An empirical study of real-world polymorphic code injection attacks

Authors:
Michalis Polychronakis;Kostas G. Anagnostakis;Evangelos P. Markatos
Affiliations:
FORTH-ICS, Greece;I²R, Singapore;FORTH-ICS, Greece
Venue:
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Year:
2009

Citing 11
Cited 8

Internet intrusions: global characteristics and prevalence

SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Proceedings of the 12th ACM conference on Computer and communications security
Finding diversity in remote code injection exploits

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Analyzing network traffic to detect self-decrypting exploit code

ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Polymorphic blending attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
On the infeasibility of modeling polymorphic shellcode

Proceedings of the 14th ACM conference on Computer and communications security
All your iFRAMEs point to Us

SS'08 Proceedings of the 17th conference on Security symposium
Emulation-based detection of non-self-contained polymorphic shellcode

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Network–Level polymorphic shellcode detection using emulation

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

English shellcode

Proceedings of the 16th ACM conference on Computer and communications security
Improving the accuracy of network intrusion detection systems under load using selective packet discarding

Proceedings of the Third European Workshop on System Security
Analyzing and improving Linux kernel memory protection: a model checking approach

Proceedings of the 26th Annual Computer Security Applications Conference
Comprehensive shellcode detection using runtime heuristics

Proceedings of the 26th Annual Computer Security Applications Conference
SHELLOS: enabling fast detection and forensic analysis of code injection attacks

SEC'11 Proceedings of the 20th USENIX conference on Security
Packed, printable, and polymorphic return-oriented programming

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Transparent ROP exploit mitigation using indirect branch tracing

SEC'13 Proceedings of the 22nd USENIX conference on Security
RopSteg: program steganography with return oriented programming

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Remote code injection attacks against network services remain one of the most effective and widely used exploitation methods for malware propagation. In this paper, we present a study of more than 1.2 million polymorphic code injection attacks targeting production systems, captured using network-level emulation. We focus on the analysis of the structure and operation of the attack code, as well as the overall attack activity in relation to the targeted services. The observed attacks employ a highly diverse set of exploits, often against less widely used vulnerable services, while our results indicate limited use of sophisticated obfuscation schemes and extensive code reuse among different malware families.