Detecting stealth software with Strider GhostBuster

Authors: Yi-Min Wang, D. Beck, Binh Vo, R. Roussev, C. Verbowski

DOI: 10.1109/DSN.2005.39

Keywords:

Abstract: Stealth malware programs that silently infect enterprise and consumer machines are becoming a major threat to the future of the Internet. Resource hiding is a powerful stealth technique commonly used by malware to evade detection by computer users and anti-malware scanners. In this paper, we focus on a subclass of malware, termed "ghostware", which hides files, configuration settings, processes, and loaded modules from the operating system's query and enumeration application programming interfaces (APIs). Instead of targeting individual stealth implementations, we describe a systematic framework for detecting multiple types of hidden resources by leveraging the hiding behavior itself as a detection mechanism. Specifically, we adopt a cross-view diff-based approach to ghostware detection: a high-level infected scan is compared with a low-level clean scan, or alternatively an inside-the-box infected scan is compared with an outside-the-box clean scan. We describe the design and implementation of the Strider GhostBuster tool and demonstrate its efficiency and effectiveness in detecting real-world ghostware such as rootkits, Trojans, and key-loggers.
