Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

PMASCE-Polymorphic and Metamorphic Shellcode Creation Engine


Affiliations
1 Tilak Maharashtra Vidyapeeth, Pune, India
2 Sedulity Solutions and Technologies Delhi, India
     

   Subscribe/Renew Journal


Signature detection is ultimately going to be of no use in the future of AVs and IDS systems. The obfuscation of several parts of the exploit code is becoming so detailed that it could become almost impossible to uncover the various layers of obfuscation and reveal the actual malicious payload. In addition to obfuscation, there are sandbox evasion techniques being followed by attackers to hide from IDS if they try to study their behaviour in a simulated environment. Also, a worm may not attack in one go but in multiple stages, probably sending a small, innocent looking code first, which prepares the system for advance attacks. The worm may become polymorphic or metamorphic depending upon the attack complexity required. Polymorphic blending enables a worm to merge with normal traffic so well that anomaly-based IDS’ are unable to discern it from normal packets. To top it all, attackers are now able to create a M:N worm which means that a worm can have many signatures, many behaviours. This is done by changing the runtime behaviour of the shellcode. In this paper we propose an engine called PMASCE-Polymorphic and Metamorphic Shellcode Creation Engine. This engine enumerates all the steps which are required to be followed to create a strong polymorphic or metamorphic shellcode. This type of shellcode is created taking into account all the defence mechanisms carried out by the detection systems currently. Once all these steps are analysed, we aim to advance the research in IDS so that the existing IDS’ can be hardened to detect all malwarespolymorphic or metamorphic, employing all kinds of techniques of the present and the future.

Keywords

Malware, IDPs, Sandbox, Polymorphic Shellcodes, Obfuscation, Blending, Metamorphism.
User
Subscription Login to verify subscription
Notifications
Font Size

  • Prahbu, P. V., Song, Y., & Stolfo, S. J.,(2009). “Smashing the Stack with Hydra: The Many Heads of Advanced Polymorphic Shellcode”, Defcon, 17, 1-20.
  • Sarraute, C., Miranda, F., & Orlicki, J. I.,(2010) “Simulation of computer network attacks”, arXiv preprint arXiv:1006.2407.
  • Konstantinou, E., & Wolthusen, S., (2008) “Metamorphic virus: Analysis and detection”, Technical Report, Royal Holloway University of London, 15 .
  • x86 Instruction Sequence, Article, Accessed: 24 July 2017, Available via: http://x86.renejeschke.de/html/file_module_x86_id_217.html
  • Akritidis, P., Markatos, E. P., Polychronakis, M., & Anagnostakis, K., “Stride: Polymorphic sled detection through instruction sequence analysis”, IFIP International Information Security Conference, pp. 375-391, Springer, Boston, MA(2005, May).
  • Haugsness K., ”IDFAQ: What is polymorphic shell code and what can it do?”, Article, SANS, Accessed: 10 July 2017, Available via: https://www2.sans.org/security-resources/idfaq/what-is-polymorphic-shell-code-and-what-can-it-do/2/19
  • Johansson K., ”Re:pen testing & obfuscated shellcode(more neat stuff)”, Article, Accessed: 9 July 2017, Available via: http://seclists.org/pen-test/2004/Feb/69
  • CourseHero, “Trampolining despite the fact that nop sledding makes”, Article, Accessed: 26 June 2017, Available via: https://www.coursehero.com/file/p2o51ar/Trampolining-Despite-the-fact-that-NOP-sledding-makes-stack-based-buffer
  • Polychronakis, M., Anagnostakis, K. G., & Markatos, E. P., “Emulation-based detection of non-self-contained polymorphic shellcode”, International Workshop on Recent Advances in Intrusion Detection, pp. 87-106. Springer, Berlin, Heidelberg, September, 2007.
  • CERT UK
  • Sharif, M. I., Lanzi, A., Giffin, J. T., & Lee, W. , “Impeding Malware Analysis Using Conditional Code Obfuscation”, NDSS, February, 2008.
  • Christodorescu, M., & Jha, S. , “Static analysis of executables to detect malicious patterns”,. Wisconsin Univ-Madison Dept of Computer Sciences, 2006.
  • Song, Y., Locasto, M. E., Stavrou, A., Keromytis, A. D., & Stolfo, S. J., “On the infeasibility of modeling polymorphic shellcode”, Proceedings of the 14th ACM conference on Computer and communications security, pp. 541-551, ACM, 2007, October.
  • Li, X., Loh, P. K., & Tan, F,(2008) “Mechanisms of polymorphic and metamorphic viruses”, Intelligence and Security Informatics Conference (EISIC), 2011 European, pp. 149-154, IEEE, 2011, September.
  • Borello, J. M., & Mé, L., “Code obfuscation techniques for metamorphic viruses”. Journal in Computer Virology, 4(3), pp. 211-220 .
  • Crandall, J. R., Su, Z., Wu, S. F., & Chong, F. T. ,(2005) “On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits”, Proceedings of the 12th ACM conference on Computer and communications security, pp. 235-248, ACM, November.
  • Rad, B. B., Masrom, M., & Ibrahim, S.,(2012) “Camouflage in malware: from encryption to metamorphism”, International Journal of Computer Science and Network Security, 12(8), 74-83.
  • Song, Y., Locasto, M. E., Stavrou, A., Keromytis, A. D., & Stolfo, S. J.. “On the infeasibility of modeling polymorphic shellcode”, Proceedings of the 14th ACM conference on Computer and communications security (pp. 541-551). ACM, October, 2007.
  • Cheng, T. H., Lin, Y. D., Lai, Y. C., & Lin, P. C. , “Evasion techniques: Sneaking through your intrusion detection/prevention systems”. IEEE Communications Surveys & Tutorials, 14(4), 1011-1020, 2012.
  • Fogla, P., Sharif, M. I., Perdisci, R., Kolesnikov, O. M., & Lee, W. , “Polymorphic Blending Attacks”. In USENIX Security Symposium (pp. 241-256), 2006, July.
  • Balakrishnan, A., & Schulze, C. . “Code obfuscation literature survey”. CS701 Construction of compilers, 19, 2005.

Abstract Views: 545

PDF Views: 5




  • PMASCE-Polymorphic and Metamorphic Shellcode Creation Engine

Abstract Views: 545  |  PDF Views: 5

Authors

Navneet Kaur Popli
Tilak Maharashtra Vidyapeeth, Pune, India
Anup Girdhar
Sedulity Solutions and Technologies Delhi, India

Abstract


Signature detection is ultimately going to be of no use in the future of AVs and IDS systems. The obfuscation of several parts of the exploit code is becoming so detailed that it could become almost impossible to uncover the various layers of obfuscation and reveal the actual malicious payload. In addition to obfuscation, there are sandbox evasion techniques being followed by attackers to hide from IDS if they try to study their behaviour in a simulated environment. Also, a worm may not attack in one go but in multiple stages, probably sending a small, innocent looking code first, which prepares the system for advance attacks. The worm may become polymorphic or metamorphic depending upon the attack complexity required. Polymorphic blending enables a worm to merge with normal traffic so well that anomaly-based IDS’ are unable to discern it from normal packets. To top it all, attackers are now able to create a M:N worm which means that a worm can have many signatures, many behaviours. This is done by changing the runtime behaviour of the shellcode. In this paper we propose an engine called PMASCE-Polymorphic and Metamorphic Shellcode Creation Engine. This engine enumerates all the steps which are required to be followed to create a strong polymorphic or metamorphic shellcode. This type of shellcode is created taking into account all the defence mechanisms carried out by the detection systems currently. Once all these steps are analysed, we aim to advance the research in IDS so that the existing IDS’ can be hardened to detect all malwarespolymorphic or metamorphic, employing all kinds of techniques of the present and the future.

Keywords


Malware, IDPs, Sandbox, Polymorphic Shellcodes, Obfuscation, Blending, Metamorphism.

References





DOI: https://doi.org/10.25089/MERI%2F2017%2Fv11%2Fi1%2F164011