Abstract
Malicious software includes functionality designed to block discovery or analysis by defensive utilities. To prevent correct attribution of undesirable behaviors to the malware, it often subverts the normal execution of benign processes by modifying their in-memory code images to include malicious activity. It is important to find not only maliciously-acting benign processes, but also the actual parasitic malware that may have infected those processes. In this paper, we present techniques for automatic discovery of unknown parasitic malware present on an infected system. We design and develop a hypervisor-based system, Pyrenée, that aggregates and correlates information from sensors at the network level, the network-to-host boundary, and the host level so that we correctly identify the true origin of malicious behavior. We demonstrate the effectiveness of our architecture with security and performance evaluations on a Windows system: we identified all malicious binaries in tests with real malware samples, and the tool imposed overheads of only 0%–5% on applications and performance benchmarks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Baliga, A., Ganapathy, V., Iftode, L.: Automatic inference and enforcement of kernel data structures invariants. In: ACSAC, Anaheim, CA (December 2008)
Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (May 2005)
Christodorescu, M., Sailer, R., Schales, D., Sgandurra, D., Zamboni, D.: Cloud security is not (just) virtualization security. In: Cloud Computing Security Workshop, Chicago, IL (November 2009)
Community Developers. Ebtables, http://ebtables.sourceforge.net/ (last accessed April 15, 2010)
Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware analysis via hardware virtualization extensions. In: ACM CCS, Alexandria, VA (October 2008)
Dunlap, G., King, S., Cinar, S., Basrai, M., Chen, P.: Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In: OSDI, Boston, MA (December 2002)
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 1996)
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS, San Diego, CA (February 2003)
Giffin, J., Jha, S., Miller, B.: Detecting manipulated remote call streams. In: 11th USENIX Security Symposium, San Francisco, CA (August 2002)
Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: NDSS, San Diego, CA (February 2004)
Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting malware infection through IDS-driven dialog correlation. In: USENIX Security Symposium, Boston, MA (August 2007)
Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3), 151–180 (1998)
IBM. Ibm page detailer, http://www.alphaworks.ibm.com/tech/pagedetailer/download (last accessed April 15, 2010)
Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based ‘out-of-the-box’ semantic view. In: ACM CCS, Alexandria, VA (November 2007)
Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: VMM-based hidden process detection and identification using Lycosid. In: ACM VEE, Seattle, WA (March 2008)
Kasslin, K.: Evolution of kernel-mode malware, http://igloo.engineeringforfun.com/malwares/Kimmo_Kasslin_Evolution_of_kernel_mode_malware_v2.pdf (last accessed April 15, 2010)
Kephart, J., Arnold, W.: Automatic extraction of computer virus signatures. In: Virus Bulletin, Jersey, Channel Islands, UK (1994)
Kim, G.H., Spafford, E.H.: The design and implementation of tripwire: a file system integrity checker. In: ACM CCS, Fairfax, VA (November 1994)
King, S.T., Chen, P.M.: Backtracking intrusions. In: ACM SOSP, Bolton Landing, NY (October 2003)
Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: USENIX Security Symposium, San Jose, CA (August 2008)
Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detecting malicious behaviors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 78–97. Springer, Heidelberg (2008)
MSDN. Asynchronous procedure calls, http://msdn.microsoft.com/en-us/library/ms681951VS.85.aspx (last accessed April 15, 2010)
OffensiveComputing. Storm Worm Process Injection from the Windows Kernel, http://www.offensivecomputing.net/?q=node/661 (last accessed April 15, 2010)
Passmark Software. PassMark Performance Test, http://www.passmark.com/products/pt.htm (last accessed April 15, 2010)
Paxson, V.: Bro: A system for detecting network intruders in real-time. In: Usenix Security, San Antonio, TA (January 1998)
Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2008)
Petroni Jr., N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: USENIX Security Symposium, Vancouver, BC, Canada (August 2006)
Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: ACM CCS, Alexandria, VA (November 2007)
Richter, J.: Load your 32-bit DLL into another process’s address space using injlib. Microsoft Systems Journal 9(5) (May 1994)
Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1–20. Springer, Heidelberg (2008)
Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of USENIX LISA, Seattle, WA (November 1999)
Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)
Sharif, M., Lee, W., Cui, W., Lanzi, A.: Secure in-vm monitoring using hardware virtualization. In: ACM CCS, Chicago, IL (November 2009)
Srivastava, A., Erete, I., Giffin, J.: Kernel data integrity protection via memory access control. Technical Report GT-CS-09-05, Georgia Institute of Technology, Atlanta, GA (2009)
Srivastava, A., Giffin, J.: Tamper-resistant, application-aware blocking of malicious network connections. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 39–58. Springer, Heidelberg (2008)
Staniford, S., Paxson, V., Weaver, N.: How to 0wn the internet in your spare time. In: USENIX Security Symposium, San Francisco, CA (August 2002)
Swift, M.M., Bershad, B.N., Levy, H.M.: Improving the reliability of commodity operating systems. In: ACM SOSP, Bolton Landing, NY (October 2003)
ThreatExpert. Conficker/downadup: Memory injection model. http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html (last accessed April 15, 2010)
Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 54. Springer, Heidelberg (2001)
Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: ACM CCS, Chicago, IL (November 2009)
Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Security & Privacy 5(2) (March 2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Srivastava, A., Giffin, J. (2010). Automatic Discovery of Parasitic Malware. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_6
Download citation
DOI: https://doi.org/10.1007/978-3-642-15512-3_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15511-6
Online ISBN: 978-3-642-15512-3
eBook Packages: Computer ScienceComputer Science (R0)