Abstract
Nowadays, cybercriminals have become sophisticated and conduct advanced malware attacks on critical infrastructures in both the private and public sector. Therefore, it is important to detect, respond to and mitigate such threats in order to protect the cyber world. Attackers leverage advanced malware techniques to bypass anti-virus software and remain stealthy while performing malicious tasks. One of those techniques is called fileless malware, in which malware authors abuse legitimate Windows binaries to perform malicious tasks. Those binaries are called Living Off The Land Binaries (LOLBINS). That being said, no malicious executable is used during the execution of the attack and, consequently, the antivirus is unable to identify and prevent such threats. This paper focuses on defining rules to monitor the binaries used by threat actors in order to identify malicious behaviors.
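The abstract describes rules that watch what legitimate Windows binaries do at runtime and flag a known-malicious pattern of behaviour rather than a malicious file. The following is an added illustration of that idea, written for this page and not taken from the paper: a signature is a binary name plus an ordered subsequence of API calls, and a process matches when its observed call sequence contains that subsequence in order (other calls may occur in between). The rule contents, the `ApiEvent`/`Signature` types, and the trace are all constructed for the example; the API names are real Win32 functions, but the sequences are assumptions chosen to show the matching logic, not the paper's own rules.

```python
"""Illustrative runtime-API-signature matcher (added example, not the paper's code).

A signature names a legitimate Windows binary and an ordered subsequence of
API calls. If a hooked process of that binary is observed making those calls
in that order, the behaviour the rule describes is reported. The signatures
and the trace below are constructed for demonstration.
"""
from dataclasses import dataclass


@dataclass
class ApiEvent:
    pid: int
    image: str   # binary that made the call, e.g. "regsvr32.exe"
    api: str     # API name as reported by a hook, e.g. "InternetOpenUrlA"


@dataclass
class Signature:
    name: str
    image: str            # binary the rule applies to (matched case-insensitively)
    sequence: list[str]   # ordered API calls; unrelated calls may occur between them
    severity: str = "high"


def is_subsequence(needle, haystack):
    """True if every item of `needle` appears in `haystack` in the same order (gaps allowed)."""
    it = iter(haystack)
    return all(any(api == want for api in it) for want in needle)


def apis_by_process(events):
    """Group API names per (pid, image), preserving the order in which calls were observed."""
    per_proc = {}
    for ev in events:
        per_proc.setdefault((ev.pid, ev.image.lower()), []).append(ev.api)
    return per_proc


def match_signatures(events, signatures):
    """Return (pid, image, signature name) for every process whose call sequence matches a rule."""
    hits = []
    for (pid, image), apis in apis_by_process(events).items():
        for sig in signatures:
            if sig.image.lower() == image and is_subsequence(sig.sequence, apis):
                hits.append((pid, image, sig.name))
    return hits


# Constructed rules: a legitimate binary that fetches content over HTTP and then
# allocates memory and starts a thread is behaving unlike its normal use.
SIGNATURES = [
    Signature("lolbin_download_then_inmemory_exec", "regsvr32.exe",
              ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
               "VirtualAlloc", "CreateThread"]),
    Signature("lolbin_spawns_process", "mshta.exe", ["CreateProcessW"], severity="medium"),
]

# Constructed trace: one regsvr32 instance matches the rule, a second one only
# registers a COM DLL (benign) and does not, and an mshta instance spawns a process.
SAMPLE_TRACE = [
    ApiEvent(1204, "regsvr32.exe", "LoadLibraryW"),
    ApiEvent(1204, "regsvr32.exe", "InternetOpenA"),
    ApiEvent(1204, "regsvr32.exe", "InternetOpenUrlA"),
    ApiEvent(1204, "regsvr32.exe", "InternetReadFile"),
    ApiEvent(1204, "regsvr32.exe", "VirtualAlloc"),
    ApiEvent(1204, "regsvr32.exe", "CreateThread"),
    ApiEvent(1310, "regsvr32.exe", "LoadLibraryW"),
    ApiEvent(1310, "regsvr32.exe", "RegCreateKeyExW"),
    ApiEvent(1402, "mshta.exe", "CreateProcessW"),
]

if __name__ == "__main__":
    for hit in match_signatures(SAMPLE_TRACE, SIGNATURES):
        print(hit)
```

Matching on an ordered subsequence rather than an exact sequence is what keeps a rule usable against a real hook trace, where a process interleaves many unrelated calls; the trade-off is that a longer, more specific sequence lowers false positives on benign uses of the same binary (the second regsvr32 instance above) while a very short one, such as the single-call mshta rule, needs a lower severity because it fires on ordinary activity as well.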
© 2020 Springer Nature Switzerland AG
Cite this paper
Tarek, R., Chaimae, S., Habiba, C. (2020). Runtime API Signature for Fileless Malware Detection. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Advances in Information and Communication. FICC 2020. Advances in Intelligent Systems and Computing, vol 1129. Springer, Cham. https://doi.org/10.1007/978-3-030-39445-5_47
DOI: https://doi.org/10.1007/978-3-030-39445-5_47
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-39444-8
Online ISBN: 978-3-030-39445-5
eBook Packages: Intelligent Technologies and Robotics (R0)