Report ID
2006-03
Report Authors
Greg Banks, Giovanni Vigna, and Richard A. Kemmerer
Report Date
Abstract

Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user's workstation to monitor his/her actions and gather private information about the user's behavior. Current anti-spyware tools operate in a way similar to traditional anti-virus tools, where signatures associated with known spyware programs are checked against newly-installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations.

This paper presents a novel technique for spyware detection that is based on the characterization of spyware-like behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer's Browser Helper Object (BHO) and toolbar interfaces to monitor a user's browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events is to be considered malicious. The evaluation of our technique on a representative set of spyware samples shows that it is possible to reliably identify malicious components using an abstract behavioral characterization.

Document
2006-03.pdf (773.21 KB)