Bee Master: Detecting Host-Based Code Injection Attacks

  • Thomas Barabosch
  • Sebastian Eschweiler
  • Elmar Gerhards-Padilla
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8550)


A technique commonly used by malware for hiding on a targeted system is the host-based code injection attack. It allows malware to execute its code in a foreign process space, enabling it to operate covertly and access critical information of other processes. Since there exists a plethora of different ways for injecting and executing code in a foreign process space, a generic approach spanning all these possibilities is needed. Approaches focussing only on low-level operating system details (e.g. API hooking) do not suffice, since the suspicious API set is constantly extended. Thus, approaches focussing on low-level operating system details are prone to miss novel attacks. Furthermore, such approaches are restricted to intimate knowledge of exactly one operating system.

In this paper, we present Bee Master, a novel approach for detecting host-based code injection attacks. Bee Master applies the honeypot paradigm to OS processes and therefore does not rely on low-level OS details. The basic idea is to expose regular OS processes as a decoy to malware. Our approach focuses on concepts – such as threads or memory pages – present in every modern operating system. Therefore, Bee Master does not suffer from the drawbacks of low-level OS-based approaches. Furthermore, it allows OS-independent detection of host-based code injection attacks. To test the capabilities of our approach, we evaluated Bee Master qualitatively and quantitatively on Microsoft Windows and Linux. The results show that it reaches reliable and robust detection for various current malware families.
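
The decoy-process idea can be illustrated by comparing two snapshots of a process that is expected to stay idle: any new memory region or thread is then suspicious. The sketch below is an added example, not Bee Master's implementation or code from the paper. It assumes Linux `/proc/<pid>/maps` text as input; the decoy path `/opt/decoy/decoy`, the thread ids and all function names are hypothetical.

```python
"""Added illustration: diff two snapshots of a decoy process (Linux /proc format)."""
import re

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

def parse_maps(text):
    """Return {(start, end): (perms, path)} for every mapped region."""
    regions = {}
    for line in text.strip().splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            regions[(start, end)] = (m.group(3), m.group(4).strip())
    return regions

def diff_decoy(base_maps, base_tids, cur_maps, cur_tids):
    """Report changes that a quiescent decoy process should never show."""
    findings = []
    for span, (perms, path) in sorted(cur_maps.items()):
        old = base_maps.get(span)
        name = path or "[anon]"
        if old is None:
            kind = "new-exec-region" if "x" in perms else "new-region"
            findings.append((kind, hex(span[0]), perms, name))
        elif old[0] != perms:
            findings.append(("perm-change", hex(span[0]), old[0] + "->" + perms, name))
    for tid in sorted(set(cur_tids) - set(base_tids)):
        findings.append(("new-thread", tid))
    return findings

# Constructed sample snapshots (not taken from a real system or from the paper).
BASELINE = """
00400000-00401000 r-xp 00000000 08:01 1234 /opt/decoy/decoy
00600000-00601000 rw-p 00000000 08:01 1234 /opt/decoy/decoy
7ffd1000-7ffd3000 rw-p 00000000 00:00 0 [stack]
"""
LATER = BASELINE + "7f3a0000-7f3a2000 rwxp 00000000 00:00 0\n"

def demo():
    return diff_decoy(parse_maps(BASELINE), {4100}, parse_maps(LATER), {4100, 4177})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live system the two snapshots would come from reading `/proc/<pid>/maps` and listing `/proc/<pid>/task` for the decoy at two points in time.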


Keywords: Host-Based Code Injection Attacks, Malware Detection, Computer Security





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Thomas Barabosch (1)
  • Sebastian Eschweiler (1)
  • Elmar Gerhards-Padilla (1)
  1. Fraunhofer FKIE, Bonn, Germany
