Data di Pubblicazione:
2017
Citazione:
Prometheus: Analyzing WebInject-based information stealers / A. Continella, M. Carminati, M. Polino, A. Lanzi, S. Zanero, F. Maggi. - In: JOURNAL OF COMPUTER SECURITY. - ISSN 0926-227X. - 25:2(2017), pp. 117-137. [10.3233/JCS-15773]
Abstract:
Nowadays Information stealers are reaching high levels of sophistication. The number of families and variants observed increased exponentially in the last years. Furthermore, these trojans are sold on underground markets along with automatic frameworks that include web-based administration panels, builders and customization procedures. From a technical point of view such malware is equipped with a functionality, called WebInject, that exploits API hooking techniques to intercept all sensitive data in a browser context and modify web pages on infected hosts. In this paper we propose Prometheus, an automatic system that is able to analyze trojans that base their attack technique on DOM modifications. Prometheus is able to identify the injection operations performed by malware, and generate signatures based on the injection behavior. Furthermore, it is able to extract the WebInject targets by using memory forensic techniques. We evaluated Prometheus against real-world, online websites and a dataset of distinct variants of financial trojans. In our experiments we show that our approach correctly recognizes known variants of WebInject-based malware and successfully extracts the WebInject targets.
Tipologia IRIS:
01 - Articolo su periodico
Keywords:
banking trojan; info-stealer; WebInject; Software; Safety, Risk, Reliability and Quality; Hardware and Architecture; Computer Networks and Communications
Elenco autori:
A. Continella, M. Carminati, M. Polino, A. Lanzi, S. Zanero, F. Maggi
Link alla scheda completa: