Host-Based Code Injection Attacks: a Popular Technique Used by Malware

Thomas Barabosch, Fraunhofer FKIE, Friedrich-Ebert-Allee 144, 53113 Bonn, Germany, [email protected]
Elmar Gerhards-Padilla, Fraunhofer FKIE, Friedrich-Ebert-Allee 144, 53113 Bonn, Germany, [email protected]

© 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Abstract

Common goals of malware authors are detection avoidance and gathering of critical information. There exist numerous techniques that help these actors to reach their goals. One especially popular technique is the Host-Based Code Injection Attack (HBCIA). According to our research 63.94% out of a malware set of 162850 samples use HBCIAs. The act of locally copying malicious code into a foreign process space and subsequently executing it is called a Host-Based Code Injection Attack.

In this paper, we define HBCIAs and introduce a taxonomy for HBCIA algorithms. We show that an HBCIA algorithm can be broken down into three steps. In total there are four classes of HBCIA algorithms. Then we examine a huge set of malware samples and estimate the prevalence of HBCIA-employing malware and their target process distribution. Moreover, we analyse Intrusion Prevention System data and show that HBCIA-employing malware prefers network-related processes for its network communication. To the best of our knowledge, we are the first to thoroughly describe and formalize this phenomenon and give an estimation of its prevalence. Thus, we build a solid foundation for future work on this topic.

1. Introduction

Several reports have been published about malware families that operated for years without being detected (Uroburos, Careto or Stuxnet). Even though they have been implemented with different goals in mind, they share one common feature: they all inject code locally into foreign process spaces. One reason for this behaviour is detection avoidance. However, code injections are not limited to targeted malware. Mass-malware also uses code injections in order to stay under the radar (ZeroAccess, ZeusP2P or Conficker). Detection avoidance is not the only advantage of using code injections from a malware author's point of view. Further reasons for using code injections are interception of critical information, privilege escalation or manipulation of security products.

The above mentioned examples are all malware families for Microsoft Windows. However, code injections are platform-independent. In fact all established multitasking operating systems (OS) are prone to HBCIAs. Malware families such as Flashback (Apple Mac OS X) [16], Hanthie (Linux) [14] or Oldboot (Android) [7] employ HBCIAs on mobile and non-mobile operating systems. This fact shows that HBCIAs are present on mobile and non-mobile operating systems today. HBCIAs are therefore a relevant technique for security researchers.

In this paper, we examine the phenomenon of Host-Based Code Injection Attacks (HBCIA) employed by malware in depth. We describe the motivation for malware authors to use HBCIAs. We define HBCIAs and propose a taxonomy for classifying them. Several evaluations on a large set of malware samples discover the prevalence of HBCIA-employing malware, typical target processes and network communicators.

The contributions of this paper can be summarized in the following three key points:

(I) Formalization of Host-Based Code Injection Attacks used by malware and its key components. We derive definitions for key terms associated with Host-Based Code Injection Attacks. By formalizing HBCIAs, we build a solid foundation for future research on this topic.

(II) Proposal of a Host-Based Code Injection Attack algorithm taxonomy. We examine the algorithms used for employing HBCIAs and derive a classification scheme for them. We show that there exist four different classes.

(III) Prevalence estimation of Host-Based Code Injection Attacks used by current malware. We estimate the prevalence of HBCIAs used by current malware based on a set of 162850 malware samples. We show in addition that not all processes are targeted equally and that such malware prefers a different set of processes for network communication.

2 Code Injections

Probably the first code-injecting malware was the Morris worm [8] in 1988. It was able to infect large parts of the Internet by remotely exploiting a buffer overflow.

We discuss Code Injections and more specifically Host-Based Code Injection Attacks employed by malware in this section. At first, the term Code Injection is defined. Then we define Host-Based and Remote Code Injections. Afterwards, we differentiate between Host-Based and Remote Code Injections and Host-Based and Remote Code Injection Attacks.

While Remote Code Injection Attacks have been intensively researched (e.g. [18] or [25]), there is little research on Host-Based Code Injection Attacks.

2.1 Code Injections

In this and the following sections, we define the term Host-Based Code Injection Attack. We achieve this by developing a set of definitions beginning with simple Code Injections.

Firstly, we define a Code Injection as follows.

Definition 1 A Code Injection denotes copying of code from an injecting entity inject into a victim entity victim and executing this code within the scope of victim.

For example, these entities inject and victim can be hardware devices or operating system processes. But they are not limited to these examples. It is important to notice that there are two crucial things needed for a Code Injection: executable code and an execution context for this code.

2.2 Host-Based Code Injections versus Remote Code Injections

The definition of a Code Injection does not specify the place of residence of inject and victim. Two cases can be distinguished. The attacker and the victim reside on the same system (Host-Based Code Injection) or the attacker and the victim reside on different systems (Remote Code Injection).

We define a Host-Based Code Injection as follows.

Definition 2 A Host-Based Code Injection (HBCI) is a Code Injection, where the two entities inject and victim reside on the same computer system.

inject injects code into victim typically with the help of the operating system. In this scenario, inject or victim can be, for example, a user space process, a kernel module or a hardware device.

In contrast to a Host-Based Code Injection, inject and victim reside on two different systems in a Remote Code Injection. That leads to Definition 3 for a Remote Code Injection.

Definition 3 A Remote Code Injection (RCI) is a Code Injection, where the two entities inject and victim do not reside on the same computer system. They communicate by means of a connecting channel.

For example, such a connecting channel can be a computer network. The injection is typically triggered by exploiting a vulnerability in a network service. In such a scenario inject would be a network client and victim a network service. inject sends a specially crafted payload containing code to exploit victim. In case victim is vulnerable to this exploit, the code is executed within the scope of victim.

2.3 HBCI/RCI vs. HBCIA/RCIA

Host-Based and Remote Code Injections are not malicious per se. There are legitimate uses for injecting code. These legitimate uses include hot patching [12], software diagnostics [9], malware analysis [22] and debugging [19]. The Microsoft patent "Method for injecting code into another process" also suggests benign use cases, because their "invention relates generally to computer software diagnostic tools" [9]. In general, injecting code is seldom a feature that is needed by a common program in order to fulfil its task. It is rather needed during application development. However, there is no way to distinguish between Host-Based/Remote Code Injections and the corresponding attack versions without taking the purpose of the injection into account. Thus, we define a Host-Based Code Injection Attack/Remote Code Injection Attack as follows.

Definition 4 If a Host-Based Code Injection or a Remote Code Injection serves a nefarious purpose, i.e. it has not been intended by the original author of victim, then it is called a Host-Based Code Injection Attack (HBCIA) or Remote Code Injection Attack (RCIA), respectively.

3 HBCIAs from a Malware Author's Point of View

Host-Based Code Injection Attacks are an important technique for the successful operation of several malware families such as Citadel [21], Flame [2] or Flashback [16]. On the one hand, using HBCIAs comes with a lot of advantages from a malware author's point of view such as privilege escalation or detection avoidance. On the other hand, a malware author has to meet additional challenges when implementing HBCIA-employing malware such as maintaining system stability or handling increased architec-

3.1.3 Detection Avoidance

Another reason for using HBCIAs is avoiding detection. If a user is suspicious, he might investigate the currently running processes. In case he finds a suspicious process name, he might kill this process. On account of this the malware stops operating and the actor behind it loses a valuable resource. Automatic detection by security products might also be evaded. Once malware resides in a victim process space, it blends into the behaviour of its victim. Hiding within another process space might enable malware to continue its operation for an even longer period of time. One example is the cyber espionage malware Flame.
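The detection-avoidance argument above rests on two facts the paper establishes: an injection needs executable code plus an execution context inside the victim, and HBCIA-employing malware prefers network-related processes so that its traffic blends into the victim's behaviour. The following Python script is an added illustration, not code from the paper or its authors, of how a defender can turn both facts into triage heuristics over a process snapshot: it flags executable memory that is not backed by any image on disk, and remote endpoints reached by processes outside an assumed baseline of expected network communicators. The Region and ProcessSnapshot records, the EXPECTED_NETWORK_COMMUNICATORS set and every sample value are constructed assumptions, not data from the paper.

```python
"""Hypothetical triage heuristics for injected code and blended-in network
activity (constructed example; not from the paper)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Region:
    """One memory region of a process, as a memory snapshot would report it."""
    start: int
    size: int
    protection: str            # e.g. "r-x", "rw-", "rwx"
    backing: Optional[str]     # path of the mapped image, or None for private memory


@dataclass
class ProcessSnapshot:
    pid: int
    name: str
    regions: List[Region]
    remote_endpoints: List[str]  # "ip:port" strings observed for this process


# Assumption: processes that are expected to talk to the network on this host.
# A real baseline would be derived per environment, not hard-coded.
EXPECTED_NETWORK_COMMUNICATORS = {"browser.exe", "mailclient.exe", "updater.exe"}


def unbacked_executable_regions(proc: ProcessSnapshot) -> List[Region]:
    """Injected code needs executable memory in the victim. Code that was
    written into a foreign process rather than loaded from disk usually ends
    up in executable memory with no image backing, so flag exactly that."""
    return [r for r in proc.regions if "x" in r.protection and r.backing is None]


def unexpected_endpoints(proc: ProcessSnapshot) -> List[str]:
    """Remote endpoints reached by a process outside the network baseline."""
    if proc.name in EXPECTED_NETWORK_COMMUNICATORS:
        return []
    return list(proc.remote_endpoints)


def assess(proc: ProcessSnapshot) -> List[str]:
    """Human-readable findings for one process (empty list = nothing notable)."""
    findings = []
    for r in unbacked_executable_regions(proc):
        findings.append(
            f"unbacked executable region at {r.start:#x} ({r.size} bytes, {r.protection})")
    for ep in unexpected_endpoints(proc):
        findings.append(f"unexpected network endpoint {ep}")
    return findings


def triage(snapshots: List[ProcessSnapshot]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process with at least one finding."""
    result = {}
    for proc in snapshots:
        findings = assess(proc)
        if findings:
            result[proc.pid] = findings
    return result


# Constructed sample snapshot (not real data).
SAMPLE = [
    ProcessSnapshot(
        pid=1001, name="browser.exe",
        regions=[
            Region(0x400000, 0x200000, "r-x", r"C:\Program Files\Browser\browser.exe"),
            Region(0x10000000, 0x100000, "rw-", None),   # ordinary heap
            Region(0x7ff00000, 0x2000, "rwx", None),     # private and executable: suspicious
        ],
        remote_endpoints=["198.51.100.7:443"],  # looks normal for a browser
    ),
    ProcessSnapshot(
        pid=1002, name="texteditor.exe",
        regions=[Region(0x400000, 0x80000, "r-x", r"C:\Tools\texteditor.exe"),
                 Region(0x20000000, 0x40000, "rw-", None)],
        remote_endpoints=["203.0.113.5:8080"],  # an editor rarely needs the network
    ),
    ProcessSnapshot(
        pid=1003, name="mailclient.exe",
        regions=[Region(0x400000, 0x300000, "r-x", r"C:\Program Files\Mail\mailclient.exe"),
                 Region(0x30000000, 0x80000, "rw-", None)],
        remote_endpoints=["192.0.2.10:993"],
    ),
]


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(pid, findings)
```

The two indicators are deliberately complementary: malware that has been injected into an allowlisted communicator (the preference the paper reports) passes the network check, which is precisely the blending the section describes, but its payload still has to live in executable memory somewhere in that process. The memory heuristic has its own false positives, since JIT engines in browsers and runtimes legitimately create private executable regions, so in practice it is tuned per application rather than applied blindly.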
