Behavioral classification of spyware and detection through static and dynamic analysis.
Description

Over the past several years, spyware has become both a major nuisance and a major security threat to systems around the world. While the degree of maliciousness varies considerably between instances, this software is generally unwanted and is installed surreptitiously, either bundled with "free" software (often under ambiguous and painful-to-read end user license agreements) or through browser vulnerabilities. The current approach to the problem has been to apply the de facto solution for viruses and other forms of malware: generating and matching binary signatures. That approach is extremely specific to each instance of malware to be detected, and it fails in the face of the code transformations applied by modern polymorphic worms and viruses. Our approach instead combines dynamic and static analysis to determine whether an unknown component displays spyware-like behavior. Detection is therefore based on what the component does, not on a specific sequence of bytes in its binary representation. We built a prototype tool based on this behavior-based approach that detects spyware exploiting the Browser Helper Object (BHO) interface of Internet Explorer. More specifically, a component is identified as spyware if it shows both of the following behaviors in response to browser events:
- it monitors user behavior by interacting with the web browser and
- it invokes Windows API calls that can potentially leak information about this behavior (e.g., calls to save the data to a file or transmit information to a remote host).
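The following is an added illustration of the two-part criterion, not the prototype's code: the prototype derives a component's behavior from static and dynamic analysis of the BHO binary, whereas this toy classifier consumes a constructed trace of the calls a component made, each tagged with the browser event whose handler made it (None when the call happened outside any handler, such as during SetSite initialization or teardown). The event, COM method and Windows API names are real Internet Explorer and Win32 identifiers, but the particular sets chosen as "monitoring" and "leak-capable", and the three traces, are assumptions made for the example. A component is flagged only when both behaviors occur in response to browser events, which is why the benign toolbar (whose only write happens outside a handler) and the auto-updater (which writes and connects but never observes the user) are not flagged.

```python
"""Toy behavior-based spyware classifier for Browser Helper Objects.

Added illustration, not the prototype described on this page. The analysis
output is replaced by a constructed trace: each entry records a call made by
the component and the browser event whose handler it was made from (None when
the call happened outside any event handler).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# DWebBrowserEvents2 events a BHO can subscribe to (real Internet Explorer names).
BROWSER_EVENTS = {"BeforeNavigate2", "NavigateComplete2", "DocumentComplete",
                  "DownloadComplete", "TitleChange"}

# Browser interface methods through which a component observes what the user is
# doing (real IWebBrowser2 / IHTMLDocument2 names; the chosen set is an assumption).
MONITOR_CALLS = {"IWebBrowser2::get_LocationURL", "IHTMLDocument2::get_cookie",
                 "IHTMLDocument2::get_forms", "IHTMLDocument2::get_body"}

# Windows API calls that can carry observed data out of the process: file,
# registry, network (real Win32/WinINet names; the chosen set is an assumption).
LEAK_CALLS = {"WriteFile", "RegSetValueExW", "send", "WSASend",
              "HttpSendRequestW", "InternetOpenUrlW"}


@dataclass(frozen=True)
class Call:
    event: Optional[str]   # browser event handler the call was made from, or None
    callee: str            # COM method or Windows API function invoked


def classify(trace: Iterable[Call]) -> Tuple[bool, Dict[str, Set[str]]]:
    """Flag a component as spyware if, in response to browser events, it both
    monitors the user (MONITOR_CALLS) and invokes a leak-capable API (LEAK_CALLS).
    Calls made outside an event handler are ignored: persisting settings at load
    or unload time is not behavior 'in response to browser events'."""
    evidence: Dict[str, Set[str]] = {"monitor": set(), "leak": set()}
    for call in trace:
        if call.event not in BROWSER_EVENTS:
            continue
        if call.callee in MONITOR_CALLS:
            evidence["monitor"].add(f"{call.event}->{call.callee}")
        elif call.callee in LEAK_CALLS:
            evidence["leak"].add(f"{call.event}->{call.callee}")
    is_spyware = bool(evidence["monitor"]) and bool(evidence["leak"])
    return is_spyware, evidence


# Constructed traces for the example (not real captures).
SPYWARE_TRACE = [
    Call("BeforeNavigate2", "IWebBrowser2::get_LocationURL"),  # read every URL visited
    Call("BeforeNavigate2", "WriteFile"),                      # append it to a log file
    Call("DocumentComplete", "IHTMLDocument2::get_forms"),     # scrape form contents
    Call("DocumentComplete", "HttpSendRequestW"),              # post them to a remote host
]

# A toolbar that displays the current URL and saves its preferences when unloaded:
# it observes the browser, but its only write happens outside any event handler.
BENIGN_TOOLBAR_TRACE = [
    Call("NavigateComplete2", "IWebBrowser2::get_LocationURL"),
    Call(None, "RegSetValueExW"),   # SetSite(NULL) teardown: persist preferences
]

# An auto-updater that fetches a file after each download but never inspects what
# the user does: it cannot leak what it never observed.
UPDATER_TRACE = [
    Call("DownloadComplete", "InternetOpenUrlW"),
    Call("DownloadComplete", "WriteFile"),
]

SAMPLES = [("spyware", SPYWARE_TRACE), ("toolbar", BENIGN_TOOLBAR_TRACE),
           ("updater", UPDATER_TRACE)]


def verdicts() -> Dict[str, bool]:
    """Classify every sample trace; returns name -> flagged-as-spyware."""
    return {name: classify(trace)[0] for name, trace in SAMPLES}


if __name__ == "__main__":
    for name, trace in SAMPLES:
        flagged, ev = classify(trace)
        print(f"{name}: {'SPYWARE' if flagged else 'benign'} "
              f"monitor={sorted(ev['monitor'])} leak={sorted(ev['leak'])}")
```

Because the verdict depends on which browser-interface and Windows API calls the component's event handlers reach, rather than on any byte pattern in the DLL, repacking or obfuscating the binary does not change the outcome as long as the handlers still perform the same calls; conversely, the whitelists above are the part a practitioner would need to tune, since a monitoring call that is missing from MONITOR_CALLS or a novel exfiltration channel missing from LEAK_CALLS produces a miss.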
- Component Object Model (COM): a binary standard developed by Microsoft to facilitate a component-based software market, implementation language independence, and interoperability.
- Browser Helper Object (BHO): a lightweight COM object that is loaded automatically by a web browser such as Internet Explorer. It can register for browser events and control browser behavior through interfaces exported by the browser.
- Browser Toolbar: similar to a BHO, except that it contains a graphical component and is expected to implement several additional interfaces.