University of Twente Student Theses


Analyzing fileless malware for the .NET Framework through CLR profiling

Leemreize, T. (2021) Analyzing fileless malware for the .NET Framework through CLR profiling.

Abstract: Fileless malware is an ongoing threat, with high success rates at bypassing detection methods and infecting machines. Anti-malware solutions are continuously improving to tackle this threat by introducing new detection mechanisms. One of these mechanisms is the Antimalware Scan Interface, better known as AMSI, which has been a significant improvement to security in the .NET world. A new fileless malware technique based on the Dynamic Language Runtime is, however, able to bypass these new mechanisms, including AMSI. Therefore, a new method to tackle this threat is required. As a response, we propose a new method for analyzing fileless malware for the .NET Framework based on CLR profiling. As our method builds on top of the .NET profiling API, it is applicable to any application written for the .NET Framework. Our method has been successfully applied to current state-of-the-art malware samples to both analyze the samples and create signatures for their techniques. This in turn allows us to detect the usage of these techniques in new, unknown samples. From our analysis we discovered four distinct types of fileless malware techniques that are currently being used in the wild. These four types of techniques are reflection-based techniques, techniques statically invoking unmanaged code, techniques dynamically invoking unmanaged code, and techniques utilizing an embedded interpreter. Additionally, we provide insights into the behaviour of these techniques by comparing their characteristics in more detail.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)