
Dynamic detection of shell code in electronic documents


Slides from PHDays 2013 (
The past few years show frequent use of e-mail messages with electronic documents containing exploits. Attackers use this technique to enlarge botnets or to spy on the industrial secrets of an organization. The report will describe dynamic detection of shellcode in electronic documents without signature analysis to enhance security of employees engaged in document flow. A zero-day vulnerability detected in Yandex.Browser will be used to demonstrate how the software use can decrease incident response time spent by the information security service of a company.



  1. First of all: I'm sorry for my English...
  2. WHOAMI: many people know me from this image
  3. WHOAMI_2
     Markov Pavel: found a zero-day in Windows (execute arbitrary code by manipulating folder settings). Just a developer.
     Agievich Igor: found vulnerabilities in Outpost Security Suite (2012), VirtualBox (2011), vBulletin (2005-2006). Not even a developer :)
  4. Actually, we are trying to create a fuzzer... Yet another bicycle?
  5. Our goals
     We want to fuzz the file types used in our company. But actually any file type can be fuzzed with our fuzzer, depending on how much you know about the specific file format (that's how we've found a bug in Yandex browser).
  6. Our own fuzzing: how does it work?
     It's client-server based software. Basically it consists of:
     - Generator (one or more)
     - Clients for testing generated samples (one or more). At the moment of development they could only detect exceptions. They use IDebugClient with a Python wrapper (allows faster development than using the Debug API directly).
     In addition we found out: this approach also helps to find shellcode in electronic documents.
  7. Our own fuzzing: how does it work?
  8. Let's use a new source for testing our fuzzing
     We tried using a real file from some received email and we found... Exceptions! It was CVE-2012-0158 (.rtf). Then we uploaded this file to Virtest, which returned:
  9. Let's try to play with the exploit
     Original file from email (on the left) and modified file, still working (on the right)
  10. What can shellcode do?
     It has functions for download and/or execution.
  11. We can find suspicious workflow
     Which workflow is suspicious depends on the tested software. For example, creation of a new process is:
     - suspicious for: Word 2003, Internet Explorer 6, Adobe Reader 8
     - not suspicious for: Google Chrome, Adobe Reader 11, Internet Explorer 8-9
  12. Our soft in action. Full video:
  13. And a good marksman may miss
     Does Yandex know about fuzzing? I think they do... But we've found a new bug anyway!
  14. Our results
     We tested our program on:
     - > 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit Reader 3-6, Google Chrome, Yandex.Browser)
     - > 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003, 2007, LibreOffice 4.0)
     - OS: Win XP, Win 7
     We've found:
     - Some APT attacks with some known CVEs (CVE-2012-0158 and some else) for MS Word 2003, 2007
     - A bug in Yandex.Browser (fixed in the latest version)
  15. Any questions?
     If you have got any questions in English, please wait until I am drunk and my English speaking skills are leveled up :)
     Anyway, you can contact me on the Internet: @shanker_sec
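The verdict logic of slides 6 and 11 (the debugger client records exceptions and process creation; whether a new process is suspicious depends on which viewer opened the sample), as an added example that is not the authors' code. The event dictionary layout, the `evaluate_trace` function and the sample traces are assumptions constructed for illustration.

```python
# Added example, not code from the PHDays slides: apply a per-application
# policy to an event trace recorded while a document sample was open.
# Event layout and sample traces are constructed assumptions.
from dataclasses import dataclass, field

# Slide 11: creating a new process is suspicious only for single-process
# viewers; multi-process or sandboxed ones spawn children as normal operation.
PROCESS_CREATION_SUSPICIOUS = {
    "Word 2003": True, "Internet Explorer 6": True, "Adobe Reader 8": True,
    "Google Chrome": False, "Adobe Reader 11": False, "Internet Explorer 8-9": False,
}


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def evaluate_trace(software, events):
    """Classify one monitored document session.

    events: dicts recorded by the debugger client, e.g.
      {"kind": "exception", "code": 0xC0000005, "first_chance": False}
      {"kind": "process_create", "image": "..."}
    Only second-chance (unhandled) exceptions count: first-chance ones are
    routinely handled by the viewer itself and would flood the results.
    """
    if software not in PROCESS_CREATION_SUSPICIOUS:
        raise ValueError(f"no policy defined for {software!r}")
    verdict = Verdict()
    for ev in events:
        if ev["kind"] == "exception" and not ev.get("first_chance", True):
            verdict.reasons.append(f"unhandled exception 0x{ev['code']:08X}")
        elif ev["kind"] == "process_create" and PROCESS_CREATION_SUSPICIOUS[software]:
            verdict.reasons.append(f"new process: {ev['image']}")
    verdict.suspicious = bool(verdict.reasons)
    return verdict


# Constructed sample traces (not captured data).
RTF_IN_WORD_2003 = [
    {"kind": "exception", "code": 0xC0000005, "first_chance": True},
    {"kind": "process_create", "image": "<dropped-binary-placeholder>.exe"},
]
PDF_IN_CHROME = [  # Chrome starts a renderer for every tab; that is normal.
    {"kind": "process_create", "image": "chrome.exe"},
]

if __name__ == "__main__":
    for sw, trace in [("Word 2003", RTF_IN_WORD_2003), ("Google Chrome", PDF_IN_CHROME)]:
        v = evaluate_trace(sw, trace)
        print(sw, "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

The same trace is judged differently per viewer, which is the point of the slide: a process-creation rule that fires on Word 2003 must be switched off for multi-process browsers or it produces constant false positives.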