
Upload: prosper-white

Post on 29-Dec-2015


The Solution

Write a spyware detection program that does not use a reference list. Instead, find spyware using tests that look for files that exhibit traits common to spyware programs. These traits include file size, name, type, location and creation date. This way, the program does not need to be constantly updated, and is not bound by what its creator has deemed spyware. The program scans a computer, testing all files and directories it encounters, and decides what files are spyware based on the tests that they pass.

Some example directory tests

• No executable file except for the uninstall file

• No executable files, and a dll file with a similar name as the directory itself

• A lot of large dat files

The Problem

Most spyware detection tools work by using their own lists of known spyware programs. This means that anything not on this list will not be caught, including anything released since the last update, or programs that the maker of the tool has decided are not spyware.

Testing

Patterns look for certain traits in a file’s name, size and type. Each pattern has a code associated with it, so that when a file matches a pattern its own code reflects this.

Pattern                Code
SizePattern 400, 800   00000001
NamePattern "spy"      00000010
TypePattern "exe"      00000100

Tests are combinations of patterns that are common among spyware files. Each test has a code associated with it, which is the combination of the codes making up its patterns. Tests also have probabilities associated with them, and any time a file passes a given test its probability of being spyware is increased according to that test’s probability value.

Test         Code
SpywareExe   00000110 – looks for exe files with the word ‘spy’ in the name
SmallExe     00000101 – looks for exe files between 400 and 800 bytes

Files can easily be tested by bitwise-anding their pattern codes (code for the patterns that file has passed) with each test’s code. If the result of this operation is the same as the test’s code, then the file has passed that test.

Filename       Size   Pattern Code   Pattern & SpywareExe Code   Pattern & SmallExe Code
Spyware.exe    2KB    00000110       00000110 (PASS)             00000100 (FAIL)
kernel32.dll   450B   00000001       00000010 (FAIL)             00000001 (FAIL)
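The pattern-code and bitwise test matching described in the Testing section, as an added Python example (not the project's own code). The per-test weights and the way passed tests combine into one probability are assumptions; the poster only says that each passed test raises the file's probability.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Pattern codes from the poster: each pattern owns one bit.
SIZE_400_800 = 0b00000001  # SizePattern 400, 800
NAME_SPY     = 0b00000010  # NamePattern "spy"
TYPE_EXE     = 0b00000100  # TypePattern "exe"


@dataclass(frozen=True)
class FileInfo:
    name: str
    size: int  # bytes


# Each pattern is (bit, predicate on the file).
PATTERNS: List[Tuple[int, Callable[[FileInfo], bool]]] = [
    (SIZE_400_800, lambda f: 400 <= f.size <= 800),
    (NAME_SPY,     lambda f: "spy" in f.name.lower()),
    (TYPE_EXE,     lambda f: f.name.lower().endswith(".exe")),
]

# Test code = OR of its pattern codes. Weights are assumed values.
TESTS: Dict[str, Tuple[int, float]] = {
    "SpywareExe": (NAME_SPY | TYPE_EXE, 0.6),
    "SmallExe":   (SIZE_400_800 | TYPE_EXE, 0.3),
}


def pattern_code(f: FileInfo) -> int:
    """Set one bit for every pattern the file matches."""
    code = 0
    for bit, matches in PATTERNS:
        if matches(f):
            code |= bit
    return code


def passes(code: int, test_code: int) -> bool:
    """AND the file's code with the test's code; pass if every test bit survives."""
    return code & test_code == test_code


def score(f: FileInfo) -> Tuple[int, List[str], float]:
    """Return (pattern code, passed tests, combined spyware probability)."""
    code = pattern_code(f)
    passed = [name for name, (tc, _) in TESTS.items() if passes(code, tc)]
    # Assumed combination rule: treat passed tests as independent evidence.
    miss = 1.0
    for name in passed:
        miss *= 1.0 - TESTS[name][1]
    return code, passed, round(1.0 - miss, 4)
```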

Senior Project – Computer Science - 2006

SPYWARE DETECTION

Jeff Rosenberg

Advisor: Professor Hemmendinger

Spyware can cause an infected machine to look like this one. Lots of popup ads, unwanted toolbars and advertisements, and an internet connection so slow it is almost unusable.

Program Interface

Sometimes it is impossible to distinguish between what is spyware and what isn’t. So, the program gives the user the option to mark any detected files as ‘good,’ meaning they will be saved to a special list and never detected again.

Files are removed by moving them to a special quarantine folder and appending some extra characters to their names. This way they cannot be executed as normal, since they won’t be able to be found.

Files that are already running can’t be moved, so a special cleanup program is executed on the next restart to move and rename these files before they have a chance to start. A value is placed in the registry to tell the system to run the cleanup program the next time it restarts. Any number of files can be selected for removal or to be marked as not spyware.

Future Work

• Learning - have the program adjust test parameters on the fly, in reaction to the user’s input. Also, have it create new tests based on new traits that it sees exhibited by spyware programs.

• Optimization – there is a lot of room for speed improvements in some of the algorithms used for searching.

A computer can be searched starting from any root directory, with all the results displayed along with their probabilities of being spyware.

Date Testing

These files in C:\Windows\system32\ were all created at the exact same time – a good indication of spyware.

These other files in C:\Program Files\ are not part of a large cluster, but have the same creation date as those files above, another good indication of spyware.
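The creation-date test described above, as an added Python example (not the project's own code): files are grouped by exact creation time, a directory holding at least MIN_CLUSTER same-time files counts as a cluster, and files elsewhere that share that timestamp are flagged too. The threshold and the sample listing are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

MIN_CLUSTER = 3  # assumed: same-time files in one directory that make a "large cluster"


@dataclass(frozen=True)
class Entry:
    path: str          # full Windows path
    created: datetime  # creation timestamp


def dir_of(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def date_suspects(entries: List[Entry]) -> Dict[str, str]:
    """Map path -> reason for every entry the creation-date test flags."""
    by_time: Dict[datetime, List[Entry]] = defaultdict(list)
    for e in entries:
        by_time[e.created].append(e)
    flagged: Dict[str, str] = {}
    for group in by_time.values():
        per_dir = Counter(dir_of(e.path) for e in group)
        cluster_dirs = {d for d, n in per_dir.items() if n >= MIN_CLUSTER}
        if not cluster_dirs:
            continue  # a timestamp shared by a few scattered files is not evidence
        for e in group:
            if dir_of(e.path) in cluster_dirs:
                flagged[e.path] = "member of a same-time cluster"
            else:
                flagged[e.path] = "same creation time as a cluster elsewhere"
    return flagged


# Constructed sample listing (not real files) mirroring the poster's two screenshots.
T = datetime(2006, 3, 14, 9, 30, 0)
SAMPLE = [
    Entry(r"C:\Windows\system32\abcd.dll", T),
    Entry(r"C:\Windows\system32\efgh.dll", T),
    Entry(r"C:\Windows\system32\ijkl.exe", T),
    Entry(r"C:\Program Files\Foo\foo.exe", T),
    Entry(r"C:\Program Files\Bar\bar.exe", datetime(2005, 11, 2, 16, 5, 0)),
]

if __name__ == "__main__":
    for path, reason in date_suspects(SAMPLE).items():
        print(f"{path}: {reason}")
```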