Abstract
Malware predominantly employs code injection, which allows it to run code in the trusted context of another process. This enables malware, for instance, to operate covertly or to intercept critical information. It is crucial for analysts to detect injected code quickly. While there are systems that detect code injections in memory dumps, they suffer from unsatisfying detection rates or their detection granularity is too coarse. In this paper, we present Quincy to overcome these drawbacks. It employs 38 features commonly associated with code injections to classify memory regions. We implemented Quincy for Windows XP, 7 and 10 and compared it to the current state of the art, Volatility's malfind as well as hollowfind. To this end, we created a high-quality data set consisting of 102 current representatives of code-injecting malware families. Quincy improves significantly upon both approaches, with up to 19.49% more true positives and a decrease in false positives by up to 94.76%.
© 2017 Springer International Publishing AG
Cite this paper
Barabosch, T., Bergmann, N., Dombeck, A., Padilla, E. (2017). Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps. In: Polychronakis, M., Meier, M. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol. 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_10
DOI: https://doi.org/10.1007/978-3-319-60876-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60875-4
Online ISBN: 978-3-319-60876-1