Examining Web-Based Spyware Invasion with Stateful Behavior Monitoring

Spyware infections that exploit vulnerabilities in client-side Web applications, especially the browser, to install malicious programs have gained significant popularity in recent years. Unlike traditional infection vectors such as software bundling in shareware/freeware and placing a Trojan in a pirated copy of commercial software, which generally require user consent for a successful installation, Web-based spyware exploits browser vulnerabilities to achieve automatic installation (a.k.a. drive-by download). In this paper, we characterize the behavior of spyware instances collected from software bundling and of those collected from exploit Web pages in terms of auto-start extensibility points (ASEPs) and other spyware behaviors. We use a tool called STARS (Stateful Threat-Aware Removal System) that monitors critical areas of the system and detects advanced features of a spyware instance such as self-healing. Experimental results show that traditional spyware and Web-based spyware use different combinations of ASEPs to resist deletion. The latter hooks into low-level system components and is loaded as services and/or drivers, employing a Layered Service Provider (LSP) to interpret network traffic. Our observations identify unique behaviors performed by Web-based spyware that are rarely found in traditional spyware.
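As an added illustration (not code from the paper or from STARS), the following Python sketch shows the stateful idea behind the monitor described above: remembering which ASEP entries an operator deleted so that their reappearance can be flagged as self-healing, and flagging new service, driver or LSP entries as low-level hooks. The ASEP categories, entry names and snapshots are constructed for the example.

```python
"""Stateful ASEP monitor sketch: flags auto-start entries that reappear after
the operator deleted them (the self-healing behaviour described above) and
new low-level hooks (services, drivers, LSP entries).  Snapshots are
constructed dicts, not real registry or Winsock catalog reads."""

# Categories the paper associates with Web-based spyware: low-level hooks.
LOW_LEVEL = {"services", "drivers", "lsp"}


class StatefulAsepMonitor:
    def __init__(self, baseline):
        # baseline: {category: set(entries)} taken while the system is trusted
        self.last = {cat: set(v) for cat, v in baseline.items()}
        self.removed = set()  # (category, entry) pairs the operator deleted

    def record_removal(self, category, entry):
        """Remember a deliberate deletion so a reappearance is recognised."""
        self.removed.add((category, entry))
        self.last.setdefault(category, set()).discard(entry)

    def observe(self, snapshot):
        """Diff a new snapshot against remembered state; return alert tuples."""
        alerts = []
        for category in sorted(set(self.last) | set(snapshot)):
            before = self.last.get(category, set())
            after = set(snapshot.get(category, ()))
            for entry in sorted(after - before):
                if (category, entry) in self.removed:
                    alerts.append(("self-healing", category, entry))
                elif category in LOW_LEVEL:
                    alerts.append(("low-level-hook", category, entry))
                else:
                    alerts.append(("new-asep", category, entry))
            self.last[category] = after
        return alerts


# Constructed run: an entry the operator deleted from the Run key comes back,
# and a new service plus a new LSP module appear at the same time.
BASELINE = {"run": {"helper_stub.exe"}, "services": {"SampleSvc"},
            "lsp": {"base_provider.dll"}}
NEXT = {"run": {"helper_stub.exe"}, "services": {"SampleSvc", "updsvc_stub"},
        "lsp": {"base_provider.dll", "hook_stub.dll"}}


def demo():
    mon = StatefulAsepMonitor(BASELINE)
    mon.record_removal("run", "helper_stub.exe")  # operator deletes it
    return mon.observe(NEXT)
```

Without the recorded removal the returning Run entry would look unchanged against the baseline, which is why the monitor has to keep state between snapshots rather than diff two arbitrary ones.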
