Two Methods for Detecting Malware
In this paper, we present two ways of detecting malware. The first one takes advantage of a platform that we have developed. The platform includes tools for capturing malware, running code in a controlled environment, and analyzing its interactions with external entities. The platform enables us to detect malware based on the observation of its communication behavior. The second approach uses a method for detecting encrypted Skype traffic and classifying Skype service flows such as voice calls, skypeOut, video conferencing, chat, file upload and download in Skype traffic. The method is based on the Statistical Protocol IDentification (SPID) that analyzes statistical values of some traffic attributes. We apply the method to identify malicious traffic—we have successfully detected the propagation of Worm.Win32.Skipi.b that spreads over the Skype messenger by sending infected messages to all Skype contacts on a victim machine.
Unable to display preview. Download preview PDF.
- 1.Berger-Sabbatel, G., Korczyński, M., Duda, A.: Architecture of a Platform for Malware Analysis and Confinement. In: Proceedings MCSS 2010: Multimedia Communications, Services and Security, Cracow, Poland (June 2010)Google Scholar
- 4.Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol, Version 1.2. RFC 5246 (August 2008)Google Scholar
- 5.Cuong, N.C.: Skype-New Target of the Worm Spreading via IM (May 2010), http://blog.bkav.com
- 6.Korczyński, M.: Classifying Application Flows and Intrusion Detection in the Internet Traffic. PhD thesis, École Doctorale Mathématiques, Sciences et Technologies de l’Information, Informatique (EDMSTII), Grenoble, France (November 2012)Google Scholar
- 7.Korczyński, M., Duda, A.: Classifying Service Flows in the Encrypted Skype Traffic. In: 2012 IEEE International Conference on Communications, ICC 2012, pp. 1064–1068 (June 2012)Google Scholar
- 8.Hjelmvik, E., John, W.: Statistical Protocol Identification with SPID: Preliminary Results. In: Proceedings of 6th Swedish National Computer Networking Workshop (May 2009)Google Scholar
- 11.Swoyer, S.: Enterprise Systems: IM Security Exploits Explode in 2007 (August 2008), http://www.esj.com
- 12.Kaspersky Lab Detects New IM Worms Capable of Spreading via Almost All Instant Messengers (August 2010), http://www.kaspersky.com
- 13.Yan, G., Xiao, Z., Eidenbenz, S.: Catching Instant Messaging Worms with Change-Point Detection Techniques. In: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, pp. 1–10. USENIX Association (2008)Google Scholar