A Countermeasure Against a Whitelist-Based Access Control Bypass Attack Using Dynamic DLL Injection Scheme
Keywords:
Malware, Ransomware, Blacklist, Whitelist, DLL injection
Abstract
Traditional malware detection collects known malicious programs, extracts their characteristics, and compiles those characteristics into a blacklist; the programs on a user's system are then checked against that blacklist to decide whether malware is present. Such an approach can detect only known malicious programs, not unknown ones, and because it generally has to monitor every program on the system in real time, it can degrade system performance. To address these problems, various methods have been proposed that analyze the major behaviors of malicious programs and respond to those behaviors rather than to signatures. Ransomware, in particular, must access and encrypt the user's files. A newer approach therefore builds a whitelist of the programs installed on the user's system and allows only whitelisted programs to access the user's files. Even with this approach, however, an attacker can inject a dynamic link library (DLL) into a legitimate program registered on the whitelist and thereby act with that program's file access. This paper proposes a method to respond effectively to such DLL injection attacks.
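The bypass the abstract describes is easiest to see against Microsoft's Controlled Folder Access, the whitelist-style protection in the reference list whose DLL-injection bypass is also cited there: a DLL loaded into an allowed process runs with that process's right to write protected folders, because the policy decision is made per process image, not per loaded module. The PowerShell script below is an added example written for this page, not code from the paper and not the paper's proposed countermeasure. It audits which currently running allowed applications have loaded modules from outside their own install directory or the Windows directory, or modules without a valid Authenticode signature. It assumes a Windows 10/11 host with Microsoft Defender, an elevated session of the same bitness as the inspected processes, and that the allowed-application list is the one returned by Get-MpPreference; the function name Get-SuspiciousModule is chosen here for illustration.

```powershell
# Added example (not the paper's proposed method): audit modules loaded into
# processes that Controlled Folder Access (CFA) trusts. A whitelisted process
# is only as trustworthy as the code running inside it, so an injected DLL
# shows up as a module that is neither part of the application nor part of
# Windows, or that carries no valid signature.
# Assumptions: Windows 10/11 with Microsoft Defender, run as Administrator,
# same bitness as the inspected processes (Process.Modules requires it).
# Get-SuspiciousModule is a name chosen for this example.

function Get-SuspiciousModule {
    [CmdletBinding()]
    param(
        # Image paths CFA allows; defaults to the configured allowed-app list.
        [string[]]$AllowedApplications
    )

    $pref = Get-MpPreference
    if (-not $AllowedApplications) {
        $AllowedApplications = @($pref.ControlledFolderAccessAllowedApplications)
    }
    # 0 = Disabled, 1 = Enabled (block), 2 = Audit mode. Only 1 blocks writes.
    if ($pref.EnableControlledFolderAccess -ne 1) {
        Write-Warning "Controlled Folder Access is not in block mode (EnableControlledFolderAccess = $($pref.EnableControlledFolderAccess))"
    }
    # Defender additionally trusts a built-in set of Microsoft "friendly" apps
    # that never appear in this list; pass them via -AllowedApplications.
    $allowedSet = @($AllowedApplications | ForEach-Object { $_.ToLowerInvariant() })

    $running = Get-Process | Where-Object {
        $_.Path -and ($allowedSet -contains $_.Path.ToLowerInvariant())
    }

    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($proc in $running) {
        $imageDir = Split-Path -Parent $proc.Path
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot enumerate modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
            continue
        }
        foreach ($mod in $modules) {
            $modPath    = $mod.FileName
            $inImageDir = $modPath.StartsWith($imageDir, $cmp)
            $inWindows  = $modPath.StartsWith($env:windir, $cmp)
            if ($inImageDir) { $location = 'ImageDir' }
            elseif ($inWindows) { $location = 'Windows' }
            else { $location = 'Other' }
            $sig = Get-AuthenticodeSignature -FilePath $modPath
            # Flag anything loaded from an unexpected location, and anything
            # without a valid signature regardless of location: a DLL dropped
            # into a user-writable spot such as %windir%\Temp, or next to the
            # EXE, still fails the signature check.
            if (($location -eq 'Other') -or ($sig.Status -ne 'Valid')) {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $modPath
                    Location  = $location
                    Signature = $sig.Status
                }
            }
        }
    }
}

# Usage: list suspect modules in the allowed processes, unsigned ones first.
Get-SuspiciousModule | Sort-Object Signature, Location | Format-Table -AutoSize
```

This is a detective check, not a preventive one: it tells you after the fact that a whitelisted process is carrying foreign code, and it only sees processes that are running at the moment it is invoked. Stopping the write itself requires the access decision to consider more than the process image, which is the gap the paper's countermeasure targets.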
References
Chakkaravarthy S, Sangeetha D, Vaidehi V, 2019, A Survey on Malware Analysis and Mitigation Techniques. Computer Science Review, 32: 1–23. https://doi.org/10.1016/j.cosrev.2019.01.002
Gibert D, Mateu C, Planes J, 2020, The Rise of Machine Learning for Detection and Classification of Malware: Research Developments, Trends and Challenges. Journal of Network and Computer Applications, 153(1): 102526. https://doi.org/10.1016/j.jnca.2019.102526
Khammas B, 2020, Ransomware Detection Using Random Forest Technique. ICT Express, 6(4). https://doi.org/10.1016/j.icte.2020.11.001
Ko BS, Choi WH, Jeong DJ, 2020, A Study on the Tracking and Blocking of Malicious Actors through Thread Based Monitoring. Journal of the Korea Institute of Information Security and Cryptology, 30(1): 75–86. https://doi.org/10.13089/JKIISC.2020.30.1.75
Kim D, Lee J, 2020, Blacklist vs. Whitelist-Based Ransomware Solutions. IEEE Consumer Electronics Magazine, 9(3): 22–28. https://doi.org/10.1109/MCE.2019.2956192
McIntosh T, Kayes A, Chen Y, et al., 2021, Ransomware Mitigation in the Modern Era: A Comprehensive Review, Research Challenges, and Future Directions. ACM Computing Surveys (CSUR), 7(9): 1–36. https://doi.org/10.1145/3479393
Kim S, Hwang I, Kim D, 2021, A Study on Creation of Secure Storage Area and Access Control to Protect Data from Unspecified Threats. Journal of the Society of Disaster Information, 17(4): 897–903. https://doi.org/10.15683/kosdi.2021.12.31.897
Microsoft, n.d., Enable Controlled Folder Access. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide
Abrams L, 2018, Windows 10 Ransomware Protection Bypassed Using DLL Injection. BleepingComputer, https://www.bleepingcomputer.com/news/security/windows-10-ransomware-protection-bypassed-using-dll-injection/
Microsoft, n.d., Filter Manager and Minifilter Driver Architecture. https://docs.microsoft.com/ko-kr/windows-hardware/drivers/ifs/filtermanager-concepts