Abstract
This paper revisits the shellcode embedding problem for PDF files. We found that a widely used shellcode embedding technique, the reverse mimicry attack, has not been shown to be effective against well-trained state-of-the-art detectors. To overcome this limitation of the reverse mimicry method against existing shellcode detectors, we generalize the reverse mimicry attack by applying the k-depth mimicry method to PDF files. We implement a proof-of-concept tool for the k-depth mimicry attack and show its feasibility by generating shellcode-embedded PDF files that evade the best known shellcode detector (PDFrate) with three classifiers. The experimental results show that all tested classifiers failed to effectively detect the shellcode embedded by the k-depth mimicry method when \(k \ge 20\).
References
PJScan (2013). https://sourceforge.net/p/pjscan/home/Home
Malware Slayer (2014). https://pralab.diee.unica.it/en/Slayer
PDFrate (2016). https://csmutz.com/pdfrate
Adobe Systems Incorporated: PDF Reference: Adobe Portable Document Format, version 1.7 (2006). https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf
Adobe Systems Incorporated: What is PDF? (2016). https://acrobat.adobe.com/kr/ko/why-adobe/about-adobe-pdf.html
Fratantonio, Y., Kruegel, C., Vigna, G.: Shellzer: a tool for the dynamic analysis of malicious shellcode. In: Proceedings of International Workshop on Recent Advances in Intrusion Detection (2011)
International Organization for Standardization: PDF (Portable Document Format), version 1.7, base level (ISO 32000-1:2008) (2008). http://www.digitalpreservation.gov/formats/fdd/fdd000277.shtml
Johnson, D.: PDF still dominates electronic documents online (2015). http://duff-johnson.com/2015/10/07/pdf-still-dominates-electronic-documents-online
Maiorca, D., Corona, I., Giacinto, G.: Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (2013)
Mason, J., Small, S., Monrose, F., MacManus, G.: English shellcode. In: Proceedings of the 16th ACM Symposium on Information, Computer and Communications Security (2009)
Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-based detection of non-self-contained polymorphic shellcode. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 87–106. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74320-0_5
Schmitt, F., Gassen, J., Gerhards-Padilla, E.: PDF Scrutinizer: detecting JavaScript-based attacks in PDF documents. In: Proceedings of the 10th Annual International Conference on Privacy, Security and Trust (2012)
Symantec: ISTR: Internet security threat report. In: Trend Report, vol. 21 (2016)
Toth, T., Kruegel, C.: Accurate buffer overflow detection via abstract payload execution. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 274–291. Springer, Heidelberg (2002). doi:10.1007/3-540-36084-0_15
Tzermias, Z., Sykiotakis, G., Polychronakis, M., Markatos, E.P.: Combining static and dynamic analysis for the detection of malicious documents. In: Proceedings of the 4th European Workshop on System Security (2011)
Šrndić, N., Laskov, P.: Practical evasion of a learning-based classifier: a case study. In: Proceedings of the IEEE Symposium on Security and Privacy (2014)
Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (2002)
Zhang, Q., Reeves, D.S., Ning, P., Iyer, S.P.: Analyzing network traffic to detect self-decrypting exploit code. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (2007)
Acknowledgement
This work was supported in part by the NRF Korea (No. 2014R1A1A1003707), the ITRC (IITP-2016-R0992-16-1006), and the MSIP/IITP (No. R0166-15-1041, R-20160222-002755). The first author’s research was mainly funded by the MSIP, under the “Employment Contract based Master’s Degree Program for Information Security” (H2101-16-1001) supervised by KISA. The contents of this article do not necessarily express the views of KISA.
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
Cite this paper
Park, J., Kim, H. (2017). k-Depth Mimicry Attack to Secretly Embed Shellcode into PDF Files. In: Kim, K., Joukov, N. (eds) Information Science and Applications 2017. ICISA 2017. Lecture Notes in Electrical Engineering, vol 424. Springer, Singapore. https://doi.org/10.1007/978-981-10-4154-9_45
DOI: https://doi.org/10.1007/978-981-10-4154-9_45
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-4153-2
Online ISBN: 978-981-10-4154-9
eBook Packages: Engineering (R0)