A Countermeasure against a Whitelist-based Access Control Bypass Attack Using Dynamic DLL Injection Scheme

Korean title (translated): A Study on Countermeasures against Whitelist-based Access Control Bypass Attacks Using a Dynamic DLL Injection Technique

  • Kim, Dae-Youb (Dept. of Information Security, Suwon University)
  • Received : 2022.08.22
  • Accepted : 2022.09.15
  • Published : 2022.09.30

Abstract

Traditional malware detection technologies collect known malicious programs and analyze their characteristics. Such a detection technology then builds a blacklist from the analyzed malicious characteristics and checks the programs in the user's system against that blacklist to determine whether each program is malware. This approach can detect known malicious programs, but responding to unknown or variant malware is challenging. In addition, since such detection technologies generally monitor all programs in the system in real time, they can degrade system performance. To solve these problems, various methods have been proposed to analyze the major behaviors of malicious programs and to respond to them. The main characteristic of ransomware is that it accesses and encrypts the user's files. A newer approach is therefore to produce a whitelist of the programs installed in the user's system and to allow only the programs listed on the whitelist to access the user's files. However, even when such an approach is applied, attackers can still perform malicious behavior by carrying out a DLL (Dynamic-Link Library) injection attack against a legitimate program registered on the whitelist. This paper proposes a method to respond effectively to attacks using DLL injection.

Korean abstract (translated): Traditional malware detection technology collects known malware, analyzes its characteristics, generates a blacklist from the analyzed information, and then inspects the programs in the system against that blacklist to determine whether they are malicious. However, while this approach can be effective at detecting known malware, it has difficulty responding effectively to unknown malware or to variants of existing malware. In addition, because it monitors every program in the system, it can degrade system performance. To solve these problems, various methods have been proposed that analyze and respond to the main behaviors of malware. Ransomware accesses and encrypts the user's files. Using this behavioral characteristic, a method has been proposed that manages the legitimate programs accessing the user's files as a whitelist and controls file access accordingly. However, it has been pointed out that an attacker can perform a DLL (Dynamic-Link Library) injection attack on a legitimate program registered in the whitelist and make it carry out malicious behavior. This paper proposes a method by which whitelist-based access control technology can respond effectively to such DLL injection attacks.
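An illustration of the gap the abstract describes, added here as example code (it is not the paper's proposed method, which the abstract does not detail): a whitelist decision keyed on the image path alone still admits a listed program after a foreign DLL has been loaded into it, whereas a decision that also inspects the process's loaded modules refuses it. The process records, module paths, trusted directories and the `signed` flag are all constructed for the example.

```python
# Added example: whitelist file-access decision with and without a loaded-module check.
# Not the paper's method; process and module records are constructed, not read from a live system.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Module:
    path: str
    signed: bool  # assumed to come from a signature check (e.g. Authenticode) in a real system


@dataclass(frozen=True)
class Process:
    pid: int
    image: str                   # image path of the executable requesting file access
    modules: Tuple[Module, ...]  # modules currently loaded in the process


# Programs permitted to access user files (hypothetical path, lower-cased for comparison)
WHITELIST = {"c:\\program files\\editor\\editor.exe"}

# Directories a listed program is expected to load its modules from (hypothetical)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\editor\\")


def image_only_check(proc: Process) -> bool:
    """Path-based whitelist: the decision that DLL injection into a listed program bypasses."""
    return proc.image.lower() in WHITELIST


def suspicious_modules(proc: Process) -> List[str]:
    """Loaded modules that sit outside the trusted directories or are unsigned."""
    return [m.path for m in proc.modules
            if not m.path.lower().startswith(TRUSTED_DIRS) or not m.signed]


def module_aware_check(proc: Process) -> bool:
    """Allow only a listed program whose loaded modules all look legitimate."""
    return image_only_check(proc) and not suspicious_modules(proc)


# Constructed records: the same whitelisted editor, clean and with a foreign DLL loaded
NTDLL = Module(r"C:\Windows\System32\ntdll.dll", True)
CLEAN = Process(100, r"C:\Program Files\Editor\editor.exe",
                (NTDLL, Module(r"C:\Program Files\Editor\editor.exe", True)))
INJECTED = Process(101, r"C:\Program Files\Editor\editor.exe",
                   (NTDLL, Module(r"C:\Users\user\AppData\Local\Temp\unknown.dll", False)))
UNLISTED = Process(102, r"C:\Users\user\Downloads\tool.exe", (NTDLL,))

if __name__ == "__main__":
    for p in (CLEAN, INJECTED, UNLISTED):
        print(p.pid, image_only_check(p), module_aware_check(p), suspicious_modules(p))
```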

Acknowledgement

This paper was supported by the research grant of the University of Suwon in 2021.
