Abstract
Various online studies on the prevalence of spyware report overwhelming numbers (up to 80%) of infected home computers. However, the term spyware is ambiguous and can refer to anything from plug-ins that display advertisements to software that records and leaks user input. To shed light on the true nature of the spyware problem, a recent measurement paper attempted to quantify the extent of spyware on the Internet. More precisely, the authors crawled the web and analyzed the executables that were downloaded. For this analysis, only a single anti-spyware tool was used. Unfortunately, this is a major shortcoming, as the results from this single tool neither capture the actual extent of the threat nor, in many cases, appropriately classify the functionality of suspicious executables.
For our analysis, we developed a fully-automated infrastructure to collect and install executables from the web. We use three different techniques to analyze these programs: an online database of spyware-related identifiers, signature-based scanners, and a behavior-based malware detection technique. We present the results of a measurement study that lasted about ten months. During this time, we crawled over 15 million URLs and downloaded 35,853 executables. Almost half of the spyware samples we found were not recognized by the tool used in previous work. Moreover, a significant fraction of the analyzed programs (more than 80%) was incorrectly classified. This underlines that our measurement results are more comprehensive and precise than those of previous approaches, allowing us to draw a more accurate picture of the spyware threat.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stamminger, A., Kruegel, C., Vigna, G., Kirda, E. (2009). Automated Spyware Collection and Analysis. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_17
DOI: https://doi.org/10.1007/978-3-642-04474-8_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04473-1
Online ISBN: 978-3-642-04474-8
eBook Packages: Computer Science, Computer Science (R0)