2024 | Original Paper | Book chapter

A Measurement Study on Interprocess Code Propagation of Malicious Software

Authors: Thorsten Jenke, Simon Liessem, Elmar Padilla, Lilli Bruckschen

Published in: Digital Forensics and Cyber Crime

Publisher: Springer Nature Switzerland


Abstract

The propagation of code from one process to another is an important aspect of many malware families and can be achieved, for example, through code injections or the launch of new instances. An in-depth understanding of how and when malware uses interprocess code propagations would be a valuable aid in the analysis of this threat, since many dynamic malware analysis and unpacking schemes rely on finding running instances of malicious code. However, despite the prevalence of such propagations, there is little research on this topic. Therefore, in this work, we aim to extend the state-of-the-art by measuring both the behavior and the prevalence of interprocess code propagations of malicious software. We developed a method based on API-tracing for measuring code propagations in dynamic malware analysis. Subsequently, we implemented this method into a proof-of-concept implementation as a basis for further research. To gain more knowledge on the prevalence of code propagations and the code propagation techniques used, we conducted a study using our implementation on a real-world data set of 4853 malware samples from 1747 families. Our results show that more than a third (38.13%) of the executables use code propagation, which can be further classified into four different topologies and 24 different code propagation techniques. We also provide a list of the most significant representative malware samples for each of these topologies and techniques as a starting point for researchers aiming to develop countermeasures against code propagation.
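To make the measurement idea in the abstract concrete, the following is an added illustration, not the authors' tool or data: it takes a constructed API trace (caller PID, API name, target PID), matches per-pair call sequences against a few assumed technique signatures, builds a process-to-process propagation graph, and labels its shape. The trace format, the three technique names ("hollowing-like", "remote-thread", "new-instance") and the five shape labels are assumptions for this example and are not the paper's 24 techniques or four topologies; the "starlike" label follows footnote 2 on this page (exactly one branching vertex, which need not be the root), interpreting "degree" as out-degree in the directed propagation graph.

```python
"""Propagation graph from an API trace, as an added illustration.

Not the authors' tool: the trace format, the technique signatures and the
topology labels below are assumptions made for this example.
"""
from collections import defaultdict

# Constructed trace of (caller_pid, api_name, target_pid); target_pid is None
# for calls that do not address another process.
SAMPLE_TRACE = [
    (100, "CreateProcessW", 200),        # 100 starts 200 (assume CREATE_SUSPENDED)
    (100, "WriteProcessMemory", 200),
    (100, "SetThreadContext", 200),
    (100, "ResumeThread", 200),
    (200, "OpenProcess", 300),           # 200 injects into an existing process 300
    (200, "VirtualAllocEx", 300),
    (200, "WriteProcessMemory", 300),
    (200, "CreateRemoteThread", 300),
    (200, "CreateProcessW", 400),        # 200 launches a second instance, 400
    (300, "SetWindowsHookExW", None),    # no target pid: not an edge here
    (300, "ReadProcessMemory", 200),     # reading is not propagation: no signature matches
]

# Assumed technique signatures: an ordered API subsequence observed from one
# source process towards one target process. Illustrative names only.
SIGNATURES = {
    "hollowing-like": ["CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
    "remote-thread":  ["OpenProcess", "WriteProcessMemory", "CreateRemoteThread"],
    "new-instance":   ["CreateProcessW"],
}


def is_subsequence(needle, haystack):
    """True if every element of needle appears in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(x == h for h in it) for x in needle)


def classify_pair(calls):
    """Match the longest signature first so 'new-instance' does not shadow
    a CreateProcessW that is part of a hollowing sequence."""
    for name, sig in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[1])):
        if is_subsequence(sig, calls):
            return name
    return None


def build_graph(trace):
    """Return {(src_pid, dst_pid): technique} for every pair whose call
    sequence matches a signature. Calls without a target are skipped."""
    per_pair = defaultdict(list)
    for src, api, dst in trace:
        if dst is not None and dst != src:
            per_pair[(src, dst)].append(api)
    return {pair: t for pair, calls in per_pair.items()
            if (t := classify_pair(calls)) is not None}


def topology(edges):
    """Assumed shape labels for the propagation graph, keyed on out-degree
    (how many processes a single process propagates into):
    none / single / chain / starlike / tree. 'starlike' follows footnote 2
    on this page: exactly one branching vertex, which need not be the root."""
    if not edges:
        return "none"
    if len(edges) == 1:
        return "single"
    out_degree = defaultdict(int)
    for src, _ in edges:
        out_degree[src] += 1
    branching = sum(1 for d in out_degree.values() if d > 1)
    if branching == 0:
        return "chain"
    if branching == 1:
        return "starlike"
    return "tree"


def measure(trace):
    """Summarise one sample's run: edges, technique set and graph shape."""
    edges = build_graph(trace)
    return {"edges": edges, "topology": topology(edges),
            "techniques": sorted(set(edges.values()))}


if __name__ == "__main__":
    result = measure(SAMPLE_TRACE)
    for (src, dst), tech in sorted(result["edges"].items()):
        print(f"{src} -> {dst}: {tech}")
    print("topology:", result["topology"])
```

On the constructed trace the branching vertex is process 200, not the initial process 100, which is exactly the case footnote 2 carves out. Two caveats for anyone turning this into a real measurement: the same propagation can be expressed through several API layers (for example a documented kernel32 call and the underlying ntdll system call), so signatures should be written against the lowest layer the tracer actually observes, and a trace that is recorded from inside the monitored process is itself visible to the sample, so coverage depends on how robust the tracer is to evasion.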


Footnotes

1. Git commit d366eb0 - Jan 6, 2023.
2. Our definition differs from the definition for starlike trees in that the vertex with degree greater than 1 does not need to be the root.
3. 6adecfaec434b41ecce9911f00b48e4e8ae6e3e8b9081d59e1b46480e9f7dbfc
4. f19ce795b4b2421a82ff71a3f3a271032578c80cadd0cc44b1714848b5bb81c0
5. f9ef36da6a3786dd672e049aa4028d12d0cd33a4f4771ec70309c89f8f482930
6. bd882e2eefd0145ff169d868c1815df272f84a5ad1e501cfa5c3336839774171
7. a7a29da4c53d424e1997ff8f2702aea6b76e9f5b60d704f306c353e01cea4d76
8. 520ae48364d7e5fe6bdb0a59c9cd1370dee5b26e648677fa84f1f601f727d280
9. 89b138eaaade5a1ec36e2d1422ae38059f138e81b722301e713b65a74de521c7
10. f24354e54e4b59f6c327b1f7e144092647e726505acde5595a8386e7c2c6fa8a
11. 40fa0ae6c2f73af93c304b3e12d22ee38100ac0e18798f2e96b1db37abbca8e8
12. 072cdcf66b81772724648da4c0ca2429a39504599e07ccfca2ba8af73ec24adc
13. 97a614c078ca4302c31a8af24cf19317d76507c5fee17b4df10149157127b19b
14. df70581c5a712e2eda57922114534704166f93dc2158c302c58d61a487330546
15. be65dc1c2d2cb1ddbb7b08780e608eb0d9cabc706491f5bd7657326018c0c518
16. e7fa2707166283e1f0e7422546ee387aae01b5ee5c255a62909da0a3b6cb19c0
17. 92c0cc5879215255478b3325bee34353090e08337aa61a92506f0498f7907500
18. 92bb2efeea875eb5e8779f13cc50d1a831b3c538eb73e15384f8748266be8ff1
19. bff06d770eec594c363a217effbe2ea4e8a618b7ef95da1100e5aef9c847403f
20. b2c6c7e9d8bb6f75865324788cf311a5a951e2d4e69137937ecfb0879ebae1ce
21. d7489e3f876cb41d61b08bb1f91ed9a9f862761416954649c4ee2c26b5c3c199
22. 80823b2e354ed28badde4e8a7525113be5fc61b4a48f64a5f33da9491d2d2aa9
23. d22f9035ac8c69bb391bd478b01305c00bef0cb7b1b0b2ea716ad31a3fcc07cb
24. 3ff49706e78067613aa1dcf0174968963b17f15e9a6bc54396a9f233d382d0e6
25. 104428ccf005b36edfb62d110203a43bdbb417052b31eb4646395309645c9944
26. 6adecfaec434b41ecce9911f00b48e4e8ae6e3e8b9081d59e1b46480e9f7dbfc
 
Metadata
Title
A Measurement Study on Interprocess Code Propagation of Malicious Software
Authors
Thorsten Jenke
Simon Liessem
Elmar Padilla
Lilli Bruckschen
Copyright year
2024
DOI
https://doi.org/10.1007/978-3-031-56583-0_18