Webcams are commonly used by advanced malware to spy on computer users. Victims are silently filmed without their knowledge for extended periods of time. Recent attack trends show that webcam video covertly recorded by malware is used beyond the boundaries of the cyber domain and is thus combined with human factors. The Delilah malware, for example, lurks on a compromised machine while using the webcam to capture details about family, work, social connections, and any other element of a target user's life. The attackers then blackmail the target user with the goal of turning him/her into an insider threat to his/her employer: they ask the victim to hand over industrial secrets in return for not disclosing video that is highly sensitive to him/her. In this paper we discuss an approach that enables the defender to sustain prolonged interaction with attackers for defensive and forensics purposes. The approach uses a decoy webcam on machines in production. It relies on a decoy video traffic injector module, as well as on learning the operational dynamics of real webcams. A webcam shadowing mechanism alternates between the real webcam and the decoy webcam. That mechanism causes malware to target the decoy webcam while still enabling the user to see, and hence use, only the real webcam. The approach can feed decoy webcam traffic into the data stream that malware intercepts and sends to attackers. The decoy webcam is robust to probes and is able to coexist with production functions.
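The following is an added toy model of the shadowing idea described in the abstract; it is not the paper's implementation and all names (RealWebcam, WebcamProfile, DecoyWebcam, WebcamShadow) are assumptions made here. It shows the three pieces the abstract names: a profile learned from the real device's operational dynamics (geometry and frame cadence), a decoy feed shaped to that profile so that a simple probe of resolution or timing cannot tell the two apart, and a shadow layer that hands the real feed only to the user's allow-listed application while every other reader is diverted to the decoy and recorded in an audit trail for later forensics. Frames are small tuples rather than images so the script runs offline.

```python
"""Toy webcam-shadowing model (added illustration, not the paper's code)."""
import statistics
from dataclasses import dataclass
from typing import List, Set, Tuple

# (width, height, payload): a constructed stand-in for an image frame
Frame = Tuple[int, int, bytes]


@dataclass
class RealWebcam:
    """Constructed stand-in for a physical webcam with fixed geometry and cadence."""
    width: int = 640
    height: int = 480
    interval_ms: float = 33.3   # roughly 30 frames per second
    _t: float = 0.0             # simulated clock, advanced on every read

    def read(self) -> Tuple[float, Frame]:
        self._t += self.interval_ms
        return self._t, (self.width, self.height, b"REAL")


@dataclass
class WebcamProfile:
    """Operational dynamics learned by sampling the real webcam."""
    width: int
    height: int
    mean_interval_ms: float

    @classmethod
    def learn(cls, cam: RealWebcam, samples: int = 30) -> "WebcamProfile":
        # Sample timestamps to estimate the inter-frame interval ...
        stamps = [cam.read()[0] for _ in range(samples)]
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        # ... and one more frame to learn the geometry.
        w, h, _ = cam.read()[1]
        return cls(w, h, statistics.mean(deltas))


class DecoyWebcam:
    """Decoy feed shaped to the learned profile (same geometry, same cadence)."""

    def __init__(self, profile: WebcamProfile, decoy_frames: List[bytes]):
        self.profile = profile
        self.decoy_frames = decoy_frames   # constructed decoy content, cycled
        self._i = 0
        self._t = 0.0

    def read(self) -> Tuple[float, Frame]:
        self._t += self.profile.mean_interval_ms
        payload = self.decoy_frames[self._i % len(self.decoy_frames)]
        self._i += 1
        return self._t, (self.profile.width, self.profile.height, payload)


class WebcamShadow:
    """Routes each consumer to the real or the decoy webcam.

    Only allow-listed consumers (the user's own video application) receive the
    real feed; any other reader gets the decoy stream.  Every routing decision
    is kept in an audit list so the defender can see who was diverted.
    """

    def __init__(self, real: RealWebcam, decoy: DecoyWebcam, allowed: Set[str]):
        self.real, self.decoy, self.allowed = real, decoy, allowed
        self.audit: List[Tuple[str, str]] = []

    def read(self, consumer: str) -> Frame:
        source = "real" if consumer in self.allowed else "decoy"
        self.audit.append((consumer, source))
        _, frame = (self.real if source == "real" else self.decoy).read()
        return frame


if __name__ == "__main__":
    cam = RealWebcam()
    shadow = WebcamShadow(cam, DecoyWebcam(WebcamProfile.learn(cam),
                                           [b"DECOY0", b"DECOY1"]),
                          allowed={"video-chat"})
    shadow.read("video-chat")
    shadow.read("unknown-process")
    print(shadow.audit)
```

The routing decision is made per consumer identity rather than per device, which is what lets the user keep using the real webcam while an unexpected reader is served the decoy; the audit list is the hook for the "defensive and forensics" use the abstract mentions.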