http://dx.doi.org/10.13089/JKIISC.2019.29.2.431

Proposal of Process Hollowing Attack Detection Using Process Virtual Memory Data Similarity  

Lim, Su Min (Department of Computer and Software, Hanyang University)
Im, Eul Gyu (Division of Computer Science and Engineering, Hanyang University)
Abstract
Fileless malware uses memory injection attacks to hide the traces of its payload while it performs malicious work. Among memory injection attacks, "process hollowing" is a technique that creates a benign process, such as a system process, in a suspended state and then injects a malicious payload into it, so that the malicious behavior runs under the guise of a normal process. In this paper, we propose a method to detect the memory injection when a process hollowing attack occurs, regardless of whether the malicious action is actually performed. A replica process with the same execution conditions as the suspended, memory-injected process is executed, the data belonging to each virtual memory area of the two processes is compared using a fuzzy hash, and the similarity is calculated.
Keywords
Fileless malware; malware; Process hollowing; malware detection; Process memory; Memory similarity;
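As an added illustration of the comparison the abstract describes (not code from the paper), the following uses a simplified context-triggered piecewise hash in place of the paper's unspecified fuzzy hash and constructed byte regions in place of real process memory dumps; the region names, sizes and the 0.5 threshold are assumptions.

```python
import hashlib
import random
from typing import Dict, Set, Tuple

WINDOW = 7   # rolling-hash window (bytes)
BLOCK = 32   # boundary when rolling hash % BLOCK == BLOCK - 1, giving ~32-byte chunks

def ctph_chunks(data: bytes) -> Set[str]:
    """Simplified context-triggered piecewise hash: cut wherever a rolling hash of the
    last WINDOW bytes hits a trigger, digest each chunk. Local edits disturb only nearby chunks."""
    chunks, start = set(), 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        rolling = sum(b * (j + 1) for j, b in enumerate(window))
        if rolling % BLOCK == BLOCK - 1:
            chunks.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:8])
            start = i + 1
    if start < len(data):
        chunks.add(hashlib.sha256(data[start:]).hexdigest()[:8])
    return chunks

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-digest sets, in [0, 1]."""
    ca, cb = ctph_chunks(a), ctph_chunks(b)
    return 1.0 if not (ca or cb) else len(ca & cb) / len(ca | cb)

def compare_process_memory(suspect: Dict[str, bytes], replica: Dict[str, bytes],
                           threshold: float = 0.5) -> Dict[str, Tuple[float, bool]]:
    """Score each virtual-memory region of the suspended (suspect) process against the same
    region of a clean replica; below the (assumed) threshold it is flagged as possibly injected."""
    report = {}
    for name, ref in replica.items():
        score = round(similarity(suspect.get(name, b""), ref), 3)
        report[name] = (score, score < threshold)
    return report

def constructed_sample() -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Constructed memory maps, not real dumps: the suspect's image region was replaced."""
    rng = random.Random(7)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    image, heap, stack = rand(2048), rand(1024), rand(512)
    replica = {"image": image, "heap": heap, "stack": stack}
    suspect = {"image": rand(2048),                         # foreign code over the original image
               "heap": heap[:400] + rand(16) + heap[416:],  # benign run-to-run variation
               "stack": stack}
    return suspect, replica

if __name__ == "__main__":
    for region, (score, flagged) in compare_process_memory(*constructed_sample()).items():
        print(f"{region:6s} similarity={score:.3f} {'SUSPICIOUS' if flagged else 'ok'}")
```

The heap region shows that ordinary run-to-run variation stays well above the threshold, while a fully replaced image region drops to near zero, which is the signal the paper's method relies on.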