Analysis and Automated Detection of Code Injection Techniques in Malware

MASTER Assignment

Type: Master M-CS

Period: Feb 2021 - Sep 2021

Student: Starink, J.A.L. (Jerre, Student M-CS)

Date final project: Sep 27, 2021

Thesis

Supervisors:

Abstract:

For malware to be successful, it must stay undetected by anti-virus software for as long as possible. One method of avoiding detection is code injection, the process of injecting code into another running application. Although code injection has become one of the main features of today's malware, there has been a general lack of a systematic approach to analyzing and detecting its use. In this research, we study well-known methods for performing code injection and propose a taxonomy that groups these methods into classes based on common characteristics. We then introduce Behavior Nets, a novel modelling language that we use to express these methods in terms of observable events. We continue by implementing a system that uses these models to collect empirical evidence for the prevalence of code injection in the malware scene. Our experiments suggest that at least 11.15% of malware samples from 2017 to 2020 perform some type of injection. They also show that Process Hollowing is the most commonly used technique, but that this trend is slowly shifting towards other, less traditional methods.
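To make the abstract's idea of "expressing an injection method in terms of observable events" concrete, here is a small added example (not the thesis's Behavior Nets, and not code from the thesis). It models the classic Process Hollowing sequence as an ordered list of API-call events, with the NtUnmapViewOfSection step marked optional because some variants skip the unmap, and runs that model over a constructed sandbox trace. The `Event` record, the trace, and the PIDs are all made up for illustration.

```python
"""Ordered-event matcher for the Process Hollowing API-call pattern.

Added example: a deliberately simple state machine, not the Behavior Nets
formalism from the thesis. The trace below is constructed, not captured.
"""
from dataclasses import dataclass

# Canonical hollowing steps in the order they must be observed, with a flag
# saying whether the step is required. Unmapping the original image is optional
# because several in-the-wild variants overwrite the mapped image instead.
HOLLOWING_STEPS = [
    ("CreateProcess(CREATE_SUSPENDED)", True),   # spawn victim suspended
    ("NtUnmapViewOfSection", False),             # hollow out its image (optional)
    ("WriteProcessMemory", True),                # write the payload image
    ("SetThreadContext", True),                  # point the main thread at it
    ("ResumeThread", True),                      # run the payload
]


@dataclass
class Event:
    pid: int            # process issuing the call (candidate injector)
    api: str            # API name as a sandbox would log it
    target_pid: int     # process the call acts on (candidate victim)
    flags: tuple = ()   # e.g. creation flags for CreateProcess


def normalize(ev: Event) -> str:
    """Fold interesting arguments into the event name used by the model."""
    if ev.api == "CreateProcess" and "CREATE_SUSPENDED" in ev.flags:
        return "CreateProcess(CREATE_SUSPENDED)"
    return ev.api


def advance(idx: int, step: str) -> int:
    """Return the new position in HOLLOWING_STEPS after seeing `step`.

    Optional steps may be skipped, but a skip is only committed if a later
    step actually matches; otherwise the position is unchanged.
    """
    j = idx
    while j < len(HOLLOWING_STEPS):
        name, required = HOLLOWING_STEPS[j]
        if step == name:
            return j + 1
        if required:
            return idx
        j += 1
    return idx


def detect_hollowing(events) -> set:
    """Return the set of (injector_pid, victim_pid) pairs for which the full
    hollowing sequence was observed in order. Unrelated calls between the
    steps are ignored, since real samples interleave plenty of noise."""
    progress = {}   # (injector, victim) -> index of next expected step
    hits = set()
    for ev in events:
        key = (ev.pid, ev.target_pid)
        idx = advance(progress.get(key, 0), normalize(ev))
        progress[key] = idx
        if idx == len(HOLLOWING_STEPS):
            hits.add(key)
    return hits


# Constructed trace: PID 100 hollows PID 200; PID 300 merely creates a
# suspended child and resumes it, which a debugger or installer might do.
SAMPLE_TRACE = [
    Event(100, "CreateProcess", 200, ("CREATE_SUSPENDED",)),
    Event(100, "NtUnmapViewOfSection", 200),
    Event(100, "VirtualAllocEx", 200),          # noise relative to the model
    Event(100, "WriteProcessMemory", 200),
    Event(100, "WriteProcessMemory", 200),      # repeated writes are fine
    Event(100, "SetThreadContext", 200),
    Event(100, "ResumeThread", 200),
    Event(300, "CreateProcess", 400, ("CREATE_SUSPENDED",)),
    Event(300, "ResumeThread", 400),
]

# Constructed variant that never unmaps the original image.
SAMPLE_TRACE_NO_UNMAP = [
    Event(500, "CreateProcess", 600, ("CREATE_SUSPENDED",)),
    Event(500, "WriteProcessMemory", 600),
    Event(500, "SetThreadContext", 600),
    Event(500, "ResumeThread", 600),
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))           # {(100, 200)}
    print(detect_hollowing(SAMPLE_TRACE_NO_UNMAP))  # {(500, 600)}
```

The benign suspended-create-then-resume pair is not flagged because the required write and thread-context steps never occur, which is the point of keying on a sequence rather than on any single suspicious call. A strict ordered model like this still misses variants that substitute primitives (for example NtWriteVirtualMemory for WriteProcessMemory, or queuing an APC instead of SetThreadContext); a production model would enumerate those alternatives per step.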