15th USENIX Security Symposium; Pp. 273–288 of the Proceedings
Engin Kirda and Christopher Kruegel; Secure Systems Lab Technical University Vienna
Greg Banks, Giovanni Vigna, and Richard A. Kemmerer; Department of Computer Science University of California, Santa Barbara
Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user’s workstation to monitor his/her actions and gather private information about a user’s behavior. Current anti-spyware tools operate in a way similar to traditional anti-virus tools, where signatures associated with known spyware programs are checked against newly-installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations.
This paper presents a novel technique for spyware detection that is based on the characterization of spyware-like behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer’s Browser Helper Object (BHO) and toolbar interfaces to monitor a user’s browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events should be considered malicious. The evaluation of our technique on a representative set of spyware samples shows that it is possible to reliably identify malicious components using an abstract behavioral characterization.