Search Quality & Cyber-Intelligence Lab (SQ-CIL)

Strider Gatekeeper Spyware Management: Beyond Signature-based Approach

Visit http://www.microsoft.com/spyware for general information about how to prevent spyware infection and what tools to use for signature-based detection and removal. These tools have at least two limitations:

  1. They cannot detect spyware programs for which they don't have signatures yet.
    • Spywarewarrior.com Anti-Spyware Testing: "No single anti-spyware scanner removes everything. Even the best-performing anti-spyware scanner in these tests missed fully one quarter of the "critical" files and Registry entries."
  2. They cannot detect ghostware programs that hide their files, Registry entries, processes, loaded modules, network ports, etc. from other applications and OS utilities running on the same machine.

Read the Gatekeeper paper below for a non-signature-based solution to the first problem; it is based on monitoring a set of Auto-Start Extensibility Points (ASEPs), and it is much faster. Read the GhostBuster papers for a non-signature-based solution to the second problem; it is based on a simple scan-diff concept: scan the same resources from inside the potentially infected OS and from a clean environment, and diff the two views.

 
Tools

  • An ASEP checkpointing and diffing tool that covers the 46 ASEPs known to be hooked by hundreds of spyware and malware programs
  • Simple steps you can take to detect some of today's ghostware:
    1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
    2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
    3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
    4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.
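The diff in step 3 can be automated once the two "dir" listings are saved to text files. The script below is an added example, not a tool from this page or from the GhostBuster project: it normalizes the drive letter (the clean CD boot may mount the volume under a different letter), folds case, and suppresses an assumed list of volatile paths (swap and hibernation files, temp directories, logs) to cut down the false positives mentioned in step 4. The listings and file names are constructed sample data.

```python
import re
from fnmatch import fnmatch

# Constructed sample listings (not real scan output). Each is the combined
# output of "dir /s /b /ah" and "dir /s /b /a-h" captured in one view.
INSIDE_VIEW = """\
C:\\Windows\\System32\\kernel32.dll
C:\\Windows\\System32\\drivers\\etc\\hosts
C:\\pagefile.sys
C:\\Documents and Settings\\user\\Local Settings\\Temp\\~tmp1.tmp
"""
# Same volume listed from the clean CD boot, where it is mounted as D:
OUTSIDE_VIEW = """\
D:\\Windows\\System32\\kernel32.dll
D:\\Windows\\System32\\drivers\\etc\\hosts
D:\\Windows\\System32\\drivers\\ghostdrv.sys
D:\\Program Files\\Common Files\\ghostsvc.exe
D:\\pagefile.sys
D:\\hiberfil.sys
"""

# Assumed tuning list (not from the paper): paths that legitimately differ
# between the two views, e.g. swap/hibernation files, temp dirs, logs.
VOLATILE_PATTERNS = ("\\pagefile.sys", "\\hiberfil.sys", "*\\temp\\*", "*.log")

def normalize(path):
    """Drop the drive letter (the clean boot may mount the volume under a
    different letter) and fold case, since NTFS lookups are case-insensitive."""
    return re.sub(r"^[A-Za-z]:", "", path.strip()).lower()

def parse_listing(text):
    return {normalize(line) for line in text.splitlines() if line.strip()}

def is_volatile(path):
    return any(fnmatch(path, pat.lower()) for pat in VOLATILE_PATTERNS)

def cross_view_diff(inside_text, outside_text):
    """Return (hidden, suppressed, inside_only): outside-only files not on the
    volatile list are hiding candidates; volatile outside-only files are kept
    apart for review; inside-only files (often deleted at shutdown) are listed."""
    inside, outside = parse_listing(inside_text), parse_listing(outside_text)
    outside_only = outside - inside
    hidden = sorted(p for p in outside_only if not is_volatile(p))
    suppressed = sorted(p for p in outside_only if is_volatile(p))
    return hidden, suppressed, sorted(inside - outside)

if __name__ == "__main__":
    for label, paths in zip(("HIDDEN", "VOLATILE", "INSIDE-ONLY"),
                            cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)):
        print(label, paths)
```

Anything in the HIDDEN list is invisible to the running OS but present on disk, which is exactly the cross-view discrepancy the scan-diff approach looks for; the VOLATILE list still deserves a glance, since a rootkit could name its files after benign system files.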

Links

Publications (see the up-to-date list)


©2008 Microsoft Corporation. All rights reserved. Terms of Use |Trademarks |Privacy Statement