The Strider Gatekeeper Project

 
Strider Gatekeeper Spyware Management: Beyond Signature-based Approach

Visit http://www.microsoft.com/spyware for general information about how to prevent spyware infection and what tools to use for signature-based detection and removal. These tools have at least two limitations:

  1. They cannot detect spyware programs for which they don't have signatures yet.
    • Spywarewarrior.com Anti-Spyware Testing: "No single anti-spyware scanner removes everything. Even the best-performing anti-spyware scanner in these tests missed fully one quarter of the "critical" files and Registry entries."
  2. They cannot detect ghostware programs that hide their files, Registry entries, processes, loaded modules, network ports, etc. from other applications and OS utilities running on the same machine, including the scanner itself.

Read the Gatekeeper paper below for a non-signature-based solution to the first problem: it monitors a set of Auto-Start Extensibility Points (ASEPs), the hooks a program must take in order to be started automatically without an explicit user action, and it is much faster than a full file-system scan because only those hooks need to be checked. Read the GhostBuster papers for a non-signature-based solution to the second problem: it is based on a simple cross-view scan-diff concept, comparing what the system reports about itself from inside the running OS with what is seen from outside it; anything visible only from outside is being hidden.
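As an added illustration of ASEP checkpointing and diffing (example code written for this page, not the Gatekeeper tool's own implementation): the script snapshots a handful of well-known ASEP registry locations, an illustrative subset chosen for the example rather than the tool's list of 46, and reports every auto-start entry that was added, removed or changed between two checkpoints. Live collection uses Python's winreg module and so returns data only on Windows; the baseline and infected checkpoints, program names and paths below are constructed for the example and hypothetical.

```python
"""Checkpoint-and-diff of a few Auto-Start Extensibility Points (ASEPs)."""
import sys
from typing import Dict, List, Tuple

# Illustrative subset of ASEP registry locations (an assumption for this
# example; the Gatekeeper tool's own list of 46 ASEPs is not reproduced here).
ASEP_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
]

Checkpoint = Dict[str, Dict[str, str]]   # key path -> {entry name -> data}
Finding = Tuple[str, str, str, str]      # (kind, key path, entry name, detail)


def _read_key(path: str) -> Dict[str, str]:
    """Enumerate the values (and subkeys, prefixed 'subkey:') of one registry key."""
    import winreg  # Windows only; the caller guards the platform
    hive, _, subkey = path.partition("\\")
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    entries: Dict[str, str] = {}
    try:
        with winreg.OpenKey(root, subkey) as k:
            i = 0
            while True:                      # EnumValue raises OSError past the last value
                try:
                    name, data, _type = winreg.EnumValue(k, i)
                except OSError:
                    break
                entries[name] = str(data)
                i += 1
            j = 0
            while True:                      # BHO-style ASEPs register one subkey per hook
                try:
                    entries["subkey:" + winreg.EnumKey(k, j)] = ""
                except OSError:
                    break
                j += 1
    except OSError:
        pass  # key absent on this system: nothing is hooked there
    return entries


def take_checkpoint(keys=ASEP_KEYS) -> Checkpoint:
    """Snapshot the current contents of every ASEP key (empty off Windows)."""
    if sys.platform != "win32":
        return {}
    return {k: _read_key(k) for k in keys}


def diff_checkpoints(before: Checkpoint, after: Checkpoint) -> List[Finding]:
    """Report every ASEP entry that was added, removed or changed between checkpoints."""
    findings: List[Finding] = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                findings.append(("added", key, name, a[name]))
            elif name not in a:
                findings.append(("removed", key, name, b[name]))
            elif a[name] != b[name]:
                findings.append(("changed", key, name, f"{b[name]} -> {a[name]}"))
    return findings


# Constructed sample checkpoints (hypothetical, not real data): a clean baseline
# and the same ASEPs after a made-up spyware install that adds a Run entry and
# appends itself to the Winlogon Shell value.
RUN = ASEP_KEYS[0]
WINLOGON = ASEP_KEYS[3]
BASELINE: Checkpoint = {
    RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    WINLOGON: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
}
INFECTED: Checkpoint = {
    RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
          "SysUpdater": r"C:\ProgramData\SysUpd\sysupd.exe"},
    WINLOGON: {"Shell": r"explorer.exe,C:\ProgramData\SysUpd\sysupd.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
}


def demo() -> List[Finding]:
    """Diff the constructed checkpoints; on a real box diff two take_checkpoint() results."""
    return diff_checkpoints(BASELINE, INFECTED)


if __name__ == "__main__":
    for kind, key, name, detail in demo():
        print(f"{kind:8} {key}\\{name}: {detail}")
```

Because only the hooks are read, a checkpoint of all 46 ASEPs is a few hundred registry reads, which is why this is so much cheaper than scanning every file on disk; the trade-off is that it only sees programs that want to survive a reboot, so it should be taken before and after any install you are suspicious of.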

 
Tools

  • An ASEP checkpointing and diffing tool that covers the 46 ASEPs known to be hooked by hundreds of spyware and malware programs
  • Simple steps you can take to detect some of today's ghostware:
    1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
    2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
    3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
    4. Note: there will be some false positives, i.e., files that legitimately differ between the two runs, such as temporary files created or deleted in between. Also, this does not detect stealth software that hides in the BIOS, video card EEPROM, disk bad sectors, Alternate Data Streams, etc., since none of those show up in a directory listing.
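The cross-view diff from the steps above, written out as an added example in Python (this is example code for this page, not the project's WinDiff-based procedure). It assumes the two saved listings are plain text with one path per line; the sample listings, the rootkit file names and the benign-difference patterns are all constructed for the example. It also handles two details the steps leave implicit: a volume mounted from a clean CD usually gets a different drive letter, so drive letters are stripped before comparing, and known-benign differences (the step-1 output file, which is written after the inside "dir" ran, or directories the live OS would not list for access-control reasons) are reported separately rather than silently dropped.

```python
"""Cross-view diff of two 'dir /s /b' listings to expose file-hiding ghostware."""
import re
from typing import Dict, List, Set

# Constructed sample listings (not data from the original page). Each is the
# concatenated output of "dir /s /b /ah" and "dir /s /b /a-h": INSIDE taken from
# the running, possibly infected OS; OUTSIDE taken after booting a clean CD,
# where the same volume shows up under a different drive letter.
INSIDE = r"""
C:\pagefile.sys
C:\Windows\System32\kernel32.dll
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\Temp\tmp1234.tmp
C:\Users\alice\Documents\report.docx
"""

OUTSIDE = r"""
D:\pagefile.sys
D:\listing_inside.txt
D:\System Volume Information\tracking.log
D:\Windows\System32\kernel32.dll
D:\Windows\System32\drivers\ntfs.sys
D:\Windows\System32\drivers\rk_hidden.sys
D:\Windows\System32\rk_service.exe
D:\Users\alice\Documents\report.docx
"""

DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Differences that are expected rather than suspicious (hypothetical list; extend
# it with whatever your own clean baseline shows). The step-1 output file is the
# classic one: written after the inside "dir" ran, so it is visible only from
# outside. "System Volume Information" is ACL-protected from an ordinary inside
# listing but fully visible offline.
BENIGN_PATTERNS = [
    re.compile(r"^\\listing_(inside|outside)\.txt$", re.IGNORECASE),
    re.compile(r"^\\system volume information\\", re.IGNORECASE),
]


def parse_listing(text: str) -> Set[str]:
    """Normalize a dir /b listing: drop the drive letter, fold case, skip blanks."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            paths.add(DRIVE_RE.sub("", line).lower())
    return paths


def is_benign(path: str) -> bool:
    return any(p.search(path) for p in BENIGN_PATTERNS)


def cross_view_diff(inside_text: str, outside_text: str) -> Dict[str, List[str]]:
    """Split the two views into hidden files, known noise, and inside-only extras."""
    inside, outside = parse_listing(inside_text), parse_listing(outside_text)
    outside_only = outside - inside   # on disk, yet invisible to the running OS
    inside_only = inside - outside    # usually transient files from the live session
    return {
        "hidden": sorted(p for p in outside_only if not is_benign(p)),
        "noise": sorted(p for p in outside_only if is_benign(p)),
        "inside_only": sorted(inside_only),
    }


if __name__ == "__main__":
    for bucket, paths in cross_view_diff(INSIDE, OUTSIDE).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Everything in the "hidden" bucket deserves a look: a file that exists on disk but that the running OS will not list has no innocent explanation once the known noise is accounted for. The "noise" bucket is kept visible on purpose, so that a too-broad benign pattern cannot quietly swallow a real finding.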

 
Publications (see the up-to-date list)