O-checker: Detection of Malicious Documents Through Deviation from File Format Specifications

Presented at Black Hat USA 2016, Aug. 4, 2016, 11 a.m. (25 minutes).

Documents containing executable files are often used in targeted email attacks in Japan. We examine various document formats (Rich Text Format, Compound File Binary and Portable Document Format) for files used in targeted attacks from 2009 to 2012 in Japan. Almost all the examined document files contain executable files that ignore the document file format specifications. Therefore, we focus on deviations from file format specifications and examine stealth techniques for hiding executable files. We classify eight anomalous structures and create a tool named o-checker to detect them. O-checker detects 96.1% of the malicious files used in targeted email attacks in 2013 and 2014. There are far fewer stealth techniques than vulnerabilities of document processors. Additionally, document file formats are more stable than document processors themselves. Accordingly, we assert that o-checker can continue detecting malware with a high detection rate for long periods.


Presenters:

  • Yuhei Otsubo - National Police Agency, Japan
    Yuhei Otsubo became interested in programming around 1987. He currently works at the National Police Agency Information Communication Division Information Technology Analysis Division in Japan.

Links:

Similar Presentations: