Sensors (Aug 2024)

Detection Strategies for COM, WMI, and ALPC-Based Multi-Process Malware

  • Radu Marian Portase,
  • Andrei Marius Muntea,
  • Andrei Mermeze,
  • Adrian Colesa,
  • Gheorghe Sebestyen

DOI
https://doi.org/10.3390/s24165118
Journal volume & issue
Vol. 24, no. 16
p. 5118

Abstract

Behavioral malware detection is based on attributing malicious actions to processes. Malicious processes may try to hide by changing the behavior of other benign processes to achieve their goals. We showcase how Component Object Model (COM) and Windows Management Instrumentation (WMI) can be used to create such spoofing attacks. We discuss the internals of COM and WMI and Asynchronous Local Procedure Call (ALPC). We present multiple functional monitoring techniques to identify the spoofing and discuss the strong and weak points of each technique. We create a robust process monitoring system that can correctly identify the source of malicious actions spoofed via COM, WMI and ALPC with a low performance impact. Finally, we discuss how malicious actors use COM, WMI and ALPC by examining real-world malware detected by our monitoring system.

Keywords