Security and Privacy in Communication Networks. 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19-21, 2023, Proceedings, Part II

Research Article

Understanding and Measuring Inter-process Code Injection in Windows Malware

Cite (BibTeX):

@INPROCEEDINGS{10.1007/978-3-031-64954-7_25,
  author={Jerre Starink and Marieke Huisman and Andreas Peter and Andrea Continella},
  title={Understanding and Measuring Inter-process Code Injection in Windows Malware},
  proceedings={Security and Privacy in Communication Networks. 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19-21, 2023, Proceedings, Part II},
  proceedings_a={SECURECOMM PART 2},
  year={2024},
  month={10},
  keywords={Malware, Code Injection, Malicious Behaviors},
  doi={10.1007/978-3-031-64954-7_25}
}

Cite (plain text):

Jerre Starink, Marieke Huisman, Andreas Peter, Andrea Continella. Understanding and Measuring Inter-process Code Injection in Windows Malware. In: Security and Privacy in Communication Networks, 19th EAI International Conference, SecureComm 2023, Proceedings, Part II (SECURECOMM PART 2). Springer, 2024. DOI: 10.1007/978-3-031-64954-7_25
Jerre Starink*, Marieke Huisman, Andreas Peter, Andrea Continella
    *Contact email: j.a.l.starink@utwente.nl

    Abstract

    Malware aims to stay undetected for as long as possible. One common method for avoiding or delaying detection is the use of code injection, by which a malicious process injects code into another running application. Despite code injection being known as one of the main features of today’s malware, it is often overlooked, and no prior research has performed a comprehensive study to fundamentally understand and measure code injection in Windows malware. In this paper, we conduct a systematic study of code injection techniques and propose the first taxonomy to group these methods into classes based on common traits. Then, we leverage our taxonomy to implement models of the studied techniques and collect empirical evidence for the prevalence of each specific technique in the malware scene. Finally, we perform a large-scale, longitudinal measurement of the adoption of code injection, highlighting that at least 9.1% of Windows malware between 2017 and 2021 performs code injection. Our systematization and results show that Process Hollowing is the most commonly used technique across different malware families, but, more importantly, this trend is shifting towards other, less traditional methods. We conclude with takeaways that impact how future malware research should be conducted. Without comprehensively accounting for code injection and modeling emerging techniques, future studies based on dynamic analysis are bound to yield limited observations.
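    The abstract's closing takeaway, that dynamic analysis which does not account for code injection loses sight of the sample's behaviour once it moves into another process, can be made concrete with a small attribution pass over a sandbox API trace. The Python below is an added example written for this page; it is not code from the paper or its authors. The event format, the API names used as injection signals, the technique labels (a hollowing pattern of suspended child + memory write + SetThreadContext + ResumeThread, a remote-thread pattern, an APC pattern) and the trace itself are constructed assumptions for the illustration and do not reproduce the paper's taxonomy or models.

```python
"""Follow a sample's behaviour across code injection in a sandbox API trace.

Constructed illustration: the event format, the API names used as injection
signals, the technique labels and the trace below are assumptions of this
example, not the paper's taxonomy or models.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004      # CreateProcess dwCreationFlags bit (Win32)
PROCESS_CREATE_THREAD = 0x0002     # OpenProcess dwDesiredAccess bits (Win32)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


@dataclass
class Event:
    pid: int                       # process that made the call
    api: str                       # hooked API name as the sandbox logged it
    target: Optional[int] = None   # process the call acts on, if any
    flags: int = 0                 # creation flags / desired access, if any


@dataclass
class InjectState:
    """What the injector has done to a candidate target so far."""
    injector: int
    suspended: bool = False        # target was created with CREATE_SUSPENDED
    unmapped: bool = False         # original image unmapped (classic hollowing step)
    written: bool = False          # memory written or mapped into the target
    context_set: bool = False      # main thread redirected with SetThreadContext


def classify(st: InjectState, trigger: str) -> Optional[str]:
    """Name the technique once a thread in the target is (re)started.

    Labels are illustrative. Hollowing is recognised on ResumeThread of a
    suspended child whose memory and thread context were both rewritten;
    NtUnmapViewOfSection is recorded but not required, since some variants
    overwrite the image in place.
    """
    if trigger == "ResumeThread":
        if st.suspended and st.written and st.context_set:
            return "process hollowing"
        return None                # ordinary suspended child being started
    if not st.written:
        return None                # nothing has been injected yet
    if trigger in ("CreateRemoteThread", "NtCreateThreadEx"):
        return "remote thread injection"
    if trigger == "QueueUserAPC":
        return "APC injection"
    return None


def attribute(events: List[Event], root_pid: int
              ) -> Tuple[Dict[int, str], Dict[int, int], List[Event]]:
    """Return (technique per injected pid, pid -> root it is attributed to,
    events attributed to the sample). Calls from processes the sample never
    created or injected into are not the sample's behaviour and are skipped."""
    owned: Dict[int, int] = {root_pid: root_pid}
    pending: Dict[int, InjectState] = {}
    technique: Dict[int, str] = {}
    attributed: List[Event] = []
    starters = ("ResumeThread", "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC")
    writers = ("WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection")

    for ev in events:
        if ev.pid not in owned:
            continue
        attributed.append(ev)
        root = owned[ev.pid]
        t = ev.target
        if t is None:
            continue
        if ev.api == "CreateProcess":
            if ev.flags & CREATE_SUSPENDED:
                pending[t] = InjectState(ev.pid, suspended=True)
            else:
                owned[t] = root    # plain child inherits attribution
        elif ev.api == "OpenProcess" and ev.flags & PROCESS_VM_WRITE:
            pending.setdefault(t, InjectState(ev.pid))
        elif t in pending:
            st = pending[t]
            if ev.api == "NtUnmapViewOfSection":
                st.unmapped = True
            elif ev.api in writers:
                st.written = True
            elif ev.api == "SetThreadContext":
                st.context_set = True
            elif ev.api in starters:
                label = classify(st, ev.api)
                if label:
                    technique[t] = label
                if label or ev.api == "ResumeThread":
                    owned[t] = root    # from here on the target's calls are the sample's
                    del pending[t]
    return technique, owned, attributed


# Constructed trace: sample 100 hollows a suspended child (200), injects a
# remote thread into an already-running process (300) and spawns a plain
# child (500); process 400 is unrelated background activity.
SAMPLE_TRACE = [
    Event(100, "CreateProcess", target=200, flags=CREATE_SUSPENDED),
    Event(100, "NtUnmapViewOfSection", target=200),
    Event(100, "WriteProcessMemory", target=200),
    Event(100, "SetThreadContext", target=200),
    Event(100, "ResumeThread", target=200),
    Event(200, "InternetOpenUrlA"),
    Event(100, "OpenProcess", target=300,
          flags=PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD),
    Event(100, "WriteProcessMemory", target=300),
    Event(100, "CreateRemoteThread", target=300),
    Event(300, "CreateFileW"),
    Event(400, "RegSetValueExW"),
    Event(100, "CreateProcess", target=500, flags=0),
    Event(500, "CreateFileW"),
]

if __name__ == "__main__":
    tech, owned, attributed = attribute(SAMPLE_TRACE, 100)
    for pid, label in tech.items():
        print(f"pid {pid}: {label} by pid {owned[pid]}")
    print(f"{len(attributed)} of {len(SAMPLE_TRACE)} events attributed to the sample")
```

    Without the attribution step, the network call from pid 200 and the file write from pid 300 would be logged as the activity of two unrelated processes; with it they are recorded against the sample, while the unrelated registry write from pid 400 stays out of its behaviour profile.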

    Keywords
    Malware; Code Injection; Malicious Behaviors
    Published
    2024-10-15
    Appears in
    SpringerLink
    http://dx.doi.org/10.1007/978-3-031-64954-7_25
    Copyright © 2023–2025 ICST