ABSTRACT
Malicious programs spy on users' behavior and compromise their privacy. Even software from reputable vendors, such as Google Desktop and the Sony DRM media player, may perform undesirable actions. Unfortunately, existing techniques for detecting malware and analyzing unknown code samples are insufficient and have significant shortcomings. We observe that malicious information access and processing behavior is the fundamental trait of numerous malware categories that breach users' privacy (including keyloggers, password thieves, network sniffers, stealth backdoors, spyware and rootkits), and that this trait separates these malicious applications from benign software. We propose a system, Panorama, to detect and analyze malware by capturing this fundamental trait. In our extensive experiments, Panorama successfully detected all the malware samples and had very few false positives. Furthermore, using Google Desktop as a case study, we show that our system can accurately capture its information access and processing behavior, and we confirm that it does send sensitive information back to remote servers in certain settings. We believe that a system such as Panorama will offer indispensable assistance to code analysts and malware researchers by enabling them to quickly comprehend the behavior and inner workings of an unknown sample.
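The detection idea in the abstract, capturing which code accesses and processes sensitive data as it flows through the system, is easiest to see in a small dynamic taint tracker. The block below is an added illustration, not code from the Panorama paper or its authors: a toy register machine with byte-granular shadow memory, per-module attribution of tainted reads, and a network sink that reports when tainted bytes leave the host. The instruction set, the module names ("editor", "keylogger", "updater"), the source and sink labels and the two sample programs are all constructed for this example; a real whole-system tracker applies the same propagation rules to every instruction the emulated CPU executes.

```python
"""Toy whole-system taint tracker in the spirit of Panorama's information
access and processing analysis. Everything here (instruction set, labels,
module names, sample programs) is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed labels: one sensitive source and one sink we watch.
KEYSTROKE, NETWORK_OUT = "keystroke", "network_out"


@dataclass
class Machine:
    mem: dict = field(default_factory=dict)       # addr -> byte value
    taint: dict = field(default_factory=dict)     # addr -> set of source labels
    regs: dict = field(default_factory=dict)      # reg -> value
    rtaint: dict = field(default_factory=dict)    # reg -> set of source labels
    accessed: dict = field(default_factory=dict)  # module -> labels it read
    leaked: list = field(default_factory=list)    # (module, labels) sent out

    def taint_source(self, addr, data: bytes, label):
        """A sensitive input (e.g. keystrokes) lands in memory: mark each byte."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.taint[addr + i] = {label}

    def run(self, module, program):
        """Execute one module's instructions while propagating taint.
        load/store copy taint, add/xor union operand taint, a constant
        overwrite clears it, and send reports any tainted bytes leaving."""
        for op, *args in program:
            if op == "load":                      # load r, addr
                r, a = args
                self.regs[r] = self.mem.get(a, 0)
                self.rtaint[r] = set(self.taint.get(a, set()))
                if self.rtaint[r]:                # attribute the tainted read
                    self.accessed.setdefault(module, set()).update(self.rtaint[r])
            elif op == "store":                   # store addr, r
                a, r = args
                self.mem[a] = self.regs[r]
                self.taint[a] = set(self.rtaint.get(r, set()))
            elif op == "const":                   # const r, imm (breaks the flow)
                r, imm = args
                self.regs[r] = imm
                self.rtaint[r] = set()
            elif op in ("add", "xor"):            # r1 = r1 op r2
                r1, r2 = args
                x, y = self.regs.get(r1, 0), self.regs.get(r2, 0)
                self.regs[r1] = ((x + y) if op == "add" else (x ^ y)) & 0xFF
                self.rtaint[r1] = self.rtaint.get(r1, set()) | self.rtaint.get(r2, set())
            elif op == "send":                    # send addr, n: bytes leave the host
                a, n = args
                labels = set()
                for i in range(n):
                    labels |= self.taint.get(a + i, set())
                if labels:
                    self.leaked.append((module, labels))
            else:
                raise ValueError(f"unknown op {op}")
        return self


def detect(machine, trusted_modules):
    """Verdict: a module that is not expected to handle the sensitive data
    but accessed it, or any module that sent it off-host, is flagged."""
    findings = []
    for mod, labels in machine.accessed.items():
        if mod not in trusted_modules:
            findings.append(f"{mod} accessed {sorted(labels)}")
    for mod, labels in machine.leaked:
        findings.append(f"{mod} sent {sorted(labels)} to network")
    return findings


def demo_keylogger():
    """Constructed scenario: a password typed into 'editor' is read by a
    'keylogger' module, XOR-obfuscated and sent out. Obfuscation does not
    shake the taint, so both the access and the exfiltration are reported."""
    m = Machine()
    m.taint_source(0x1000, b"hunter2", KEYSTROKE)
    editor = [("load", "r0", 0x1000), ("store", 0x2000, "r0")]   # legitimate use
    keylogger = [("const", "r1", 0x5A)]
    for i in range(7):
        keylogger += [("load", "r0", 0x1000 + i), ("xor", "r0", "r1"),
                      ("store", 0x3000 + i, "r0")]
    keylogger += [("send", 0x3000, 7)]
    m.run("editor", editor).run("keylogger", keylogger)
    return detect(m, trusted_modules={"editor"})


def demo_benign():
    """Constructed scenario: an 'updater' sends only its own constant data
    while keystrokes sit in memory; nothing tainted is touched, no finding."""
    m = Machine()
    m.taint_source(0x1000, b"hunter2", KEYSTROKE)
    updater = [("const", "r0", 0x01), ("store", 0x4000, "r0"), ("send", 0x4000, 1)]
    m.run("updater", updater)
    return detect(m, trusted_modules=set())
```

Two caveats a practitioner should keep in mind. First, this rule only sees explicit data flows: a sample that reconstructs a keystroke by comparing it against every possible value and writing the matching constant moves the information through a branch, which no data-taint rule catches. Second, the verdict depends on the policy in `detect`; deciding which modules are legitimately allowed to see which inputs (the application in focus may read keystrokes, a driver loaded from an unknown vendor may not) is where the false-positive rate is won or lost.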
CITED BY 18

Xiaoqi Jia, Shengzhi Zhang, Jiwu Jing, Peng Liu. Using virtual machines to do cross-layer damage assessment. Proceedings of the 1st ACM workshop on Virtual machine security, October 27, 2008, Alexandria, Virginia, USA.
Juan Caballero, Heng Yin, Zhenkai Liang, Dawn Song. Polyglot: automatic extraction of protocol message format using dynamic binary analysis. Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA.
Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, Fabian Monrose. All your iFRAMEs point to Us. Proceedings of the 17th USENIX Security Symposium, p.1-15, July 28-August 1, 2008, San Jose, CA.
Rui Wang, XiaoFeng Wang, Kehuan Zhang, Zhuowei Li. Towards automatic reverse engineering of software security configurations. Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA.
Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee. Ether: malware analysis via hardware virtualization extensions. Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA.
Jaeyeon Jung, Anmol Sheth, Ben Greenstein, David Wetherall, Gabriel Maganis, Tadayoshi Kohno. Privacy oracle: a system for finding application leaks with black box differential testing. Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA.
Mohit Tiwari, Banit Agrawal, Shashidhar Mysore, Jonathan Valamehr, Timothy Sherwood. A small cache of large ranges: Hardware methods for efficiently searching, storing, and updating big dataflow tags. Proceedings of the 41st IEEE/ACM International Symposium on Microarchitecture, p.94-105, November 8-12, 2008.
Andreas Sæbjørnsen, Jeremiah Willcock, Thomas Panas, Daniel Quinlan, Zhendong Su. Detecting code clones in binary executables. Proceedings of the 18th International Symposium on Software Testing and Analysis, July 19-23, 2009, Chicago, IL, USA.