Make "Invisible" Visible: Case Studies in PDF Malware

Speech transcript (automated media analysis, beta)
we know that the model always to have images of all malicious behavior and the change which you music so as last year we have to making we will review and today I would like to share some of the of molecules start with something we and many stations on the sea near Earth literacy initiatives and so the way talk about the there I would have to give a brief introduction about so much less so much slightly so 1 of the primary active so for us here would have made when 1 of the those of people to define the detection and then would do the cut various research and we do that the data analysis and above all we provide light detection and and just for all customers around the world so you might ask me a question the grass seed arguement round-the-clock 24 hours the answer is no we don't see of course antigen but there sort but it he
was that would have of around the different kinds of uh so foresees based on his head coaching Oxford UK and also would have office here in Budapest and they will have more freezing kind India and and Australia that's why we can walk around the clock and then we have we 100 and 200 and universes then is to develop rules should recover this threat research response system development Advanced Research and the detection so yeah then if for any any of your interest in in my research development you're welcome to contact us as so for Stockholm OK so this is
an agenda going to talk about is the introduction about that you have and the those guys are cut of fast and then what's the structure the flower and then I will discuss some case studies which included PDF with a URI URI or in which publicly the efficient and not media companies and the 2nd 1 is about of those guys this PDF to 2 . 0 6 with this and the that always is about you know PDF embedded in another another PDF file and each each case will follow by the demo and so why do get that
problem together crossed ever use that and so on you will used to give every day and is very popular and also because of is independent of operating system and applied for and there you go mate PDF from your friend you you box you feel that is less efficient than x and they all also because the likely Acrobat PDF reader has most of what achieved that and so that's you know lots of loss to mall writers because it is flexible to talk to the PDF reader so those are the 2 key reasons why that country
and even though will use PDF everyday but you might not have chased no the structure of D of what is just is just have like you know we I cast but you don't need you don't have to know that the engine what he's what he's under the bonnet so saying here
to their other because have to give some basic information about putative structure which basically PDF has 4 sections which is simple and then followed by the body section which is a group role for objects stored in a random order and then followed by the cross-reference table and that is that's leader so
we can see that it had a question which only has a communicative model presented to different age but the version number is quite simple and and this is
the main part which is the Board's section which the connection funeral people objects stored in the optical order so the object can be any number of types the air a dictionary and a number of genes so and also people don't like to use a different future due to a a compressed or encoded data so to make that signal and less readable this is especially common in PD Mahler so the uh the thought
of such a across levels table this is really important because this table will tell you about the offset of each object that's why the objects are stored in a random order but because he he's across reference table you know the of the ship object and so receive the index table yet and also as you can see that the 1st quarter of the 1st column is that there is the offset of that particular object from the beginning of and the 2nd 1 is the generation number to the fruits of the the the peer follows just erased it has no modification the generation number would start from there and then in the cross reference table the 1st entry always you know Europe started with offset 0 and the reason really future-generation number so we can ignore that and understand quantity which has therefore ends and means this object is you use and that means this object is everywhere here not you saute days in
last section which will tell you the size of the how how many objects in the PDF file and and through the root object were to start and then it's the different has been modified for each you have know slash URIs which to the period so the cross-reference table offset and and you will see this that acts that are yet to see the Q water and the you know that you what you will see that offset which is also 2 of the cost of unstable and and this is the end of March this that was the case
studies the 1st line simple
is the PDF file which you know the 2 size a single case file and then it has been unless you have a text and it contains a data to your I always share points to somewhere malicious and of promotion website and there we notice that there always those kind of popular does an efficient that 1st Armenia patterns and logistic companies like FedEx Romeo so let's take a look at some examples so we can see that you want go to 3 sentences and you have a name that in the in the middle and the free movement the users and the shortening which is different and that is that we're learning from point to point to the promoter of several hallmark so another 1 and then so if you could take the
name each for the PDF for readable will pops up a warning when the saying that there are going to another student proceed Roy and also you have a check to say OK you want me to remember this action that can watch the store blacklist distinct so uh yeah if you if you click and large during open abroad and adjusting the direct you to go to the side so you might be wondering who was going to make this figure far and wide is going to have to consider the fissioning the PDF of the kind just in can just condemn the fissioning in the mirror and these of course never thought of the the the reason I'm going I asked this question so if someone condensate allowed and proceed each were you know in this case is just another of nodes somewhat which contain summer and some of that experience so you can see that it we met we managed to this that and this has led to divide and that is that the snow this kind of name The only exists in way so serious so we often will not generate chihuahuas half knowledge about that existing more so if you're lucky you can you know you don't understand so that would be just you know we just ask why those concentrations the fissioning canopied involved you can just put the text of multiple do that but the problem is that this probability inefficient because in the universe in which the difference in our here in the middle you haven't had information you have the you deny I should really and you have more information so it's easier for them you know I'm very around to other detection to broke this is this confusion because you have less than a false positive but in the PDF example because you know you only have full text and the you with fissioning and is hard to minus of what was to run forced perspective so you have to keep doing this for support rebuild and that is the challenge that's why there just put in the deficient the in the PDF file and would also because the PDF file into the into the mirror so be careful so that the main point is to know 
for the fact that we tend to go amour to the promoter upset OK they say you have a look
at the this notice this simple them all and thank you this is a member 4
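The PDF layout the speaker walks through (header, body of numbered objects, cross-reference table with offset, generation number and n/f flag, trailer with /Size, /Root and startxref), carried through as an added example that is not code from the talk or its author: a constructed minimal PDF is built in memory, its xref table is parsed, each in-use object is read at its recorded offset and checked, and any /URI action, the lure of the first case study, is reported. The sample file and its URL are constructed; the parser handles classic xref tables only, not xref streams.

```python
import re

# Constructed minimal PDF (an added sample, not a file from the talk) whose
# catalog /OpenAction is a /URI action, the lure the first case study describes.
def build_sample_pdf(url: str) -> bytes:
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
            b"<< /Type /Action /S /URI /URI (" + url.encode() + b") >>"]
    out, offsets = b"%PDF-1.4\n", []                       # 1. header
    for n, body in enumerate(objs, start=1):               # 2. body: numbered objects
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref_pos = len(out)                                    # 3. cross-reference table
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:                                    # offset, generation, in use
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)                           # 4. trailer
    return out

def parse_xref(pdf: bytes) -> dict:
    """Follow startxref to the xref table; return {num: (offset, generation, in_use)}."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", pdf)
    if not m or pdf[int(m.group(1)):int(m.group(1)) + 4] != b"xref":
        raise ValueError("startxref missing or not pointing at an xref table")
    cursor, table = int(m.group(1)) + 4, {}
    while hdr := re.match(rb"\s*(\d+)\s+(\d+)\s", pdf[cursor:]):   # subsections
        first, count = int(hdr.group(1)), int(hdr.group(2))
        cursor += hdr.end()
        for i in range(count):                             # fixed 20-byte entries
            e = pdf[cursor:cursor + 20]
            table[first + i] = (int(e[:10]), int(e[11:16]), e[17:18] == b"n")
            cursor += 20
    return table

def find_uri_actions(pdf: bytes) -> list:
    """Read each in-use object via its xref offset and collect /URI action targets."""
    found = []
    for num, (off, gen, in_use) in sorted(parse_xref(pdf).items()):
        if not in_use:
            continue
        obj = pdf[off:pdf.find(b"endobj", off)]
        if not obj.startswith(b"%d %d obj" % (num, gen)):  # offset must land on its object
            raise ValueError("xref offset for object %d is wrong" % num)
        if m := re.search(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", obj, re.S):
            found.append((num, m.group(1).decode("latin-1")))
    return found
```

An xref entry whose offset does not land on the object it claims to describe is itself worth flagging, since readers tolerate such files while naive scanners that trust the table miss the object.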
Metadata

Formal metadata

Title Make "Invisible" Visible: Case Studies in PDF Malware
Series title Hacktivity 2015
Part 18
Number of parts 29
Author Zhang, Jason
License CC Attribution 3.0 Germany:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided you credit the author/rights holder in the manner they have specified.
DOI 10.5446/18837
Publisher Hacktivity
Publication year 2015
Language English

Technical metadata

Duration 43:41

Content metadata

Subject area Computer science
Abstract Due to the popularity of the portable document format (PDF), malware writers continue to use it to deliver malware via web downloads, email attachments and other infection vectors in both targeted and non-targeted attacks. It is known that PDF attackers can break detection by using polymorphic techniques to hide malicious code, randomizing JavaScript, obfuscating embedded shellcode or using cascading filters. Malware writers have always tried hard to develop new techniques to bypass detection. Some recent PDF attack campaigns we have seen are typical examples of such new endeavors from malware writers: a) Simple but effective URL aliasing technique to download malware. b) Using PDF to deliver specific topic related text content for search engine poisoning. c) Encapsulating PDF malware inside a PDF file to break detection. In this paper we will investigate the recent PDF malware campaigns using - and often abusing - these new techniques.