http://dx.doi.org/10.30693/SMJ.2019.8.1.19

Unpacking Technique for In-memory malware injection technique

Bae, Seong Il (Department of Computer Software, Hanyang University)
Im, Eul Gyu (Division of Computer Software, Hanyang University)
Publication Information
Smart Media Journal, vol. 8, no. 1, 2019, pp. 19-26
Abstract
At the opening ceremony of the 2018 Winter Olympics in PyeongChang, an unknown cyber-attack occurred. The malicious code used in that attack was in-memory malware, which differs from other malicious code in where it hides, and this class of malware is spreading rapidly: it has been found in more than 140 banks, telecommunication companies and government agencies. In-memory malware accounts for more than 15% of all malicious code. It does not store its own data on a non-volatile storage device such as a disk; instead it resides in RAM, a volatile storage device, and injects itself into well-known processes (explorer.exe, iexplore.exe, javaw.exe). These characteristics make it difficult to analyze. The most recently released in-memory malware bypasses endpoint protection and detection tools and hides from the user's view. In this paper, we propose a method to efficiently extract the payload by unpacking the injection with the IDA Pro debugger, using the in-memory malware samples Dorkbot and Erger.
Keywords
Injection; In-memory Malware; Unpacking; IDA Pro