Dynamic Spyware Analysis - M. Egele & C. Kruegel & E. Kirda - PowerPoint PPT Presentation

SLIDE 1

Outline: Motivation, Our Solution, System Design & Implementation, Evaluation

Dynamic Spyware Analysis

M. Egele (1), C. Kruegel (1), E. Kirda (1), H. Yin (2,3), D. Song (2)

(1) Secure Systems Lab, Vienna University of Technology
(2) Carnegie Mellon University
(3) College of William and Mary

USENIX Annual Technical Conference, June 21, 2007

M. Egele & C. Kruegel & E. Kirda & H. Yin & D. Song

Dynamic Spyware Analysis

SLIDE 2

spyware - a threat to internet users

  • Spyware is malware that is installed on a computer to monitor user actions
  • Spyware is an important threat to the security and privacy of Internet users
  • An analysis by Webroot and Earthlink showed that a large portion of Internet-connected computers are infected with spyware
  • Spyware also degrades performance and causes unexpected side effects
  • BHOs (Browser Helper Objects) are a very popular kind of spyware (Weng et al.: 90 of 120 spyware samples use the BHO architecture)

SLIDE 7

drawbacks of existing signature-based tools

A number of signature-based anti-spyware products exist; they share the drawbacks of that approach:
  • Unable to detect previously unknown threats
  • Need continuous signature updates
  • Often require human analysis before signatures can be created

SLIDE 10

behavior-based detection

To overcome the shortcomings of signature-based detectors, we implemented a behavior-based detection technique that classifies a program as spyware if

  1. it monitors user behavior, and
  2. then leaks the gathered information to a third party (the attacker).

SLIDE 14

our approach

  • The focus of the analysis is on BHOs
  • We use dynamic analysis to monitor a BHO for the presence of malicious behavior
  • Two challenges need to be solved:

  1. Track the flow of sensitive data throughout the system
  2. Observe what actions are performed by the BHO under analysis

SLIDE 19

our approach

Our solution features three key components:

  1. URLs and page contents are considered to contain sensitive information
  2. The propagation of this data throughout the system is observed by taint tracking
  3. By monitoring system calls, attempts to leak sensitive information can be identified

SLIDE 22

analysis output

The system classifies BHOs as spyware or legitimate software. Additionally, it produces comprehensive reports covering
  • File actions
  • Network actions
  • Interprocess communication
  • Operating system actions
The reports are enriched with more details when sensitive data is involved.

SLIDE 27

Outline: Motivation, Our Solution, System Design & Implementation (The Big Picture, Modified Qemu Emulator, Dynamic Taint Propagation, The Problem with Control Dependencies, Bridging the Semantic Gap, Taint Sources, Taint Sinks, Automated Browser Testing), Evaluation

system overview

SLIDE 33

qemu x86 system emulator

Qemu was enhanced to perform additional tasks:
  • Perform taint tracking operations
  • Provide hooking capabilities for system / function calls
  • Monitor system actions

SLIDE 36

taint tracking

Tainting allows us to tag data elements of interest and track their propagation throughout the system. Our system covers
  • Data dependencies (mov %eax, %ebx)
  • Address dependencies (mov %eax, (%ebx, 2, 1))
  • Control dependencies (if (x == 'a') {y = 'a'})
  • Untainting with simple constant functions (xor %eax, %eax)

SLIDE 40

control dependencies

While data and address dependencies can be handled on a per-instruction basis, control dependencies cannot. Instead:
  • Whenever a branch depends on tainted data, the scope of this branch is calculated (static analysis)
  • In this scope, the targets of all write operations are tainted (independent of the taint status of the operands)
  • After the scope ends, normal taint operations resume
  • It is possible that independent variables become tainted, but no false positives were observed in our experiments
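The propagation rules from the "taint tracking" slide and the scope-based handling of control dependencies from this slide, worked through on a toy register machine. This is an added example written for this page, not the modified QEMU of the talk: the tuple instruction format, the TaintMachine class and the encoding of an if-block as a forward "jnz" are constructed here, and the static scope of a tainted branch is computed only for that simple shape (the fall-through block up to the jump target).

```python
"""Toy instruction-level taint tracker (constructed model, not the talk's QEMU code).

Rules modelled: data dependencies (mov), address dependencies (load/store
through a pointer register), control dependencies (a branch on tainted data
opens a static scope in which every write target is tainted) and untainting
by a constant function (xor %r, %r). Programs are lists of tuples such as
("mov", dst, src); "jnz" jumps forward to an absolute index when the register
is non-zero, which models a simple if-block.
"""


class TaintMachine:
    def __init__(self, regs=None, mem=None, tainted=(), track_control=True):
        self.regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
        self.regs.update(regs or {})
        self.mem = dict(mem or {})
        self.rt = {r: r in tainted for r in self.regs}   # register taint bits
        self.mt = {a: a in tainted for a in self.mem}    # memory taint bits
        self.track_control = track_control
        self.trace = []

    def _write_reg(self, reg, value, taint, in_scope):
        self.regs[reg] = value
        # inside a control-dependent scope the target is tainted regardless of operands
        self.rt[reg] = taint or in_scope

    def _write_mem(self, addr, value, taint, in_scope):
        self.mem[addr] = value
        self.mt[addr] = taint or in_scope

    def run(self, program):
        pc, scope_end = 0, -1
        while pc < len(program):
            ins, op = program[pc], program[pc][0]
            in_scope = pc < scope_end
            if op == "movi":                      # mov $imm, %dst: a constant clears taint
                _, dst, imm = ins
                self._write_reg(dst, imm, False, in_scope)
            elif op == "mov":                     # mov %src, %dst: data dependency
                _, dst, src = ins
                self._write_reg(dst, self.regs[src], self.rt[src], in_scope)
            elif op == "load":                    # mov (%ptr), %dst: address dependency
                _, dst, ptr = ins
                addr = self.regs[ptr]
                taint = self.rt[ptr] or self.mt.get(addr, False)
                self._write_reg(dst, self.mem.get(addr, 0), taint, in_scope)
            elif op == "store":                   # mov %src, (%ptr)
                _, ptr, src = ins
                self._write_mem(self.regs[ptr], self.regs[src],
                                self.rt[src] or self.rt[ptr], in_scope)
            elif op == "xor":
                _, dst, src = ins
                if dst == src:                    # xor %r, %r is a constant function: untaint
                    self._write_reg(dst, 0, False, in_scope)
                else:
                    self._write_reg(dst, self.regs[dst] ^ self.regs[src],
                                    self.rt[dst] or self.rt[src], in_scope)
            elif op == "jnz":                     # forward branch: skip the block if reg != 0
                _, reg, target = ins
                if self.rt[reg] and self.track_control:
                    # static scope of the tainted branch: fall-through block up to the join point
                    scope_end = max(scope_end, target)
                    self.trace.append(f"pc {pc}: branch on tainted {reg}, scope [{pc + 1}, {target})")
                if self.regs[reg] != 0:
                    pc = target
                    continue
            else:
                raise ValueError(f"unknown op {op!r}")
            pc += 1
        return self.rt, self.mt


# if (x == 'a') { y = 'a' } compiled for the toy machine: x in eax (tainted), y in edx
IF_PROGRAM = [
    ("movi", "ebx", ord("a")),
    ("mov", "ecx", "eax"),        # ecx = x           (data dependency)
    ("xor", "ecx", "ebx"),        # ecx = x ^ 'a'     (zero iff x == 'a')
    ("jnz", "ecx", 5),            # tainted branch; its scope is index 4
    ("movi", "edx", ord("a")),    # y = 'a': a constant, but written inside the scope
    ("xor", "eax", "eax"),        # eax cleared by a constant function
]


def run_if_example(track_control=True):
    m = TaintMachine(regs={"eax": ord("a")}, tainted={"eax"}, track_control=track_control)
    rt, _ = m.run(IF_PROGRAM)
    return rt


def run_address_example():
    # eax: tainted index into an untainted table; ecx: untainted pointer to tainted data
    m = TaintMachine(regs={"eax": 0x100, "ecx": 0x200}, mem={0x100: 5, 0x200: 7},
                     tainted={"eax", 0x200})
    rt, mt = m.run([
        ("load", "ebx", "eax"),   # ebx <- mem[eax]: tainted through the address
        ("load", "edx", "ecx"),   # edx <- mem[ecx]: tainted through the data
        ("movi", "eax", 0x300),
        ("store", "eax", "edx"),  # mem[0x300] <- edx: taint follows the store
    ])
    return rt, mt


if __name__ == "__main__":
    print("with control dependencies:   ", run_if_example(True))
    print("without control dependencies:", run_if_example(False))
    print(run_address_example())
```

Running run_if_example(False) shows what per-instruction rules miss: y is written from a constant, so it stays untainted although its value is a function of the tainted x. With the branch scope enabled, y becomes tainted, at the price the slide notes: any unrelated variable written inside the scope is tainted as well.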

SLIDE 44

cover control dependencies

Assume variable t is tainted

SLIDE 49

bridging the semantic gap

Some key tasks have to be performed to connect operating system information with hardware-level taint information:
  • Identify the currently executing task/thread
  • Check whether the current instruction is executed in the context of the BHO
  • Monitor operating system actions (task/thread switches) and system calls (creation of new processes, ...)

SLIDE 52

taint sources

A taint source defines a portion of data that is sensitive. Two taint sources have been implemented so far:
  • The URL that is loaded by Internet Explorer (IWebBrowser2::Navigate())
  • Contents of network packets received by Internet Explorer over TCP connections (NtDeviceIoControlFile)

SLIDE 54

taint sinks

Taint sinks are parts of the system that are of interest when they receive tainted data. So far, we have taint sinks for the following actions:
  • Writing to a file (including memory-mapped files)
  • Writing to the registry
  • Writing to network sockets (TCP/UDP)
  • Writing to shared memory regions (i.e., for interprocess communication)
  • Certain asm instructions (i.e., (string-)compares)
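Putting the taint sources and sinks of the last two slides together with the classification rule from the "behavior-based detection" slide and the report categories from the "analysis output" slide: the sink-side decision run over a log of hooked actions. This is an added example, not the talk's implementation. The Event record, the sink names, the sample log entries (paths, endpoints) and the "suspicious" rule (tainted data reaches only the compare-instruction sink, never a leak sink) are assumptions made here; the slides do not define how that class was assigned.

```python
"""Sink-side classification over a constructed log of hooked actions.

An added example, not the talk's QEMU-based implementation. Each Event is one
hooked system call or instruction sink observed during analysis; `tainted`
says whether the data involved carried taint from a source (URL or page
contents), `in_bho` whether the instruction executed in the BHO's context.
Classification rule assumed here: tainted data written to a leak sink =>
spyware; tainted data reaching only the compare-instruction sink =>
suspicious; otherwise benign.
"""
from collections import defaultdict
from dataclasses import dataclass

LEAK_SINKS = {"file_write", "registry_write", "socket_send", "shared_memory_write"}
OBSERVE_SINKS = {"string_compare"}

# report categories from the "analysis output" slide; instruction sinks get their own
REPORT_CATEGORY = {
    "file_write": "File actions",
    "socket_send": "Network actions",
    "shared_memory_write": "Interprocess communication",
    "registry_write": "Operating system actions",
    "process_create": "Operating system actions",
    "string_compare": "Instruction-level sinks",
}


@dataclass(frozen=True)
class Event:
    action: str      # hooked system call or instruction sink
    target: str      # file path, registry key, remote endpoint, ...
    in_bho: bool     # executed in the BHO's context
    tainted: bool    # data carried taint from a source


def classify(events):
    """Return (verdict, report) for the recorded events of one BHO."""
    report = defaultdict(list)
    leaks, observes = 0, 0
    for e in events:
        if not e.in_bho:           # the browser's own actions are not attributed to the BHO
            continue
        detail = f"{e.action} -> {e.target}"
        if e.tainted:              # enrich the report where sensitive data is involved
            detail += "  [carries data derived from URL/page contents]"
        report[REPORT_CATEGORY.get(e.action, "Other actions")].append(detail)
        if e.tainted and e.action in LEAK_SINKS:
            leaks += 1
        elif e.tainted and e.action in OBSERVE_SINKS:
            observes += 1
    verdict = "spyware" if leaks else "suspicious" if observes else "benign"
    return verdict, dict(report)


def format_report(name, verdict, report):
    lines = [f"{name}: {verdict}"]
    for category in sorted(report):
        lines.append(f"  {category}")
        lines.extend(f"    {d}" for d in report[category])
    return "\n".join(lines)


# constructed sample logs; endpoints use the RFC 5737 documentation address range
SAMPLE_LOGS = {
    "sample_a": [
        Event("string_compare", "url vs. keyword list", True, True),
        Event("file_write", r"C:\WINDOWS\Temp\visited.log", True, True),
        Event("socket_send", "198.51.100.7:80", True, True),
    ],
    "sample_b": [
        Event("registry_write", r"HKCU\Software\SampleToolbar\Position", True, False),
        Event("socket_send", "203.0.113.10:80", False, True),   # IE's own HTTP traffic
    ],
    "sample_c": [
        Event("string_compare", "url vs. blocklist", True, True),
        Event("file_write", r"C:\WINDOWS\Temp\toolbar.ini", True, False),
    ],
}


def analyze_samples(logs=SAMPLE_LOGS):
    """Verdict per sample: spyware / suspicious / benign."""
    return {name: classify(events)[0] for name, events in logs.items()}


if __name__ == "__main__":
    for name, events in SAMPLE_LOGS.items():
        verdict, report = classify(events)
        print(format_report(name, verdict, report))
```

The in_bho filter is where the semantic-gap bookkeeping of slide 49 pays off: sample_b sends tainted page data over the network, but the browser itself does so, not the BHO, so the event is neither reported against the BHO nor counted as a leak.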

SLIDE 59

automated analysis of BHOs

For batch analysis of multiple BHOs we implemented an automated testing tool:
  • First, the browser session of a user is captured (different kinds of web sites are visited)
  • For every BHO in the batch, replay the captured session and perform the analysis


SLIDE 61

the bare numbers

Results for analysis

                Spyware   False Negative   Benign   Suspicious   False Positive   Total
  Spyware          21
  Benign                                     12          1              1           14

Different mechanisms used by spyware to leak sensitive data

  Network   File System   Registry   Shared Memory   Total
       11             1          3               6      21

Automated crawling and analysis ongoing (millions of URLs, hundreds of samples)


SLIDE 65

details on false positive and suspicious samples

  • One false positive: PrivacyBird requests the w3c/p3p.xml document from the same server
  • One suspicious sample: LostGoggles requests a JavaScript file with the referrer set to the visited URL


SLIDE 67

details on spyware samples

  • zangohook.dll reads the current URL and copies it to a shared memory region that is then read by the Zango.exe “companion process”
  • e2give reads the URL of every site and compares it to a list (automatically detected) of URLs stored in the BHO; upon a match, the request is redirected to a different server with the original URL as a parameter
  • stup.dll submits the URLs of all visited pages to a remote server. This BHO is not detected by the latest versions (at the time of writing) of AdAware or SpyBot.
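The taint-sink list, the capture-and-replay procedure and the sample behaviours described on the slides above, put together as an added toy example. This is illustration code written for this page, not the authors' Qemu-based system and not the samples' own code: the `Tainted` value type, the `Sandbox` (a stand-in for the instrumented emulator), the URL taint source (assumed to be the URL the browser hands to the BHO on navigation), the session URLs, and the BHO models `zango_like`, `e2give_like`, `stup_like`, `lostgoggles_like` and `benign_like` are all constructed here. Following the mechanism table on the results slide, only the four write channels (network, file, registry, shared memory) are counted as leak mechanisms; compare-instruction hits are kept as evidence in the event list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string plus the taint labels it carries (an empty set means untainted)."""
    value: str
    labels: frozenset = frozenset()

    def concat(self, other):
        """Data dependency: the result carries the union of both operands' labels."""
        other = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.value + other.value, self.labels | other.labels)


class Sandbox:
    """Hypothetical stand-in for the instrumented emulator; one instance per replayed page."""

    def __init__(self, url):
        self.url = url
        self.events = []  # (sink kind, destination, labels) for tainted data reaching a sink

    def navigation_url(self):
        """Taint source (assumed here): the URL the browser hands to the BHO on navigation."""
        return Tainted(self.url, frozenset({"url"}))

    def _sink(self, kind, dest, data):
        if isinstance(data, Tainted) and data.labels:
            self.events.append((kind, dest, data.labels))

    # The sinks listed on the slide: file, registry, socket, shared memory, string compare.
    def write_file(self, path, data):
        self._sink("file", path, data)

    def write_registry(self, key, data):
        self._sink("registry", key, data)

    def send(self, host, data):
        self._sink("network", host, data)

    def write_shared_memory(self, name, data):
        self._sink("shared memory", name, data)

    def compare(self, a, b):
        """A compare on tainted data is a sink: the branch taken next depends on it."""
        self._sink("compare", "strcmp", a)

        def unwrap(x):
            return x.value if isinstance(x, Tainted) else x
        return unwrap(a) == unwrap(b)


# Constructed models of the behaviours the slides describe; not the samples' real code.
def zango_like(sb):
    sb.write_shared_memory("zango-section", sb.navigation_url())

def e2give_like(sb):
    url = sb.navigation_url()
    for target in ("http://shop.example/", "http://books.example/"):  # constructed URL list
        if sb.compare(url, target):
            sb.send("redirect.example", Tainted("GET /r?u=").concat(url))

def stup_like(sb):
    sb.send("collector.example", Tainted("GET /log?u=").concat(sb.navigation_url()))

def lostgoggles_like(sb):
    # The visited URL leaves in the Referer header: the "suspicious" case on the results slide.
    request = Tainted("GET /widget.js\r\nReferer: ").concat(sb.navigation_url())
    sb.send("lostgoggles.example", request)

def benign_like(sb):
    sb.write_file(r"C:\prefs.ini", Tainted("toolbar=visible"))  # untainted: no event


# Captured session (constructed) and batch replay, as on the "automated analysis" slide.
SESSION = ["http://news.example/front", "http://shop.example/", "http://mail.example/inbox"]
LEAK_SINKS = {"network", "file", "registry", "shared memory"}  # compares are evidence, not leaks

def replay(bho, session=SESSION):
    """Replay every captured URL against one BHO in a fresh sandbox; return all sink events."""
    events = []
    for url in session:
        sb = Sandbox(url)
        bho(sb)
        events.extend((url, kind, dest, sorted(labels)) for kind, dest, labels in sb.events)
    return events

def leak_mechanisms(events):
    """Which of the slide's leak channels a sample used (network / file / registry / shm)."""
    return {kind for _, kind, _, _ in events if kind in LEAK_SINKS}

def run_batch(bhos, session=SESSION):
    """One report per BHO: the leak mechanisms plus the raw events behind them."""
    report = {}
    for name, bho in bhos.items():
        events = replay(bho, session)
        report[name] = {"mechanisms": leak_mechanisms(events), "events": events}
    return report

BATCH = {"zangohook": zango_like, "e2give": e2give_like, "stup": stup_like,
         "lostgoggles": lostgoggles_like, "benign": benign_like}
```

`run_batch(BATCH)` returns one report per model: the Zango-style model shows up under "shared memory", the e2give-style model produces six compare events and one network event (only the visited URL that matches its constructed list is redirected), the stup- and LostGoggles-style models show up under "network", and the benign model produces no event at all because the constant it writes carries no label. Each URL is replayed in a fresh `Sandbox`, so a sample cannot carry state from one page to the next, which is what lets the per-sample report be attributed to individual pages.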


SLIDE 70

summary

  • Taint-tracking-based, behavioral spyware analysis
  • Focus is on BHOs
  • Covers data, address, and control dependencies
  • Able to detect previously unknown spyware instances


SLIDE 74

Thank You

Questions?
