Spyware Detection

Behavioral classification of spyware and detection through static and dynamic analysis.


Over the past several years, spyware has become both a major nuisance as well as a major security threat to systems around the world. While the degree of maliciousness varies considerably between instances, the fact remains that this software is generally unwanted and installed surreptitiously via "free" software (often with ambiguous and painful-to-read end user license agreements) and browser vulnerabilities. The current approach to alleviating this problem has been to apply the de facto solution for viruses and other forms of malware, namely binary signature generation and matching. This approach, of course, has the drawback of being extremely specific to each instance of malware that is to be detected and fails miserably in the face of code transformations applied by modern polymorphic worms and viruses. Our approach to this problem utilizes both dynamic and static analysis in order to determine if an unknown component displays spyware-like behavior. By doing this, the detection is based on the behavior of the component and not on a specific sequence of bytes in its binary representation. We built a prototype tool based on our behavior-based approach that detects spyware that exploits the Browser Helper Object (BHO) interface of Internet Explorer. More specifically, a component is identified as being spyware if shows the following behavior in response to browser events:
  1. it monitors user behavior by interacting with the web browser and
  2. it invokes Windows API calls that can potentially leak information about this behavior (e.g., calls to save the data to a file or transmit information to a remote host).
Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events should be considered malicious. More precisely, the two types of analysis are used to determine which code is executed in association with simulated events and if the code includes calls to suspicious APIs. Further discussion of our results can be found in our publication.


Component Object Model (COM)
A binary standard developed by Microsoft in order to facilitate a component based software market, implementation language independence, and interoperability.
Browser Helper Object (BHO)
A lightweight COM object that is loaded automatically by a web browser like Internet Explorer. It is capable of registering for browser events and controlling browser behavior through interfaces exported by the browser.
Bowser Toolbar
Similar to a BHO, except that it contains a graphical component and is expected to implement several other interfaces.


2006 (1 publication)

Behavior-based Spyware Detection E. Kirda, C. Kruegel, G. Banks, G. Vigna, R. Kemmerer Proceedings of the USENIX Security Symposium (USENIX Security 2006) BibTeX PDF (325.5 KB)

This research was supported by the Austrian Science Foundation (FWF), under grant No. P18157, the Secure Business Austria competence center, the U.S. Army Research Office, under agreement DAAD19-01-1-0484, and by the National Science Foundation, under grants CCR-0238492 and CCR-0524853.

Research topics

People involved


Master Students

Last update
May 24, 2011, 11:02 a.m.