Abstract
Distributed execution designs challenge the behavioral analyses of anti-malware solutions by spreading seemingly benign chunks of a malicious payload across multiple processes. Researchers have explored methods to chop payloads, spread the chunks to victim applications through process injection techniques, and orchestrate their execution. However, these methods are hardly practical, as they exhibit conspicuous features and rely on primitives that anti-malware solutions and operating system mitigations readily detect. In this paper we reason on the fundamental requirements and properties for a stealthy implementation of distributed malware. We propose a new covert design, Rope, that minimizes its footprint by using commodity techniques such as transacted files and return-oriented programming for covert communication and payload distribution. We report on how synthetic Rope samples eluded a number of state-of-the-art anti-virus and endpoint security solutions and bypassed the opt-in mitigations of Windows 10 for hardening applications. We then discuss directions and practical remediations to mitigate such threats.
Notes
1. This is also relevant for mimicry attacks on process creation-based approaches.
2.
3. Only recursive functions would require semantic changes to their code: e.g., the attacker may use a stack data structure to host and reference each stack frame.
4. A more conservative and covert implementation may target an already-loaded module (e.g., kernel32.dll) and encode the bootstrap component and the chunks with, e.g., microgadgets [17], which are abundant [32]. However, this was not necessary for validating the stealthiness of our approach against the currently available defenses we tested.
5.
6. The ETW (Event Tracing for Windows) subsystem also offers useful tracing capabilities.
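Footnote 3 says that a recursive function has to be rewritten so that its activation records live in an explicit stack data structure. The following C program is an added example, not code from the paper or its authors: `fib_recursive` recurses on the native call stack, while `fib_explicit` keeps every frame in an array and stores a resume point where native code would keep a return address. The function names, the `struct frame` layout and the `MAX_DEPTH` bound are this example's own choices.

```c
/* Added example (not from the paper): rewriting a recursive function so that
 * its activation records live in an explicit frame stack instead of the
 * native call stack. In a chunk encoded as a ROP chain the machine stack
 * already holds the chain itself, so a function cannot recurse via call/ret. */
#include <stdio.h>
#include <stdlib.h>

/* Reference version: ordinary recursion on the native stack. */
unsigned long fib_recursive(unsigned n) {
    if (n < 2) return n;
    return fib_recursive(n - 1) + fib_recursive(n - 2);
}

/* One activation record of fib_explicit. 'resume' replaces the return
 * address: it records where this frame continues once a callee returns. */
struct frame {
    unsigned n;
    int resume;             /* 0: fresh; 1: waiting for fib(n-1); 2: waiting for fib(n-2) */
    unsigned long partial;  /* value of fib(n-1), once known */
};

#define MAX_DEPTH 128       /* hypothetical bound: fib(n) nests at most n frames deep */

/* Same computation, driven by an explicit stack of frames. 'retval' stands in
 * for the register in which a native callee would hand back its result. */
unsigned long fib_explicit(unsigned n) {
    struct frame stack[MAX_DEPTH];
    int top = 0;
    unsigned long retval = 0;

    if (n >= MAX_DEPTH) abort();      /* keep the demo's frame array in bounds */

    stack[top++] = (struct frame){ n, 0, 0 };
    while (top > 0) {
        struct frame *f = &stack[top - 1];
        switch (f->resume) {
        case 0:                                   /* function entry */
            if (f->n < 2) { retval = f->n; top--; break; }
            f->resume = 1;                        /* "return address" of the first call */
            stack[top++] = (struct frame){ f->n - 1, 0, 0 };
            break;
        case 1:                                   /* back from fib(n-1) */
            f->partial = retval;
            f->resume = 2;                        /* "return address" of the second call */
            stack[top++] = (struct frame){ f->n - 2, 0, 0 };
            break;
        default:                                  /* back from fib(n-2): combine and return */
            retval = f->partial + retval;
            top--;
            break;
        }
    }
    return retval;
}

int main(void) {
    for (unsigned n = 0; n <= 20; n++)
        printf("fib(%u) = %lu (recursive) / %lu (explicit stack)\n",
               n, fib_recursive(n), fib_explicit(n));
    return 0;
}
```

The `resume` field does the job a return address does in native recursion: it says at which point the caller continues once a callee has produced its result. That is precisely what a ROP-encoded chunk cannot take from the machine stack, because the stack is occupied by the gadget chain, which is why the footnote singles out recursive functions as the one case needing a semantic rewrite.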
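Footnote 4 relies on microgadgets being abundant in an already-loaded module such as kernel32.dll. The following C program is an added example, not the paper's code, that shows where that abundance comes from: x86-64 instructions have variable length, so decoding a code region from offsets the compiler never intended yields short instruction sequences ending in `ret` that were never emitted as such. The decoder covers only a tiny opcode subset (REX.B-prefixed push/pop, nop, leave, ret), and `sample_code` is a constructed byte buffer standing in for a code section, not bytes taken from a real DLL.

```c
/* Added example (not from the paper): a minimal microgadget scanner for
 * x86-64 code. Because x86 instructions have variable length, decoding a
 * code region from an offset the compiler never used can yield a short
 * instruction sequence ending in 'ret' that was never emitted as such.
 * The decoder knows only a tiny opcode subset, enough to show the effect. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

static const char *reg64[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15"
};

/* Decode one instruction from the subset: optional REX.B prefix (0x41),
 * push/pop r64 (0x50-0x5f), nop (0x90), leave (0xc9), ret (0xc3).
 * Writes its text to 'out' and returns its length in bytes, 0 if unknown. */
static size_t decode_one(const uint8_t *p, size_t avail, char *out, size_t outsz) {
    size_t i = 0;
    int rex_b = 0;
    if (avail == 0) return 0;
    if (p[0] == 0x41) {                 /* REX.B: selects r8-r15 in the following opcode */
        if (avail < 2) return 0;
        rex_b = 1; i = 1;
    }
    uint8_t op = p[i];
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outsz, "push %s", reg64[(op - 0x50) + 8 * rex_b]); return i + 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outsz, "pop %s",  reg64[(op - 0x58) + 8 * rex_b]); return i + 1; }
    if (rex_b) return 0;                /* REX before anything else: outside our subset */
    if (op == 0x90) { snprintf(out, outsz, "nop");   return 1; }
    if (op == 0xc9) { snprintf(out, outsz, "leave"); return 1; }
    if (op == 0xc3) { snprintf(out, outsz, "ret");   return 1; }
    return 0;
}

#define MAX_INSNS 8

/* Count (and optionally print) gadgets of at most max_bytes bytes, 'ret'
 * included, that end at each 0xc3 byte in buf. Every byte offset before the
 * ret is tried as a start, so unintended sequences are found alongside the
 * compiler's own epilogues. */
size_t count_microgadgets(const uint8_t *buf, size_t len, size_t max_bytes, int verbose) {
    size_t found = 0;
    for (size_t r = 0; r < len; r++) {
        if (buf[r] != 0xc3) continue;
        size_t lo = (r + 1 > max_bytes) ? r + 1 - max_bytes : 0;
        for (size_t s = lo; s < r; s++) {
            char text[MAX_INSNS][32];
            size_t pos = s, n = 0;
            while (pos < r && n < MAX_INSNS) {
                if (buf[pos] == 0xc3) break;              /* an earlier ret belongs to another gadget */
                size_t l = decode_one(buf + pos, r - pos, text[n], sizeof text[n]);
                if (l == 0) break;                        /* undecodable byte: no gadget from s */
                pos += l;
                n++;
            }
            if (pos != r || n == 0) continue;             /* must land exactly on the ret */
            found++;
            if (verbose) {
                printf("+%#04zx:", s);
                for (size_t k = 0; k < n; k++) printf(" %s;", text[k]);
                printf(" ret\n");
            }
        }
    }
    return found;
}

/* Constructed stand-in for a code section (not bytes from a real module):
 * a prologue, a 'mov eax, imm32' whose immediate happens to contain 5f c3,
 * and the epilogue 'pop r12; pop rbp; ret'. */
const uint8_t sample_code[] = {
    0x55,                           /* push rbp */
    0x48, 0x89, 0xe5,               /* mov rbp, rsp    (outside the decoder's subset) */
    0xb8, 0x5f, 0xc3, 0x00, 0x00,   /* mov eax, 0xc35f (bytes 5-6 read as 'pop rdi; ret') */
    0x41, 0x5c,                     /* pop r12         (byte 10 alone reads as 'pop rsp') */
    0x5d,                           /* pop rbp */
    0xc3                            /* ret */
};
const size_t sample_code_len = sizeof sample_code;

int main(void) {
    size_t n = count_microgadgets(sample_code, sample_code_len, 4, 1);
    printf("%zu gadgets of <= 4 bytes in %zu bytes of code\n", n, sample_code_len);
    return 0;
}
```

With a four-byte limit the scan reports four gadgets in thirteen bytes of code, two of which (`pop rdi; ret` inside the immediate of the `mov eax`, and `pop rsp; pop rbp; ret` obtained by skipping the REX prefix) do not exist in the intended instruction stream. A gadget finder run over a real module applies the same idea with a complete decoder; the defender-side counterpart, recognizing such chains statically, is the subject of the "Static analysis of ROP code" entry in the references.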
References
Allred, C.: Understanding Windows file system transactions. In: Storage Developer Conference 2009. SNIA (2009). https://www.snia.org/sites/default/orig/sdc_archives/2009_presentations/tuesday/ChristianAllred_UnderstandingWindowsFileSystemTransactions.pdf
Angelini, M., et al.: ROPMate: visually assisting the creation of ROP-based exploits. In: Proceedings of the 15th IEEE Symposium on Visualization for Cyber Security. VizSec 2018 (2018). https://doi.org/10.1109/VIZSEC.2018.8709204
Blackthorne, J., Bulazel, A., Fasano, A., Biernat, P., Yener, B.: AVLeak: fingerprinting antivirus emulators through black-box testing. In: 10th USENIX Workshop on Offensive Technologies. WOOT 2016, USENIX Association (2016)
Borrello, P., Coppa, E., D’Elia, D.C.: Hiding in the particles: when return-oriented programming meets program obfuscation. In: Proceedings of the 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 555–568. DSN 2021. IEEE (2021). https://doi.org/10.1109/DSN48987.2021.00064
Borrello, P., Coppa, E., D’Elia, D.C., Demetrescu, C.: The ROP needle: hiding trigger-based injection vectors via code reuse. In: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 1962–1970. SAC 2019. ACM (2019). https://doi.org/10.1145/3297280.3297472
Botacin, M., de Geus, P.L., Grégio, A.: “VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks. J. Comput. Virol. Hack. Techn. 15(4), 233–247 (2019). https://doi.org/10.1007/s11416-019-00333-y
Ciholas, P., Such, J.M., Marnerides, A.K., Green, B., Zhang, J., Roedig, U.: Fast and furious: outrunning Windows kernel notification routines from user-mode. In: Maurice, C., Bilge, L., Stringhini, G., Neves, N. (eds.) DIMVA 2020. LNCS, vol. 12223, pp. 67–88. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-52683-2_4
De Gaspari, F., Hitaj, D., Pagnotta, G., De Carli, L., Mancini, L.V.: The Naked Sun: malicious cooperation between benign-looking processes. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12147, pp. 254–274. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57878-7_13
D’Elia, D.C., Coppa, E., Salvati, A., Demetrescu, C.: Static analysis of ROP code. In: Proceedings of the 12th European Workshop on Systems Security. EuroSec 2019, ACM (2019). https://doi.org/10.1145/3301417.3312494
D’Elia, D.C., Invidia, L.: Rope: Bypassing behavioral detection of malware with distributed ROP-driven execution. Black Hat USA (2021). https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Rope-Bypassing-Behavioral-Detection-Of-Malware-With-Distributed-ROP-Driven-Execution-wp.pdf
D’Elia, D.C., Nicchi, S., Mariani, M., Marini, M., Palmaro, F.: Designing robust API monitoring solutions. arXiv abs/2005.00323 (2020)
Doniec, A.: From a C project, through assembly, to shellcode (by hasherezade). VX Underground (2020). https://github.com/vxunderground/VXUG-Papers
Filiol, E.: Formalisation and implementation aspects of K-ary (malicious) codes. J. Comput. Virol. 3, 75–86 (2007). https://doi.org/10.1007/s11416-007-0044-2
Graziano, M., Balzarotti, D., Zidouemba, A.: ROPMEMU: a framework for the analysis of complex code-reuse attacks. In: Proceedings of 11th Asia Conference on Computer and Communications Security, pp. 47–58. ASIACCS 2016. ACM (2016). https://doi.org/10.1145/2897845.2897894
Hăjmăşan, G., Mondoc, A., Portase, R., Creţ, O.: Evasive malware detection using groups of processes. In: De Capitani di Vimercati, S., Martinelli, F. (eds.) SEC 2017. IAICT, vol. 502, pp. 32–45. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58469-0_3
Hendrick, A.: Fileless malware and process injection in Linux. Hack.lu (2019). http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf
Homescu, A., Stewart, M., Larsen, P., Brunthaler, S., Franz, M.: Microgadgets: Size does matter in Turing-complete return-oriented programming. In: 6th USENIX Workshop on Offensive Technologies. WOOT 2012, USENIX Association (2012)
Hong, J., Ding, X.: A novel dynamic analysis infrastructure to instrument untrusted execution flow across user-kernel spaces. In: Proceedings of the 2021 IEEE Symposium on Security and Privacy, pp. 402–418. SP 2021. IEEE Computer Society (2021). https://doi.org/10.1109/SP40001.2021.00024
ired.team: ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG). Red Teaming Experiments GitBook (2020). https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
Ispoglou, K.K., Payer, M.: malWASH: washing malware to evade dynamic analysis. In: 10th USENIX Workshop on Offensive Technologies. WOOT 2016, USENIX Association (2016)
Ji, Y., He, Y., Zhu, D., Li, Q., Guo, D.: A mulitiprocess mechanism of evading behavior-based bot detection approaches. In: Huang, X., Zhou, J. (eds.) ISPEC 2014. LNCS, vol. 8434, pp. 75–89. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06320-1_7
Kaspersky: Dvmap: the first Android malware with code injection. SecureList (2017). https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/
Klein, A., Kotler, I.: Process injection techniques - gotta catch them all (Windows process injection in 2019). Black Hat USA (2019). https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
Kulkarni, A.P., Jagdale, P.D.: Adapting to TxF. VirusBulletin, January 2010. https://www.virusbulletin.com/virusbulletin/2010/05/adapting-txf
Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 386–395. ACSAC 2014. ACM (2014). https://doi.org/10.1145/2664243.2664252
Ma, W., Duan, P., Liu, S., Gu, G., Liu, J.C.: Shadow attacks: automatically evading system-call-behavior based malware detection. J. Comput. Virol. 8(1), 1–13 (2012). https://doi.org/10.1007/s11416-011-0157-5
MDSec: Bypassing user-mode hooks and direct invocation of system calls for red teams (2020). https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
Microsoft: Exploit protection reference. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide
Microsoft: Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware (2017). https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Microsoft Defender Security Research Team: From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw. https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/
Min, B., Varadharajan, V.: Design and analysis of a new feature-distributed malware. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 457–464 (2014). https://doi.org/10.1109/TrustCom.2014.58
Nakanishi, F., De Pasquale, G., Ferla, D., Cavallaro, L.: Intertwining ROP gadgets and opaque predicates for robust obfuscation. arXiv abs/2012.09163 (2020)
Nemeth, Z.L.: Modern binary attacks and defences in the Windows environment - fighting against Microsoft EMET in seven rounds. In: 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics, pp. 275–280. SISY 2015 (2015). https://doi.org/10.1109/SISY.2015.7325394
Ntantogian, C., Poulios, G., Karopoulos, G., Xenakis, C.: Transforming malicious code to ROP gadgets for antivirus evasion. IET Inf. Security 13(6), 570–578 (2019). https://doi.org/10.1049/iet-ifs.2018.5386
Or-Meir, O., Nissim, N., Elovici, Y., Rokach, L.: Dynamic malware analysis in the modern era - a state of the art survey. ACM Comput. Surv. 52(5) (2019). https://doi.org/10.1145/3329786
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: 22nd USENIX Security Symposium, pp. 447–462. USENIX Security 2013, USENIX Association (2013)
Pavithran, J., Patnaik, M., Rebeiro, C.: D-TIME: Distributed threadless independent malware execution for runtime obfuscation. In: 13th USENIX Workshop on Offensive Technologies. WOOT 2019, USENIX Association (2019)
Polychronakis, M., Keromytis, A.D.: ROP payload detection using speculative code execution. In: 2011 6th International Conference on Malicious and Unwanted Software, pp. 58–65. IEEE Computer Society (2011). https://doi.org/10.1109/MALWARE.2011.6112327
Ramilli, M., Bishop, M.: Multi-stage delivery of malware. In: 2010 5th International Conference on Malicious and Unwanted Software, pp. 91–97 (2010). https://doi.org/10.1109/MALWARE.2010.5665788
Ramilli, M., Bishop, M., Sun, S.: Multiprocess malware. In: 2011 6th International Conference on Malicious and Unwanted Software, pp. 8–13 (2011). https://doi.org/10.1109/MALWARE.2011.6112320
Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1) (2012). https://doi.org/10.1145/2133375.2133377
Russinovich, M., Solomon, D.A.: Windows Internals: Including Windows Server 2008 and Windows Vista, 5th edn., pp. 965–974. Microsoft Press (2009)
Sun, B., Liu, J., Xu, C.: How to survive the hardware-assisted control-flow integrity enforcement. Black Hat Asia (2019). https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-Hardware-Assisted-Control-Flow-Integrity-Enforcement.pdf
Wang, T., Lu, K., Lu, L., Chung, S., Lee, W.: Jekyll on iOS: when benign apps become evil. In: 22nd USENIX Security Symposium, pp. 559–572. USENIX Security 2013, USENIX Association (2013)
Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 116–127. CCS 2007. ACM (2007). https://doi.org/10.1145/1315245.1315261
© 2021 Springer Nature Switzerland AG
Cite this paper
D’Elia, D.C., Invidia, L., Querzoni, L. (2021). Rope: Covert Multi-process Malware Execution with Return-Oriented Programming. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_10
DOI: https://doi.org/10.1007/978-3-030-88418-5_10
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5