BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection

  • Brian M. Bowen
  • Pratap Prabhu
  • Vasileios P. Kemerlis
  • Stelios Sidiroglou
  • Angelos D. Keromytis
  • Salvatore J. Stolfo
Conference paper

DOI: 10.1007/978-3-642-15512-3_7

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)
Cite this paper as:
Bowen B.M., Prabhu P., Kemerlis V.P., Sidiroglou S., Keromytis A.D., Stolfo S.J. (2010) BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection. In: Jha S., Sommer R., Kreibich C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg

Abstract

We introduce BotSwindler, a bait injection system designed to delude and detect crimeware by forcing it to reveal itself during the exploitation of monitored information. The implementation of BotSwindler relies upon an out-of-host software agent that drives user-like interactions in a virtual machine, seeking to convince malware residing within the guest OS that it has captured legitimate credentials. To aid in the accuracy and realism of the simulations, we propose a low-overhead approach, called virtual machine verification, for verifying whether the guest OS is in one of a predefined set of states. We present results from experiments with real credential-collecting malware that demonstrate the injection of monitored financial bait for detecting compromises. Additionally, using a computational analysis and a user study, we illustrate the believability of the simulations and demonstrate that they are sufficiently human-like. Finally, we provide results from performance measurements to show that our approach does not impose a performance burden.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Brian M. Bowen (1)
  • Pratap Prabhu (1)
  • Vasileios P. Kemerlis (1)
  • Stelios Sidiroglou (2)
  • Angelos D. Keromytis (1)
  • Salvatore J. Stolfo (1)

  1. Department of Computer Science, Columbia University
  2. MIT Computer Science and Artificial Intelligence Laboratory