
Runtime API Signature for Fileless Malware Detection

Conference paper. Advances in Information and Communication (FICC 2020). Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1129).
Abstract

Cybercriminals have become sophisticated and now conduct advanced malware attacks on critical infrastructures in both the private and the public sector. It is therefore important to detect, respond to and mitigate such threats in order to protect the digital world. Attackers leverage advanced malware techniques to bypass anti-virus software and remain stealthy while carrying out malicious tasks. One of these techniques is called fileless malware: malware authors abuse legitimate Windows binaries to perform malicious tasks. Those binaries are called Living Off The Land Binaries (LOLBins). Because no malicious executable of the attacker's own is used during the attack, the antivirus is unable to identify and prevent such threats. This paper focuses on defining rules that monitor the binaries used by threat actors at runtime in order to identify malicious behaviors.
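As an added illustration of what a runtime API signature over a LOLBin could look like, the following is example code written for this page; it is not the paper's implementation and the rule format it uses is an assumption, not the one the authors define. It assumes a signature is an ordered list of API calls that must appear, in order but not necessarily adjacently, in a single process's runtime API-call trace, scoped to one host image and with optional regular-expression constraints on call arguments. The image name regsvr32.exe, the API names and all three traces are constructed for the example; real traces would come from API hooks in the monitored process.

```python
"""Runtime API-signature matching (added example, not the paper's code).

Assumed rule model: a signature names a host image (the LOLBin), an ordered
list of API calls that must appear as a subsequence of that process's runtime
call trace, and optional regex constraints on call arguments. Real traces
would come from user-mode API hooks; the traces below are constructed inline.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ApiCall:
    """One hooked call observed at runtime (constructed for the example)."""
    image: str                      # host process image, e.g. regsvr32.exe
    api: str                        # API name, e.g. InternetOpenUrlA
    args: dict = field(default_factory=dict)


@dataclass
class Step:
    """One signature step: an API name plus regexes over selected arguments."""
    api: str
    arg_patterns: dict = field(default_factory=dict)   # arg name -> regex


@dataclass
class Signature:
    name: str
    image: str          # signature only applies to calls made by this image
    steps: list         # ordered Steps


def step_matches(step: Step, call: ApiCall) -> bool:
    """A call satisfies a step if the API name matches and every constrained
    argument is present and matches its regex (case-insensitive)."""
    if call.api != step.api:
        return False
    for arg, pattern in step.arg_patterns.items():
        value = call.args.get(arg)
        if value is None or not re.search(pattern, str(value), re.IGNORECASE):
            return False
    return True


def match_signature(sig: Signature, trace: list) -> Optional[list]:
    """Return the trace indices that satisfy sig's steps in order (unrelated
    calls may be interleaved), or None if the ordered sequence never completes."""
    matched, i = [], 0
    for idx, call in enumerate(trace):
        if call.image.lower() != sig.image.lower():
            continue                 # out of scope for this LOLBin's rule
        if step_matches(sig.steps[i], call):
            matched.append(idx)
            i += 1
            if i == len(sig.steps):
                return matched
    return None


def scan(signatures: list, trace: list) -> list:
    """Names of all signatures that fire on the trace."""
    return [s.name for s in signatures if match_signature(s, trace) is not None]


# Hypothetical rule: a regsvr32.exe process fetches a URL, writes a script or
# binary to disk, then spawns a child process.
SIGNATURES = [
    Signature(
        name="regsvr32_download_drop_execute",
        image="regsvr32.exe",
        steps=[
            Step("InternetOpenUrlA", {"lpszUrl": r"^https?://"}),
            Step("CreateFileW", {"lpFileName": r"\.(dll|exe|sct)$"}),
            Step("CreateProcessW"),
        ],
    )
]

# Constructed traces, not real captures; 203.0.113.10 is a documentation address.
MALICIOUS_TRACE = [
    ApiCall("regsvr32.exe", "InternetOpenA", {"lpszAgent": "Mozilla/4.0"}),
    ApiCall("regsvr32.exe", "InternetOpenUrlA", {"lpszUrl": "http://203.0.113.10/stage.sct"}),
    ApiCall("regsvr32.exe", "InternetReadFile", {"dwNumberOfBytesToRead": 4096}),
    ApiCall("regsvr32.exe", "CreateFileW", {"lpFileName": r"C:\Users\Public\stage.dll"}),
    ApiCall("regsvr32.exe", "CreateProcessW", {"lpCommandLine": r"rundll32.exe C:\Users\Public\stage.dll,Run"}),
]

# The same API pattern from a browser is out of scope for a regsvr32 rule.
BROWSER_TRACE = [ApiCall("chrome.exe", c.api, c.args) for c in MALICIOUS_TRACE]

# regsvr32 doing ordinary COM registration work should not fire.
BENIGN_TRACE = [
    ApiCall("regsvr32.exe", "LoadLibraryW", {"lpLibFileName": r"C:\Windows\System32\msxml6.dll"}),
    ApiCall("regsvr32.exe", "RegCreateKeyExW", {"lpSubKey": r"CLSID"}),
    ApiCall("regsvr32.exe", "RegSetValueExW", {"lpValueName": "InprocServer32"}),
]

if __name__ == "__main__":
    for label, trace in [("malicious", MALICIOUS_TRACE), ("browser", BROWSER_TRACE), ("benign", BENIGN_TRACE)]:
        print(label, scan(SIGNATURES, trace))
```

Two design choices carry the detection value here: scoping the signature to the host image, so that the ordinary download-write-spawn sequence of a browser does not raise an alert while the same sequence inside regsvr32.exe does, and requiring the calls in order, so that the rule describes the attack's progression rather than an unordered bag of API names.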



Author information

Corresponding author: Radah Tarek.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Tarek, R., Chaimae, S., Habiba, C. (2020). Runtime API Signature for Fileless Malware Detection. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Advances in Information and Communication. FICC 2020. Advances in Intelligent Systems and Computing, vol 1129. Springer, Cham. https://doi.org/10.1007/978-3-030-39445-5_47
