Skip to main content

Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10327))

Abstract

Malware predominantly employs code injections, which allow to run code in the trusted context of another process. This enables malware, for instance, to secretly operate or to intercept critical information. It is crucial for analysts to quickly detect injected code. While there are systems to detect code injections in memory dumps, they suffer from unsatisfying detection rates or their detection granularity is too coarse. In this paper, we present Quincy to overcome these drawbacks. It employs 38 features commonly associated with code injections to classify memory regions. We implemented Quincy for Windows XP, 7 and 10 and compared it to the current state of the art, Volatility’s malfind as well as hollowfind. For this sake, we created a high quality data set consisting of 102 current representatives of code injecting malware families. Quincy improves significantly upon both approaches, with up to 19.49% more true positives and a decrease in false positives by up to 94,76%.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. The Portable Freeware Collection. http://www.portablefreeware.com. Accessed 24 Apr 2017

  2. YARA. https://plusvic.github.io/yara/. Accessed 24 Apr 2017

  3. scikit-learn (2016). http://scikit-learn.org. Accessed 24 Apr 2017

  4. VirusTotal. https://www.virustotal.com. Accessed 24 Apr 2017

  5. Barabosch, T., Bergmann, N., Dombeck, A., Padilla, E.: Quincy Project Site. https://net.cs.uni-bonn.de/wg/cs/staff/thomas-barabosch/. Accessed 24 Apr 2017

  6. Barabosch, T., Eschweiler, S., Gerhards-Padilla, E.: Bee master: detecting host-based code injection attacks. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 235–254. Springer, Cham (2014). doi:10.1007/978-3-319-08509-8_13

    Google Scholar 

  7. Barabosch, T., Gerhards-Padilla, E.: Host-based code injection attacks: a popular technique used by malware. In: Malicious and Unwanted Software (MALCON) (2014)

    Google Scholar 

  8. Bergstra, J., Bengio, Y.: Random search for hyper-parameter optimization. J. Mach. Learn. Res. (JMLR) 13, 281–305 (2012)

    MathSciNet  MATH  Google Scholar 

  9. Breiman, L.: Random forests. Mach. Learn. 45, 5–32 (2001)

    Article  MATH  Google Scholar 

  10. Breiman, L., Friedman, J., Stone, C.J., Olshen, R.A.: Classification and Regression Trees. CRC Press, Boca Raton (1984)

    MATH  Google Scholar 

  11. Freund, Y., Schapire, R.E.: A desicion-theoretic generalization of on-line learning and an application to boosting. In: Vitányi, P. (ed.) EuroCOLT 1995. LNCS, vol. 904, pp. 23–37. Springer, Heidelberg (1995). doi:10.1007/3-540-59119-2_166

    Chapter  Google Scholar 

  12. Friedman, J.H.: Greedy function approximation: a gradient boosting machine. Ann. Stat. 29, 1189–1232 (2001)

    Article  MathSciNet  MATH  Google Scholar 

  13. Genuer, R., Poggi, J.-M., Tuleau-Malot, C.: Variable selection using random forests. Pattern Recognit. Lett. 31(14), 2225–2236 (2010)

    Article  Google Scholar 

  14. Geurts, P., Ernst, D., Wehenkel, L.: Extremely randomized trees. Mach. Learn. 63, 3 (2006)

    Article  MATH  Google Scholar 

  15. Griffin, K., Schneider, S., Hu, X., Chiueh, T.: Automatic generation of string signatures for malware detection. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 101–120. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04342-0_6

    Chapter  Google Scholar 

  16. Guyon, I., Weston, J., Barnhill, S., Vladimir, V.: Gene selection for cancer classification using support vector machines. Mach. Learn. 46, 389–422 (2002)

    Article  MATH  Google Scholar 

  17. Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23644-0_18

    Chapter  Google Scholar 

  18. Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. Secur. Priv. (S&P) (2007)

    Google Scholar 

  19. Microsoft: Microsoft Malware Classification Challenge (BIG 2015) (2015). https://www.kaggle.com/c/malware-classification. Accessed 24 Apr 2017

  20. Monnappa, K.A.: Detecting deceptive process hollowing techniques using hollowfind volatility plugin (2016). https://cysinfo.com/detecting-deceptive-hollowing-techniques/. Accessed 24 Apr 2017

  21. Nappa, A., Rafique, M.Z., Caballero, J.: The MALICIA dataset: identification and analysis of drive-by download operations. Int. J. Inf. Secur. 1–19 (2014)

    Google Scholar 

  22. Oracle: VirtualBox. https://www.virtualbox.org. Accessed 24 Apr 2017

  23. Ortega, A.: Pafish. https://github.com/a0rtega/pafish. Accessed 24 Apr 2017

  24. Pék, G., Lázár, Z., Várnagy, Z., Félegyházi, M., Buttyán, L.: Membrane: a posteriori detection of malicious code loading by memory paging analysis. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 199–216. Springer, Cham (2016). doi:10.1007/978-3-319-45744-4_10

    Chapter  Google Scholar 

  25. Rossow, C., Dietrich, C.J., Grier, C., Kreibich, C., Paxson, V., Pohlmann, N., Bos, H., Van Steen, M.: Prudent practices for designing malware experiments: status quo and outlook. In: Security and Privacy (SP) (2012)

    Google Scholar 

  26. van Dantzig, M., Heppener, D., Frank Ruiz, Y.K., Hu, Y.Z., de Jong, E., de Mik, K., Haagsma, L.: Ponmocup - a giant hiding in the shadows (2015). https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf. Accessed 24 Apr 2017

  27. Volatility Foundation: The Volatility Framework (2015). http://www.volatilityfoundation.org. Accessed 24 Apr 2017

  28. White, A., Schatz, B., Foo, E.: Integrity verification of user space code. In: Digital Forensic Research Workshop (DFRWS) (2013)

    Google Scholar 

  29. Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. In: Proceedings of the 28th Symposium on Security and Privacy (S&P) (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Thomas Barabosch .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Barabosch, T., Bergmann, N., Dombeck, A., Padilla, E. (2017). Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-60876-1_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics