Two Methods for Detecting Malware

  • Maciej Korczyński
  • Gilles Berger-Sabbatel
  • Andrzej Duda
Part of the Communications in Computer and Information Science book series (CCIS, volume 368)

Abstract

In this paper, we present two ways of detecting malware. The first one takes advantage of a platform that we have developed. The platform includes tools for capturing malware, running code in a controlled environment, and analyzing its interactions with external entities. The platform enables us to detect malware based on the observation of its communication behavior. The second approach uses a method for detecting encrypted Skype traffic and classifying Skype service flows such as voice calls, skypeOut, video conferencing, chat, file upload and download in Skype traffic. The method is based on the Statistical Protocol IDentification (SPID) that analyzes statistical values of some traffic attributes. We apply the method to identify malicious traffic—we have successfully detected the propagation of Worm.Win32.Skipi.b that spreads over the Skype messenger by sending infected messages to all Skype contacts on a victim machine.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Berger-Sabbatel, G., Korczyński, M., Duda, A.: Architecture of a Platform for Malware Analysis and Confinement. In: Proceedings MCSS 2010: Multimedia Communications, Services and Security, Cracow, Poland (June 2010)Google Scholar
  2. 2.
    Berger-Sabbatel, G., Duda, A.: Analysis of Malware Network Activity. In: Dziech, A., Czyżewski, A. (eds.) MCSS 2011. CCIS, vol. 149, pp. 207–215. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Berger-Sabbatel, G., Duda, A.: Classification of Malware Network Activity. In: Dziech, A., Czyżewski, A. (eds.) MCSS 2012. CCIS, vol. 287, pp. 24–35. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol, Version 1.2. RFC 5246 (August 2008)Google Scholar
  5. 5.
    Cuong, N.C.: Skype-New Target of the Worm Spreading via IM (May 2010), http://blog.bkav.com
  6. 6.
    Korczyński, M.: Classifying Application Flows and Intrusion Detection in the Internet Traffic. PhD thesis, École Doctorale Mathématiques, Sciences et Technologies de l’Information, Informatique (EDMSTII), Grenoble, France (November 2012)Google Scholar
  7. 7.
    Korczyński, M., Duda, A.: Classifying Service Flows in the Encrypted Skype Traffic. In: 2012 IEEE International Conference on Communications, ICC 2012, pp. 1064–1068 (June 2012)Google Scholar
  8. 8.
    Hjelmvik, E., John, W.: Statistical Protocol Identification with SPID: Preliminary Results. In: Proceedings of 6th Swedish National Computer Networking Workshop (May 2009)Google Scholar
  9. 9.
    Kullback, S., Leibler, R.A.: On information and sufficiency. Annals of Mathematical Statistics 22, 49–86 (1951)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Leavitt, N.: Instant Messaging: A New Target for Hackers. Computer 38(7), 20–23 (2005)CrossRefGoogle Scholar
  11. 11.
    Swoyer, S.: Enterprise Systems: IM Security Exploits Explode in 2007 (August 2008), http://www.esj.com
  12. 12.
    Kaspersky Lab Detects New IM Worms Capable of Spreading via Almost All Instant Messengers (August 2010), http://www.kaspersky.com
  13. 13.
    Yan, G., Xiao, Z., Eidenbenz, S.: Catching Instant Messaging Worms with Change-Point Detection Techniques. In: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, pp. 1–10. USENIX Association (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Maciej Korczyński
    • 1
  • Gilles Berger-Sabbatel
    • 1
  • Andrzej Duda
    • 1
  1. 1.CNRS Grenoble Informatics Laboratory UMR 5217Grenoble Institute of TechnologySaint Martin d’Hères CedexFrance

Personalised recommendations