
Rope: Covert Multi-process Malware Execution with Return-Oriented Programming

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12972)

Abstract

Distributed execution designs challenge the behavioral analyses of anti-malware solutions by spreading seemingly benign chunks of a malicious payload across multiple processes. Researchers have explored methods to chop payloads, spread chunks to victim applications through process injection techniques, and orchestrate the execution. However, these methods can hardly be practical, as they exhibit conspicuous features and make use of primitives that anti-malware solutions and operating system mitigations readily detect. In this paper we reason about fundamental requirements and properties for a stealthy implementation of distributed malware. We propose a new covert design, Rope, that minimizes its footprint by making use of commodity techniques like transacted files and return-oriented programming for covert communication and payload distribution. We report on how synthetic Rope samples eluded a number of state-of-the-art anti-virus and endpoint security solutions, and bypassed the opt-in mitigations of Windows 10 for hardening applications. We then discuss directions and practical remediations to mitigate such threats.

Keywords

  • Malware
  • Distributed execution
  • Anti-virus
  • EDR
  • Injection
  • Code reuse
  • Application hardening
  • ROP
  • TxF
  • WDEG


Notes

  1. This is relevant also to mimicry attacks from process creation-based approaches.

  2. Necessary to overcome present implementation gaps in WDEG, e.g., with concomitant use of ACG and ROP mitigations [28], or with ACG and remote allocations [19].

  3. Only recursive functions would require semantic changes to their code: e.g., the attacker may use a stack data structure to host and reference each stack frame.

  4. A more conservative and covert implementation may target an already-loaded module (e.g., kernel32.dll) and encode the bootstrap component and the chunks with, e.g., microgadgets [17], which are abundant [32]. However, this was not necessary for validating the stealthiness of our approach against the currently available defenses we tested.

  5. https://github.com/rwfpl/rewolf-wow64ext.

  6. The ETW (Event Tracing for Windows) subsystem also offers useful tracing capabilities.
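
Note 3 above states that recursive functions are the one case that needs semantic changes before a payload can be expressed as a straight-line code-reuse chain, and suggests hosting the frames in an explicit stack data structure. The following is an added illustration of that transformation in plain C; it is not code from the paper or from the Rope prototype, and the function and type names (fib_recursive, fib_explicit_stack, struct frame, enum resume) are chosen here for the example. The idea generalizes to any recursive routine: every pending call becomes a heap-resident frame record carrying its arguments, partial results and a resume point that stands in for the saved return address, so the body becomes a loop a chain of gadgets could drive without ever issuing a call.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Ordinary recursive form: the machine stack holds one frame per pending
 * call. A straight-line chain has no notion of "call", so this shape cannot
 * be translated one-to-one. */
static uint64_t fib_recursive(unsigned n) {
    if (n < 2) return n;
    return fib_recursive(n - 1) + fib_recursive(n - 2);
}

/* Resume points: the role a saved return address plays in a real frame. */
enum resume { RP_ENTRY, RP_AFTER_FIRST, RP_AFTER_SECOND };

/* Explicit frame record: what the machine stack would hold for one call. */
struct frame {
    unsigned n;        /* argument */
    uint64_t partial;  /* result of the first recursive call */
    enum resume rp;    /* where to continue when this frame is resumed */
};

struct frame_stack {
    struct frame *slots;
    size_t top, cap;
};

static void push(struct frame_stack *s, struct frame f) {
    if (s->top == s->cap) {
        s->cap = s->cap ? s->cap * 2 : 16;
        s->slots = realloc(s->slots, s->cap * sizeof *s->slots);
        if (!s->slots) { perror("realloc"); exit(1); }
    }
    s->slots[s->top++] = f;
}

/* Same computation with no recursion: a loop drives a heap-hosted frame
 * stack, and the return value travels in a single variable (a register in a
 * chain). Each case of the switch is one straight-line block. */
static uint64_t fib_explicit_stack(unsigned n) {
    struct frame_stack st = { NULL, 0, 0 };
    uint64_t retval = 0;
    push(&st, (struct frame){ .n = n, .partial = 0, .rp = RP_ENTRY });

    while (st.top > 0) {
        struct frame *f = &st.slots[st.top - 1];   /* re-read: push may realloc */
        switch (f->rp) {
        case RP_ENTRY:
            if (f->n < 2) {                        /* base case: "return n" */
                retval = f->n;
                st.top--;
            } else {                               /* "call fib(n-1)" */
                f->rp = RP_AFTER_FIRST;
                push(&st, (struct frame){ .n = f->n - 1, .partial = 0, .rp = RP_ENTRY });
            }
            break;
        case RP_AFTER_FIRST:                       /* back from fib(n-1) */
            f->partial = retval;
            f->rp = RP_AFTER_SECOND;               /* "call fib(n-2)" */
            push(&st, (struct frame){ .n = f->n - 2, .partial = 0, .rp = RP_ENTRY });
            break;
        case RP_AFTER_SECOND:                      /* back from fib(n-2) */
            retval = f->partial + retval;          /* "return a + b" */
            st.top--;
            break;
        }
    }
    free(st.slots);
    return retval;
}

/* Cross-check both forms on 0..max_n; returns 1 when every value agrees. */
static int results_agree(unsigned max_n) {
    for (unsigned i = 0; i <= max_n; i++)
        if (fib_recursive(i) != fib_explicit_stack(i)) return 0;
    return 1;
}

int main(void) {
    unsigned n = 30;
    printf("fib(%u): recursive=%llu explicit-stack=%llu\n", n,
           (unsigned long long)fib_recursive(n),
           (unsigned long long)fib_explicit_stack(n));
    return results_agree(n) ? 0 : 1;
}
```

The transformed function never grows the machine stack: its depth lives entirely in the heap buffer, which is what lets a chain of reused code blocks host it. Two recursive calls in the source give two resume points; a routine with k call sites needs k of them.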

References

  1. Allred, C.: Understanding Windows file system transactions. In: Storage Developer Conference 2009. SNIA (2009). https://www.snia.org/sites/default/orig/sdc_archives/2009_presentations/tuesday/ChristianAllred_UnderstandingWindowsFileSystemTransactions.pdf

  2. Angelini, M., et al.: ROPMate: visually assisting the creation of ROP-based exploits. In: Proceedings of the 15th IEEE Symposium on Visualization for Cyber Security. VizSec 2018 (2018). https://doi.org/10.1109/VIZSEC.2018.8709204

  3. Blackthorne, J., Bulazel, A., Fasano, A., Biernat, P., Yener, B.: AVLeak: fingerprinting antivirus emulators through black-box testing. In: 10th USENIX Workshop on Offensive Technologies. WOOT 2016, USENIX Association (2016)

  4. Borrello, P., Coppa, E., D’Elia, D.C.: Hiding in the particles: when return-oriented programming meets program obfuscation. In: Proceedings of the 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 555–568. DSN 2021. IEEE (2021). https://doi.org/10.1109/DSN48987.2021.00064

  5. Borrello, P., Coppa, E., D’Elia, D.C., Demetrescu, C.: The ROP needle: hiding trigger-based injection vectors via code reuse. In: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 1962–1970. SAC 2019. ACM (2019). https://doi.org/10.1145/3297280.3297472

  6. Botacin, M., de Geus, P.L., Grégio, A.: “VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks. J. Comput. Virol. Hack. Techn. 15(4), 233–247 (2019). https://doi.org/10.1007/s11416-019-00333-y

  7. Ciholas, P., Such, J.M., Marnerides, A.K., Green, B., Zhang, J., Roedig, U.: Fast and furious: outrunning Windows kernel notification routines from user-mode. In: Maurice, C., Bilge, L., Stringhini, G., Neves, N. (eds.) DIMVA 2020. LNCS, vol. 12223, pp. 67–88. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-52683-2_4

  8. De Gaspari, F., Hitaj, D., Pagnotta, G., De Carli, L., Mancini, L.V.: The Naked Sun: malicious cooperation between benign-looking processes. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12147, pp. 254–274. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57878-7_13

  9. D’Elia, D.C., Coppa, E., Salvati, A., Demetrescu, C.: Static analysis of ROP code. In: Proceedings of the 12th European Workshop on Systems Security. EuroSec 2019, ACM (2019). https://doi.org/10.1145/3301417.3312494

  10. D’Elia, D.C., Invidia, L.: Rope: Bypassing behavioral detection of malware with distributed ROP-driven execution. Black Hat USA (2021). https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Rope-Bypassing-Behavioral-Detection-Of-Malware-With-Distributed-ROP-Driven-Execution-wp.pdf

  11. D’Elia, D.C., Nicchi, S., Mariani, M., Marini, M., Palmaro, F.: Designing robust API monitoring solutions. arXiv abs/2005.00323 (2020)

  12. Doniec, A.: From a C project, through assembly, to shellcode (by hasherezade). VX Underground (2020). https://github.com/vxunderground/VXUG-Papers

  13. Filiol, E.: Formalisation and implementation aspects of K-ary (malicious) codes. J. Comput. Virol. 3, 75–86 (2007). https://doi.org/10.1007/s11416-007-0044-2

  14. Graziano, M., Balzarotti, D., Zidouemba, A.: ROPMEMU: a framework for the analysis of complex code-reuse attacks. In: Proceedings of 11th Asia Conference on Computer and Communications Security, pp. 47–58. ASIACCS 2016. ACM (2016). https://doi.org/10.1145/2897845.2897894

  15. Hăjmăşan, G., Mondoc, A., Portase, R., Creţ, O.: Evasive malware detection using groups of processes. In: De Capitani di Vimercati, S., Martinelli, F. (eds.) SEC 2017. IAICT, vol. 502, pp. 32–45. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58469-0_3

  16. Hendrick, A.: Fileless malware and process injection in Linux. Hack.lu (2019). http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf

  17. Homescu, A., Stewart, M., Larsen, P., Brunthaler, S., Franz, M.: Microgadgets: Size does matter in Turing-complete return-oriented programming. In: 6th USENIX Workshop on Offensive Technologies. WOOT 2012, USENIX Association (2012)

  18. Hong, J., Ding, X.: A novel dynamic analysis infrastructure to instrument untrusted execution flow across user-kernel spaces. In: Proceedings of the 2021 IEEE Symposium on Security and Privacy, pp. 402–418. SP 2021. IEEE Computer Society (2021). https://doi.org/10.1109/SP40001.2021.00024

  19. ired.team: ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG). Red Teaming Experiments GitBook (2020). https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy

  20. Ispoglou, K.K., Payer, M.: malWASH: washing malware to evade dynamic analysis. In: 10th USENIX Workshop on Offensive Technologies. WOOT 2016, USENIX Association (2016)

  21. Ji, Y., He, Y., Zhu, D., Li, Q., Guo, D.: A multiprocess mechanism of evading behavior-based bot detection approaches. In: Huang, X., Zhou, J. (eds.) ISPEC 2014. LNCS, vol. 8434, pp. 75–89. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06320-1_7

  22. Kaspersky: Dvmap: the first Android malware with code injection. SecureList (2017). https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/

  23. Klein, A., Kotler, I.: Process injection techniques - gotta catch them all (Windows process injection in 2019). Black Hat USA (2019). https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf

  24. Kulkarni, A.P., Jagdale, P.D.: Adapting to TxF. VirusBulletin, January 2010. https://www.virusbulletin.com/virusbulletin/2010/05/adapting-txf

  25. Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 386–395. ACSAC 2014. ACM (2014). https://doi.org/10.1145/2664243.2664252

  26. Ma, W., Duan, P., Liu, S., Gu, G., Liu, J.C.: Shadow attacks: automatically evading system-call-behavior based malware detection. J. Comput. Virol. 8(1), 1–13 (2012). https://doi.org/10.1007/s11416-011-0157-5

  27. MDSec: Bypassing user-mode hooks and direct invocation of system calls for red teams (2020). https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

  28. Microsoft: Exploit protection reference. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide

  29. Microsoft: Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware (2017). https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

  30. Microsoft Defender Security Research Team: From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw. https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/

  31. Min, B., Varadharajan, V.: Design and analysis of a new feature-distributed malware. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 457–464 (2014). https://doi.org/10.1109/TrustCom.2014.58

  32. Nakanishi, F., De Pasquale, G., Ferla, D., Cavallaro, L.: Intertwining ROP gadgets and opaque predicates for robust obfuscation. arXiv abs/2012.09163 (2020)

  33. Nemeth, Z.L.: Modern binary attacks and defences in the Windows environment - fighting against Microsoft EMET in seven rounds. In: 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics, pp. 275–280. SISY 2015 (2015). https://doi.org/10.1109/SISY.2015.7325394

  34. Ntantogian, C., Poulios, G., Karopoulos, G., Xenakis, C.: Transforming malicious code to ROP gadgets for antivirus evasion. IET Inf. Security 13(6), 570–578 (2019). https://doi.org/10.1049/iet-ifs.2018.5386

  35. Or-Meir, O., Nissim, N., Elovici, Y., Rokach, L.: Dynamic malware analysis in the modern era - a state of the art survey. ACM Comput. Surv. 52(5) (2019). https://doi.org/10.1145/3329786

  36. Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: 22nd USENIX Security Symposium, pp. 447–462. USENIX Security 2013, USENIX Association (2013)

  37. Pavithran, J., Patnaik, M., Rebeiro, C.: D-TIME: Distributed threadless independent malware execution for runtime obfuscation. In: 13th USENIX Workshop on Offensive Technologies. WOOT 2019, USENIX Association (2019)

  38. Polychronakis, M., Keromytis, A.D.: ROP payload detection using speculative code execution. In: 2011 6th International Conference on Malicious and Unwanted Software, pp. 58–65. IEEE Computer Society (2011). https://doi.org/10.1109/MALWARE.2011.6112327

  39. Ramilli, M., Bishop, M.: Multi-stage delivery of malware. In: 2010 5th International Conference on Malicious and Unwanted Software, pp. 91–97 (2010). https://doi.org/10.1109/MALWARE.2010.5665788

  40. Ramilli, M., Bishop, M., Sun, S.: Multiprocess malware. In: 2011 6th International Conference on Malicious and Unwanted Software, pp. 8–13 (2011). https://doi.org/10.1109/MALWARE.2011.6112320

  41. Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1) (2012). https://doi.org/10.1145/2133375.2133377

  42. Russinovich, M., Solomon, D.A.: Windows Internals: Including Windows Server 2008 and Windows Vista, 5th edn., pp. 965–974. Microsoft Press (2009)

  43. Sun, B., Liu, J., Xu, C.: How to survive the hardware-assisted control-flow integrity enforcement. Black Hat Asia (2019). https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-Hardware-Assisted-Control-Flow-Integrity-Enforcement.pdf

  44. Wang, T., Lu, K., Lu, L., Chung, S., Lee, W.: Jekyll on iOS: when benign apps become evil. In: 22nd USENIX Security Symposium, pp. 559–572. USENIX Security 2013, USENIX Association (2013)

  45. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 116–127. CCS 2007. ACM (2007). https://doi.org/10.1145/1315245.1315261

Author information

Correspondence to Daniele Cono D’Elia.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

D’Elia, D.C., Invidia, L., Querzoni, L. (2021). Rope: Covert Multi-process Malware Execution with Return-Oriented Programming. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_10

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5
