Malware is used by criminals for financial gain, espionage and
sabotage, and its code and evasion techniques are becoming increasingly
complex and sophisticated. As a result, it takes security researchers
longer to analyse a malware sample and to develop detection and removal
routines, increasing the danger of critical systems becoming infected.
To prevent multiple infections of the same system, malware often uses
infection markers to mark a system as already infected. In this paper,
we introduce the concept of using these markers to vaccinate systems
against infection by a specific malware family. We discuss the
characteristics of infection markers and develop a taxonomy of marker
types. We then present a framework that classifies the infection marker
used by a malware sample and that can, in most cases, automatically
extract the marker and generate a vaccination program. Evaluation on a
large corpus of malware samples shows that, for almost all malware that
uses an infection marker, a vaccination program can be generated without
the need for a human expert. Two case studies with prominent malware
samples, Sality and Conficker, further show the potential of this
approach.
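The mechanism the abstract describes (a marker the malware sets and later checks, which a vaccination program plants first) can be made concrete with a small simulation. This is an added example, not code from the paper or its framework, and it assumes one particular marker type: a file at a fixed path. The path name is a constructed placeholder, not a marker taken from any real malware family, and the "infection attempt" is a model of the check, not malware.

```python
"""Toy model of an infection marker and the vaccination idea from the abstract.

Assumption (not from the paper): the marker is a file at a fixed path. Real
markers take other forms; the paper develops a taxonomy of them, which this
example does not reproduce.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileMarker:
    """An infection marker realised as a file at a fixed path."""

    path: Path

    def is_set(self) -> bool:
        return self.path.exists()

    def set(self) -> None:
        self.path.parent.mkdir(parents=True, exist_ok=True)
        self.path.touch(exist_ok=True)


def simulated_infection_attempt(marker: FileMarker) -> bool:
    """Model of the malware-side logic the abstract describes: look for the
    family's own marker and abort if it is already present, otherwise set it.

    Returns True if the (simulated) infection would have proceeded."""
    if marker.is_set():
        return False
    marker.set()
    return True


def vaccinate(marker: FileMarker) -> bool:
    """Vaccination program: plant the marker before the malware can.

    Returns True if the marker was newly created, False if already present."""
    if marker.is_set():
        return False
    marker.set()
    return True


def run_scenario(root: Path) -> tuple[bool, bool]:
    """Compare an unvaccinated and a vaccinated system side by side.

    Returns (infected_without_vaccine, infected_with_vaccine)."""
    # Constructed placeholder marker name; not a real malware artefact.
    unvaccinated = FileMarker(root / "unvaccinated" / "placeholder_marker.dat")
    vaccinated = FileMarker(root / "vaccinated" / "placeholder_marker.dat")

    # Plant the marker on the vaccinated system only.
    vaccinate(vaccinated)

    return (
        simulated_infection_attempt(unvaccinated),  # no marker: proceeds
        simulated_infection_attempt(vaccinated),    # marker found: aborts
    )


def run_scenario_in_tempdir() -> tuple[bool, bool]:
    """Run the scenario inside a throwaway directory so nothing is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_scenario(Path(tmp))


if __name__ == "__main__":
    without, with_vaccine = run_scenario_in_tempdir()
    print(f"infected without vaccine: {without}, with vaccine: {with_vaccine}")
```

The point the simulation makes is the one the abstract relies on: once the marker's form and value are known, vaccination needs no knowledge of the malware's payload, only the ability to reproduce the marker. The inverse holds too, which is why the paper's classification step matters: a marker the vaccinator cannot reproduce (because it is derived from per-machine data, for example) offers no such shortcut, and the framework must recognise that case rather than emit a useless vaccine.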