Acknowledgments
The authors would like to thank all of the reviewers for their valuable comments and suggestions. This work is supported by Lockheed Martin Corporation and the National Science Foundation Grant No. CNS 1421747 and II-NEW 1205453. Opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of Lockheed Martin, the NSF, or US Government.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Smutz, C., Stavrou, A. (2015). Preventing Exploits in Microsoft Office Documents Through Content Randomization. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_11
DOI: https://doi.org/10.1007/978-3-319-26362-5_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5