25-02-2013, 10:08 AM
NetSpy: Automatic Generation of Spyware Signatures for NIDS
NetSpy.pdf (Size: 154.23 KB / Downloads: 16)
Abstract
We present NetSpy, a tool to automatically generate network-level signatures for spyware. NetSpy determines whether an untrusted program is spyware by correlating user input with network traffic generated by the untrusted program. If classified as spyware, NetSpy also generates a signature characterizing the malicious substrate of the spyware's network behavior. Such a signature can be used by network intrusion detection systems to detect spyware installations in large networks.
In our experiments, NetSpy precisely identified each of the 7 spyware programs that we considered and generated network-level signatures for them. Of the 9 supposedly-benign programs that we considered, NetSpy correctly characterized 6 of them as benign. The remaining 3 programs showed network behavior that was highly suggestive of spying activity.
Introduction
Spyware is a class of malware that steals private information from users without their knowledge or permission. Popular examples of spyware include keyloggers, programs that monitor web-browsing activity, and Trojans that download and install other malware. Most spyware masquerades as programs that provide useful functionality, such as browser plug-ins and extensions, and compromises the privacy of unsuspecting individuals who install them on their computers. Several recent studies show that the threat of spyware is on the rise, with one study reporting that as many as 80% of computers in the US are spyware-infected [9, 19]. Because spyware surreptitiously snoops and reports victim behavior to a malicious remote server, victims often do not notice malicious activity on their machines and do not realize that the spyware program is compromising their privacy. This very characteristic makes it challenging to detect spyware.
Overview
NetSpy has two goals: (i) to automatically discover possibly
malicious network activity generated by novel spyware
instances, and (ii) to generate NIDS signatures for
this network activity. This section presents a high-level, informal
overview of NetSpy, focusing on how an end-user
would use NetSpy to generate signatures for spyware. We
begin with a running example.
Browser Accelerator: an example spyware
Browser Accelerator [15] is a spyware program that disguises
itself as a plug-in for Internet Explorer. Plug-ins normally
enhance the functionality of Internet Explorer by providing
additional features. However, Browser Accelerator also monitors the user's web-browsing activity and reports the monitored activity back to a home server.
To illustrate the spying behavior of Browser Accelerator,
we first consider the network activity generated by a
“clean”, i.e., non-spyware-infected, version of Internet Explorer,
and compare it with the network activity generated
by Internet Explorer with Browser Accelerator installed.
Suppose that an end-user uses Internet Explorer to visit the URL www.google.com. On a clean version, this generates two outbound HTTP requests (Figure 1, rows 1-2), both destined for www.google.com. The first request
retrieves the root document associated with the URL,
while the second retrieves the Google logo image contained
within the root document.
Spyware signature generation using NetSpy
We have designed NetSpy for use in environments where a large number of machines are supported. When a program installed on a particular machine in the network is suspected
to be spyware, a system administrator can use NetSpy to determine
if it is indeed so, and generate a signature to capture
the outbound network-level behavior of the program. A key
feature of network-level signature generation is that once
a spyware program has been detected on a particular machine
in the network, the network-level signature can detect
installations of that program on other machines in the network.
There are four high-level steps to using NetSpy, as
shown in Figure 2.1. We describe each in detail.
Differential analysis
Differential analysis examines the network traffic generated
by a machine with an untrusted program installed and
achieves two goals: (i) it identifies the portion of network
traffic generated by the untrusted program, and (ii) it determines
whether the program is potentially spyware. The
key observation used here is that a spyware program monitors
victim activity and reports this back to a home server.
Thus, network traffic generated by spyware must be dependent
on user-input, i.e., different values for user-input produce
different network activity. Differential analysis employs
heuristics, described below, to assign a score between
1 and 3 to an untrusted program, where a higher score indicates
that the program is more likely to be spyware.
Implementation
The NetSpy prototype is currently implemented for Windows 2000/XP, and focuses on generating signatures for
spyware that target Internet Explorer. NetSpy is fully automatic.
The only (optional) manual task is that of changing
a configuration file that contains the input URLs used
to collect reference network statistics. It currently produces
Snort signatures as output (though it can be adapted to produce
signatures in other formats as well). We envision that
these signatures can help efforts like Bleeding Edge Snort.
The prototype, implemented in C/C++, currently stands at 4700 lines of code, consisting of three principal components:
a packet capturing tool, a differential analysis tool,
and a NIDS signature generator.
Signature Generation
Differential analysis assigns a score R_S (between 1 and 3) to an untrusted program S that it analyzes. If R_S is
above a certain threshold (2 in our current implementation),
NetSpy classifies the program as spyware and generates a
NIDS signature for this program.
The key to signature generation is to identify the invariant
portion of network traffic generated by a spyware program,
i.e., we must filter content that is specific to user input.
This is because a signature that has content related to
specific user input will miss network activity generated by
the program on other user input. On our running example,
Browser Accelerator, each packet sent to the home server
data.browseraccelerator.com contains a URL that the
user has entered. The NIDS signature must be agnostic to
the URL and retain the invariant portion of network traffic.
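As an added example (not code from the paper or the NetSpy prototype), the differential analysis and signature generation steps described above, run end to end over constructed HTTP captures for three visited URLs. The clean and infected visits, the `/report?url=` path of the report to the home server, and the three-level score are assumptions standing in for the paper's own heuristics; the Snort rule syntax is real.

```python
from difflib import SequenceMatcher
HOME = "data.browseraccelerator.com"  # home server named in the paper

def host_of(req):
    """Host header value of a raw HTTP request (None if absent)."""
    return next((l[5:].strip() for l in req.split("\r\n") if l.lower().startswith("host:")), None)

def capture(url, infected):
    """Constructed capture of one visit; when infected, the spyware's report (invented path) is added."""
    reqs = [f"GET / HTTP/1.1\r\nHost: {url}\r\n\r\n", f"GET /logo.gif HTTP/1.1\r\nHost: {url}\r\n\r\n"]
    report = f"GET /report?url=http://{url}/ HTTP/1.1\r\nHost: {HOME}\r\n\r\n"
    return reqs + ([report] if infected else [])

def attribute_traffic(clean, infected):
    """Differential analysis, step 1: requests to hosts the clean browser never contacted."""
    clean_hosts = {host_of(r) for r in clean}
    return [r for r in infected if host_of(r) not in clean_hosts]

def spyware_score(runs):
    """Step 2, a simplified stand-in for the paper's heuristics; runs maps each input URL to its
    attributed requests. 3: input echoed in every request, 2: requests vary with input, 1: neither."""
    if not any(runs.values()):
        return 1
    if all(url in r for url, reqs in runs.items() for r in reqs):
        return 3
    return 2 if len({tuple(reqs) for reqs in runs.values()}) > 1 else 1

def invariant_tokens(payloads, min_len=6):
    """Substrings shared by every payload: the input-independent substrate of the report."""
    tokens = [payloads[0]]
    for other in payloads[1:]:
        tokens = [t[b.a:b.a + b.size] for t in tokens for b in
                  SequenceMatcher(None, t, other, autojunk=False).get_matching_blocks() if b.size >= min_len]
    return tokens

def snort_content(tok):
    """Render a token for Snort's content: keyword, hex-escaping CR/LF and the characters ; " | \\."""
    esc = "".join(c if 32 <= ord(c) < 127 and c not in '";|\\' else f"|{ord(c):02X}|" for c in tok)
    return esc.replace("||", " ")

def netspy_pipeline(inputs, threshold=2, sid=1000001):
    """Capture, attribute, score; a rule is emitted only when the score exceeds the threshold."""
    runs = {u: attribute_traffic(capture(u, False), capture(u, True)) for u in inputs}
    score = spyware_score(runs)
    if score <= threshold:  # with threshold >= 1 any higher score implies attributed requests exist
        return score, None
    reports = [r for reqs in runs.values() for r in reqs]
    contents = "".join(f' content:"{snort_content(t)}";' for t in invariant_tokens(reports))
    return score, (f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Spyware report to {HOME}"; '
                   f"flow:to_server,established;{contents} classtype:trojan-activity; sid:{sid}; rev:1;)")
```

Feeding visits with and without the `www.` prefix is what strips the user-entered URL from the rule; with a single input the "invariant" part would still carry the victim's URL.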
Related Work
Spyware-detection techniques fall into two main categories: host-based and network-based. Each of these can be further sub-categorized into pattern-based and behavior-based matching techniques, as shown in Figure 7.
Host-based techniques analyze untrusted binary executables
to determine if they are potentially spyware. They work
much like commercial virus scanners and search binary executables
for known patterns of spyware. Commercial anti-spyware solutions, such as AdAware [1] and Spybot Search & Destroy [7], use simple techniques, such as comparing the MD5 hash of untrusted binary executables against known values to detect spyware. These techniques, while fast and accurate (they have near-zero false positives), can only detect known spyware instances and are not resilient even in the face of simple obfuscations.
Conclusion
We presented NetSpy, an automatic spyware signature
generator. NetSpy identifies if an untrusted program is spyware;
if so, it generates network-level signatures that can be
used with a NIDS that monitors outgoing network traffic.
Experimental results show that NetSpy is effective and that
it generates succinct, precise spyware signatures for NIDS.