http://dx.doi.org/10.13089/JKIISC.2015.25.6.1385

A research on detection techniques of Proxy DLL malware disguised as a Windows library : Focus on the case of Winnti  

Koo, JunSeok (School of Information Security, Korea University)
Kim, Huy Kang (School of Information Security, Korea University)
Abstract
A Proxy DLL abuses a normal characteristic of Windows: the way a process locates and loads dynamic-link libraries. After a targeted system has been compromised, specific malware is executed through this mechanism. Once an intrusion succeeds, the malware must be executed at least once, and to achieve this it is disguised as a Windows library. The malware of the Winnti group is a representative case. Winnti is a Chinese hacking group identified by Kaspersky Lab research in the fall of 2011. Over several years the group targeted the online video game industry, infecting online game companies with a number of malware samples in the process. In this paper, we study techniques for detecting Proxy DLL malware disguised as a Windows library, using the Winnti group case. Experiments conducted on real Winnti malware show the reliability of the proposed detection techniques.
Keywords
Malware; Malicious Code; Anti Virus; Proxy DLL; Windows Library; Winnti; APT;
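The abstract describes the mechanism but not the checks, so the following is an added worked example (written for this page, not code from the paper or from any Winnti sample) of the two properties a practitioner would test for: a module carrying the file name of a Windows system library but loaded from outside the system directories (the search-order abuse that gets the proxy executed), and an export table whose entries are forwarders to a differently named module (the renamed original). The export-directory walk follows the PE format rule that an export address falling inside the export directory range is a forwarder string. The list of system DLL names, the renamed-copy name `winmm_`, the sample paths and the minimal PE images built by `build_dll` are all constructed assumptions for the example; the images are parseable, not loadable.

```python
import struct

# Constructed, illustrative list of Windows libraries that applications commonly load by
# name from their own directory; not the paper's list.
SYSTEM_DLLS = {"winmm.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def build_dll(dll_name, exports):
    """Build a minimal PE32 image with one .edata section (constructed test input, not a
    loadable binary). exports is a list of (name, forwarder); forwarder is a string such
    as "winmm_.PlaySoundW", or None for an export implemented in the module itself."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(exports)
    body = bytearray(40 + 10 * n)            # export directory + three parallel arrays
    strings = bytearray()

    def add_str(s):                          # append a NUL-terminated string, return its RVA
        rva = sec_rva + len(body) + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva

    name_rva = add_str(dll_name)
    names = [add_str(name) for name, _ in exports]
    # A forwarder is encoded as a function RVA that lands inside the export directory
    # range and points at a "Module.Function" string instead of code.
    funcs = [add_str(fwd) if fwd else 0x2000 + 0x10 * i for i, (_, fwd) in enumerate(exports)]
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, name_rva, 1, n, n,
                     sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n)
    struct.pack_into(f"<{n}I", body, 40, *funcs)             # AddressOfFunctions
    struct.pack_into(f"<{n}I", body, 40 + 4 * n, *names)     # AddressOfNames
    struct.pack_into(f"<{n}H", body, 40 + 8 * n, *range(n))  # AddressOfNameOrdinals
    data = bytes(body + strings)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, len(data))     # data directory 0: export table
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(data), sec_rva, len(data), sec_raw,
                      0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (sec_raw - len(hdr)) + data


def parse_exports(image):
    """Walk the PE export directory; return {export_name: forwarder_target_or_None}."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+ data directories
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]                        # VirtualSize, VA, RawSize, RawPtr

    def off(rva):                                            # RVA -> file offset
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} outside all sections")

    def cstr(rva):
        o = off(rva)
        return image[o:image.index(b"\0", o)].decode()

    e = off(exp_rva)
    _, nnames, afunc, anames, aords = struct.unpack_from("<IIIII", image, e + 20)
    exports = {}
    for i in range(nnames):
        name = cstr(struct.unpack_from("<I", image, off(anames) + 4 * i)[0])
        ordinal = struct.unpack_from("<H", image, off(aords) + 2 * i)[0]
        target = struct.unpack_from("<I", image, off(afunc) + 4 * ordinal)[0]
        # Loader rule: an export address inside the export directory is a forwarder string.
        exports[name] = cstr(target) if exp_rva <= target < exp_rva + exp_size else None
    return exports


def classify_module(path, image):
    """Proxy DLL heuristic: flag a module named like a Windows system library but loaded
    from outside the system directories, and a module whose exports are forwarded to a
    differently named module (the renamed original library)."""
    low = path.lower().replace("/", "\\")
    base = low.rsplit("\\", 1)[-1]
    findings = []
    if base in SYSTEM_DLLS and not low.startswith(SYSTEM_DIRS):
        findings.append(f"{base} loaded from outside the system directory: {path}")
    exports = parse_exports(image)
    forwarders = {n: t for n, t in exports.items() if t}
    targets = {t.split(".", 1)[0].lower() for t in forwarders.values()}
    targets.discard(base.rsplit(".", 1)[0])                  # self-forwarding is not a proxy
    if targets:
        findings.append(f"{len(forwarders)}/{len(exports)} exports forwarded to "
                        + ", ".join(sorted(targets)))
    return findings


# Constructed samples: a proxy winmm.dll in a game directory forwarding to a renamed copy,
# and a clean winmm.dll in System32 whose exports are implemented in the module itself.
PROXY_IMAGE = build_dll("winmm.dll", [("PlaySoundW", "winmm_.PlaySoundW"),
                                      ("timeGetTime", "winmm_.timeGetTime"),
                                      ("midiOutOpen", "winmm_.midiOutOpen")])
CLEAN_IMAGE = build_dll("winmm.dll", [("PlaySoundW", None), ("timeGetTime", None)])

if __name__ == "__main__":
    for path, img in ((r"C:\Games\client\winmm.dll", PROXY_IMAGE),
                      (r"C:\Windows\System32\winmm.dll", CLEAN_IMAGE)):
        print(path, "->", classify_module(path, img) or ["no findings"])
```

Two caveats when running this against real modules: export forwarding is legitimate in some Microsoft libraries (kernel32.dll forwards a number of functions to ntdll.dll), so the forwarder finding only carries weight together with the name-collision finding or a missing signature; and a proxy DLL can also be built without forwarders, exporting stubs that LoadLibrary the renamed original and call through GetProcAddress, which this static check will not see and which needs an import-table or runtime check instead.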