Session H2: Code Reuse Attacks CCS’17, October 30-November 3, 2017, Dallas, TX, USA Capturing Malware Propagations with Code Injections and Code-Reuse Aacks David Korczynski Heng Yin University of Oxford University of California, Riverside University of California, Riverside
[email protected] [email protected] ABSTRACT ght against malware is challenged by two core, albeit opposite, Defending against malware involves analysing large amounts of problems. On the one hand, anti-malware companies receive thou- suspicious samples. To deal with such quantities we rely heavily on sands of samples every day and each of these les must be processed automatic approaches to determine whether a sample is malicious and analysed in order to determine their maliciousness. On the or not. Unfortunately, complete and precise automatic analysis other hand, malicious applications are oen well-designed so- of malware is far from an easy task. is is because malware is ware with dedicated anti-analysis features. is makes accurate oen designed to contain several techniques and countermeasures and automatic analysis of malware a true challenge. In addition to specically to hinder analysis. One of these techniques is for the this, many of the current tools available are constructed for specic malware to propagate through the operating system so as to execute reverse engineering purposes, which makes them less applicable to in the context of benign processes. e malware does this by writing fully automated procedures and more useful for manually-assisted memory to a given process and then proceeds to have this memory analysis tasks. execute. In some cases these propagations are trivial to capture One problem that has particularly challenged the malware re- because they rely on well-known techniques.