DOI: 10.1145/2382196.2382234
Research article

Blacksheep: detecting compromised hosts in homogeneous crowds

Published: 16 October 2012

Abstract

The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker's presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions.
In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogeneous nature of many corporate networks. Taking advantage of the similarity among the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host.
We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.
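The core idea in the abstract is that in a homogeneous crowd, a compromised kernel stands out as the host that disagrees with everyone else. The following is an added illustration of that crowd-comparison step, written for this page and not taken from the Blacksheep paper or its implementation: each host's memory image is assumed to have already been reduced to a feature-to-value map (SSDT slot targets, an IDT vector target, per-driver image hashes, a boot counter), the crowd's majority value per feature is taken as the reference, and hosts are ranked by how many stable features they deviate on. The snapshot data, feature names, addresses and hashes are constructed placeholders, and the scoring is a simple majority vote chosen for the example, not the paper's actual comparison or scoring method.

```python
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample input: one kernel "snapshot" per host, reduced to a
# feature -> value map. Names and values are hypothetical placeholders,
# not data from the paper's evaluation.
_BASE = {
    "ssdt[0x42]": 0x8056A1F0,        # SSDT slot target inside the kernel image
    "idt[0x2e]": 0x804DE4B0,         # system-call IDT vector target
    "drv:ntoskrnl.exe": "sha1:aaaa",  # hash of the in-memory driver image
    "drv:tcpip.sys": "sha1:bbbb",
}
SNAPSHOTS: Dict[str, Dict[str, Any]] = {
    "host-a": {**_BASE, "boot-tick": 1183},
    "host-b": {**_BASE, "boot-tick": 2077},
    "host-c": {**_BASE, "boot-tick": 944},
    # host-d: two pointers redirected outside the kernel image plus a driver
    # no other host loads (a hypothetical infection, constructed for the example)
    "host-d": {**_BASE, "boot-tick": 3390,
               "ssdt[0x42]": 0xF8A31C00,
               "idt[0x2e]": 0xF8A31D10,
               "drv:hidden.sys": "sha1:dddd"},
    "host-e": {**_BASE, "boot-tick": 512},
}

ABSENT = None  # a feature missing from a host is a value in its own right

Consensus = Dict[str, Tuple[Any, float]]
Deviation = Tuple[str, Any, Any]  # (feature, observed value, crowd value)


def crowd_consensus(snapshots: Dict[str, Dict[str, Any]],
                    min_support: float = 0.5) -> Consensus:
    """Majority value of every feature seen on any host, with its support.

    Features whose most common value is held by fewer than min_support of the
    hosts vary legitimately (here: boot-tick) and are dropped, so that noise
    cannot flag the whole crowd. A feature present on only one host (here:
    drv:hidden.sys) keeps ABSENT as its crowd value and is still compared.
    """
    n = len(snapshots)
    features = set().union(*(s.keys() for s in snapshots.values()))
    consensus: Consensus = {}
    for f in sorted(features):
        counts = Counter(s.get(f, ABSENT) for s in snapshots.values())
        value, votes = counts.most_common(1)[0]
        support = votes / n
        if support >= min_support:
            consensus[f] = (value, support)
    return consensus


def deviations(snapshots: Dict[str, Dict[str, Any]],
               consensus: Consensus) -> Dict[str, List[Deviation]]:
    """Per host, every stable feature on which it disagrees with the crowd."""
    report: Dict[str, List[Deviation]] = {h: [] for h in snapshots}
    for host, snap in snapshots.items():
        for f, (expected, _) in consensus.items():
            observed = snap.get(f, ABSENT)
            if observed != expected:
                report[host].append((f, observed, expected))
    return report


def flag_outliers(snapshots: Dict[str, Dict[str, Any]],
                  min_support: float = 0.5,
                  threshold: int = 1) -> List[Tuple[str, int]]:
    """Hosts with at least `threshold` deviations, most suspicious first."""
    devs = deviations(snapshots, crowd_consensus(snapshots, min_support))
    scored = [(h, len(d)) for h, d in devs.items() if len(d) >= threshold]
    return sorted(scored, key=lambda hd: (-hd[1], hd[0]))


if __name__ == "__main__":
    cons = crowd_consensus(SNAPSHOTS)
    for host, devs in deviations(SNAPSHOTS, cons).items():
        for f, seen, crowd in devs:
            print(f"{host}: {f} = {seen!r}, crowd has {crowd!r}")
    print(flag_outliers(SNAPSHOTS))
```

Two knobs matter in practice. `min_support` separates legitimately varying data (per-boot counters, per-process pointers) from the stable kernel state worth comparing; set it too low and every host accumulates noise deviations, too high and a feature that a few clean hosts hold differently (say, an unpatched minority) gets silently dropped. And a majority vote only works while the crowd is mostly clean: if the same rootkit has already spread to more than half the hosts, its hooked values become the consensus and the remaining clean machines are the ones that get flagged, so the output should be read as "hosts that differ from the crowd", not "hosts that are infected".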




Published in: CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security, October 2012, 1088 pages. ISBN 9781450316514, DOI 10.1145/2382196.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. computer security
  2. kernel-based rootkits
  3. malicious software
  4. malware detection
  5. rootkit detection


Conference: CCS'12, the ACM Conference on Computer and Communications Security, October 16-18, 2012, Raleigh, North Carolina, USA

Overall acceptance rate: 1,261 of 6,999 submissions (18%)


Cited By

  • (2023) Blue-Pill Oxpecker: A VMI Platform for Transactional Modification. IEEE Transactions on Cloud Computing, 11(1):1-12, 1 January 2023. DOI 10.1109/TCC.2021.3067829.
  • (2021) SeCrowd: Efficient secure interactive crowdsourcing via permission-based signatures. Future Generation Computer Systems, 115:448-458, February 2021. DOI 10.1016/j.future.2020.09.033.
  • (2020) PrivateEye. Proceedings of the 17th Usenix Conference on Networked Systems Design and Implementation, pages 797-816, 25 February 2020. DOI 10.5555/3388242.3388300.
  • (2017) ATOM: Efficient Tracking, Monitoring, and Orchestration of Cloud Resources. IEEE Transactions on Parallel and Distributed Systems, 28(8):2172-2189, 1 August 2017. DOI 10.1109/TPDS.2017.2652467.
  • (2017) Black penguin: On the feasibility of detecting intrusion with homogeneous memory. 2017 IEEE Conference on Communications and Network Security (CNS), pages 586-594, October 2017. DOI 10.1109/CNS.2017.8228671.
  • (2017) Lens on the Endpoint: Hunting for Malicious Software Through Endpoint Data Analysis. Research in Attacks, Intrusions, and Defenses, pages 73-97, 12 October 2017. DOI 10.1007/978-3-319-66332-6_4.
  • (2016) Automatic Uncovering of Tap Points from Kernel Executions. Research in Attacks, Intrusions, and Defenses, pages 49-70, 7 September 2016. DOI 10.1007/978-3-319-45719-2_3.
  • (2016) Trusted, Heterogeneous, and Autonomic Mobile Cloud. Secure System Design and Trustable Computing, pages 439-455, 2016. DOI 10.1007/978-3-319-14971-4_14.
  • (2016) Heterogeneous Architectures: Malware and Countermeasures. Secure System Design and Trustable Computing, pages 421-438, 2016. DOI 10.1007/978-3-319-14971-4_13.
  • (2015) Exploring VM Introspection. ACM SIGPLAN Notices, 50(7):133-146, 14 March 2015. DOI 10.1145/2817817.2731196.
