http://dx.doi.org/10.13089/JKIISC.2020.30.1.75

A Study on the Tracking and Blocking of Malicious Actors through Thread-Based Monitoring  

Ko, Boseung (Nurilab Inc.)
Choi, Wonhyok (Nurilab Inc.)
Jeong, Dajung (Nurilab Inc.)
Abstract
As malware has advanced, the actor performing malicious work is often not a process of its own. Code injected into a process that the operating system installs by default (via DLL injection or code injection) runs as a thread inside that process. In this situation, diagnosing the host process as malicious and blocking it can cause serious problems for system operation. This paper lists the problems with using process-based monitoring information to identify and block the malicious state of a process, and presents an improved, thread-based solution.
Keywords
Process behavior; Remote thread; DLL/Code injection;
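The process-versus-thread distinction the abstract draws, as an added C illustration that is not the paper's code: it models in user mode the thread-creation notification a kernel driver receives through PsSetCreateThreadNotifyRoutine, keys its records by thread id in a small hash table, flags a thread whose creating process differs from its owning process as remotely created, and contrasts a process-keyed verdict (the whole host process is blocked) with a thread-keyed one (only the injected thread is). The pids, tids, hash function, table layout and verdict names are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not the paper's code): a user-mode model of the
 * thread-creation notifications a kernel driver receives through
 * PsSetCreateThreadNotifyRoutine(ProcessId, ThreadId, Create). In the real
 * callback the creator is the calling process (PsGetCurrentProcessId()); here
 * it is passed in explicitly so the logic can run with constructed sample
 * values. Thread ids must be nonzero; 0 marks an empty slot. */

enum verdict { ALLOW = 0, BLOCK_THREAD = 1, BLOCK_PROCESS = 2 };

typedef struct {
    uint32_t tid;      /* hash key: thread id, 0 = empty slot */
    uint32_t owner;    /* process the thread runs inside */
    uint32_t creator;  /* process that issued the create */
    bool     remote;   /* creator != owner: injected-thread candidate */
    bool     alive;
} thread_rec;

#define TABLE_SIZE 1024u            /* power of two so & works as modulo */
static thread_rec table[TABLE_SIZE];

void reset_table(void) { memset(table, 0, sizeof table); }

/* Open addressing with linear probing, keyed by thread id. */
static thread_rec *find_slot(uint32_t tid) {
    uint32_t i = (tid * 2654435761u) & (TABLE_SIZE - 1);
    while (table[i].tid != 0 && table[i].tid != tid)
        i = (i + 1) & (TABLE_SIZE - 1);
    return &table[i];
}

/* Callback model: record a creation, or mark the thread as gone. */
void on_thread_notify(uint32_t creator, uint32_t owner, uint32_t tid, bool create) {
    thread_rec *r = find_slot(tid);
    if (create) {
        r->tid = tid;
        r->owner = owner;
        r->creator = creator;
        r->remote = (creator != owner);
        r->alive = true;
    } else if (r->tid == tid) {
        r->alive = false;            /* keep the record for later correlation */
    }
}

/* Process-keyed policy: one injected thread taints the whole process, so the
 * only response available is to kill the host, which may be a default OS
 * process (terminating a critical one raises bug check 0xF4). */
enum verdict process_based_verdict(uint32_t owner) {
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        if (table[i].tid && table[i].alive && table[i].owner == owner && table[i].remote)
            return BLOCK_PROCESS;
    return ALLOW;
}

/* Thread-keyed policy: an event is attributed to (owner, tid); only the
 * remotely created thread is blocked, the host's own threads keep running. */
enum verdict thread_based_verdict(uint32_t owner, uint32_t tid) {
    thread_rec *r = find_slot(tid);
    if (r->tid != tid || !r->alive || r->owner != owner)
        return ALLOW;                /* unknown thread: nothing to attribute */
    return r->remote ? BLOCK_THREAD : ALLOW;
}

int live_threads_in(uint32_t owner) {
    int n = 0;
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        if (table[i].tid && table[i].alive && table[i].owner == owner) n++;
    return n;
}

int main(void) {
    /* Constructed scenario: pid 1000 is an OS-installed host process, pid 2000
     * injects code into it and starts thread 1002 via CreateRemoteThread. */
    reset_table();
    on_thread_notify(1000, 1000, 1001, true);   /* host's own worker thread */
    on_thread_notify(2000, 1000, 1002, true);   /* remote thread from 2000 */

    printf("process-based verdict for 1000: %d (2 = block whole process)\n",
           process_based_verdict(1000));
    printf("thread-based verdict for 1000/1001: %d (0 = allow)\n",
           thread_based_verdict(1000, 1001));
    printf("thread-based verdict for 1000/1002: %d (1 = block this thread)\n",
           thread_based_verdict(1000, 1002));

    on_thread_notify(2000, 1000, 1002, false);  /* injected thread terminated */
    printf("after thread exit, live threads in 1000: %d, process verdict: %d\n",
           live_threads_in(1000), process_based_verdict(1000));
    return 0;
}
```

Keying the table by thread id rather than process id is the whole point: an event arriving from (pid 1000, tid 1002) can be matched to a remotely created thread and blocked on its own, while the host's own thread 1001 is left untouched; the process-keyed policy has no finer tool than terminating the host. Records of terminated threads are kept (marked not alive) so later events can still be correlated with the thread that produced them.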