
Preventing Exploits in Microsoft Office Documents Through Content Randomization

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404)

Abstract

Malware-laden documents are a common exploit vector, often delivered as attachments to phishing emails. Current approaches seek to detect the malicious attributes of documents through signature matching, dynamic analysis, or machine learning. We take a different approach: we transform documents so that embedded exploits are rendered inoperable while the visual interpretation of the document is left intact. Our exploit mitigation techniques are similar in effect to address space layout randomization and data randomization, but we implement them through permutations of the document file layout.

We randomize the data block order of Microsoft OLE files, in effect the inverse of a filesystem defragmentation tool. This relocates malicious payloads both in the on-disk document and in the memory of the reader program. Through dynamic analysis, we demonstrate that our approach subdues in-the-wild exploits in both Office 2003 and Office 2007 documents while the transformed documents continue to render benign content properly. We also show that randomizing the compression used in zip-based OOXML files mitigates some attacks. The strength of these mechanisms lies in the number of content representation permutations, and the method applies wherever raw document content is used in an attack. Content randomization can be performed offline and requires only a single pass over the document, while the user-perceived delay when opening the transformed document is negligible.
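As an added illustration of the block-permutation idea (this is not the authors' tool, whose implementation is not on this page), the following Python reorders the physical sectors of a Compound File Binary (OLE2) container and rewrites the FAT, the directory start pointers and the header so that every stream still reads back byte-for-byte; it also builds a small constructed sample document to exercise itself. The simplifications are mine, not the paper's: version-3 files with 512-byte sectors, at most 109 FAT sectors (so no DIFAT sectors) and no mini stream, and the stream name "Payload" and the sample layout exist only for the test. The reverse-defragmenter effect the abstract describes is what randomize_sectors performs; the OOXML compression variant the abstract also mentions is not shown here.

```python
"""Sector-order randomization for OLE2 / Compound File Binary (CFB) documents.

Added illustration of the abstract's idea, not the authors' tool: permute the
physical sector order (the inverse of defragmenting) and rewrite the FAT, the
directory start pointers and the header so each stream still reads back intact.
My simplifications: version-3 files (512-byte sectors), no DIFAT sectors and no mini stream.
"""
import random
import struct

SECTOR = 512
ENDOFCHAIN, FREESECT, FATSECT, DIFSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFC, 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
u32 = lambda buf, off: struct.unpack_from("<I", buf, off)[0]

def sector(cfb, i):            # sector 0 begins right after the 512-byte header
    return cfb[SECTOR * (i + 1):SECTOR * (i + 2)]

def load_fat(cfb):             # FAT sectors are listed in the header's DIFAT array
    fat_sectors = struct.unpack_from("<109I", cfb, 76)[:u32(cfb, 44)]
    return [e for s in fat_sectors for e in struct.unpack("<128I", sector(cfb, s))]

def chain(fat, start):         # follow a FAT chain, refusing cycles and bad links
    out, s = [], start
    while s != ENDOFCHAIN:
        if s >= len(fat) or s in out:
            raise ValueError("corrupt FAT chain at %#x" % s)
        out.append(s)
        s = fat[s]
    return out

def find_stream(cfb, name):    # -> (fat, first sector, size) of the named stream
    fat = load_fat(cfb)
    directory = b"".join(sector(cfb, s) for s in chain(fat, u32(cfb, 48)))
    for off in range(0, len(directory), 128):
        name_len, obj_type = struct.unpack_from("<HB", directory, off + 64)
        entry_name = directory[off:off + max(name_len - 2, 0)].decode("utf-16-le")
        if obj_type == 2 and entry_name == name:
            return (fat,) + struct.unpack_from("<IQ", directory, off + 116)
    raise KeyError(name)

def read_stream(cfb, name):
    fat, start, size = find_stream(cfb, name)
    return b"".join(sector(cfb, s) for s in chain(fat, start))[:size]

def randomize_sectors(cfb, seed=None):
    """Copy of cfb with its chained sectors in a random physical order.  Pass a
    seed only for reproducible tests; the default draws from the OS CSPRNG."""
    if cfb[:8] != MAGIC or struct.unpack_from("<H", cfb, 30)[0] != 9:
        raise ValueError("not a version-3 compound file")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    num_sectors, fat, cutoff = (len(cfb) - SECTOR) // SECTOR, load_fat(cfb), u32(cfb, 56)
    fat_sectors = struct.unpack_from("<109I", cfb, 76)[:u32(cfb, 44)]
    # FAT/DIFAT sectors stay put (the DIFAT addresses them by position); anything
    # reached through a chain (directory, mini FAT, stream data) may move.
    movable = [i for i in range(num_sectors) if fat[i] not in (FATSECT, DIFSECT, FREESECT)]
    shuffled = list(movable)
    while len(movable) > 1 and shuffled == movable:   # never re-emit the input layout
        rng.shuffle(shuffled)
    new_pos = dict(zip(movable, shuffled))
    remap = lambda s: new_pos.get(s, s)               # special markers map to themselves
    new_sectors, new_fat = [None] * num_sectors, list(fat)
    for old in range(num_sectors):
        new_sectors[remap(old)] = bytearray(sector(cfb, old))
        new_fat[remap(old)] = remap(fat[old])          # the successor link moves with it
    for k, s in enumerate(fat_sectors):
        new_sectors[s][:] = struct.pack("<128I", *new_fat[k * 128:(k + 1) * 128])
    header = bytearray(cfb[:SECTOR])
    for off in (48, 60, 68):                          # first directory / mini FAT / DIFAT sector
        struct.pack_into("<I", header, off, remap(u32(cfb, off)))
    # Directory start pointers: the root entry (mini stream) and streams at or above
    # the cutoff hold real sector numbers; smaller streams hold mini-sector numbers
    # inside the mini stream, which this permutation leaves alone.
    for s in chain(fat, u32(cfb, 48)):
        buf = new_sectors[remap(s)]
        for off in range(0, SECTOR, 128):
            obj_type, (start, size) = buf[off + 66], struct.unpack_from("<IQ", buf, off + 116)
            if (obj_type == 5 and size) or (obj_type == 2 and size >= cutoff):
                struct.pack_into("<I", buf, off + 116, remap(start))
    return bytes(header) + b"".join(new_sectors)

def build_sample_cfb(payload):
    """Constructed input (not a real Office file): FAT, directory, one contiguous stream >= 4096 bytes."""
    n = -(-len(payload) // SECTOR)
    assert len(payload) >= 4096 and n + 2 <= 128
    header = struct.pack("<8s16s5H6s9I", MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, n + 2)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    def entry(name, obj_type, child, start, size):
        raw = name.encode("utf-16-le") + b"\0\0"
        return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), obj_type, 1,
                           NOSTREAM, NOSTREAM, child, b"\0" * 16, 0, 0, 0, start, size)
    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry("Payload", 2, NOSTREAM, 2, len(payload))
    return (header + struct.pack("<128I", *fat) + directory.ljust(SECTOR, b"\0")
            + payload.ljust(n * SECTOR, b"\0"))
```

The number of distinct layouts is the factorial of the count of movable sectors, which is the "number of content representation permutations" the abstract relies on; leaving the seed unset draws the permutation from random.SystemRandom so an attacker cannot predict where a payload will land. The structures this example skips (the mini stream, DIFAT sectors, version-4 files with 4096-byte sectors) are exactly where a production implementation needs the most care: mini-sector numbers must not be remapped, and DIFAT sectors address FAT sectors by position.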



Acknowledgments

The authors would like to thank all of the reviewers for their valuable comments and suggestions. This work is supported by Lockheed Martin Corporation and the National Science Foundation Grant No. CNS 1421747 and II-NEW 1205453. Opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of Lockheed Martin, the NSF, or US Government.

Author information


Correspondence to Charles Smutz.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Smutz, C., Stavrou, A. (2015). Preventing Exploits in Microsoft Office Documents Through Content Randomization. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_11


  • DOI: https://doi.org/10.1007/978-3-319-26362-5_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

