Using infection markers as a vaccine against malware attacks

  • Wichmann A
  • Gerhards-Padilla E
  • 17


    Mendeley users who have this article in their library.
  • 4


    Citations of this article.


Malware is used by criminals for financial gains, espionage and
sabotage, and their code and evasion techniques become increasingly
complex and sophisticated. This means it takes longer for security
researchers to analyse a malware and develop detection and removal
routines, increasing the danger of critical systems becoming infected.
In order to prevent multiple infections of the same system, malware
often uses infection markers to mark a system as already infected. In
this paper, we introduce the concept of using these markers to vaccinate
systems against infections by a specific malware family. We discuss the
characteristics of infection markers and develop a taxonomy of marker
types. Then, we present a framework capable of classifying the infection
marker used by a malware sample, and which can in most cases
automatically extract the marker and generate a vaccination program.
Evaluation with a large corpus of malware samples shows that for almost
all malware that uses an infection marker, a vaccination program can be
generated without the need of a human expert. Two case studies with
prominent malware samples, Sality and Conficker, further show the
potential of this approach.

Author-supplied keywords

  • Intrusion prevention
  • Malware

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Andre Wichmann

  • Elmar Gerhards-Padilla

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free