
Automatic Discovery of Parasitic Malware

Conference paper
Recent Advances in Intrusion Detection (RAID 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6307)

Abstract

Malicious software includes functionality designed to block discovery or analysis by defensive utilities. To prevent correct attribution of undesirable behaviors to the malware, it often subverts the normal execution of benign processes by modifying their in-memory code images to include malicious activity. It is important to find not only maliciously-acting benign processes, but also the actual parasitic malware that may have infected those processes. In this paper, we present techniques for automatic discovery of unknown parasitic malware present on an infected system. We design and develop a hypervisor-based system, Pyrenée, that aggregates and correlates information from sensors at the network level, the network-to-host boundary, and the host level so that we correctly identify the true origin of malicious behavior. We demonstrate the effectiveness of our architecture with security and performance evaluations on a Windows system: we identified all malicious binaries in tests with real malware samples, and the tool imposed overheads of only 0%–5% on applications and performance benchmarks.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

Srivastava, A., Giffin, J. (2010). Automatic Discovery of Parasitic Malware. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_6


  • DOI: https://doi.org/10.1007/978-3-642-15512-3_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3
