Analyzing network traffic to detect self-decrypting exploit code

Authors:
Qinghua Zhang;Douglas S. Reeves;Peng Ning;S. Purushothaman Iyer
Affiliations:
North Carolina State University, Raleigh, NC;North Carolina State University, Raleigh, NC;North Carolina State University, Raleigh, NC;North Carolina State University, Raleigh, NC
Venue:
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Year:
2007

Citing 14
Cited 11

Advanced compiler design and implementation

Advanced compiler design and implementation
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Sockets, Shellcode, Porting, & Coding: Reverse Engineering Exploits And Tool Coding For Security Professionals

Sockets, Shellcode, Porting, & Coding: Reverse Engineering Exploits And Tool Coding For Security Professionals
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Static disassembly of obfuscated binaries

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for generating semantics-aware signatures

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
SigFree: a signature-free buffer overflow attack blocker

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Accurate buffer overflow detection via abstract payload execution

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Network–Level polymorphic shellcode detection using emulation

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Hybrid engine for polymorphic shellcode detection

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
A fast static analysis approach to detect exploit code inside network flows

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Paragraph: thwarting signature learning by training maliciously

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Swarm Attacks against Network-Level Emulation/Analysis

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Tracing Stored Program Counter to Detect Polymorphic Shellcode

IEICE - Transactions on Information and Systems
Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
English shellcode

Proceedings of the 16th ACM conference on Computer and communications security
DROP: Detecting Return-Oriented Programming Malicious Code

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
A heuristic approach for detection of obfuscated malware

ISI'09 Proceedings of the 2009 IEEE international conference on Intelligence and security informatics
Emulation-based detection of non-self-contained polymorphic shellcode

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Lightweight static analysis to detect polymorphic exploit code with static analysis resistant technique

ICC'09 Proceedings of the 2009 IEEE international conference on Communications
An empirical study of real-world polymorphic code injection attacks

LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Comprehensive shellcode detection using runtime heuristics

Proceedings of the 26th Annual Computer Security Applications Conference
SHELLOS: enabling fast detection and forensic analysis of code injection attacks

SEC'11 Proceedings of the 20th USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Remotely-launched software exploits are a common way for attackers to intrude into vulnerable computer systems. As detection techniques improve, remote exploitation techniques are also evolving. Recent techniques for evasion of exploit detection include polymorphism (code encryption) and meta-morphism (code obfuscation). This paper addresses the problem of detecting in network traffic polymorphic remote exploits that are encrypted, and that self-decrypt before launching the intrusion. Such exploits pose a great challenge to existing malware detection techniques, partly due to the non-obvious starting location of the exploit code in the network payload.We describe a new method for detecting self-decrypting exploit codes. This method scans network traffic for the presence of a decryption routine, which is characteristic of such exploits. The proposed method uses static analysis and emulated instruction execution techniques. This improves the accuracy of determining the starting location and instructions of the decryption routine, even if self-modifying code is used. The method outperforms approaches that have been previously proposed, both in terms of detection capabilities, and in detection accuracy.The proposed method has been implemented and tested on current polymorphic exploits, including ones generated by state-of-the-art polymorphic engines. All exploits have been detected (i.e., a 100% detection rate), including those for which the decryption routine is dynamically coded, or self-modifying. The false positive rate is close to 0%. Running time is approximately linear in the size of the network payload being analyzed.