DOI: 10.5555/1364385.1364403

Dynamic spyware analysis

Published: 17 June 2007

    Abstract

    Spyware is a class of malicious code that is surreptitiously installed on victims' machines. Once active, it silently monitors the behavior of users, records their web surfing habits, and steals their passwords. Current anti-spyware tools operate in a way similar to traditional virus scanners. That is, they check unknown programs against signatures associated with known spyware instances. Unfortunately, these techniques cannot identify novel spyware, require frequent updates to signature databases, and are easy to evade by code obfuscation.
    In this paper, we present a novel dynamic analysis approach that precisely tracks the flow of sensitive information as it is processed by the web browser and any loaded browser helper objects. Using the results of our analysis, we can identify unknown components as spyware and provide comprehensive reports on their behavior. The techniques presented in this paper address limitations of our previous work on spyware detection and significantly improve the quality and richness of our analysis. In particular, our approach allows a human analyst to observe the actual flows of sensitive data in the system. Based on this information, it is possible to precisely determine which sensitive data is accessed and where this data is sent to. To demonstrate the effectiveness of the detection and the comprehensiveness of the generated reports, we evaluated our system on a substantial body of spyware and benign samples.


    Cited By

    • (2023) MAYAVI: A Cyber-Deception Hardware for Memory Load-Stores. Proceedings of the Great Lakes Symposium on VLSI 2023, pp. 563-568. DOI 10.1145/3583781.3590272. Online publication date: 5 Jun 2023.
    • (2021) Challenges and Opportunities for Practical and Effective Dynamic Information Flow Tracking. ACM Computing Surveys 55(1), pp. 1-33. DOI 10.1145/3483790. Online publication date: 23 Nov 2021.
    • (2021) ECMO: Peripheral Transplantation to Rehost Embedded Linux Kernels. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 734-748. DOI 10.1145/3460120.3484753. Online publication date: 12 Nov 2021.

    Published In

    ATC'07: Proceedings of the 2007 USENIX Annual Technical Conference
    June 2007
    31 pages
    ISBN:9998888776

    Publisher

    USENIX Association

    United States
