A Measurement Study on Interprocess Code Propagation of Malicious Software

  • Conference paper
  • Digital Forensics and Cyber Crime (ICDF2C 2023)

Abstract

The propagation of code from one process to another is an important aspect of many malware families and can be achieved, for example, through code injections or the launch of new instances. An in-depth understanding of how and when malware uses interprocess code propagations would be a valuable aid in the analysis of this threat, since many dynamic malware analysis and unpacking schemes rely on finding running instances of malicious code. However, despite the prevalence of such propagations, there is little research on this topic. Therefore, in this work, we aim to extend the state-of-the-art by measuring both the behavior and the prevalence of interprocess code propagations of malicious software. We developed a method based on API-tracing for measuring code propagations in dynamic malware analysis. Subsequently, we implemented this method into a proof-of-concept implementation as a basis for further research. To gain more knowledge on the prevalence of code propagations and the code propagation techniques used, we conducted a study using our implementation on a real-world data set of 4853 malware samples from 1747 families. Our results show that more than a third (38.13%) of the executables use code propagation, which can be further classified into four different topologies and 24 different code propagation techniques. We also provide a list of the most significant representative malware samples for each of these topologies and techniques as a starting point for researchers aiming to develop countermeasures against code propagation.
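The abstract describes a measurement method built on API tracing: record the calls by which one process carries code into another, reconstruct a propagation graph per sample, and then classify its topology and the technique used on each edge. The following is an added example, not the paper's implementation. The event format, the API names treated as propagation markers, and the topology labels ("none", "chain", "starlike", "other") are assumptions chosen for illustration; the paper's own four topologies and 24 techniques are not reproduced here. The "starlike" rule follows the page's note that the branching vertex need not be the root.

```python
"""Reconstruct per-sample interprocess code-propagation graphs from API-trace events.

Added example (not the paper's code). Event layout, marker APIs and topology
labels are assumptions made for this illustration.
"""
from collections import Counter, defaultdict

# Constructed trace (not real data): (sample, source_pid, api, target_pid).
TRACE = [
    ("sampleA", 100, "CreateProcessW", 200),
    ("sampleA", 200, "WriteProcessMemory", 300),
    ("sampleA", 200, "CreateRemoteThread", 300),
    ("sampleA", 200, "WriteProcessMemory", 301),
    ("sampleA", 200, "CreateRemoteThread", 301),
    ("sampleB", 100, "CreateProcessW", 200),
    ("sampleB", 200, "CreateProcessW", 300),
    ("sampleC", 100, "NtQuerySystemInformation", 100),  # no propagation at all
]

# Assumed set of APIs that carry code across a process boundary.
PROPAGATION_APIS = {"CreateProcessW", "WriteProcessMemory", "CreateRemoteThread",
                    "QueueUserAPC", "SetThreadContext"}


def build_graphs(events):
    """Return {sample: {(src_pid, dst_pid): [apis in trace order]}}.

    Every sample seen in the trace gets an entry, so samples without any
    propagation are still counted when prevalence is computed.
    """
    graphs = {}
    for sample, src, api, dst in events:
        edges = graphs.setdefault(sample, defaultdict(list))
        if api in PROPAGATION_APIS and src != dst:
            edges[(src, dst)].append(api)
    return {s: dict(e) for s, e in graphs.items()}


def classify_topology(edges):
    """Assumed labels for the shape of one sample's propagation graph.

    'none'     : no cross-process code propagation observed
    'chain'    : every process propagates to at most one other process
    'starlike' : exactly one process branches (out-degree > 1); it need not be the root
    'other'    : more than one branching process
    """
    if not edges:
        return "none"
    out_degree = Counter(src for src, _ in edges)
    branching = [pid for pid, deg in out_degree.items() if deg > 1]
    if not branching:
        return "chain"
    return "starlike" if len(branching) == 1 else "other"


def edge_technique(apis):
    """Name a technique by the distinct propagation APIs seen on one edge, in first-seen order."""
    seen = []
    for api in apis:
        if api not in seen:
            seen.append(api)
    return "+".join(seen)


def propagated_processes(edges):
    """PIDs that received code; the places an unpacker would look for running malicious code."""
    return sorted({dst for _, dst in edges})


def summarize(events):
    """Topology per sample, technique counts over all edges, and propagation prevalence."""
    graphs = build_graphs(events)
    topologies = {s: classify_topology(e) for s, e in graphs.items()}
    techniques = Counter(edge_technique(apis) for e in graphs.values() for apis in e.values())
    prevalence = sum(1 for e in graphs.values() if e) / len(graphs)
    return topologies, techniques, prevalence


if __name__ == "__main__":
    topo, tech, prev = summarize(TRACE)
    for sample, label in topo.items():
        print(f"{sample}: topology={label}, received code: "
              f"{propagated_processes(build_graphs(TRACE)[sample])}")
    print("techniques:", dict(tech))
    print(f"samples with propagation: {prev:.2%}")
```

On a real trace the marker set would be broader (the abstract counts 24 distinct techniques), and the graph should be keyed on process identity rather than bare PIDs, since PIDs are reused once a process exits.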


Notes

  1. Git commit d366eb0 - Jan 6, 2023.
  2. Our definition differs from the definition for starlike trees in that the vertex with degree greater than 1 does not need to be the root.
  3. 6adecfaec434b41ecce9911f00b48e4e8ae6e3e8b9081d59e1b46480e9f7dbfc.
  4. f19ce795b4b2421a82ff71a3f3a271032578c80cadd0cc44b1714848b5bb81c0.
  5. f9ef36da6a3786dd672e049aa4028d12d0cd33a4f4771ec70309c89f8f482930.
  6. bd882e2eefd0145ff169d868c1815df272f84a5ad1e501cfa5c3336839774171.
  7. a7a29da4c53d424e1997ff8f2702aea6b76e9f5b60d704f306c353e01cea4d76.
  8. 520ae48364d7e5fe6bdb0a59c9cd1370dee5b26e648677fa84f1f601f727d280.
  9. 89b138eaaade5a1ec36e2d1422ae38059f138e81b722301e713b65a74de521c7.
  10. f24354e54e4b59f6c327b1f7e144092647e726505acde5595a8386e7c2c6fa8a.
  11. 40fa0ae6c2f73af93c304b3e12d22ee38100ac0e18798f2e96b1db37abbca8e8.
  12. 072cdcf66b81772724648da4c0ca2429a39504599e07ccfca2ba8af73ec24adc.
  13. 97a614c078ca4302c31a8af24cf19317d76507c5fee17b4df10149157127b19b.
  14. df70581c5a712e2eda57922114534704166f93dc2158c302c58d61a487330546.
  15. be65dc1c2d2cb1ddbb7b08780e608eb0d9cabc706491f5bd7657326018c0c518.
  16. e7fa2707166283e1f0e7422546ee387aae01b5ee5c255a62909da0a3b6cb19c0.
  17. 92c0cc5879215255478b3325bee34353090e08337aa61a92506f0498f7907500.
  18. 92bb2efeea875eb5e8779f13cc50d1a831b3c538eb73e15384f8748266be8ff1.
  19. bff06d770eec594c363a217effbe2ea4e8a618b7ef95da1100e5aef9c847403f.
  20. b2c6c7e9d8bb6f75865324788cf311a5a951e2d4e69137937ecfb0879ebae1ce.
  21. d7489e3f876cb41d61b08bb1f91ed9a9f862761416954649c4ee2c26b5c3c199.
  22. 80823b2e354ed28badde4e8a7525113be5fc61b4a48f64a5f33da9491d2d2aa9.
  23. d22f9035ac8c69bb391bd478b01305c00bef0cb7b1b0b2ea716ad31a3fcc07cb.
  24. 3ff49706e78067613aa1dcf0174968963b17f15e9a6bc54396a9f233d382d0e6.
  25. 104428ccf005b36edfb62d110203a43bdbb417052b31eb4646395309645c9944.
  26. 6adecfaec434b41ecce9911f00b48e4e8ae6e3e8b9081d59e1b46480e9f7dbfc.

Author information

Correspondence to Thorsten Jenke .


Copyright information

© 2024 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Jenke, T., Liessem, S., Padilla, E., Bruckschen, L. (2024). A Measurement Study on Interprocess Code Propagation of Malicious Software. In: Goel, S., Nunes de Souza, P.R. (eds) Digital Forensics and Cyber Crime. ICDF2C 2023. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 571. Springer, Cham. https://doi.org/10.1007/978-3-031-56583-0_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-56583-0_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-56582-3

  • Online ISBN: 978-3-031-56583-0

  • eBook Packages: Computer Science (R0)
