research-article

Comprehensive shellcode detection using runtime heuristics

Authors:
Michalis Polychronakis

Columbia University

Columbia University
View Profile

,
Kostas G. Anagnostakis

Niometrics, Singapore

Niometrics, Singapore
View Profile

,
Evangelos P. Markatos

FORTH-ICS, Greece

FORTH-ICS, Greece
View Profile

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications ConferenceDecember 2010Pages 287–296https://doi.org/10.1145/1920261.1920305

Published:06 December 2010Publication History

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

Pages 287–296

ABSTRACT

A promising method for the detection of previously unknown code injection attacks is the identification of the shellcode that is part of the attack vector using payload execution. Existing systems based on this approach rely on the self-decrypting behavior of polymorphic code and can identify only that particular class of shellcode. Plain, and more importantly, metamorphic shellcode do not carry a decryption routine nor exhibit any self-modifications and thus both evade existing detection systems. In this paper, we present a comprehensive shellcode detection technique that uses a set of runtime heuristics to identify the presence of shellcode in arbitrary data streams. We have identified fundamental machine-level operations that are inescapably performed by different shellcode types, based on which we have designed heuristics that enable the detection of plain and metamorphic shellcode regardless of the use of self-decryption. We have implemented our technique in Gene, a code injection attack detection system based on passive network monitoring. Our experimental evaluation and real-world deployment show that Gene can effectively detect a large and diverse set of shellcode samples that are currently missed by existing detectors, while so far it has not generated any false positives.

References

Goodfellas security research team. http://goodfellas.shellcode.com.ar/.Google Scholar
The metasploit project. http://www.metasploit.com/.Google Scholar
milw0rm. http://milw0rm.com/shellcode/win32/.Google Scholar
Packet storm. http://www.packetstormsecurity.org/.Google Scholar
Win32 assembly components, Dec. 2002. http://lsd-pl.net.Google Scholar
Common shellcode naming initiative, 2009. http://nepenthes.carnivore.it/csni.Google Scholar
Retrieving kernel32's base address, June 2009. http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html.Google Scholar
S. Andersson, A. Clark, and G. Mohay. Network-based buffer overflow detection by exploit code analysis. In Proceedings of the Asia Pacific Information Technology Security Conference (AusCERT), 2004.Google Scholar
P. Baecher and M. Koetter. libemu, 2009. http://libemu.carnivore.it/.Google Scholar
P. Bania. Evading network-level emulation, 2009. http://piotrbania.com/all/articles/pbania-evading-nemu2009.pdf.Google Scholar
K. Borders, A. Prakash, and M. Zielinski. Spector: Automatically analyzing shell code. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2007.Google ScholarCross Ref
R. Chinchani and E. V. D. Berg. A fast static analysis approach to detect exploit code inside network flows. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2005. Google ScholarDigital Library
S. P. Chung and A. K. Mok. Swarm attacks against network-level emulation/analysis. In Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2008. Google ScholarDigital Library
M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Proceedings of the 6th international conference on Detection of Intrusions and Malware, & Vulnerability Assessment (DIMVA), 2009. Google ScholarDigital Library
S. Ford, M. Cova, C. Kruegel, and G. Vigna. Wepawet, 2009. http://wepawet.cs.ucsb.edu/.Google Scholar
I)ruid. Context-keyed payload encoding. Uninformed, 9, Oct. 2007.Google Scholar
C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2005. Google ScholarDigital Library
J. Ma, J. Dunagan, H. J. Wang, S. Savage, and G. M. Voelker. Finding diversity in remote code injection exploits. In Proceedings of the 6th Internet Measurement Conference (IMC), 2006. Google ScholarDigital Library
J. Mason, S. Small, F. Monrose, and G. MacManus. English shellcode. In Proceedings of the 16th ACM conference on Computer and communications security (CCS), 2009. Google ScholarDigital Library
U. Payer, P. Teufl, and M. Lamberger. Hybrid engine for polymorphic shellcode detection. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), pages 19--31, July 2005. Google ScholarDigital Library
M. Pietrek. A crash course on the depths of Win32#8482;structured exception handling, 1997. http://www.microsoft.com/msj/0197/exception/exception.aspx.Google Scholar
M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. An empirical study of real-world polymorphic code injection attacks. In Proceedings of the 2nd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET), April 2009. Google ScholarDigital Library
M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Network-level polymorphic shellcode detection using emulation. In Proceedings of the Third Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2006. Google ScholarDigital Library
M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2007. Google ScholarDigital Library
M. Shimamura and K. Kono. Yataglass: Network-level code emulation for analyzing memory-scanning attacks. In Proceedings of the 6th international conference on Detection of Intrusions and Malware, & Vulnerability Assessment (DIMVA), 2009. Google ScholarDigital Library
sk. History and advances in windows shellcode. Phrack, 11(62), July 2004.Google Scholar
Skape. Understanding windows shellcode, 2003. http://www.hick.org/code/skape/papers/win32-shellcode.pdf.Google Scholar
Skape. Safely searching process virtual address space, 2004. http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf.Google Scholar
SkyLined. Finding the base address of kernel32 in Windows 7. http://skypher.com/index.php/2009/07/22/shellcode-finding-kernel32-in-windows-7/.Google Scholar
SkyLined. SEH GetPC (XP SP3), July 2009. http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA3/x86/ASCII/Mixedcase/SEH_GetPC_(XP_sp3).Google Scholar
Y. Song, M. E. Locasto, A. Stavrou, A. D. Keromytis, and S. J. Stolfo. On the infeasibility of modeling polymorphic shellcode. In Proceedings of the 14th ACM conference on Computer and communications security (CCS), 2007. Google ScholarDigital Library
P. Ször. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, February 2005. Google ScholarDigital Library
T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th Symposium on Recent Advances in Intrusion Detection (RAID), Oct. 2002. Google ScholarDigital Library
X. Wang, Y.-C. Jhi, S. Zhu, and P. Liu. Still: Exploit code detection via static taint and initialization analyses. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2008. Google ScholarDigital Library
X. Wang, C.-C. Pan, P. Liu, and S. Zhu. Sigfree: A signature-free buffer overflow attack blocker. In Proceedings of the USENIX Security Symposium, Aug. 2006. Google ScholarDigital Library
B.-J. Wever. SEH Omelet Shellcode, 2009. http://code.google.com/p/w32-seh-omelet-shellcode/.Google Scholar
G. Wicherski. Win32 egg search shellcode, 33 bytes. http://blog.oxff.net/2009/02/win32-egg-search-shellcode-33-bytes.html.Google Scholar
Q. Zhang, D. S. Reeves, P. Ning, and S. P. Lyer. Analyzing network traffic to detect self-decrypting exploit code. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2007. Google ScholarDigital Library

Index Terms

Comprehensive shellcode detection using runtime heuristics
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

English shellcode
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats: identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target ...
Read More
Network–Level polymorphic shellcode detection using emulation
DIMVA'06: Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment

As state–of–the–art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to evade detection. Although recent results have been promising, most existing proposals ...
Read More
Detection of malicious web pages based on hybrid analysis

Malicious web pages have become an increasingly serious threat to web security in recent years. In this paper, we propose a new detection method that consists of static and dynamic analyses for detecting malicious web pages. Static analysis utilizes ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN:9781450301336
DOI:10.1145/1920261
Conference Chair:
Carrie Gates
CA Labs
,
Program Chairs:
Michael Franz
University of California, Irvine
,
John McDermott
Naval Research Lab
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 6 December 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
code emulation
payload execution
shellcode detection
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate104of497submissions,21%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 43
  Total Citations
  View Citations
- 531
  Total Downloads
- Downloads (Last 12 months)23
- Downloads (Last 6 weeks)5
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Comprehensive shellcode detection using runtime heuristics

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

English shellcode

Network–Level polymorphic shellcode detection using emulation

Detection of malicious web pages based on hybrid analysis