
Bee Master: Detecting Host-Based Code Injection Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8550)

Abstract

A technique commonly used by malware to hide on a targeted system is the host-based code injection attack. It allows malware to execute its code in a foreign process space, enabling it to operate covertly and to access critical information of other processes. Since there exists a plethora of different ways to inject and execute code in a foreign process space, a generic approach spanning all these possibilities is needed. Approaches that focus only on low-level operating system details (e.g. API hooking) do not suffice, since the set of suspicious APIs is constantly extended; they are therefore prone to miss novel attacks. Furthermore, such approaches are tied to intimate knowledge of exactly one operating system.

In this paper, we present Bee Master, a novel approach for detecting host-based code injection attacks. Bee Master applies the honeypot paradigm to OS processes and therefore does not rely on low-level OS details. The basic idea is to expose regular OS processes as decoys to malware. Our approach focuses on concepts present in every modern operating system, such as threads or memory pages. Therefore, Bee Master does not suffer from the drawbacks of low-level OS-based approaches, and it allows OS-independent detection of host-based code injection attacks. To test the capabilities of our approach, we evaluated Bee Master qualitatively and quantitatively on Microsoft Windows and Linux. The results show that it achieves reliable and robust detection for various current malware families.
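The detection premise above (a decoy process does nothing on its own, so any new thread or new memory page in it must have been caused from outside) can be made concrete with a small monitor. The following Python is an added illustration and is not the paper's Bee Master implementation; it works over Linux /proc/<pid>/maps and /proc/<pid>/task data, whose formats are real, but the process layout, addresses and thread ids are constructed sample data, and the policy of reporting only new executable pages plus new threads is this example's own choice, not necessarily the paper's exact criteria.

```python
"""Decoy-process change detector in the spirit of Bee Master.

Added example, not the paper's code. A decoy process is started, a baseline of
its memory mappings and threads is taken, and later snapshots are diffed
against it. Because the decoy never maps code or spawns threads itself, every
new executable page and every new thread is reported as an injection sign.
"""
import os
import re
from dataclasses import dataclass

# Fields of a /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})"
    r"\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous memory


def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into a set of Mapping objects."""
    result = set()
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # tolerate blank or unexpected lines
        result.add(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return result


def suspicious_mappings(baseline, current):
    """Return new mappings that are executable (fresh code pages in the decoy).

    Policy of this example: the decoy is chosen so that it never maps code at
    runtime, so every executable page absent from the baseline is reported.
    Anonymous rwx regions are the classic footprint of injected shellcode.
    """
    findings = []
    for m in sorted(current - baseline, key=lambda x: x.start):
        if "x" not in m.perms:
            continue
        kind = "anonymous" if not m.path or m.path.startswith("[") else m.path
        findings.append(
            f"new executable mapping {m.start:#x}-{m.end:#x} {m.perms} ({kind})"
        )
    return findings


def unexpected_threads(baseline_tids, current_tids):
    """Return thread ids that the decoy did not have at baseline time."""
    return [f"new thread tid={t}" for t in sorted(current_tids - baseline_tids)]


def check_decoy(baseline_maps_text, baseline_tids, current_maps_text, current_tids):
    """Combine both checks; any finding means something touched the decoy."""
    findings = suspicious_mappings(parse_maps(baseline_maps_text),
                                   parse_maps(current_maps_text))
    findings += unexpected_threads(set(baseline_tids), set(current_tids))
    return findings


def snapshot_live(pid):
    """Read a real snapshot from /proc on Linux (needs access to that pid)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    tids = {int(t) for t in os.listdir(f"/proc/{pid}/task")}
    return maps_text, tids


# Constructed sample data: the decoy right after start-up ...
BASELINE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/decoy
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/decoy
01a00000-01a21000 rw-p 00000000 00:00 0 [heap]
7f3c0c000000-7f3c0c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd3b7e0000-7ffd3b801000 rw-p 00000000 00:00 0 [stack]
"""
BASELINE_TIDS = {3100}

# ... and after an injector wrote code into a fresh anonymous rwx page and
# started a thread on it (constructed to mimic a remote-thread injection).
AFTER_MAPS = BASELINE_MAPS + "7f3c0c200000-7f3c0c201000 rwxp 00000000 00:00 0 \n"
AFTER_TIDS = {3100, 3177}

if __name__ == "__main__":
    for finding in check_decoy(BASELINE_MAPS, BASELINE_TIDS, AFTER_MAPS, AFTER_TIDS):
        print("ALERT:", finding)
```

Two practical caveats follow from the honeypot premise. First, the comparison only says anything about the decoy: an injector that never touches a decoy process is invisible to it, so coverage depends on decoys looking like the targets malware actually picks (browsers, explorer-like shells, and so on). Second, polling snapshots leaves a window; an injection that allocates, runs and cleans up between two polls is missed, so the interval should be short or the snapshot triggered by an event rather than a timer.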




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Barabosch, T., Eschweiler, S., Gerhards-Padilla, E. (2014). Bee Master: Detecting Host-Based Code Injection Attacks. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_13


  • DOI: https://doi.org/10.1007/978-3-319-08509-8_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8
