Bee Master: Detecting Host-Based Code Injection Attacks
  • Authors: Thomas Barabosch (16)
    Sebastian Eschweiler (16)
    Elmar Gerhards-Padilla (16)
  • Keywords: Host-Based Code Injection Attacks; Malware Detection; Computer Security
  • Journal: Lecture Notes in Computer Science
  • Year: 2014
  • Volume: 8550
  • Issue: 1
  • Pages: 235-254
  • Author affiliations: Thomas Barabosch (16)
    Sebastian Eschweiler (16)
    Elmar Gerhards-Padilla (16)

    16. Fraunhofer FKIE, Friedrich-Ebert-Allee 144, 53113 Bonn, Germany
  • ISSN: 1611-3349
Abstract
A technique commonly used by malware to hide on a targeted system is the host-based code injection attack. It allows malware to execute its code in a foreign process space, enabling it to operate covertly and to access critical information of other processes. Since there is a plethora of different ways to inject and execute code in a foreign process space, a generic approach spanning all of these possibilities is needed. Approaches that focus only on low-level operating system details (e.g. API hooking) do not suffice, because the set of suspicious APIs is constantly extended; such approaches are therefore prone to miss novel attacks. Furthermore, they require intimate knowledge of exactly one operating system. In this paper, we present Bee Master, a novel approach for detecting host-based code injection attacks. Bee Master applies the honeypot paradigm to OS processes and therefore does not rely on low-level OS details. The basic idea is to expose regular OS processes as decoys to malware. Our approach focuses on concepts, such as threads or memory pages, that are present in every modern operating system. Therefore, Bee Master does not suffer from the drawbacks of low-level OS-based approaches, and it allows OS-independent detection of host-based code injection attacks. To test the capabilities of our approach, we evaluated Bee Master qualitatively and quantitatively on Microsoft Windows and Linux. The results show that it achieves reliable and robust detection for various current malware families.
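The honeypot-process idea in the abstract, as an added illustration that is not Bee Master's own implementation: an idle decoy process is snapshotted once (its threads and its memory map), and any later difference is reported, since a decoy that does nothing cannot have caused it. The comparison uses only thread identity and region bounds/permissions, which is the OS-independent layer the abstract refers to. The decoy path `/opt/decoy/decoy`, the thread ids and the `/proc/<pid>/maps`-style text are all constructed for this example.

```python
# Added example (not the paper's code): a minimal decoy-process monitor.
# Baseline an idle decoy (threads + memory map) and report what appears later.
# Inputs below are constructed; on a live system they would come from the
# OS's thread and memory-region enumeration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str   # e.g. "r-xp", as in /proc/<pid>/maps
    path: str    # backing file, a pseudo-path like "[heap]", or "" if anonymous

    def is_executable(self):
        return "x" in self.perms

    def is_anonymous(self):
        # No backing file: mmap'd/VirtualAlloc'd memory, heap, stack.
        return self.path == "" or self.path.startswith("[")


@dataclass(frozen=True)
class Snapshot:
    threads: frozenset   # thread ids alive in the decoy
    regions: tuple       # Regions in address order


def parse_maps(text):
    """Parse /proc/<pid>/maps-style lines into Region objects."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        regions.append(Region(start, end, fields[1], path))
    return tuple(sorted(regions, key=lambda r: r.start))


def _overlapping(baseline, region):
    """Baseline regions with the same backing that share addresses with region
    (mprotect may split a region, so exact bounds cannot be relied on)."""
    return [b for b in baseline.regions
            if b.path == region.path and b.start < region.end and region.start < b.end]


def diff_snapshots(baseline, current):
    """Return (kind, detail) alerts for changes an idle decoy never causes itself."""
    alerts = []
    # 1. A thread the decoy did not create (remote thread, injected clone, ...).
    for tid in sorted(current.threads - baseline.threads):
        alerts.append(("new_thread", tid))
    # 2. Executable memory that was not executable at baseline.
    for r in current.regions:
        if not r.is_executable():
            continue
        overlaps = _overlapping(baseline, r)
        if not overlaps:
            # Fresh executable mapping: injected code if anonymous,
            # an unexpected module load if file-backed.
            kind = "exec_anon_region" if r.is_anonymous() else "new_module"
            alerts.append((kind, r))
        elif not any(b.is_executable() for b in overlaps):
            alerts.append(("region_made_executable", r))   # data re-protected rwx
    return alerts


# Constructed baseline of a hypothetical idle decoy.
BASELINE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/decoy/decoy
00600000-00601000 rw-p 00001000 08:01 1234 /opt/decoy/decoy
01000000-01021000 rw-p 00000000 00:00 0 [heap]
7f0000000000-7f00001c0000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed later snapshot: heap re-protected rwx, plus a new anonymous rwx page.
INJECTED_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/decoy/decoy
00600000-00601000 rw-p 00001000 08:01 1234 /opt/decoy/decoy
01000000-01021000 rwxp 00000000 00:00 0 [heap]
7f0000000000-7f00001c0000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7f0000300000-7f0000301000 rwxp 00000000 00:00 0
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
"""


def demo():
    baseline = Snapshot(frozenset({4242}), parse_maps(BASELINE_MAPS))
    current = Snapshot(frozenset({4242, 4311}), parse_maps(INJECTED_MAPS))
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Two practical caveats for a real decoy: take the baseline only after the decoy's runtime has settled (a loader or JIT that maps code after startup would otherwise trip the detector), and keep the decoy genuinely idle, because the whole signal is that nothing legitimate changes its threads or memory. The same comparison works unchanged on Windows by enumerating threads and walking regions with `VirtualQueryEx`, which is the OS-independence the abstract claims.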
