Abstract

Malicious document files used in targeted attacks often contain a small program called shellcode. It is often hard to prepare a runnable environment for dynamic analysis of these document files because they exploit specific vulnerabilities. In these cases, it is necessary to identify the position of the shellcode in each document file to analyze it. If the exploit code uses executable scripts such as JavaScript and Flash, it is not so hard to locate the shellcode. On the other hand, it is sometimes almost impossible to locate the shellcode when it does not contain any JavaScript or Flash but consists of native x86 code only. Binary fragment classification is often applied to visualize the location of regions of interest, and shellcode must contain at least a small fragment of x86 native code even if most of it is obfuscated, such as a decoder for the obfuscated body of the shellcode. In this paper, we propose a novel method, o-glasses, to visualize the shellcode by recognizing the x86 native code using a specially designed one-dimensional convolutional neural network (1d-CNN). The fragment size needs to be as small as the minimum size of the x86 native code in the whole shellcode. Our results show that a 16-instruction-sequence (approximately 48 bytes on average) is sufficient for the code fragment visualization. Our method, o-glasses (1d-CNN), outperforms other methods in that it recognizes x86 native code with a surprisingly high F-measure rate (about 99.95%).


Summary

Introduction

In recent years, targeted attacks have become a major threat. In a targeted email attack, an email contains a request to open an attached file or click on a hyperlink in the email body. If the recipient does so, some malware is launched. Most such malware is newly crafted, unknown malware, and is often hard for antivirus scanners to detect. Malicious document files used in targeted email attacks often contain an executable file embedded within a decoy document file: over 60% of the attached files in targeted email attacks occurring in 2014 were reported to be document files [27]. The malicious document file consists of four parts: exploit code, shellcode, an executable file, and a decoy document file.
