Finding diversity in remote code injection exploits

Ma, Jinxia; Dunagan, John; Wang, Helen J.; Savage, Stefan; Voelker, Geoffrey M.

doi:10.1145/1177080.1177087

Cited by 28 publications

(26 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By manually inspecting some of the shellcodes with same or similar lengths, but different MD5 hashes, we observed that in most cases the actual payload code was the same, but the seeding URL or IP address from where the "download and execute" shellcode would retrieve the actual malware was different. Our results are in accordance with previous studies [17] and clearly show that polymorphic shellcodes are extensively used in the wild, although in most cases they employ naive encryption methods, mostly for concealing restricted payload bytes.…”

Section: Real-world Deploymentsupporting

confidence: 93%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present two generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf non-self-contained polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which however is enough for decent runtime performance on actual deployments, while it has not produced any false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in a production network, which demonstrate the effectiveness and practicality of our approach.

show abstract

Section: Real-world Deploymentsupporting

confidence: 93%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Ma et al [18] used code emulation to extract the actual runtime instruction sequence of shellcode samples captured in the wild. Spector [11] uses symbolic execution to extract the sequence of library calls made by the shellcode, along with their arguments, and at the end of the execution generates a low-level execution trace.…”

Section: Related Workmentioning

confidence: 99%

Comprehensive shellcode detection using runtime heuristics

Polychronakis

Anagnostakis²,

Markatos

2010

Proceedings of the 26th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

A promising method for the detection of previously unknown code injection attacks is the identification of the shellcode that is part of the attack vector using payload execution. Existing systems based on this approach rely on the self-decrypting behavior of polymorphic code and can identify only that particular class of shellcode. Plain, and more importantly, metamorphic shellcode do not carry a decryption routine nor exhibit any self-modifications and thus both evade existing detection systems. In this paper, we present a comprehensive shellcode detection technique that uses a set of runtime heuristics to identify the presence of shellcode in arbitrary data streams. We have identified fundamental machine-level operations that are inescapably performed by different shellcode types, based on which we have designed heuristics that enable the detection of plain and metamorphic shellcode regardless of the use of self-decryption. We have implemented our technique in Gene, a code injection attack detection system based on passive network monitoring. Our experimental evaluation and real-world deployment show that Gene can effectively detect a large and diverse set of shellcode samples that are currently missed by existing detectors, while so far it has not generated any false positives.

show abstract

“…Excellent, comprehensive reference material on malware can be found in [26]. Ma et al present a study more closely related to our own that infers the phylogeny (i.e., behavior characteristics) of malware shellcode [16]. Our work is most similar to these studies in that we too aim to establish evolutionary relationships between malware.…”

Section: Related Workmentioning

confidence: 72%

“…First, we hope to expand the corpus of malware meta-data in order to flesh out the evolutionary characteristics of malware in greater detail. Second, we believe that adding the behavioral characteristics such as those identified in [16] and others will further enrich our analysis. Finally, we will work more closely with AV companies and others concerned with malware analysis, to develop methods for anticipating future trends in malware development.…”

Section: Discussionmentioning

confidence: 99%

An empirical study of malware evolution

Gupta

Kuppili

Barford

2009

2009 First International Communication Systems and Networks and Workshops

View full text Add to dashboard Cite

Abstract-The diversity, sophistication and availability of malicious software (malcode/malware) pose enormous challenges for securing networks and end hosts from attacks. In this paper, we analyze a large corpus of malcode meta data compiled over a period of 19 years. Our aim is to understand how malcode has evolved over the years, and in particular, how different instances of malcode relate to one another. We develop a novel graph pruning technique to establish the inheritance relationships between different instances of malcode based on temporal information and key common phrases identified in the malcode descriptions. Our algorithm enables a range of possible inheritance structures. We study the resulting "likely" malcode families, which we identify through extensive manual investigation. We present an evaluation of gross characteristics of malcode evolution and also drill down on the details of the most interesting and potentially dangerous malcode families.

show abstract

Finding diversity in remote code injection exploits

Cited by 28 publications

References 10 publications

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Comprehensive shellcode detection using runtime heuristics

An empirical study of malware evolution

Contact Info

Product

Resources

About