
Latest publications: 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)

Heuristic malware detection via basic block comparison
Francis Adkins, Luke Jones, M. Carlisle, Jason Upchurch
Each day, malware analysts are tasked with more samples than they have the ability to analyze by hand. To produce this trend, malware authors often reuse a significant portion of their code. In this paper, we introduce a technique to statically decompose malicious software to identify shared code. This technique variably applies a sliding-window methodology to either full files or individual basic blocks to produce representative similarity ratios either between two binaries or between two functionalities within binaries, respectively. This grants the ability to apply heuristic detection via threshold similarity matching as well as full-inclusivity matching for malicious functionality. Additionally, we apply generalization techniques to minimize local assembly variants while still maintaining consistent structural matching. We also identify improvements that this technique provides over previous technologies and demonstrate its success in practical sample detection. Finally, we suggest further applications of this technique and highlight possible contributions to modern malware detection.
DOI: https://doi.org/10.1109/MALWARE.2013.6703680 | Published: 2013-10-01 | Citations: 20
Use-case-specific metrics for comparative testing of endpoint security products
Jeffrey Wu, A. Arrott
A battery of protection and resource performance tests were conducted using commercial internet security suites designed for general purpose usage with a Windows 8 personal computer (PC). Six classes of PC users were identified: Internet addict; network businessman; socializer; basic user; gamer; self-presenter; infrequent user. Recognizing that practical Internet security is different for each of these user groups, the importance of each component protection and resource performance test was assessed independently for each PC user group. By weighting component results to match relative importance for each user group, separate overall comparative assessments of the tested internet security suite products were obtained separately for each user group. From this, a more effective assessment of the value of commercial anti-malware protection is obtained specific to a customer's PC usage. When third party commercial anti-malware products were compared to the protection application provided by Microsoft, the average improvement ranged from 5% to 10% when measured separately for each PC user group.
DOI: https://doi.org/10.1109/MALWARE.2013.6703683 | Published: 2013-10-01 | Citations: 1
Countering malware evolution using cloud-based learning
Jacob Ouellette, A. Pfeffer, Arun Lakhotia
Recent years have seen an explosion in the number and sophistication of malware attacks. The sheer volume of novel malware has made purely manual signature development impractical and has led to research on applying machine learning and data mining to automatically infer malware signatures in the wild. Unfortunately, researchers have recently found ways to game the machine learning algorithms and learn to predict which samples the learning algorithms will classify as benign or malicious, thus opening the door for innovative deception on the part of malware developers. To counter this threat, we are developing our Semi-Supervised Algorithms against Malware Evolution (SESAME) program, which uses online learning to evolve as new malware is encountered, recognizing novel families and adapting its model of families as they themselves evolve. It uses semi-supervised learning to enable it to learn from both labeled and unlabeled malware. SESAME combines a rich feature set with deep learning algorithms to learn the essential characteristics of malware that enable us to relate novel malware to existing malware. SESAME is being designed to be an enterprise-based system with learning in the cloud and rapid endpoint classification.
DOI: https://doi.org/10.1109/MALWARE.2013.6703689 | Published: 2013-10-01 | Citations: 22
Analysis and diversion of Duqu's driver
Guillaume Bonfante, J. Marion, Fabrice Sabatier, Aurélien Thierry
The propagation techniques and the payload of Duqu have been closely studied over the past year and it has been said that Duqu shared functionalities with Stuxnet. We focused on the driver used by Duqu during the infection; our contribution consists in reverse-engineering the driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while avoiding detection. Then we diverted the driver into a defensive version capable of detecting injections in Windows binaries, thus preventing further attacks. We specifically show how Duqu's modified driver would have detected Duqu.
DOI: https://doi.org/10.1109/MALWARE.2013.6703692 | Published: 2013-10-01 | Citations: 10
Synthesizing near-optimal malware specifications from suspicious behaviors
S. Jha, Matt Fredrikson, Mihai Christodorescu, R. Sailer, Xifeng Yan
Behavior-based detection techniques are a promising solution to the problem of malware proliferation. However, they require precise specifications of malicious behavior that do not result in an excessive number of false alarms, while still remaining general enough to detect new variants before traditional signatures can be created and distributed. In this paper, we present an automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based on graph mining and stochastic optimization, scales to large classes of programs. When this work was originally published, the technique yielded favorable results on malware targeted towards workstations (~86% detection rates on new malware). We believe that it can be brought to bear on emerging malware-based threats for new platforms, and discuss several promising avenues for future work in this direction.
DOI: https://doi.org/10.1109/MALWARE.2013.6703684 | Published: 2013-10-01 | Citations: 19
REcompile: A decompilation framework for static analysis of binaries
Khaled Yakdan, Sebastian Eschweiler, E. Gerhards-Padilla
Reverse engineering of binary code is an essential step for malware analysis. However, it is a tedious and time-consuming task. Decompilation facilitates this process by transforming machine code into a high-level representation that is more concise and easier to understand. This paper describes REcompile, an efficient and extensible decompilation framework. REcompile uses the static single assignment form (SSA) as its intermediate representation and performs three main classes of analysis. Data flow analysis removes machine-specific details from code and transforms it into a concise high-level form. Type analysis finds variable types based on how those variables are used in code. Control flow analysis identifies high-level control structures such as conditionals, loops, and switch statements. These steps enable REcompile to produce well-readable decompiled code. The overall evaluation, using real programs and malware samples, shows that REcompile achieves a comparable and in many cases better performance than state-of-the-art decompilers.
DOI: https://doi.org/10.1109/MALWARE.2013.6703690 | Published: 2013-10-01 | Citations: 9
First byte: Force-based clustering of filtered block N-grams to detect code reuse in malicious software
Jason Upchurch, Xiaobo Zhou
Detecting code reuse in malicious software is complicated by the lack of source code. The same circumstance that makes code reuse detection in malicious software desirable, that is, the limited availability of original source code, also contributes to the difficulty of detecting code reuse. In this paper, we propose a method for detecting code reuse in software, specifically malicious software, that moves beyond the limitations of targeting variant detection (categorization of families). This method expands n-gram analysis to target basic blocks extracted from compiled code vice entire text sections. It also targets individual relationships between basic blocks found in localized code reuse, while preserving the ability to detect variants and families of variants found with generalized code reuse. We demonstrate the limitations of similarity calculated without first disassembling the instructions and show that our First Byte normalization gives dramatic improvements in detection of code reuse. To visualize results, our method proposes force-based clustering as a solution to rapidly detect relationships between compiled binaries and detect relationships without complex analysis. Our methods retain the previously demonstrated ability of n-gram analysis to detect variants, while adding the ability to detect code reuse in non-variant malware. We show that our proposed filtering method reduces the number of similarity calculations and highlights only meaningful relationships in our malware set.
DOI: https://doi.org/10.1109/MALWARE.2013.6703687 | Published: 2013-10-01 | Citations: 9
An antivirus API for Android malware recognition
Rafael Fedler, Marcel Kulicke, J. Schütte
On the Android platform, antivirus software suffers from significant deficiencies. Due to platform limitations, it cannot access or monitor an Android device's file system, or dynamic behavior of installed apps. This includes the downloading of malicious files after installation, and other file system alterations. That has grave consequences for device security, as any app - even without openly malicious code in its package file - can still download and execute malicious files without any danger of being detected by antivirus software. In this paper, we present a proposal for an antivirus interface to be added to the Android API. It allows for three primary operations: (1) on-demand file system scanning and traversal, (2) on-change file system monitoring, (3) a set of basic operations that allow for scanning of arbitrary file system objects without disclosing their contents. This interface can enable Android antivirus software to deploy techniques for malware recognition similar to those of desktop antivirus systems. The proposed measures comply with Android's security architecture and user data privacy is maintained. Through our approach, antivirus software on the Android platform would reach a level of effectiveness significantly higher than currently, and comparable to that of desktop antivirus software.
DOI: https://doi.org/10.1109/MALWARE.2013.6703688 | Published: 2013-10-01 | Citations: 20
It's you on photo?: Automatic detection of Twitter accounts infected with the Blackhole Exploit Kit
Joshua S. White, Jeanna Neefe Matthews
The Blackhole Exploit Kit (BEK) has been called the “Toyota Camry” of exploit kits - cheap, readily available and reliable. According to some estimates, it was used to enable the majority of malware infections in 2012. One major infection vector for BEK is through Twitter. In this paper, we analyze over two months of Twitter data from May through July of 2012 and identify user accounts affected by BEK. Based on reports that BEK infected tweets containing the string “It's you on photo?” were being used to lure victims to BEK infected sites, we identified matching messages and analyzed the associated accounts. We then identified a wider range of message types associated with BEK infection and developed an automated mechanism for identifying infectious accounts - both accounts that were created specifically for malware distribution and legitimate accounts that began distributing malware after the owner's system was infected. Specifically, we find that BEK infectious accounts are characterized by tweets with an entropy lower than 4.5, tweets that are sent using the Mobile Web API and tweets containing an embedded URL. We present an automated method for isolating the point at which an account becomes infectious based on changes in the entropy of tweets from the account.
Joshua S. White, Jeanna Neefe Matthews. It's you on photo?: Automatic detection of Twitter accounts infected with the Blackhole Exploit Kit. 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE), 2013-10-01. DOI: 10.1109/MALWARE.2013.6703685 (https://doi.org/10.1109/MALWARE.2013.6703685)
Citations: 4
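The three-indicator rule and the entropy change-point idea from the abstract above, as an added worked example; this is not code from White and Matthews, whose implementation is not on this page. Assumptions: entropy is character-level Shannon entropy in bits over the tweet text, since the page does not say how the authors measured it; the Mobile Web client is matched by a plain `Mobile Web` source label rather than the HTML `source` string the Twitter API returns; an embedded URL is approximated by an http(s) URL in the text; and the timeline is constructed sample data. The change-point scan goes slightly beyond the abstract by requiring a sustained run of low-entropy tweets before it reports an infection point, so that one odd tweet does not flag an account.

```python
"""
Entropy-based BEK tweet heuristic and infection-point scan.

Added illustration, not code from White & Matthews' paper.
Assumptions (the page does not state them): entropy is character-level
Shannon entropy in bits over the tweet text; the Twitter `source` field
for the Mobile Web client is compared as the plain label "Mobile Web";
"embedded URL" is approximated by an http(s) URL in the text; the tweet
records below are constructed sample data, not real Twitter data.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Optional

ENTROPY_THRESHOLD = 4.5            # bits; the threshold reported in the abstract
MOBILE_WEB_SOURCE = "Mobile Web"   # assumed label for the "Mobile Web API" client
URL_RE = re.compile(r"https?://\S+")


def shannon_entropy(text: str) -> float:
    """Character-level Shannon entropy in bits (assumed measure)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def is_bek_like(tweet: Dict[str, str]) -> bool:
    """All three indicators from the abstract must hold for one tweet:
    entropy under 4.5, posted via the Mobile Web client, and a URL in the text."""
    return (
        shannon_entropy(tweet["text"]) < ENTROPY_THRESHOLD
        and tweet["source"] == MOBILE_WEB_SOURCE
        and URL_RE.search(tweet["text"]) is not None
    )


def infection_point(tweets: List[Dict[str, str]], min_run: int = 2) -> Optional[int]:
    """Index (chronological order) of the first tweet of the trailing run of
    low-entropy tweets, i.e. the point after which the account never recovers.
    A run shorter than `min_run` is treated as noise and yields None, as does
    an account whose most recent tweets are still high-entropy. Returns 0 for
    an account that was low-entropy from its first tweet, the signature of an
    account created purely for distribution."""
    start = len(tweets)
    while start > 0 and shannon_entropy(tweets[start - 1]["text"]) < ENTROPY_THRESHOLD:
        start -= 1
    run = len(tweets) - start
    return start if run >= min_run else None


def classify_account(tweets: List[Dict[str, str]], min_run: int = 2) -> Dict[str, object]:
    """Account-level verdict: infectious if there is a sustained entropy drop and
    every tweet from that point on also carries the other two BEK indicators."""
    point = infection_point(tweets, min_run)
    flagged = [i for i, t in enumerate(tweets) if is_bek_like(t)]
    infectious = point is not None and all(i in flagged for i in range(point, len(tweets)))
    kind = None
    if infectious:
        kind = "created for distribution" if point == 0 else "legitimate account turned infectious"
    return {"infection_point": point, "bek_tweets": flagged, "infectious": infectious, "kind": kind}


# Constructed sample timeline (oldest first): two ordinary tweets from the
# web client, then the lure pattern sent via the Mobile Web client.
SAMPLE_TIMELINE = [
    {"text": "Landed @ BOS 6:45pm, dinner w/ Zoe & Mike then the 9pm talk! #MALWARE2013",
     "source": "Twitter Web Client"},
    {"text": "Slides for my 10:30 BEK talk are up: http://t.co/Xq7Ab2Zw (PDF, 4MB)",
     "source": "Twitter Web Client"},
    {"text": "It's you on photo? http://t.co/photo", "source": MOBILE_WEB_SOURCE},
    {"text": "It's you on photo? http://t.co/pho7o", "source": MOBILE_WEB_SOURCE},
]

if __name__ == "__main__":
    for i, t in enumerate(SAMPLE_TIMELINE):
        print(f"{i}: H={shannon_entropy(t['text']):.2f} bek_like={is_bek_like(t)}")
    print(classify_account(SAMPLE_TIMELINE))
```

Running the block prints the per-tweet entropy and the account verdict. One caveat the abstract's bare number hides: under this character-level measure a plain lowercase pangram such as "the quick brown fox jumps over the lazy dog" scores about 4.39 bits, already below 4.5, while the sample tweets with digits, mixed case and punctuation score 4.8 and 5.1. The alphabet, case handling and unit the authors used therefore decide what the threshold means, and a deployment on its own data should recalibrate it rather than copy the constant.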
Circumventing keyloggers and screendumps
Karan Sapra, Benafsh Husain, R. Brooks, M. C. Smith
We consider keyloggers (hardware or software) and screendumps of virtual keyboards by the local machine. To counter these attacks, we use DirectX 9 libraries [3] on Windows or Linux [5] operating systems. Our approach uses a remote server that communicates securely with the local process. The DirectX mode that we use executes in the GPU while being directly displayed on the screen. There is no direct communication between the operating system and the GPU storage, which allows us to communicate with the user securely even if the local machine is compromised. We present a simple prototype application of this approach, which supports web browsing.
Karan Sapra, Benafsh Husain, R. Brooks, M. C. Smith. Circumventing keyloggers and screendumps. 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE), 2013-10-01. DOI: 10.1109/MALWARE.2013.6703691 (https://doi.org/10.1109/MALWARE.2013.6703691)
Citations: 11
Venue
2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)