Privacy-breaching Behavior Analysis

Automatic Malware Analysis

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

Malicious programs spy on users' behavior and compromise their privacy. Even software from reputable vendors, such as Google Desktop and Sony's DRM media player, may perform undesirable actions. Unfortunately, existing techniques for detecting malware and analyzing unknown code samples have significant shortcomings. We observe that malicious information access and processing behavior is the fundamental trait of numerous malware categories that breach users' privacy (including keyloggers, password thieves, network sniffers, stealth backdoors, spyware and rootkits), and that this trait separates these malicious applications from benign software. We propose a system, Panorama, to detect and analyze malware by capturing this fundamental trait. In our extensive experiments, Panorama successfully detected all the malware samples and had very few false positives. Furthermore, using Google Desktop as a case study, we show that our system can accurately capture its information access and processing behavior, and we confirm that it does send sensitive information back to remote servers in certain settings. We believe that a system such as Panorama will offer indispensable assistance to code analysts and malware researchers by enabling them to quickly comprehend the behavior and inner workings of an unknown sample.

Notes

  1. In other words, the presence of a module node in a taint graph indicates that at least one instruction of this module stems from the sample.
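The detection idea summarized in the abstract (track how a sample accesses and processes sensitive information) and the module-node rule in note 1 can be illustrated with a small taint tracker. The following is an added example, not code from the chapter or from Panorama: the instruction trace, module names (spy.dll, util.exe, browser.exe), the source and sink kinds, and the breach policy are all constructed, simplified assumptions. It replays a constructed whole-system trace, propagates taint labels from sensitive sources (keystrokes, files) through register and memory moves, adds a module node to the taint graph only when code stemming from the sample touches tainted data, and reports a privacy breach when sensitive data processed by the sample's code also reaches an outbound channel (file or network). A second trace shows the benign contrast: the browser itself sends a typed password, and the sample only touches its own configuration file, so nothing is flagged.

```python
"""Toy whole-system taint tracker illustrating the chapter's detection idea.

Constructed example: the instruction trace, module names, source/sink kinds and
the breach policy are simplified assumptions, not the Panorama implementation.
"""
from dataclasses import dataclass, field

SENSITIVE = {"keystroke", "password_file", "document"}   # assumed source kinds
OUTBOUND = {"network", "file_write"}                       # assumed sink kinds


@dataclass(frozen=True)
class Insn:
    """One executed instruction from a (constructed) whole-system trace."""
    module: str         # code module the instruction belongs to
    from_sample: bool   # True if the instruction bytes stem from the sample
    op: str             # "source" | "mov" | "add" | "xor" | "sink"
    dst: str = ""       # destination register/memory name
    src: str = ""       # source operand (the value read at a sink)
    kind: str = ""      # taint-source kind or sink kind


@dataclass
class TaintGraph:
    modules: dict = field(default_factory=dict)    # module -> labels it processed
    edges: set = field(default_factory=set)        # (from, to) flow edges
    sink_hits: list = field(default_factory=list)  # (sink kind, labels reaching it)


def propagate(taint, ins):
    """Labels reaching ins.dst under simple data-flow rules."""
    if ins.op == "xor" and ins.src == ins.dst:      # xor r,r zeroes r: no taint
        return frozenset()
    src = taint.get(ins.src, frozenset())
    if ins.op in ("add", "xor"):                    # binary ops merge operands
        return src | taint.get(ins.dst, frozenset())
    return src                                      # mov: dst inherits src taint


def run_trace(trace):
    """Replay a trace, tracking taint and building the module-level graph."""
    taint = {}                                      # location -> frozenset(labels)
    g = TaintGraph()
    for ins in trace:
        if ins.op == "source":                      # OS/driver delivers sensitive data
            labels = frozenset({ins.kind})
            taint[ins.dst] = labels
        elif ins.op == "sink":                      # data leaves the system
            labels = taint.get(ins.src, frozenset())
            if labels:
                g.sink_hits.append((ins.kind, labels))
                g.edges.add((ins.module, ins.kind))
        else:
            labels = propagate(taint, ins)
            if labels:
                taint[ins.dst] = labels
            else:
                taint.pop(ins.dst, None)            # overwritten by clean data
        # Note 1: a module node exists only where code stemming from the sample
        # executed; this toy adds it once that code touches tainted data.
        if ins.from_sample and labels:
            g.modules.setdefault(ins.module, set()).update(labels)
            g.edges.update((lbl, ins.module) for lbl in labels)
    return g


def privacy_breach(g):
    """(label, module, sink) triples: sensitive data processed by the sample's
    code that also reached an outbound channel. Empty list means no finding."""
    leaked = {}
    for sink, labels in g.sink_hits:
        if sink in OUTBOUND:
            for lbl in labels & SENSITIVE:
                leaked.setdefault(lbl, set()).add(sink)
    return sorted((lbl, mod, sink)
                  for mod, labels in g.modules.items()
                  for lbl in labels & SENSITIVE
                  for sink in leaked.get(lbl, ()))


# Constructed trace: sample-injected hook code (spy.dll) copies a keystroke,
# XOR-encodes it and hands it to benign OS code that writes and sends it.
KEYLOGGER_TRACE = [
    Insn("kbdclass.sys", False, "source", dst="scancode", kind="keystroke"),
    Insn("user32.dll", False, "mov", dst="msg.wParam", src="scancode"),
    Insn("spy.dll", True, "mov", dst="eax", src="msg.wParam"),
    Insn("spy.dll", True, "xor", dst="eax", src="key"),     # key is untainted
    Insn("spy.dll", True, "mov", dst="logbuf", src="eax"),
    Insn("kernel32.dll", False, "sink", src="logbuf", kind="file_write"),
    Insn("ws2_32.dll", False, "sink", src="logbuf", kind="network"),
]

# Constructed trace: the browser itself sends a typed password; the sample
# (util.exe) only touches its own config file, so its module node carries
# no sensitive label and nothing is reported.
BENIGN_TRACE = [
    Insn("kbdclass.sys", False, "source", dst="scancode", kind="keystroke"),
    Insn("browser.exe", False, "mov", dst="form.pw", src="scancode"),
    Insn("ws2_32.dll", False, "sink", src="form.pw", kind="network"),
    Insn("ntfs.sys", False, "source", dst="cfgbuf", kind="config_file"),
    Insn("util.exe", True, "mov", dst="ebx", src="cfgbuf"),
    Insn("kernel32.dll", False, "sink", src="ebx", kind="file_write"),
]

if __name__ == "__main__":
    for name, trace in (("keylogger", KEYLOGGER_TRACE), ("benign", BENIGN_TRACE)):
        g = run_trace(trace)
        print(name, "module nodes:", sorted(g.modules), "findings:", privacy_breach(g))
```

The XOR step matters: a keylogger that obfuscates what it captured still carries the keystroke label, because taint follows the data through arithmetic, whereas overwriting a location with clean data (or xor r,r) clears it. The benign trace also shows why the policy keys on the sample's own module nodes rather than on the sink alone: the browser legitimately sends the password, and that flow must not be attributed to the sample.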

Copyright information

© 2013 The Author(s)

About this chapter

Cite this chapter

Yin, H., Song, D. (2013). Privacy-breaching Behavior Analysis. In: Automatic Malware Analysis. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5523-3_4

  • DOI: https://doi.org/10.1007/978-1-4614-5523-3_4

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5522-6

  • Online ISBN: 978-1-4614-5523-3
