Hierarchical Threads Generation-based Bypassing Attack on DLL Injection Monitoring System

(Korean title) A Bypass Attack Technique against DLL Injection Detection Using Hierarchical Thread Generation

  • DaeYoub Kim (Dept. of Information Security, Suwon University)
  • Received : 2023.08.23
  • Accepted : 2023.09.18
  • Published : 2023.09.30

Abstract

Whitelist-based ransomware solutions are known to be vulnerable to impersonation attacks that use DLL injection. To address this problem, it has been proposed to monitor for DLL injection attacks and to integrate the monitoring result into ransomware detection and response solutions. In this paper, we show that an attacker can easily bypass this monitoring mechanism and then illegally access files on a target system. This means that whitelist-based ransomware solutions are still vulnerable to DLL injection attacks. In particular, this paper demonstrates the feasibility of the bypass by carrying out an actual attack against a ransomware solution.

Acknowledgement

This work was supported by the National Research Foundation of Korea(NRF) grant funded by the Korea government (MSIT)(No. NRF-2021R1F1A1062954).
