
Server-Side Code Injection Attacks: A Historical Perspective

Conference paper, in: Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8145)

Abstract

Server-side code injection attacks used to be one of the main vectors for the spread of malware, and a vast amount of research has been devoted to detecting and analyzing them effectively. The common belief today seems to be that these attacks are a marginal threat compared to other attack vectors such as drive-by downloads and targeted emails. However, information on the complexity and the evolution of this threat landscape in recent years is mostly conjectural. This paper builds upon five years of data collected by a honeypot deployment that provides a unique, long-term perspective, obtained by monitoring traffic at the premises of different organizations and networks. Our contributions are twofold: first, we look at the characteristics of the threat landscape and at the major changes that have happened in the last five years; second, we observe the impact of these characteristics on the insights provided by various approaches proposed in previous research. The analysis underlines important findings that are instrumental in driving best practices and future research directions.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fritz, J., Leita, C., Polychronakis, M. (2013). Server-Side Code Injection Attacks: A Historical Perspective. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_3


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science (R0)