O-checker: Detection of Malicious Documents Through Deviation from File Format Specifications

Black Hat USA 2016

Presented by: Yuhei Otsubo
Date: Thursday August 04, 2016
Time: 11:00 - 11:25
Location: Jasmine Ballroom

Documents containing executable files are often used in targeted email attacks in Japan. We examine various document formats (Rich Text Format, Compound File Binary and Portable Document Format) for files used in targeted attacks from 2009 to 2012 in Japan. Almost all the examined document files contain executable files that ignore the document file format specifications. Therefore, we focus on deviations from file format specifications and examine stealth techniques for hiding executable files. We classify eight anomalous structures and create a tool named o-checker to detect them. O-checker detects 96.1% of the malicious files used in targeted email attacks in 2013 and 2014. There are far fewer stealth techniques than vulnerabilities of document processors. Additionally, document file formats are more stable than document processors themselves. Accordingly, we assert that o-checker can continue detecting malware with a high detection rate for long periods.
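The abstract describes the approach but not the eight anomalous structures themselves, so the following is an added illustration of the idea, not o-checker's code: a small checker that flags two structural deviations chosen here as assumptions (bytes after the final `%%EOF` of a PDF, bytes after the closing brace of an RTF root group) and, independently of format, the presence of a raw MZ/PE header inside the document. The sample documents and the fake PE header are constructed inline for the demonstration.

```python
import re
import struct

# --- constructed fixtures (not real malware samples) ---------------------
# A 68-byte stand-in for an executable: "MZ" header, e_lfanew = 0x40, "PE\0\0".
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"

CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n"
    b"%%EOF\n"
)
# Deviation: payload appended after the final %%EOF, outside any PDF object.
SUSPECT_PDF = CLEAN_PDF + FAKE_PE

CLEAN_RTF = b"{\\rtf1\\ansi Hello}"
# Deviation: payload after the root group; an RTF reader ignores it, a dropper does not.
SUSPECT_RTF = CLEAN_RTF + FAKE_PE


def find_embedded_pe(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        # Plausible e_lfanew values are small; this filters random "MZ" byte pairs.
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def pdf_trailing_bytes(data: bytes) -> int:
    """Non-whitespace bytes after the last %%EOF marker; -1 if there is no marker.

    Incremental updates legitimately produce several %%EOF markers, so only the
    last one matters; the specification allows nothing but an EOL after it.
    """
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return -1
    tail = data[idx + len(b"%%EOF"):]
    return len(tail.strip(b"\r\n\t "))


def rtf_trailing_bytes(data: bytes) -> int:
    """Non-whitespace bytes after the brace that closes the RTF root group."""
    last = data.rfind(b"}")
    if last < 0:
        return -1
    return len(data[last + 1:].strip(b"\r\n\t "))


def check_document(data: bytes) -> list:
    """Return a list of human-readable deviations; an empty list means none found."""
    findings = []
    if data.startswith(b"%PDF-"):
        extra = pdf_trailing_bytes(data)
        if extra < 0:
            findings.append("pdf: no %%EOF marker")
        elif extra > 0:
            findings.append(f"pdf: {extra} bytes after final %%EOF")
    elif data.startswith(b"{\\rtf"):
        extra = rtf_trailing_bytes(data)
        if extra < 0:
            findings.append("rtf: root group never closed")
        elif extra > 0:
            findings.append(f"rtf: {extra} bytes after root group")
    else:
        findings.append("unknown container format")
    for off in find_embedded_pe(data):
        findings.append(f"embedded PE header at offset {off:#x}")
    return findings


if __name__ == "__main__":
    for name, doc in [("clean.pdf", CLEAN_PDF), ("suspect.pdf", SUSPECT_PDF),
                      ("clean.rtf", CLEAN_RTF), ("suspect.rtf", SUSPECT_RTF)]:
        print(name, check_document(doc) or "ok")
```

The two structural checks work without a content signature: they fire because the bytes sit where the format specification says nothing may be, which is the property the abstract relies on for durability. The raw MZ/PE scan is deliberately separate, since a payload stored in an encoded form (for example hex text inside an RTF object) would only be caught after decoding that form, which a full format parser would have to do.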

Yuhei Otsubo

Yuhei Otsubo became interested in programming around 1987. He currently works at the National Police Agency Information Communication Division Information Technology Analysis Division in Japan.
