BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection

  • Brian M. Bowen
  • Pratap Prabhu
  • Vasileios P. Kemerlis
  • Stelios Sidiroglou
  • Angelos D. Keromytis
  • Salvatore J. Stolfo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)


We introduce BotSwindler, a bait injection system designed to delude and detect crimeware by forcing it to reveal itself during the exploitation of monitored information. The implementation of BotSwindler relies upon an out-of-host software agent that drives user-like interactions in a virtual machine, seeking to convince malware residing within the guest OS that it has captured legitimate credentials. To aid the accuracy and realism of the simulations, we propose a low-overhead approach, called virtual machine verification, for verifying whether the guest OS is in one of a predefined set of states. We present results from experiments with real credential-collecting malware that demonstrate the injection of monitored financial bait for detecting compromises. Additionally, using a computational analysis and a user study, we illustrate the believability of the simulations and demonstrate that they are sufficiently human-like. Finally, we provide results from performance measurements to show that our approach does not impose a performance burden.
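The abstract names two mechanisms that only make sense together: an out-of-host agent injecting decoy credentials, and a verifier that gates each injection on the guest being in a known state. The following is an added illustration, not code from the paper; it assumes that "state verification" is done by hashing predefined regions of a guest framebuffer snapshot and comparing them with stored fingerprints, and it uses a constructed toy framebuffer. The verifier refuses to inject the decoy when an unexpected dialog alters the login area, which is the failure mode such a gate exists to catch.

```python
import hashlib

W, H = 16, 8  # constructed toy framebuffer: grayscale, one byte per pixel

def region_bytes(fb, x, y, w, h):
    """Concatenate the rows of one rectangular region of the framebuffer."""
    return b"".join(fb[(y + r) * W + x:(y + r) * W + x + w] for r in range(h))

def fingerprint(fb, regions):
    """Hash each named region; together the hashes identify a guest state."""
    return {name: hashlib.sha256(region_bytes(fb, *rect)).hexdigest()
            for name, rect in regions.items()}

def make_frame(fill, patches):
    """Build a constructed frame: background colour plus rectangular patches."""
    fb = bytearray([fill] * (W * H))
    for (x, y, w, h), val in patches:
        for r in range(h):
            for c in range(w):
                fb[(y + r) * W + x + c] = val
    return bytes(fb)

# Regions the verifier inspects (assumed layout: a title bar and a login box).
REGIONS = {"title_bar": (0, 0, 16, 1), "login_box": (4, 3, 6, 2)}

LOGIN_FRAME = make_frame(0x00, [((0, 0, 16, 1), 0x80), ((4, 3, 6, 2), 0xFF)])
HOME_FRAME = make_frame(0x00, [((0, 0, 16, 1), 0x80), ((4, 3, 6, 2), 0x33)])
# Same login page, but an unexpected popup now overlaps the login box.
POPUP_FRAME = make_frame(0x00, [((0, 0, 16, 1), 0x80), ((4, 3, 6, 2), 0xFF),
                                ((6, 4, 2, 1), 0x20)])

# Fingerprints recorded in advance for the states the agent is allowed to act in.
KNOWN_STATES = {"login_form": fingerprint(LOGIN_FRAME, REGIONS),
                "home_page": fingerprint(HOME_FRAME, REGIONS)}

def verify_state(fb, known=KNOWN_STATES):
    """Return the name of the matching known state, or None if no state matches."""
    observed = fingerprint(fb, REGIONS)
    for name, expected in known.items():
        if observed == expected:
            return name
    return None

def inject_bait(fb, required_state, decoy_user, decoy_pass):
    """Emit the keystroke sequence for a monitored decoy only in the expected state."""
    state = verify_state(fb)
    if state != required_state:
        return {"injected": False, "observed": state}
    keystrokes = list(decoy_user) + ["TAB"] + list(decoy_pass) + ["ENTER"]
    return {"injected": True, "observed": state, "keystrokes": keystrokes}
```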





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Brian M. Bowen (1)
  • Pratap Prabhu (1)
  • Vasileios P. Kemerlis (1)
  • Stelios Sidiroglou (2)
  • Angelos D. Keromytis (1)
  • Salvatore J. Stolfo (1)
  1. Department of Computer Science, Columbia University
  2. MIT Computer Science and Artificial Intelligence Laboratory
