Panorama: Capturing system-wide information flow for malware detection and analysis

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 116-127

  Yin, Heng ^a   Song, Dawn ^a   Egele, Manuel ^b   Kruegel, Christopher ^b   Kirda, Engin ^b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

Author keywords

Dynamic taint analysis; Malware analysis; Malware detection; Spyware

Indexed keywords

BACKDOORS; CAPTURING SYSTEM; FALSE POSITIVE; GOOGLE DESKTOP; INFORMATION ACCESS; INFORMATION FLOWS; KEYLOGGERS; MALWARE DETECTION; MALWARES; MEDIA PLAYERS; REMOTE SERVERS; ROOTKITS; SENSITIVE INFORMATIONS; SPY-WARE;

COMPUTER SOFTWARE; DYNAMIC ANALYSIS; SECURITY OF DATA;

COMPUTER CRIME;

EID: 77950788046     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315261     Document Type: Conference Paper

References (39)

1. AutoHotkey. http://www.autohotkey.com/.
2. D. Beck, B. Vo, and C. Verbowski. Detecting stealth software with strider ghostbuster. In Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN'05), pages 368-377, June 2005.
3. F. Bellard. Qemu, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, April 2005.
4. Blacklight. http://www.europe.f-secure.com/exclude/blacklight/.
5. Bochs: The open source IA-32 emulation project. http://bochs.sourceforge. net/.
6. D. Brumley, C. Hartwig, M. G. Kang, Z. Liang, J. Newsome, D. Song, and H. Yin. BitScope: Automatically dissecting malicious binaries. Technical Report CMU-CS-07-133, School of Computer Science, Carnegie Mellon University, March 2007.
7. D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin. Botnet Analysis, chapter Automatically Identifying Trigger-based Behavior in Malware. 2007.
8. J. Butler and G. Hoglund. VICE-catch the hookers! In Black Hat USA, July 2004. http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04- butlerpdf.
9. J. Butler and S. Sparks. Shadow walker: Raising the bar for windows rootkit detection. In Phrack 63, July 2005.
10. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In Proceedings of the 13th USENIX Security Symposium (Security'03), August 2004.
11. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (Oakland'05), May 2005.
12. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), October 2005.
13. J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the 37th International Symposium on Microarchitecture (MICRO'04), December 2004.
14. M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic Spyware Analysis. In Proceed i ngs of the 2007 Usenix Annual Conference (Usenix'07), June 2007.
15. P. Ferrie. Attacks on virtual machine emulators. Symantec Security Response, December 2006.
16. GINA spy. http://www.codeproject.com/useritems/GINA-SPY. Asp.
17. A. Goel, K. Po, K. Farhadi, Z. Li, and E. de Lara. The taser intrusion recovery system. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), October 2005.
18. Google's desktop search red flag. http://www.internetnews.com/xSP/ article.php/3584131.
19. Google Desktop - Privacy Policy. http://desktop. google.com/en/ privacypolicy.html.
20. A. Ho, M. Fetterman, C. Clark, A. Watfield, and S. Hand. Practical taint-based protection using demand emulation. In EuroSys 2006, April 2006.
21. F. Hsu, H. Chen, T. Ristenpart, J. Li, and Z. Su. Back to the future: A framework for automatic malware removal and system repair. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC'06), December 2006.
22. The IDA Pro Disassembler and Debugger. http://www.datarescue.com/idabase/ .
23. S. T. King and P. M. Chen. Backtracking intrusions. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP'03), pages 223-236, October 2003.
24. A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (Oakland'07), May 2007.
25. A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy. A crawler-based study of spyware in the web. In Proceeding of the 13th Network and Distributed System Security (NDSS'06), February 2006.
26. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS'05), February 2005.
27. T. Ormandy. An Empirical Study into the Security Exposure to Host of Hostile Virtualized Environments. http://taviso.decsystem.org/virtsecpdf.
28. G. Portokalidis, A. Slowinska, and H. Bos. Argos: an emulator for fingerprinting zero-day attacks. In EuroSys 2006, April 2006.
29. Qemu. http://fabrice.bellard.free.fr/qemu/.
30. F. Qin, S. Lu, and Y. Zhou. Safemem: Exploiting ECC-memory for detecting memory leaks and memory corruption during production runs. In Proceedings of the 11th International Symposium on High-Performance Computer Architecture (HPCA'05), February 2005.
31. F. Qin, C. Wang, Z. Li, H. seop Kim, Y. Zhou, and Y. Wu. LIFT: A low-overhead practical information flow tracking system for detecting general security attacks. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06), December 2006.
32. Rootkit revealer. http://www.sysinternals.com/Files/RootkitRevealer.zip.
33. J. Rutkowska. System virginity verifier: Defining the roadmap for malware detection on windows systems. In Hack In The Box Security Conference, September 2005. http://www.invisiblethings.org/papers/hitb05-virginity-verifier.ppt.
34. Sony's DRM Rootkit: The Real Story. http://www.schneier.com/blog/ archives/2005/11/sonys-drm-rootk.html.
35. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'04), October 2004.
36. The Sleuth Kit (TSK). http://www.sleuthkit.org/sleuthkit/.
37. A. Vasudevan and R. Yerraballi. Cobra: Fine-grained Malware Analysis using Stealth Localized-Executions. In Proceedings of 2006 IEEE Symposium on Security and Privacy (Oakland'06)), may 2006.
38. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceeding of the Network and Distributed System Security Symposium (NDSS'07), February 2007.
39. Y.-M. Wang, R. Roussev, C. Verbowski, A. Johnson, M.-W. Wu, Y. Huang, and S.-Y. Kuo. Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for spyware management. In Proceedings of the Large Installation System Administration Conference (LISA'04), November 2004.