Analysis of Maximum Executable Length for Detecting Text-based Malware

The possibility of using purely text stream (keyboard-enterable) as carrier of malware is under-researched and often underestimated. A text attack can happen at multiple levels, from code-injection attacks at the top level to host-compromising text-based machine code at the lowest level. Since a large number of protocols are text-based, at times the servers based on those protocols use ASCII filters to allow text input only. However simply applying ASCII filters to weed out the binary data is not enough from the security viewpoint since the assumption that malware are always binary is false. We show that although text is a subset of binary, binary malware detectors cannot always detect text malware. We analyze the MEL (Maximum Executable Length)-based detection schemes, and make two contributions by this analysis. First, although the concept of MEL has been used in various detection schemes earlier, we are the first to provide its underlying mathematical foundation. We show that the threshold value can be calculated from the input character frequencies and that it can be tuned to control the detection sensitivity Second, we demonstrate the effectiveness of a MEL-based text malware detector by exploiting the specific properties of text streams.