Page 1

Behavior-based Spyware Detection

By Engin Kirda and Christopher Kruegel

Secure Systems Lab, Technical University Vienna

Greg Banks, Giovanni Vigna, and Richard A. Kemmerer, Department of Computer Science

University of California, Santa Barbara

Presented by: Majed Alhudaib

Page 2

Introduction

• Spyware is growing.

• In a study that I made on campus of 50 students I found that:

• 6 out of every 10 students encountered some sort of spyware infection over the past three years.

• Only 3 out of 50 know what spyware is.

• 20 asked for help removing what they call a “virus” and we call spyware.

• Some blamed the manufacturer of their computers for adding all these ads in the browser!

Page 3

Overview

• Current anti-spyware detectors.

• Behavior-based spyware detection.

• BHOs, toolbars and COM.

• Spyware characterization.

• The big picture.

• Dynamic analysis.

• Static analysis.

• Evading detection.

• Evaluation.

• Conclusion.

Page 4

Current anti-Spyware detectors

• Signature-based mechanism.

Page 5

Behavior based spyware detection

• A new spyware detection technique that overcomes some of the limitations of existing anti-spyware approaches. This technique is based on an abstract characterization of the behavior of a popular class of spyware programs that rely on Internet Explorer’s Browser Helper Object (BHO) and toolbar interfaces to monitor a user’s browsing behavior.

• Why Internet Explorer’s BHO and toolbar interfaces?

• What about other web browsers?

Page 6

BHOs, toolbars and COM

• What are BHOs and toolbars?

• What is COM?

• How do they interact?

• How can spyware applications take advantage of all this?

Page 7

Spyware characterization

• We classify a browser helper object or a toolbar as spyware if the component, in response to browser events:

1. monitors user behavior by interacting with the web browser, and

2. invokes Windows API calls that can potentially leak information about this behavior (e.g., calls to save the data to a file or transmit information to a remote host).

Page 8

The big picture

• Behavior-based spyware detection consists of two major parts:

1. Dynamic analysis: exposes a suspicious component to crafted browser events (which simulate user activity) and analyzes the component’s response. In particular, we dynamically record both the browser COM functions and the Windows API functions that the component calls.

2. Static analysis: extracts the control flow graph of all code regions that are responsible for handling events.

Page 9

Dynamic Analysis

• The goal of the dynamic analysis step is twofold:

• First, it has to monitor the interaction of the component with the browser and record all the browser’s COM functions that are invoked in response to events.

• Second, it has to determine the code regions that are responsible for handling events, thereby providing the necessary starting points for the static analysis step.

Page 10

Dynamic Analysis: Core elements

• A “fake” WebBrowser COM object, which provides the component under analysis with an environment similar to the one that would be present when being hosted by an instance of Internet Explorer.

• A COM object host application, which properly instantiates all involved components and sends the relevant browser events to the BHO or toolbar component under evaluation.

• A program that traces the execution of the host application to extract those code regions that handle the various browser events that are delivered.

Page 11

Dynamic Analysis: Locating event-handling code

• An instruction that handles an event is called an “event-specific instruction”.

• How to get the first event-specific instruction?

Page 12

Dynamic Analysis: Locating event-handling code

• Example.

Page 13

Static Analysis

• First task: disassemble the target binary and generate a control flow graph from the disassembled code. A control flow graph (CFG) is defined as a directed graph.

• Next task: based on the CFG for the entire component, isolate those parts of the graph that are responsible for handling events, using the event-specific addresses collected during dynamic analysis as starting points. In particular, we are interested in all sub-graphs of the CFG that contain the code to handle the different events.

• Finally: the event-specific lists are merged to obtain a list of all API calls that are invoked in response to events.
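The static analysis step on this slide and the classification rule from the spyware characterization slide, as an added illustration that is not the paper's or the presenter's code: a graph walk over a constructed control flow graph that collects the API calls reachable from each event-specific address, merges the per-event lists, and applies the monitor-and-leak rule. The block addresses, the toy CFG and the event entry points are made up; the Win32/WinInet and COM function names are used only as labels, and the browser COM calls are folded into the same call lists for brevity.

```python
# Added example (not from the paper): static-analysis step of behaviour-based
# BHO detection reduced to a reachability walk over a constructed CFG.
from collections import deque

# Constructed CFG of a toy BHO: block address -> (calls in block, successor addresses).
TOY_CFG = {
    0x1000: ([], [0x1010, 0x1020]),            # dispatch on the event id
    0x1010: (["get_LocationURL"], [0x1030]),   # DocumentComplete handler: read URL via COM
    0x1020: (["get_LocationURL"], [0x1040]),   # BeforeNavigate2 handler
    0x1030: (["WriteFile"], [0x1050]),         # log the URL to disk
    0x1040: (["InternetOpenUrlA"], [0x1050]),  # send the URL to a remote host
    0x1050: ([], []),                          # common return block
    0x2000: (["RegQueryValueExA"], []),        # init code, not reached from any event
}

# Event-specific instructions located by dynamic analysis: event -> first address (constructed).
EVENT_ENTRIES = {"DocumentComplete": 0x1010, "BeforeNavigate2": 0x1020}

# Browser COM functions that expose browsing behaviour, and Windows API calls that can leak it.
MONITORING_COM = {"get_LocationURL", "get_Document"}
LEAKING_API = {"WriteFile", "InternetOpenUrlA", "HttpSendRequestA", "send"}

def event_api_calls(cfg, entry):
    """Collect every call in the CFG sub-graph reachable from one event-specific address."""
    seen, calls, work = set(), set(), deque([entry])
    while work:
        addr = work.popleft()
        if addr in seen or addr not in cfg:
            continue
        seen.add(addr)
        block_calls, succs = cfg[addr]
        calls.update(block_calls)
        work.extend(succs)
    return calls

def merge_event_lists(cfg, entries):
    """Merge the per-event lists into one list of calls invoked in response to events."""
    merged = set()
    for entry in entries.values():
        merged |= event_api_calls(cfg, entry)
    return merged

def classify(cfg, entries):
    """Spyware iff event-driven code both monitors the browser and can leak what it sees."""
    calls = merge_event_lists(cfg, entries)
    monitors = bool(calls & MONITORING_COM)
    leaks = bool(calls & LEAKING_API)
    return ("spyware" if monitors and leaks else "benign"), sorted(calls)

if __name__ == "__main__":
    print(classify(TOY_CFG, EVENT_ENTRIES))
```

The init-only block at 0x2000 never appears in the merged list, which is the point of starting from event-specific addresses rather than scanning the whole binary for API calls.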

Page 14

Evading detection

• How can spyware bypass this kind of detection?

1. A spyware component could attempt to leak information using means other than API calls, or it could prevent the static analysis process from finding their invocations in the code of the BHO. How?

2. Another evasion avenue is to craft the BHO code so that it resists static analysis.

Page 15

Evaluation

• A total of 51 samples (33 malicious and 18 benign); 34 of them were BHOs and 17 were toolbars.

Page 16

Conclusion

• This mechanism still needs more work, yet it definitely raises the bar for spyware writers.

• The potential is very high and the outcome could benefit the detection of different malware types.

Page 17

Questions?

• Thank You