Static analysis methods for detection of Microsoft Office exploits

Presented at VB2019, Oct. 2, 2019, 4:30 p.m. (30 minutes).

Despite the recent advances in exploitation strategies and exploit mitigation techniques, fundamental infection vectors still remain the same. It is critical to advance security solutions to inspect the new and known infection vectors to be able to successfully mitigate targeted attacks. Apparently, the use of lure documents has become one of the most favoured attack strategies for infiltrating target organizations. Recently, some of the most high impact attacks using this conventional technique were uncovered by the security community. In this talk, we present one of the exploit detection tools that we built for a similar purpose. This detection engine employs multiple binary stream analysis techniques for flagging malicious *Office* documents, supporting static analysis of RTF, Office Open XML and Compound Binary File format [MS-CFB]. The use, by attackers, of lure weaponized documents necessitates deeper inspection of these file formats at the perimeter. Object Linking and Embedding expose a rich attack surface which had been abused by attackers over the past few years to hide malicious resources. For instance, OOXML files can be used to load the OLE controls which can eventually facilitate Remote Code Execution. Our proposed detection tool is built to extract embedded storage streams, OLE objects, etc. and apply binary stream analysis techniques over it, in addition to inspecting specific file sections and analysing embedded scripts, to identify malicious code. This detection tool had been tested over a wide set of in-the-wild exploits and variants. The results will be shared at the end of the talk.

Presenters:

  • Chintan Shah - McAfee
    Chintan Shah Chintan Shah is currently working as a lead researcher with the McAfee Intrusion Prevention System team and has over 13 years of experience in the network security industry. He primarily focuses on exploit and vulnerability research, malicious network traffic analysis, building threat intelligence frameworks, reverse engineering techniques and malware analysis. Chintan holds a patent in malicious command-and-control traffic detection and has uncovered multiple targeted and espionage attacks in the past, blogging about them as well. His interests lie in software fuzzing for vulnerability discovery, analysing exploits and translating to product improvement.

Links:

Similar Presentations: