The Strider Gatekeeper Project

Strider Gatekeeper Spyware Management: Beyond Signature-based Approach

Last Updated: January 28, 2010

The Strider Family: [Gatekeeper] [GhostBuster] [HoneyMonkey] [URL Tracer] [Search Ranger]
[Security Tracer] [Troubleshooter] [Flight Data Recorder] [Patch Impact Analyzer]
See Strider at Assembling an All-Star Team of Research Talent and Imagining What Comes Next
[[Home Networking]] [[ISRC]] [[Yi-Min Wang]] [[Strider Foundation]]

Visit http://www.microsoft.com/spyware for general information about how to prevent spyware infection and what tools to use for signature-based detection and removal. Those tools have at least two limitations:

They cannot detect spyware programs for which they don't have signatures yet.
- Spywarewarrior.com Anti-Spyware Testing: "No single anti-spyware scanner removes everything. Even the best-performing anti-spyware scanner in these tests missed fully one quarter of the "critical" files and Registry entries."
They cannot detect "ghostware" programs that hide their files, Registry entries, processes, loaded modules, network ports, etc. from other applications and OS utilities running on the same machine

Read the Gatekeeper paper for a non-signature-based solution to the first problem; it is based on monitoring a set of Auto-Start Extensibility Points (ASEPs), and it is much faster. Read the GhostBuster papers for a non-signature-based solution to the second problem; it is based on a simple scan-diff concept.

Tools

An ASEP checkpointing and diffing tool that covers the 46 ASEPs known to be hooked by hundreds of spyware and malware programs
Simple steps you can take to detect some of today's ghostware:
1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

Links

Rootkit-protected Spyware
- "Nasty new parasite discovered", search for "f0r0r"
- "Follow up: Nasty new parasite", search for "Hacker Defender"
Spyware turning into Ghostware
- "CoolWebSearch (CWS) with Shield-DLL"

Related Strider Cybersecurity Projects

Strider Search Ranger Spam Detection
Strider URL Tracer with Typo-Patrol
Strider HoneyMonkey Exploit Detection
Strider GhostBuster Rootkit Detection

Publications (see the up-to-date list)

Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, Ming-Wei Wu, Yennun Huang, and Sy-Yen Kuo, "Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management", in Proc. Usenix LISA, 2004.
Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, and David Ladd, "AskStrider: What Has Changed on My Machine Lately?", Microsoft Research Technical Report MSR-TR-2004-03, Jan. 2004.

Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, and Aaron Johnson, "Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files", Microsoft Research Technical Report MSR-TR-2004-71, July 2004.