Banksafe Information Stealer Detection Inside the Web Browser

  • Armin Buescher
  • Felix Leder
  • Thomas Siebert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)

Abstract

Information-stealing and banking trojans have become the tool of choice for cyber criminals in various kinds of cyber fraud. Traditional security measures such as common antivirus solutions currently provide neither sufficient reactive nor sufficient proactive detection for this type of malware. In this paper, we propose Banksafe, a new approach to detecting banking trojan infections from inside the web browser. Banksafe detects attempts by illegitimate software to manipulate the browser's networking libraries, a technique commonly used by widespread information stealer trojans. We demonstrate the effectiveness of our solution by evaluating the detection and classification of sample sets consisting of several malware families targeting the Microsoft Windows operating system. Furthermore, we show that the approach effectively prevents possible false positives.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Armin Buescher (1)
  • Felix Leder (2)
  • Thomas Siebert (1)
  1. G Data Security Labs, Bochum, Germany
  2. Institute of Computer Science 4, University of Bonn, Germany