2013-08-20 04:11 PM
Hi all,
I am putting together some procedures for detecting a malicious PDF using Netwitness.
So far I have gathered that it is fairly easy to search sessions for common indicators such as embedded JavaScript, Flash and actions such as OpenAction or /URI.
I am aware however that the PDF standard makes it very easy to obfuscate malicious content embedded in PDFs, particularly via the following methods:
I am finding it difficult to work out a way (other than manual investigation) that NW can be used to automate the process of detecting malicious PDFs using drills and searches, and I was just wondering if anyone had any experience using Netwitness to detect malicious PDFs or any ideas how to overcome common obfuscation attempts?
Thanks in advance!
2013-08-22 05:02 PM
Kit - I think this is best achieved by using the malware analysis module in the product. Here is a response from one of the engineers:
This is really the intended purpose of the RSA Malware Analysis module. It will perform a much deeper inspection of the PDF file contents than what can be achieved natively in core product.
The RSA Malware Analysis module will fully decode PDFs and assess the likelihood that the sample is malicious using the following four scoring methodologies:
1. Static Analysis
PDFs are fully decoded and inspected to statically analyze the sample for malice. This inspection includes, but is not limited to the following:
2. Dynamic Analysis
Running the samples in a sandbox environment and scoring their behavior.
3. Community Awareness
Reviewing existing knowledge of the sample from A/V providers, etc.
4. Session Analysis
Reviewing the network session to identify known blacklisted sites, threat feeds, etc.
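As an added illustration of both the question (indicator searches defeated by PDF obfuscation) and the "fully decoded" static analysis the engineer describes, here is a small Python scanner that is not code from the thread, from Netwitness or from RSA. It un-escapes hex-encoded PDF names (/#4AavaScript) and inflates /FlateDecode streams before counting the indicators the thread mentions; the constructed sample PDF is harmless, and the indicator names beyond those in the thread (/AA, /Launch, /RichMedia, /EmbeddedFile) are my assumption.

```python
import re
import zlib

# Indicator names from the thread (JavaScript, OpenAction, /URI, Flash via
# /RichMedia) plus a few neighbours analysts usually pair with them (assumed).
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/URI",
              b"/Launch", b"/RichMedia", b"/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex-escapes, e.g. /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated bytes of every stream to the document (one level
    only: streams nested inside inflated data are not re-inflated)."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the trailing EOL before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (another filter) or truncated: keep raw only
    return b"\n".join(parts)

def scan_pdf(data: bytes, decode: bool = True) -> dict:
    """Count indicator names. decode=False is the naive raw-byte search the
    question describes; decode=True un-escapes names and inflates streams."""
    text = normalize_names(inflate_streams(data)) if decode else data
    counts = {}
    for name in INDICATORS:
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if hits:
            counts[name.decode()] = hits
    return counts

def build_sample() -> bytes:
    """Constructed, harmless sample: /OpenAction hidden by a name escape, and
    a /JavaScript action dictionary visible only inside a FlateDecode stream."""
    inner = b"<< /S /#4AavaScript /JS (x) >>"
    body = zlib.compress(inner)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /#4FpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print("raw search:    ", scan_pdf(build_sample(), decode=False))
    print("decoded search:", scan_pdf(build_sample()))
```

The raw search finds nothing in the sample, while the decoded search reports /OpenAction, /JavaScript and /JS, which is the gap between a plain session content search and the decode-then-inspect approach.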