International Journal of Information Technology & Computer Science ( IJITCS )

Abstract :

Dynamic Link Library (DLL) injection is an advanced technique for delivering a malware payload into a target process on a running operating system, and it is capable of bypassing many security controls. In compromises involving DLL injection, volatile memory holds the critical evidence, because these attacks typically leave no footprint on the hard disk. In this paper we present a comparative analysis of a particular live response utility, Redline, and a particular memory image analysis utility, Volatility, in cases where malware uses DLL injection. We show that Redline is significantly more limited than Volatility in its ability to collect relevant evidence from memory. From these observations we draw general conclusions about the advantages of memory image analysis over live response.
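The kind of memory-image evidence the abstract refers to can be illustrated with a small detector that reads Volatility-style ldrmodules output. This is an added example written for this page, not code from the paper or from the Volatility project; the column layout (Pid, Process, Base, InLoad, InInit, InMem, MappedPath) follows Volatility 2's ldrmodules plugin, and the sample lines are constructed for the example. The plugin cross-references each process's three PEB module lists with the VAD tree, so a DLL that is mapped in memory but absent from one or more lists, or that has no backing file on disk, is exactly the trace a CreateRemoteThread-style injection leaves in volatile memory and not on the hard disk.

```python
"""Flag DLL-injection indicators in Volatility-style ldrmodules output.

Added example (not from the paper or from Volatility). The sample below is
constructed in the column layout of Volatility 2's ldrmodules plugin:
Pid Process Base InLoad InInit InMem MappedPath
"""
from dataclasses import dataclass

# Constructed sample output. explorer.exe's own image is legitimately absent
# from the InInit list; inject.dll is unlinked from all three PEB lists; the
# 0x00b20000 region is mapped in memory with no backing file at all.
SAMPLE_LDRMODULES = """\
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1234     explorer.exe         0x00400000 True   False  True  \\Windows\\explorer.exe
1234     explorer.exe         0x77c10000 True   True   True  \\Windows\\System32\\kernel32.dll
1234     explorer.exe         0x10000000 False  False  False \\Users\\victim\\AppData\\Local\\Temp\\inject.dll
1234     explorer.exe         0x00b20000 False  False  True
5678     svchost.exe          0x7c800000 True   True   True  \\Windows\\System32\\ntdll.dll
"""


@dataclass
class Module:
    pid: int
    process: str
    base: int
    in_load: bool
    in_init: bool
    in_mem: bool
    mapped_path: str  # empty when the image has no backing file


def parse_ldrmodules(text):
    """Parse ldrmodules text into Module records, skipping header lines."""
    mods = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # MappedPath may contain spaces or be absent
        if len(parts) < 6 or not parts[0].isdigit():
            continue  # header or separator row
        pid, proc, base, in_load, in_init, in_mem = parts[:6]
        path = parts[6].strip() if len(parts) == 7 else ""
        mods.append(Module(int(pid), proc, int(base, 16),
                           in_load == "True", in_init == "True", in_mem == "True",
                           path))
    return mods


def is_main_image(m):
    """The process executable itself is normally in InLoad and InMem but not
    InInit, so it must not be reported as an unlinked module. Matching the
    process name against the path's final component is a heuristic (assumption)."""
    return (m.mapped_path.lower().endswith("\\" + m.process.lower())
            and m.in_load and m.in_mem and not m.in_init)


def find_suspicious(mods):
    """Return (module, reasons) for every module that looks injected or hidden."""
    findings = []
    for m in mods:
        if is_main_image(m):
            continue
        reasons = []
        if not m.mapped_path:
            reasons.append("no mapped file on disk (memory-only image)")
        missing = [name for name, flag in (("InLoad", m.in_load),
                                           ("InInit", m.in_init),
                                           ("InMem", m.in_mem)) if not flag]
        if missing:
            reasons.append("absent from PEB list(s): " + ",".join(missing))
        if reasons:
            findings.append((m, reasons))
    return findings


if __name__ == "__main__":
    for m, reasons in find_suspicious(parse_ldrmodules(SAMPLE_LDRMODULES)):
        print(f"pid {m.pid} {m.process} base {m.base:#010x} "
              f"{m.mapped_path or '<no file>'}: {'; '.join(reasons)}")
```

Run against the sample, the detector reports only the Temp-directory DLL that has been unlinked from all three PEB lists and the file-less region at 0x00b20000, while kernel32.dll, ntdll.dll and the process's own executable pass. A live response tool that enumerates modules by walking the PEB lists alone would miss both findings, which is the gap between live response and memory image analysis that the paper examines.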

Keywords :

DLL; Memory Image; Live Response; DLL Injection; Create Remote Thread


  Copyright © 2013 IJITCS.  All rights reserved. IISRC® is a registered trademark of IJITCS Properties.