Overview
This 50-minute talk from Circle City Con 2015 explores hidden-code analysis for documents. It introduces entropy in the context of document malware: what it measures as a quantity of information, why that matters for detecting malicious content, and how it is calculated. The methodology covers processing code in bulk and computing its entropy, with a focus on malicious VBA and malware VBA. The talk then shows how entropy-based detection can be defeated and how hidden messages are decoded, using zero-order, first-order word, and second-order word models, and explains why English-language statistics matter for this analysis. Real-world examples of hidden code illustrate the problem, followed by strategies for catching such threats and staying a step ahead as they evolve.
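The entropy measurement the talk builds on, as an added worked example (not code from the talk or its speaker): zero-order Shannon entropy in bits per byte, the redundancy derived from it, and a crude threshold detector run over constructed samples. The sample macro, the base64-encoded copy, the English sentence and the 5.5-bit threshold are all assumptions made for this illustration; the threshold in particular is not a value the talk gives.

```python
"""Zero-order (byte-histogram) Shannon entropy and redundancy, applied to
constructed samples of macro text. Nothing here is taken from the talk."""
import base64
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Zero-order Shannon entropy in bits per byte: H = -sum p(x) * log2 p(x),
    with p(x) the relative frequency of byte value x in `data`.
    Ranges from 0.0 (one repeated byte) to 8.0 (all 256 values equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def redundancy(data: bytes, max_bits: float = 8.0) -> float:
    """Redundancy R = 1 - H / H_max, with H_max = log2(256) = 8 for raw bytes.
    Text and source code are highly redundant (R well above 0); compressed,
    encrypted or random data has R near 0."""
    return 1.0 - shannon_entropy(data) / max_bits


def looks_encoded(data: bytes, threshold: float = 5.5) -> bool:
    """Crude zero-order detector: flag a blob whose entropy exceeds `threshold`
    bits/byte. The 5.5 default is an assumed value for this example; a real
    deployment would tune it on a corpus of benign and malicious macros."""
    return shannon_entropy(data) > threshold


# Constructed sample: a harmless macro as it would appear in a document.
PLAIN_VBA = b"""Sub AutoOpen()
    Dim greeting As String
    greeting = "This macro only shows a message box when the document opens."
    MsgBox greeting, vbInformation, "Example"
End Sub
"""

# The same text base64-encoded, i.e. code carried as an opaque string.
# Encoding spreads the byte histogram, so the entropy rises.
BASE64_VBA = base64.b64encode(PLAIN_VBA)

# Sixteen copies of every byte value: a perfectly flat histogram, H == 8 bits.
UNIFORM_BYTES = bytes(range(256)) * 16

# Constructed English prose. Its entropy is comparable to the macro text and
# far below the threshold, which is exactly why a zero-order check cannot tell
# a genuine document apart from code dressed up as ordinary English words.
ENGLISH = (b"The quick brown fox jumps over the lazy dog while the committee "
           b"discusses the quarterly budget and the schedule for next year.")


def summary() -> dict:
    """Entropy, redundancy and verdict for each constructed sample."""
    samples = {"plain_vba": PLAIN_VBA, "base64_vba": BASE64_VBA,
               "uniform": UNIFORM_BYTES, "english": ENGLISH}
    return {name: (round(shannon_entropy(d), 3), round(redundancy(d), 3), looks_encoded(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, r, flagged) in summary().items():
        print(f"{name:12s} H={h:.3f} bits/byte  R={r:.3f}  flagged={flagged}")
```

Running the script shows the ordering the talk relies on, plain text below encoded text below uniform bytes, and also its limit: the English sample scores like the benign macro, so a detector that stops at zero-order byte statistics needs the higher-order word models the talk goes on to describe.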
Syllabus
Intro
OUTLINE
DOCUMENT MALWARE
WHAT IS THE VALUE OF INFORMATION?
MEASURING INFORMATION
WHAT IS ENTROPY?
CALCULATING ENTROPY
ENTROPY EXAMPLE
REDUNDANCY
METHODOLOGY
PROCESS CODE IN BULK
ENTROPY OF MALICIOUS VBA
ENTROPY OF MALWARE VBA
TWO STEPS FORWARD, ONE STEP BACK DEFEATING ENTROPY DETECTION
HOW DO WE DECODE?
ZERO ORDER
FIRST ORDER WORD
SECOND ORDER WORD
WHY ENGLISH?
ONE STEP AHEAD?
EXAMPLE 1
HOW TO CATCH?
EXAMPLE 2
NAMES