While it is far from a new attack vector, it is still very common to see malware attack through code embedded in Office documents (VBA macros) or PDF files (JavaScript). These attacks evade simple detection engines like IPS or AV by obfuscating and randomizing this malicious code. I will show how to extract and automate analysis of this type of code to determine if randomized code has been hidden inside. Finally, by further exploring the mathematical principles of information theory, I will show how to defeat my own detection by using a more advanced randomization process.
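The detection side of the abstract, as an added example that is not the speaker's own tooling: a scorer that pulls identifier names out of a VBA macro and measures, in bits per character, how expensive each name is to encode under a letter-frequency model learned from readable identifiers. Raw Shannon entropy is a poor fit for short names (an eight-letter readable name and an eight-letter random one both have near-maximal entropy), so the score is cross-entropy against a reference distribution instead. The reference vocabulary, the two macro samples, the keyword list and the 5.5-bit threshold are all constructed for the example; a deployment would learn the model from a corpus of benign macros.

```python
import math
import re
from collections import Counter

# Constructed reference vocabulary of readable identifier fragments (assumption:
# a stand-in for a model learned from a corpus of benign macros).
REFERENCE_WORDS = (
    "file path name data count index value result string open read write "
    "print close document text temp report user input output buffer length "
    "size total item list object sheet range cell sub function end dim"
).split()

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# VBA keywords are skipped: an obfuscator cannot rename them, so they carry no signal.
VBA_KEYWORDS = {
    "sub", "end", "function", "dim", "as", "string", "integer", "long", "open",
    "for", "output", "input", "print", "close", "if", "then", "else", "set",
    "call", "true", "false", "private", "public",
}

# Constructed sample: a macro with readable names (benign-looking on this measure).
CLEAN_MACRO = '''
Sub AutoOpen()
    Dim filePath As String
    filePath = Environ("TEMP") & "\\\\report.txt"
    Open filePath For Output As #1
    Print #1, "hello"
    Close #1
End Sub
'''

# Constructed sample: the same macro after identifier randomization.
OBFUSCATED_MACRO = '''
Sub AutoOpen()
    Dim qXz9pLw As String
    qXz9pLw = Environ("TEMP") & "\\\\kJ3mVb8t.txt"
    Open qXz9pLw For Output As #1
    Print #1, "hello"
    Close #1
End Sub
'''


def build_reference_model(words):
    """Add-one smoothed unigram distribution over ALPHABET, learned from `words`."""
    counts = Counter(ch for w in words for ch in w.lower() if ch in ALPHABET)
    total = sum(counts.values()) + len(ALPHABET)
    return {ch: (counts[ch] + 1) / total for ch in ALPHABET}


REFERENCE_MODEL = build_reference_model(REFERENCE_WORDS)


def cross_entropy_bits(identifier, model=REFERENCE_MODEL):
    """Mean -log2 p(c) per character of `identifier` under the reference model.

    Readable names are cheap to encode; strings of rare letters and digits
    (the usual output of a random name generator) are expensive.
    """
    chars = [c for c in identifier.lower() if c in model]
    if not chars:
        return 0.0
    return sum(-math.log2(model[c]) for c in chars) / len(chars)


def extract_identifiers(macro_text):
    """Identifier tokens in VBA source, ignoring string literals, comments and keywords."""
    no_strings = re.sub(r'"[^"\n]*"', '""', macro_text)
    no_comments = re.sub(r"'[^\n]*", "", no_strings)
    tokens = re.findall(r"\b[A-Za-z_][A-Za-z0-9_]*\b", no_comments)
    seen = []
    for tok in tokens:
        if tok.lower() not in VBA_KEYWORDS and tok not in seen:
            seen.append(tok)
    return seen


def flag_randomized_identifiers(macro_text, threshold_bits=5.5):
    """(identifier, bits/char) pairs whose encoding cost exceeds the threshold."""
    flagged = []
    for ident in extract_identifiers(macro_text):
        score = cross_entropy_bits(ident)
        if score > threshold_bits:
            flagged.append((ident, round(score, 2)))
    return flagged


if __name__ == "__main__":
    for label, macro in (("clean", CLEAN_MACRO), ("obfuscated", OBFUSCATED_MACRO)):
        print(label, [(i, round(cross_entropy_bits(i), 2)) for i in extract_identifiers(macro)])
        print("  flagged:", flag_randomized_identifiers(macro))
```

The threshold is a tuning knob, not a constant: set it from the score distribution of a benign corpus and treat a single high-scoring name as weak evidence, a whole macro of them as strong evidence. As the abstract's closing point implies, the measure only sees the letter distribution, so it is a first filter to be paired with the behavioural checks the rest of a pipeline applies.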
Adam Hogan is a Consulting Security Engineer with Cisco’s Advanced Threat Solutions team. He began his career in security with the open source community and has been working with Snort and Clam ever since. He enjoys researching malware and how to stop it. His graduate studies are in economics, but it turns out that wasn’t nearly as fun as security. Adam lives in Columbus, Ohio.
Copyright 2020, IronGeek