Rope: covert multi-process malware execution with return-oriented programming / D'Elia, D. C.; Invidia, L.; Querzoni, L. - 12972:(2021), pp. 197-217. (Paper presented at the European Symposium On Research In Computer Security, held in Darmstadt, Germany) [10.1007/978-3-030-88418-5_10].

Rope: covert multi-process malware execution with return-oriented programming

D'Elia D. C. (first author); Invidia L.; Querzoni L.
2021

Abstract

Distributed execution designs challenge behavioral analyses of anti-malware solutions by spreading seemingly benign chunks of a malicious payload to multiple processes. Researchers have explored methods to chop payloads, spread chunks to victim applications through process injection techniques, and orchestrate the execution. However, these methods can hardly be practical as they exhibit conspicuous features and make use of primitives that anti-malware solutions and operating system mitigations readily detect. In this paper we reason on fundamental requirements and properties for a stealth implementation of distributed malware. We propose a new covert design, Rope, that minimizes its footprint by making use of commodity techniques like transacted files and return-oriented programming for covert communication and payload distribution. We report on how synthetic Rope samples eluded a number of state-of-the-art anti-virus and endpoint security solutions, and bypassed the opt-in mitigations of Windows 10 for hardening applications. We then discuss directions and practical remediations to mitigate such threats.
European Symposium On Research In Computer Security
Anti-virus; application hardening; code reuse; distributed execution; EDR; injection; malware; ROP; TxF; WDEG
04 Publication in conference proceedings::04b Conference paper in a volume
Files attached to this record

DElia_Rope_2021.pdf
Archive administrators only
Type: Publisher's version (version published with the publisher's layout)
License: All rights reserved
Size: 632.72 kB
Format: Adobe PDF

DElia_postprint_Rope_2021.pdf
Open access
Note: https://link.springer.com/chapter/10.1007/978-3-030-88418-5_10
Type: Post-print document (version after peer review and accepted for publication)
License: All rights reserved
Size: 851.58 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1582497