samples may be unable to steal the accounts from the financial services we used,
or their owners were not interested in these types of accounts, etc. On the other
hand, the low hit percentage could be due to the nature of our study. One thing
that we have to keep in mind is the fact that all the malware samples we used
were downloaded from Zeus Tracker. As the attackers get more and more sophisticated
and cautious, it would be no surprise to us if they discarded any credentials
reported by malware samples that have been published on sites like Zeus Tracker.
Similarly, as our main goal was the performance and scalability evaluation, the
injection of the bait credentials was periodic and simultaneous for all the accounts,
and all the VMs were connected to the Internet through a single public IP address
(NAT). It would be trivial for an attacker with several malware instances to filter
out our credentials as suspicious, because they are all reported from the same IP
address, periodically and simultaneously.
5 Conclusion
We presented the application of our spyware detection technique for a common
setup in multiuser enterprise environments. We demonstrated it for thin client
environments, where we utilized out-of-the-box tools to implement our tamper-resistant
bait injection and action verification. The system was designed to be generic and
portable to different remote access protocol stacks, to make it generally applicable.
We experimentally demonstrated the scalability of our system when applied to a
thin client environment. Our results showed that our system can successfully operate
concurrently on a scalable number of VMs. Finally, the study we conducted using
more than a hundred malware samples revealed a number of different relationships
between the malware samples and the dropzones. In addition, the relatively small
number of bait account accesses by the attackers raises some interesting questions
about their sophistication.
Acknowledgements. This work was supported by the NSF through Grants
CNS-09-14312 and CNS-04-26623, and ONR through MURI Contract N00014-
07-1-0907. Any opinions, findings, conclusions or recommendations expressed
herein are those of the authors, and do not necessarily reflect those of the US
Government, ONR or the NSF.