The ROP Needle: Hiding Trigger-based Injection Vectors via Code Reuse

In recent years, researchers have come up with proof of concepts of seemingly benign applications such as InstaStock and Jekyll that remain dormant until triggered by an attacker-crafted condition, which activates a malicious behavior, eluding code review and signing mechanisms. In this paper, we make a step forward by describing a stealthy injection vector design approach based on Return Oriented Programming (ROP) code reuse that provides two main novel features: 1) the ability to defer the specification of the malicious behavior until the attack is struck, allowing fine-grained targeting of the malware and reuse of the same infection vector for delivering multiple payloads over time; 2) the ability to conceal the ROP chain that specifies the malicious behavior to an analyst by using encryption. We argue that such an infection vector might be a dangerous weapon in the hands of advanced persistent threat actors. As an additional contribution, we report on a preliminary experimental investigation that seems to suggest that ROP-encoded malicious payloads are likely to pass unnoticed by current security solutions, making ROP an effective malware design ingredient.