Detecting PE-Infection Based Malware

  • Chia-Mei Chen
  • Gu-Hsin Lai (corresponding author)
  • Tzu-Ching Chang
  • Boyi Lee
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1129)

Abstract

Advanced Persistent Threat (APT) attacks are notorious among businesses and organizations: they are carried out by highly organized, well-funded hacker groups against specific targets. Attackers employ advanced, customized tactics to break into target systems and gain access. DLL injection and PE infection are common customized tactics used to hide the presence of an APT, so that the attackers retain control while remaining unnoticed by users for a long time. The average time before an APT is discovered is one and a half years, and some incidents lasted longer because DLL injection or PE infection was used. Signature-based detection fails to discover such malware, or unknown malware in general. This paper presents a hybrid approach that combines static and dynamic analysis to discover misbehaviors. The experimental results show that the proposed approach can detect customized PE-infected malware efficiently.
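As an added illustration of the kind of static indicator the abstract alludes to (this is an added example, not the paper's method and not the authors' code), the block below parses the PE headers of an image and applies three heuristics commonly associated with file-infector behaviour: an entry point that falls outside every section, an entry point relocated into the last section of the image, and a section mapped both writable and executable. The sample images are constructed in memory by the assumed helper `build_pe`; the `IMAGE_SCN_*` constants are the documented section-flag values from the PE/COFF specification.

```python
"""Static PE-infection heuristics over an in-memory image (added example)."""
import struct

# Documented section characteristic flags (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sec_tbl = opt + size_opt                  # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = sec_tbl + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name, vsize=vsize, vaddr=vaddr,
                             rawsize=rawsize, rawptr=rawptr, chars=chars))
    return entry_rva, sections


def infection_indicators(data: bytes) -> list:
    """Return human-readable findings; an empty list means no heuristic fired."""
    entry_rva, sections = parse_pe(data)
    findings = []

    def section_of(rva):
        for s in sections:
            span = max(s["vsize"], s["rawsize"])
            if s["vaddr"] <= rva < s["vaddr"] + span:
                return s
        return None

    ep = section_of(entry_rva)
    if ep is None:
        findings.append("entry point 0x%x lies outside every section" % entry_rva)
    else:
        if not ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point in non-executable section %r" % ep["name"])
        # Classic appended-section infectors add a section and redirect the entry point into it.
        if len(sections) > 1 and ep is sections[-1]:
            findings.append("entry point in last section %r (appended-section pattern)" % ep["name"])
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %r is both writable and executable" % s["name"])
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (sample data for this example, not a real binary).

    sections: list of (name, virtual_address, size, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    opt_size = 224                                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    table, bodies = bytearray(), bytearray()
    for name, vaddr, size, chars in sections:
        rawptr = raw_base + len(bodies)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, vaddr, size, rawptr, 0, 0, 0, 0, chars)
        bodies += b"\xCC" * size                           # int3 filler stands in for code/data
    img = dos + b"PE\0\0" + coff + bytes(opt) + table
    img += b"\0" * (raw_base - len(img))
    return bytes(img + bodies)


# Constructed samples: a benign layout and an appended-section infection layout.
CLEAN_PE = build_pe([(".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                     (".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x1010)
INFECTED_PE = build_pe([(".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                        (".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                        (".viri", 0x3000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
                       entry_rva=0x3000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, infection_indicators(img) or ["no indicators"])
```

These checks are deliberately cheap, header-only heuristics: a benign packer or a linker with an unusual layout can trigger them, which is one reason the paper pairs static features with dynamic behaviour rather than relying on either alone. To apply them to a real file, replace the constructed samples with `open(path, "rb").read()`.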

Keywords

Malware detection; DLL injection; Advanced Persistent Threat

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Chia-Mei Chen (1)
  • Gu-Hsin Lai (2), corresponding author
  • Tzu-Ching Chang (1)
  • Boyi Lee (1)
  1. National Sun Yat-Sen University, Kaohsiung, Taiwan
  2. Taiwan Police College, Taipei, Taiwan