Comprehensive shellcode detection using runtime heuristics

ABSTRACT
A promising method for detecting previously unknown code injection attacks is to identify the shellcode that is part of the attack vector by executing the payload. Existing systems based on this approach rely on the self-decrypting behavior of polymorphic code and can identify only that particular class of shellcode. Plain and, more importantly, metamorphic shellcode carry no decryption routine and perform no self-modification, and so both evade existing detection systems. In this paper, we present a comprehensive shellcode detection technique that uses a set of runtime heuristics to identify the presence of shellcode in arbitrary data streams. We have identified fundamental machine-level operations that are inescapably performed by different shellcode types, and based on them we have designed heuristics that detect plain and metamorphic shellcode regardless of whether self-decryption is used. We have implemented our technique in Gene, a code injection attack detection system based on passive network monitoring. Our experimental evaluation and real-world deployment show that Gene effectively detects a large and diverse set of shellcode samples that are currently missed by existing detectors, and so far it has generated no false positives.
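The abstract does not say which machine-level operations Gene's heuristics check for. The example below, added here and not taken from the paper or from Gene, uses one operation that 32-bit Windows shellcode performs whatever its encoding: locating kernel32 by reading the PEB pointer from fs:[0x30] and walking the loader's module lists down to a DllBase. It models execution-based detection in miniature. Every offset of the input is tried as an entry point in a toy x86-32 interpreter that understands only the handful of instructions such prologues use, and a runtime heuristic fires when a value fetched from fs:[0x30] is dereferenced, read by read, down to a module base address. The process image, the module addresses, the instruction subset, the sample byte strings and the exact heuristic condition are all constructed assumptions for illustration, not the paper's.

```python
# Added example, not code from the paper or from Gene: a miniature
# execution-based detector with one runtime heuristic (PEB walk to a
# module base).  All addresses and layouts below are constructed.

TEB = 0x7FFDE000            # fs segment base (TEB) in a 32-bit Windows process
PEB = 0x7FFD4000
LDR = 0x00251EA0            # PEB.Ldr -> PEB_LDR_DATA
NTDLL_ENTRY = 0x00251F40    # LDR_DATA_TABLE_ENTRY records
K32_ENTRY = 0x00252100
MODULE_BASES = {0x7C900000, 0x7C800000}   # DllBase of ntdll and kernel32 in the fake image


def build_memory():
    """Constructed, simplified loader image: each of the three module lists
    holds ntdll followed by kernel32, laid out with the real field offsets."""
    mem = {TEB + 0x30: PEB,                    # TEB.ProcessEnvironmentBlock
           PEB + 0x0C: LDR,                    # PEB.Ldr
           LDR + 0x0C: NTDLL_ENTRY + 0x00,     # InLoadOrderModuleList.Flink
           LDR + 0x14: NTDLL_ENTRY + 0x08,     # InMemoryOrderModuleList.Flink
           LDR + 0x1C: NTDLL_ENTRY + 0x10}     # InInitializationOrderModuleList.Flink
    for entry, nxt, base in ((NTDLL_ENTRY, K32_ENTRY, 0x7C900000),
                             (K32_ENTRY, NTDLL_ENTRY, 0x7C800000)):
        mem[entry + 0x00] = nxt + 0x00   # InLoadOrderLinks.Flink
        mem[entry + 0x08] = nxt + 0x08   # InMemoryOrderLinks.Flink
        mem[entry + 0x10] = nxt + 0x10   # InInitializationOrderLinks.Flink
        mem[entry + 0x18] = base         # DllBase
    return mem


def _disp8(b):
    return b - 0x100 if b >= 0x80 else b


def execute(code, start, mem, max_steps=32):
    """Run `code` from offset `start` on a toy interpreter that knows only the
    instructions PEB-walking prologues use.  Returns True when the heuristic
    fires: a value fetched from fs:[0x30] is dereferenced down to a DllBase."""
    eip, eax, tainted = start, 0, False
    for _ in range(max_steps):
        if eip >= len(code):
            return False
        op = code[eip]
        if op == 0x90:                                   # nop
            eip += 1
            continue
        if op == 0xC3:                                   # ret: trace ends
            return False
        if code[eip:eip + 2] == b"\x31\xc0":             # xor eax, eax
            eax, tainted, eip = 0, False, eip + 2
            continue
        if code[eip:eip + 2] == b"\x64\xa1" and eip + 6 <= len(code):        # mov eax, fs:[imm32]
            addr, fs, eip = TEB + int.from_bytes(code[eip + 2:eip + 6], "little"), True, eip + 6
        elif code[eip:eip + 3] == b"\x64\x8b\x40" and eip + 4 <= len(code):  # mov eax, fs:[eax+disp8]
            addr, fs, eip = TEB + eax + _disp8(code[eip + 3]), True, eip + 4
        elif code[eip:eip + 2] == b"\x8b\x40" and eip + 3 <= len(code):      # mov eax, [eax+disp8]
            addr, fs, eip = eax + _disp8(code[eip + 2]), False, eip + 3
        elif code[eip:eip + 2] == b"\x8b\x00":                               # mov eax, [eax]
            addr, fs, eip = eax, False, eip + 2
        else:
            return False                                 # not modelled: stop this trace
        addr &= 0xFFFFFFFF
        if addr not in mem:
            return False                                 # memory fault: stop this trace
        # Taint: fetching fs:[0x30] marks eax as derived from the PEB; reads
        # through a tainted eax keep the taint, any other fs read drops it.
        tainted = (addr == TEB + 0x30) if fs else tainted
        eax = mem[addr]
        if tainted and eax in MODULE_BASES:
            return True
    return False


def scan(data, mem=None):
    """Try every offset of `data` as an entry point; return the first offset
    at which the heuristic fires, or None."""
    mem = build_memory() if mem is None else mem
    for start in range(len(data)):
        if execute(data, start, mem):
            return start
    return None


# Constructed samples.  Both prologues reach kernel32's base through the PEB
# but are encoded differently; a byte signature for either misses the other.
PLAIN_K32 = bytes.fromhex(
    "64a130000000"   # mov eax, fs:[0x30]      ; PEB
    "8b400c"         # mov eax, [eax+0x0c]     ; PEB.Ldr
    "8b401c"         # mov eax, [eax+0x1c]     ; InInitializationOrderModuleList.Flink (ntdll)
    "8b00"           # mov eax, [eax]          ; Flink -> kernel32 entry
    "8b4008")        # mov eax, [eax+0x08]     ; DllBase
VARIANT_K32 = bytes.fromhex(
    "31c0"           # xor eax, eax
    "648b4030"       # mov eax, fs:[eax+0x30]  ; PEB
    "8b400c"         # mov eax, [eax+0x0c]     ; PEB.Ldr
    "8b400c"         # mov eax, [eax+0x0c]     ; InLoadOrderModuleList.Flink (ntdll)
    "8b00"           # mov eax, [eax]          ; Flink -> kernel32 entry
    "8b4018")        # mov eax, [eax+0x18]     ; DllBase
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"   # constructed request

if __name__ == "__main__":
    for name, buf in (("plain", b"A" * 16 + PLAIN_K32), ("variant", VARIANT_K32), ("benign", BENIGN)):
        print(name, scan(buf))
```

The point the toy makes is the one the abstract makes: the check is on what the executed code does (fetch the PEB pointer, then dereference it down to a module base) rather than on which bytes encode it, so the two differently encoded prologues trigger the same heuristic while the HTTP request never does. What it leaves out is exactly what a real detector such as Gene must handle: a full instruction set, self-modifying (self-decrypting) code, which needs memory writes this interpreter does not model, and a bound on per-offset execution that keeps scanning every entry point of every stream affordable.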