How fast fingerprinting of OLE2 files can lead to efficient malware detection

Filed Under: Malware, SophosLabs

[Photo: Baccas and Edwards presenting at VB 2011]

At last week's Virus Bulletin 2011 conference Paul Baccas and Stephen Edwards from SophosLabs presented their research paper "Fast fingerprinting of OLE2 files: Heuristics for detection of exploited OLE2 files based on specification non-conformance".

They may win the prize for the longest title, but what does it mean? OLE2 is a container format synonymous with Microsoft Office files, although it is used for many other purposes.

Baccas and Edwards did an analysis of both clean and malicious OLE2 files to determine whether conformance to the official specifications for the OLE2 format could be used as a heuristic to discern between benign and malicious files.

They pointed out many poorly defined parts of the specification, injecting a bit of humour along the way, a welcome change at a serious conference like VB.

[Slide: Fast Fingerprint title slide]

Their conclusion? Using heuristics to classify OLE2 files that are more likely to be malicious based on non-conformance is a useful tool for grouping samples to decide which ones deserve deeper inspection.

Microsoft Excel files in particular showed promise, as over 96% of files provide the required information within the first 8KB, which is often less data than anti-virus engines already parse to determine whether macros are present.
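To make the heuristic concrete, here is an added example (not code from the paper or from SophosLabs) that checks a 512-byte OLE2 header against the field values the public MS-CFB specification mandates and reports each deviation; the sample headers are constructed, and the set of checks is an assumption about which fields a fingerprinter would test first.

```python
import struct

# Header field constants taken from the public MS-CFB specification.
CFB_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HEADER_FMT = "<HHHHH6sIIIII"          # bytes 24..60 of the 512-byte header
FIELDS = ("minor", "major", "byte_order", "sector_shift", "mini_shift",
          "reserved", "dir_sectors", "fat_sectors", "first_dir", "txn_sig",
          "mini_cutoff")

def ole2_header_findings(data: bytes) -> list:
    """Return spec non-conformance findings; an empty list means conformant."""
    if len(data) < 512:
        return ["truncated: header shorter than 512 bytes"]
    hdr = data[:512]
    f = dict(zip(FIELDS, struct.unpack(HEADER_FMT, hdr[24:60])))
    findings = []
    if hdr[:8] != CFB_SIGNATURE:
        findings.append("bad signature")
    if hdr[8:24] != bytes(16):
        findings.append("header CLSID not zero")
    if f["minor"] != 0x003E:
        findings.append("minor version not 0x003E")
    if f["major"] not in (3, 4):
        findings.append("major version not 3 or 4")
    if f["byte_order"] != 0xFFFE:
        findings.append("byte order not little-endian marker 0xFFFE")
    if f["sector_shift"] != {3: 9, 4: 12}.get(f["major"]):
        findings.append("sector shift inconsistent with major version")
    if f["mini_shift"] != 6:
        findings.append("mini sector shift not 6")
    if f["reserved"] != bytes(6):
        findings.append("reserved bytes not zero")
    if f["major"] == 3 and f["dir_sectors"] != 0:
        findings.append("directory sector count must be 0 for version 3")
    if f["mini_cutoff"] != 0x1000:
        findings.append("mini stream cutoff not 0x1000")
    return findings

def build_header(**overrides) -> bytes:
    """Constructed sample: minimal version 3 header; overrides inject defects."""
    f = dict(minor=0x3E, major=3, byte_order=0xFFFE, sector_shift=9, mini_shift=6,
             reserved=bytes(6), dir_sectors=0, fat_sectors=1, first_dir=1,
             txn_sig=0, mini_cutoff=0x1000)
    f.update(overrides)
    body = struct.pack(HEADER_FMT, *(f[k] for k in FIELDS))
    tail = struct.pack("<IIII", 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)  # no mini FAT, no DIFAT sectors
    difat = struct.pack("<I", 0) + b"\xff" * (108 * 4)        # FAT at sector 0, rest FREESECT
    return CFB_SIGNATURE + bytes(16) + body + tail + difat
```

A file that returns several findings is not thereby malicious; as in the paper, the list is a triage signal that decides which samples get a full parse.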

In addition to their results, their paper includes source code demonstrating the techniques used to conduct the research, which should prove helpful to others tasked with efficiently detecting malicious OLE2 files.

Thank you to Virus Bulletin for granting us permission to share the paper and slides.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.