Persistent Data-only Malware: Function Hooks without Code

Sebastian Vogl, Jonas Pfoh, Thomas Kittel, Claudia Eckert

Publication: Conference contribution, paper, peer-reviewed

29 citations (Scopus)

Abstract

As protection mechanisms become increasingly advanced, so too does the malware that seeks to circumvent them. Protection mechanisms such as secure boot, stack protection, heap protection, W⊕X, and address space layout randomization have raised the bar for system security. In turn, attack mechanisms have become increasingly sophisticated. Starting with simple instruction pointer manipulation aimed at executing shellcode on the stack, we are now seeing sophisticated attacks that combine complex heap exploitation with techniques such as return-oriented programming (ROP). ROP belongs to a family of exploitation techniques called data-only exploitation. This class of exploitation, and the malware that is built around it, makes use solely of data to manipulate the control flow of software without introducing any code. This advanced form of exploitation circumvents many of the modern protection mechanisms presented above; however, it has had, until now, one limitation. Because it introduces no code, it is very difficult to achieve any sort of persistence. Placing a function hook is straightforward, but where should this hook point to if the malware introduces no code? There are many challenges that must first be overcome if one wishes to answer this question. In this paper, we present the first persistent data-only malware proof of concept in the form of a persistent rootkit. We also present several methods by which one can achieve persistence beyond our proof of concept.

Original language: English
Publication status: Published - 2014
Event: 21st Annual Network and Distributed System Security Symposium, NDSS 2014 - San Diego, United States
Duration: 23 Feb 2014 to 26 Feb 2014

Conference

Conference: 21st Annual Network and Distributed System Security Symposium, NDSS 2014
Country/Territory: United States
City: San Diego
Period: 23/02/14 to 26/02/14
