DOI: 10.1145/2420950.2420979
Research article (ACSAC conference proceedings)

Using memory management to detect and extract illegitimate code for malware analysis

Published: 03 December 2012

Abstract

Exploits that successfully attack computers are typically based on some form of shellcode, i.e., illegitimate code that is injected by the attacker to take control of the system. Detecting and gathering such code is the first step to its detailed analysis. The amount and sophistication of modern malware calls for automated mechanisms that perform such detection and extraction.
In this paper, we present a novel, generic and fully automatic approach to detect the execution of illegitimate code and to extract that code upon detection. The basic idea is to flag certain memory pages as non-executable and to use a modified page fault handler to react to attempts to execute code from them. The modified page fault handler decides whether legitimate code is about to be executed or whether the code originates from an untrusted location; in the latter case, the corresponding memory content is extracted and execution is continued in order to retrieve further illegitimate code for analysis.
We present an implementation of the approach for the Windows platform, called CWXDetector, which required reverse-engineering the proprietary memory management system of this operating system. Evaluation results on a large corpus of malicious PDF documents show that our system produces no false positives and has a very low false negative rate. To further demonstrate the universality of our approach, we also used it to detect shellcode execution in Flash Player, the RealVNC client, and VideoLAN Client (VLC).
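The mechanism the abstract describes, rebuilt as an added example that is not the paper's CWXDetector code: a user-mode Linux analogue in which a SIGSEGV handler plays the role of the modified page fault handler. Pages the tool wants to watch are mapped read/write but not executable, so any access fault on them can only be an instruction fetch; the handler extracts the page contents, re-enables execution so later stages can be collected as well, and returns so the process continues. The names (g_watched, watched_alloc, on_segv, run_demo), the page-tracking arrays and the stub bytes are constructed for this example; the paper's own implementation lives inside the Windows kernel and decides trust per page system-wide, which a per-process signal handler cannot do.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_WATCHED 8
#define DUMP_MAX    4096

/* Pages flagged non-executable: mapped RW, so a fault on them can only be an
 * instruction fetch, i.e. the "untrusted location" case from the abstract. */
static struct { uintptr_t start, end; } g_watched[MAX_WATCHED];
static int g_nwatched;
static size_t g_ps;                      /* page size, cached at install time */

/* Evidence extracted by the handler: the analogue of the paper's memory dump. */
static unsigned char g_dump[DUMP_MAX];
static size_t g_dump_len;
static uintptr_t g_dump_addr;
static volatile int g_detections;

static int watched_index(uintptr_t a) {
    for (int i = 0; i < g_nwatched; i++)
        if (a >= g_watched[i].start && a < g_watched[i].end) return i;
    return -1;
}

/* Stand-in for the modified page fault handler. Only async-signal-safe calls
 * here: no printf, no malloc. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t fault = (uintptr_t)si->si_addr;
    if (si->si_code != SEGV_ACCERR || watched_index(fault) < 0) {
        /* Not a fetch from a watched page: an ordinary crash. Restore the
         * default action; the faulting instruction re-executes and dies. */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    uintptr_t page = fault & ~(uintptr_t)(g_ps - 1);
    /* 1. Extract: copy the page before anything can run from it. */
    g_dump_len = g_ps < DUMP_MAX ? g_ps : DUMP_MAX;
    memcpy(g_dump, (const void *)page, g_dump_len);
    g_dump_addr = page;
    g_detections++;
    /* 2. Continue: make the page executable so later stages (decoder loops,
     * downloaded payloads) can be captured too. A real tool would re-arm the
     * trap; one dump per page is enough for the demo. */
    mprotect((void *)page, g_ps, PROT_READ | PROT_EXEC);
    __builtin___clear_cache((char *)page, (char *)(page + g_ps));
}

static int install_handler(void) {
    struct sigaction sa;
    g_ps = (size_t)sysconf(_SC_PAGESIZE);
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Map an RW (not X) page, copy a payload in, register it as watched. This
 * plays the role of the heap or stack region a real exploit writes into. */
static void *watched_alloc(const void *payload, size_t len) {
    if (g_nwatched == MAX_WATCHED || len > g_ps) return NULL;
    void *p = mmap(NULL, g_ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, payload, len);
    g_watched[g_nwatched].start = (uintptr_t)p;
    g_watched[g_nwatched].end   = (uintptr_t)p + g_ps;
    g_nwatched++;
    return p;
}

/* Constructed stand-in for injected shellcode: it just returns 42. */
#if defined(__x86_64__)
static const unsigned char kStub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "stub bytes provided for x86-64 and AArch64 only"
#endif

/* The first fetch from the watched page traps, the handler dumps the page,
 * then the stub runs and returns 42. */
static int run_demo(void) {
    if (install_handler() != 0) return -1;
    void *code = watched_alloc(kStub, sizeof kStub);
    if (!code) return -1;
    int (*fn)(void);
    memcpy(&fn, &code, sizeof fn);       /* object-to-function pointer without a cast warning */
    return fn();
}

/* Check that what was extracted is the payload that was about to run. */
static int dump_matches_stub(void) {
    return g_dump_len >= sizeof kStub && memcmp(g_dump, kStub, sizeof kStub) == 0;
}

int main(void) {
    int r = run_demo();
    printf("stub returned %d, detections=%d, dumped %zu bytes from %#lx\n",
           r, g_detections, g_dump_len, (unsigned long)g_dump_addr);
    return (r == 42 && g_detections == 1 && dump_matches_stub()) ? 0 : 1;
}
```

The trust decision is the part that does not carry over from the paper: the kernel handler can consult the loaded-module list and distinguish a JIT's legitimately generated code from a sprayed heap, whereas this handler only knows the pages it was told to watch. Re-protecting the page as executable and returning relies on the kernel restarting the faulting instruction, which is exactly the "continue execution to retrieve more code" step; on W^X-enforcing systems (or under SELinux execmem denial) the mprotect call fails and the demo will crash on retry instead.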

References

[1]
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow integrity. In ACM Conference on Computer and Communications Security (CCS), 2005.
[2]
P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. Stride: Polymorphic sled detection through instruction sequence analysis. In 20th IFIP International Information Security Conference, 2005.
[3]
P. Baecher and M. Koetter. libemu - x86 shellcode detection and emulation, 2007. http://libemu.carnivore.it/.
[4]
Dionysus Blazakis. Interpreter exploitation. In USENIX Workshop on Offensive Technologies (WOOT), 2010.
[5]
contagio Website. Malware Sample Dump For CVE-2011-0611 Flash Player Zero day. http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html.
[6]
Marco Cova, Christopher Kruegel, and Giovanni Vigna. Detection and Analysis of Drive-by-download Attacks and Malicious JavaScript Code. In World Wide Web Conference (WWW), 2010.
[7]
Andreas Dewald, Thorsten Holz, and Felix C. Freiling. ADSandbox: Sandboxing JavaScript to fight malicious websites. In ACM Symposium on Applied Computing (SAC), 2010.
[8]
Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. Ether: malware analysis via hardware virtualization extensions. In ACM Conference on Computer and Communications Security (CCS), 2008.
[9]
Adobe Systems Incorporated. Document management - Portable document format - Part 1: PDF 1.7, 2008.
[10]
Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual. Specification, Intel, 2007. http://www.intel.com/products/processor/manuals/index.htm.
[11]
Christopher Jordan. Writing detection signatures. USENIX ;login:, 30(6):55-61, 2005.
[12]
Min Gyung Kang, Pongsin Poosankam, and Heng Yin. Renovo: a hidden code extractor for packed executables. In ACM Workshop on Recurring Malcode (WORM), 2007.
[13]
Vladimir Kiriansky, Derek Bruening, and Saman Amarasinghe. Secure execution via program shepherding. In USENIX Security Symposium, 2002.
[14]
Lionel Litty, H. Andrés Lagar-Cavilla, and David Lie. Hypervisor support for identifying covertly executing binaries. In USENIX Security Symposium, 2008.
[15]
Lorenzo Martignoni, Mihai Christodorescu, and Somesh Jha. Omniunpack: Fast, generic, and safe unpacking of malware. In Annual Computer Security Applications Conference (ACSAC), 2007.
[16]
Microsoft. Enhanced mitigation experience toolkit (EMET). http://support.microsoft.com/kb/2458544/de.
[17]
MSDN. A detailed description of the data execution prevention (DEP) feature. http://support.microsoft.com/kb/875352/en-us.
[18]
Udo Payer, Peter Teufl, and Mario Lamberger. Hybrid engine for polymorphic shellcode detection. In Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.
[19]
Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Network-level polymorphic shellcode detection using emulation. In Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2006.
[20]
Sebastian Porst. Dumping shellcode with Pin. http://blog.zynamics.com/2010/07/28/dumping-shellcode-with-pin/.
[21]
Rapid7. The Metasploit Framework. http://metasploit.com/.
[22]
Karthik Selvaraj and Nino Fred Gutierrez. The rise of PDF malware. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_rise_of_pdf_malware.pdf, 2010.
[23]
Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In ACM SIGOPS Symposium on OS Principles (SOSP), 2007.
[24]
Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In ACM Conference on Computer and Communications Security (CCS), 2007.
[25]
Alexey Sintsov. Writing JIT-spray shellcode for fun and profit. http://dsecrg.com/pages/pub/show.php?id=22.
[26]
Hispasec Sistemas. VirusTotal. http://www.virustotal.com/.
[27]
Kevin Z. Snow, Srinivas Krishnan, Fabian Monrose, and Niels Provos. SHELLOS: enabling fast detection and forensic analysis of code injection attacks. In USENIX Security Symposium, 2011.
[28]
Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. BitBlaze: A New Approach to Computer Security via Binary Analysis. In International Conference on Information Systems Security (ICISS), 2008.
[29]
Didier Stevens. Escape from PDF. http://blog.didierstevens.com/2010/03/29/escape-from-pdf/, 2010.
[30]
Didier Stevens. Escape from Foxit Reader. http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/, 2010.
[31]
Joe Stewart. OllyBone: Semi-Automatic Unpacking on IA-32. Defcon 14, 2006.
[32]
PaX Team. Documentation for the PaX project - overall description. http://pax.grsecurity.net/docs/pax.txt, 2008.
[33]
PaX Team. PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt, 2003.
[34]
Malware Tracker. PDF Examiner. http://www.malwaretracker.com/pdf.php.
[35]
Carsten Willems. Windows memory management internals (not only) for malware analysis. Technical report, University of Mannheim, 2011.
[36]
Carsten Willems and Felix C. Freiling. Using memory management to detect and extract illegitimate code for malware analysis. Technical report, University of Erlangen, 2012.

Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012
464 pages
ISBN:9781450313124
DOI:10.1145/2420950
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

ACSAC '12: Annual Computer Security Applications Conference
December 3 - 7, 2012
Orlando, Florida, USA
Sponsor: ACSA

Acceptance Rates

ACSAC '12 paper acceptance rate: 44 of 231 submissions, 19%
Overall acceptance rate: 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)0
Reflects downloads up to 10 Nov 2024

Cited By

  • (2024) JITScanner: Just-in-Time Executable Page Check in the Linux Operating System. Applied Sciences 14(5):1912. DOI 10.3390/app14051912. Online publication date: 26 Feb 2024.
  • (2023) JITScanner: Just-in-Time Executable Page Check in the Linux Operating System. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-8. DOI 10.1145/3600160.3605035. Online publication date: 29 Aug 2023.
  • (2021) Challenges and pitfalls in malware research. Computers and Security 106:C. DOI 10.1016/j.cose.2021.102287. Online publication date: 1 Jul 2021.
  • (2020) On the Security of Application Installers and Online Software Repositories. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 192-214. DOI 10.1007/978-3-030-52683-2_10. Online publication date: 7 Jul 2020.
  • (2019) Unacceptable Behavior. Proceedings of the 14th ACM SIGSAC Workshop on Programming Languages and Analysis for Security, pp. 19-30. DOI 10.1145/3338504.3357341. Online publication date: 15 Nov 2019.
  • (2019) Towards Adversarial Malware Detection. ACM Computing Surveys 52(4):1-36. DOI 10.1145/3332184. Online publication date: 30 Aug 2019.
  • (2019) Barnum: Detecting Document Malware via Control Flow Anomalies in Hardware Traces. Information Security, pp. 341-359. DOI 10.1007/978-3-030-30215-3_17. Online publication date: 2 Sep 2019.
  • (2015) Reliable and Trustworthy Memory Acquisition on Smartphones. IEEE Transactions on Information Forensics and Security 10(12):2547-2561. DOI 10.1109/TIFS.2015.2467356. Online publication date: Dec 2015.
  • (2015) AMAL. Computers and Security 52:C, pp. 251-266. DOI 10.1016/j.cose.2015.04.001. Online publication date: 1 Jul 2015.
  • (2014) Chatter: Classifying malware families using system event ordering. 2014 IEEE Conference on Communications and Network Security, pp. 283-291. DOI 10.1109/CNS.2014.6997496. Online publication date: Oct 2014.
