Static Analysis Methods for Detection of Microsoft Office Exploits

Slides:

Advertisements

Similar presentations

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

By Hiranmayi Pai Neeraj Jain

An in depth analysis of CVE

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals Preventing the next breach or discovering the one.

UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

2 New Security Bulletins and AdvisoriesNew Security Bulletins and Advisories –1 New Security Advisory –1 New Critical Bulletin –1 New Moderate Bulletin.

1 Modular Software/ Component Software 2 Modular Software Code developed in modules. Modules can then be linked together to produce finished product/program.

SANS Technology Institute - Candidate for Master of Science Degree

Life in a Dangerous World: Developing effective strategies against Virus, Worms and Other Threats Marshall Breeding Vanderbilt University

APT29 HAMMERTOSS Jayakrishnan M.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Malware.

ANTIVIRUS SOFTWARE.  Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software,

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,

Maritime Cyber Vulnerabilities in the Energy Sector Center for Joint Operations of the Sea ODU Maritime Institute Students Crow, Fresco, Lee.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Mario Vuksan CEO PROPRIETARY INFORMATION THREAT ANALYSIS LABS HAVE NEVER BEEN WORKING HARDER #SINET Connection.

Design and Implementation of The FiltroMatic™ Presented By: Lord Viper Scorpion D4 C0rrupt0r The Dark Stallion of Chaos Master of Terror.

Amit Malik SecurityXploded Research Group FireEye Labs.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.

Security fundamentals Topic 10 Securing the network perimeter.

Financial Sector Cyber Attacks Malware Types & Remediation Best Practices

When we create.rtf document apart from saving the actual info the tool saves additional info like start of a paragraph, bold, size of the font.. Etc. This.

Search Engine using Web Mining COMS E Web Enhanced Information Mgmt Prof. Gail Kaiser Presented By: Rupal Shah (UNI: rrs2146)

Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008.

Shasta Console Operations February 2010 Tony Caleb.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals CHECK POINT MOBILE THREAT PREVENTION.

Exploitation Development and Implementation PRESENTER: BRADLEY GREEN.

Powerpoint presentation on Drive-by download attack -By Yogita Goyal.

Security on the Internet Norman White ©2001. Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability.

Understanding and breaking the cyber kill chain

What mobile ads know about mobile users

Security fundamentals

Advanced Endpoint Security Data Connectors-Charlotte January 2016

Return Oriented Programming

Tom Hartig Check Point Software Technologies August 13th, 2015

CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.

Lecture 1-Part 2: Operating-System Structures

Malware Reverse Engineering Process

Yaoqi Jia, Zheng Leong Chua, Hong Hu,

Chapter 1. Basic Static Techniques

Malware Reverse Engineering Process

Viruses and Other Malicious Content

A Security Review Process for Existing Software Applications

Metasploit a one-stop hack shop

computer virus infection & symptoms

Microsoft Dynamics.

Intro to Ethical Hacking

Microsoft PowerPoint 2007 – Unit 2

DATABASES WHAT IS A DATABASE?

Severity and Exploitability Index

Department of Computer Science

Understanding and Preventing Buffer Overflow Attacks in Unix

Exploring DOM-Based Cross Site Attacks

Firmware security integrity checking Andrea Battaglia, Aspisec IT

Presentation transcript:

Static Analysis Methods for Detection of Microsoft Office Exploits CHINTAN SHAH VIRUS BULLETIN 2019 , LONDON

About Speaker Chintan Shah Over 14 Years in the Network Security Industry Currently working as a Security Researcher with McAfee IPS team Passionate about researching on targeted attacks. Uncovered multiple targeted and espionage attacks on Govt. organizations in the past Focus on : Fuzzing, Vulnerability Research, Rev. Engg exploits and developing detection solutions for the products 2nd time speaker at Virus Bulletin

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

Agenda Source: Kaspersky

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

Vulnerabilities Exploited Parsing engine flaws ( Predominantly RTF renderers ) RTF : Complex structure with nested formatting controls Multiple control word parsing vulnerabilities in the past > 1800 control words – largely unexplored Scripting engine flaws IEs Scripting engine flaws can also be exploited via Office files Object Linking and Embedding Massive attack vector Linking: Facilitates remote code download + execute Embedding: Mem corruption exploits OR aids further exploitation

Static Analysis Engine for Generic Detection Requires parsers that can extract embedded objects and streams Handles stream and document structure obfuscations Focus: Detecting weaponized exploits that uses auxiliary methods without worrying about the vulnerability Hidden code and payload inside embedded objects / streams Containerized exploits: Extraction and re-analysis Pointers to external code

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

RTF – Data streams in Control words RTF Control Words Primarily used for document formatting Takes parameters and data Destination Control Words Carries special meaning Can consume streams of data No restriction on the type of data it can consume > 1000 such control words

RTF – Data streams in Control words Can be abused Insert malicious payloads Insert shellcodes obfuscate stream to break immature RTF parsers / make analysis difficult Shellcode in “Leveltext” RTF control word Malicious code in pFragments RTF control word

RTF – Data streams in Control words Static Analysis RTF readers handles obfuscation attempts extract and scan streams to destination control words Can detect many auxiliary strategies in the exploit Exe file in “Datastore” control word

RTF – Overlay Data Streams Overlay streams in RTF RTF rendering engines will ignore this data while processing Many RTF exploits appends additional streams after EOF Another adopted auxiliary method to hide malicious resources CVE-2015-1641 – 380 KB of overlay stream [ Stores staged shellcode and Decoy document ] CVE-2017-11826 – 189KB of overlay stream is a red flag

RTF – Overlay Data Streams Static Analysis Look for data at the end of the file Critical to extract and analyze further for malicious indicators Larger volumes : almost always suspicious Size of RTF Overlay Total RTF documents with Overlay tested: 5000 Total RTF documents with Overlay > 100 B: 4655 Overlay > 300 B Total Found: 4250 Malicious: 3973 [ 93.5%] 100 B > Overlay < = 300 B Total Found: 405 Malicious: 368 [ 91% ] 10 B > Overlay <= 100 B Total Found: 345 Malicious: 311 [ 90% ]

RTF – Object Linking and Embedding OLE in RTF: OLE objects : Stored as a data to {\object control word OLESaveToStream : Stored in OLE1.0NativeStream format Modifiers indicates linked or embedded object \objemb : Embedded OLE object in RTF \objautlink : Linked OLE object in RTF. Can be external resource Exploitaton: Easy: Can be quickly adapted to target victims Recent trends : Remote code download  Invoke resp. resource handler  Code execute

RTF – Object Linking and Embedding OLE2 Compound Document within OLE1.0NativeStream {\Object : Destination control word for OLE object \objautlink : Linked object \objclass : Class of OLE object. Word.document.8 with objautlink is linked word document to container app. \objdata : OLE1.0NativeStream OLE1.0NativeStream

RTF – Object Linking and Embedding CVE-2015-2424: Embedded code inside OLE object

RTF – File Parsing and Inspection in Static Analysis Engine Inspect file for OLE objects \object..\objemb \object..\objautlink Word.document.8 Word.document.12 OLE Packages Extract OLE1.0NativeStream Data Extract OLE2.0 Compound Doc. Check and Extract OOXML Documents MS-CFB Analyzer Parse CDF extract Storage and object streams Extract OLE packages OOXML Analyzer Scan embedded ActiveX control for indicators Other control words with data streams Analyze streams for malicious indicators ( Shellcodes , extract Scripts, executables etc. - further analysis ) Extract Overlay Data

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

Office Open XML – COM Object Loading Multi COM loading ( Windows mitigations bypass ) Critical to inspect ActiveX objects load mechanism on OOXML Classic method used in many exploits for manipulating process heap

Exploitation strategies: Load single COM object several times Load fake objects using non existent CLSIDs RTF as a container for OOXML exploits: Bypass Windows mitigations CVE-2017-11826 loading non-existing CLSID

Office Open XML – Scan OLE Object streams Static Analysis Critical to scan object streams for possible signs of code /activeX , /Embeddings directory should be analyzed. OLE object : OLE2.0 format. Parse and extract storage / object streams CVE-2017-11826 : Code embedded in OLE object stream

Office Open XML – Scan OLE Object streams CVE-2015-1641 / CVE-2017-11826 Static Analysis Critical to scan object streams for supplemental techniques as well. Sledges , ROP chains etc.

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

Microsoft Compound Binary File Format Structured Storage Format Hierarchical Data in the form of Storage and object streams File directory sectors contains info about storage and stream objects Specific interest : ObjectPool storage: stores OLE object ObjInfo + OCXDATA Important to inspect all stream objects _VBA Storage object : Macro code

MS-CFB : Parse and extract storage streams Static Analysis Extract all storage and stream objects Useful to scan all the streams ( OCXDATA in particular ) CVE-2018-4878: Malicious “Contents” object stream

MS-CFB : Parse and extract storage streams Code found in “Powerpoint Document” stream object

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

VB Macro Code Analysis Engine Storage MS-CFB : Macros ( Storage object )  _VBA (Storage object ) /VBA/_VBA_PROJECT, /VBA/dir/ and other streams contains code OOXML : vbaproject.bin – again OLE format as above Analysis Supervised learning : Multiple methods tested : Random Forest, KNN.. Decision tree found working well Positive Negative True 96 % 3% False 0.5 % 0.5%

Partial Decision Tree plot

Agenda MS Office threat landscape Vulnerabilities exploited Static analysis methods for generic detection Rich Text Format Office OpenXML Microsoft Compound Binary File Supervised Learning For Macro classification Implementation of Engine Initial Results

High Level View

Initial Results - Exploits used in Targeted Attacks Exploit type Type Total Exploits Detected Not Detected Detection CVE-2012-0158 Mixed (Targeted attacks and variants) 2000 1809 191 90.4% CVE 2013-3906 150 100% CVE 2014-1761 Exploits used in targeted attacks 35 29 6 83% CVE 2015-1641 CVE-2015-2424 CVE-2015-6172 Exploits used in targeted attacks and variants 138 12 92% CVE 2016-4117 87 77 10 88.5% CVE-2017-11882 50 48 2 96% CVE 2018-4878 CVE-2018-15982 30 27 3 90%

Questions ???