Matthew Williamson Sana Security Inc.
Malicious code that steals information is becoming increasingly common as the information gathered can be readily used for monetary gain. Stolen financial details can be used for fraudulent purchases or money laundering, while corporate secrets can lead to extortion and public embarrassment.
Signature-based mechanisms (anti-virus and anti-spyware) are not ideally suited to this threat. These techniques cannot detect previously unknown malware, and rely on submitted samples to generate new signatures. However, this type of malware is written to be unobtrusive, making detection difficult and restricting the supply of samples. Even if a signature is generated, it is unlikely to give good protection, as the malware can be easily obfuscated, or use rootkit-like techniques to evade detection.
The alternative is to base detection on the program behaviour. This paper presents a framework that can be used to summarize and understand the behaviours exhibited by information-stealing malware. The framework consists of a number of behavioural characteristics that are carefully chosen to be fundamental to the malware's operation, and so reflect the underlying motivations of the malware writer.
The framework was developed using data from over 50 real malware examples, and allows those to be classified into three classes of installation programs, and four classes of payload-carrying programs.
The results of this analysis give some idea of the difficulty and potential for detecting this type of malware using behavioural techniques. The approach is generic and can be applied to any malicious code including viruses.
