Research-based Malware Analysis on Spyware (Research Paper Sample)


Student’s Name
Instructor’s Name
Course
Date
Research-based Malware Analysis on Spyware
Executive Summary
Malware has revitalized itself as a persistent and pervasive threat to computer-connected systems, with new forms such as spyware. Spyware, a type of malware, is a class of malicious codes and programs that is installed surreptitiously on a victim’s computer, to collect personal and private information. The research analyzed spyware, describing its functionality and operation in computer systems. The paper also describes the behaviour of spyware based on the methods of analyzing spyware, including static and dynamic methods. The method of research involved scanning web libraries for information based on experiments used to analyze spyware. Findings include the type of computer resources that spyware attacks as well as techniques it uses and other descriptions and specifications identified during the analysis process.
Identification
Malware has revitalized itself as a persistent and pervasive threat to computer-connected systems, with new forms such as spyware. Spyware is a class of malicious codes and programs that is installed surreptitiously on a victim’s computer to collect personal and private information. Egele et al. note that once the software is active on the victim’s machine, it “silently monitors the behaviour of users, records their web surfing habits, and steals their passwords” (233). Spyware uses a variety of techniques, including logging keystrokes, recording web browsing history, and scanning documents on the computer’s hard disk for confidential information such as passwords, usernames, pictures, bank statements and details, and other personally identifiable information (PII). It works in two ways: as a keylogger and as a net counter. According to Khan et al., keyloggers are surveillance software that tracks and records every keystroke made on a system and saves them as encrypted log files. For instance, a keylogger can record “instant messages, email, and capture any information you type at any time using your keyboard, including usernames, passwords” (Khan et al. 13). Log files created from such information can end up in the hands of the wrong individuals, often hackers and attackers.
The other way spyware works is through the net counter, in which log files are created when the machine is on a LAN. The log files are recorded once the user is disconnected and contain information such as the date, start time, elapsed time, end time and day (Khan et al. 13). Ames identifies three levels at which spyware works or is used for malicious activities such as identity theft. The first level involves basic cookies for web server recognition. Simple cookie identification is used by sites to facilitate user recognition; sites can “recognize the user when he returns to the site, and it allows the site to associate the user with the known stored data he has provided” (Ames 25). The second level involves associated cookies, which identify a single user each time they connect to a member site. Associated cookies monitor activity and save data recorded from the user’s interaction with each member site. The third level, which is the most harmful to computer systems and users, is application-based. Ames (25) notes that these applications, once installed, gain complete control of the system and can query, record and transmit anything and everything from the system to an external system.
Users and their behaviour are often found to be responsible for most spyware infections of computer systems. According to Aycock, spyware that is bundled and distributed with other software ends up on computers through explicit, voluntary installation. He notes that in most cases users fail to read the end-user license agreement, or, when they do, are persuaded through social engineering to install the programs anyway. Besides explicit, voluntary installation, spyware also ends up on computer systems through drive-by downloads (again, with the user involved), in which malicious programs are installed while users browse web pages. In some cases the user receives a prompt in the web browser before the download requesting permission, or is lured through social engineering into installing the program. In these cases the spyware is delivered in HTML form; Aycock notes that “HTML has several ways in which a web page can embed additional content” (10). At other times, drive-by downloads may be involuntary, with no user involvement. According to Aycock, involuntary drive-by downloads “exploit bugs in a user’s web browser, resulting in the adversary being able to run code of their choosing on the user’s computer” (16). Such an attack can be described as “stack smashing”, which “works by overflowing an input buffer located on the stack; the browser’s input, in this case, is not from the user, but from a web server that the adversary controls” (16). Lastly, spyware also finds its way onto computers through other forms of malware, as when a botnet takes over an already malware-infected computer. In these cases the malware author, who controls the botnet, finds a way to control the victim’s computer system.
Spyware attacks the computer system and gains access to users’ private and confidential information in various forms, such as keylogging, network password sniffing, network cookie sniffing, pharming, malware session hijacking, common passwords, and phishing. Different spyware families have been named according to their mode of attack on the computer system. Common examples include SpyAxe/Zlob, Virtumonde/ErrorSafe/WinFixer, FakeAlert, Lop.com, PurityScan, Maxifile, SpySheriff/SpywareNo, Zango/180Solutions/Hotbar, Seekmo, ISTBar, CoolWebSearch (CWS) and Gator (GAIN) (Shams et al. 75). CoolWebSearch (CWS) attacks users’ private information by hijacking web searches, home pages, and other Internet Explorer settings. Gator (GAIN) is commonly embedded in open-source computer software, and 180search Assistant is used for pushing targeted pop-up advertisements.
Current antivirus products prevent spyware by relying on several detection techniques to stop infection of computer systems. Sheta et al. identify four methods of detecting spyware: signature-based detection, behaviour-based detection, specification-based detection, and data mining-based detection. Signature-based detection identifies spyware by comparing the spyware’s signature against a database, while behaviour-based detection analyzes the behaviour of either known or unknown spyware (Sheta et al. 465). In specification-based detection, the programs being executed are monitored, and data mining is applied when unknown spyware appears and is often conducted by researchers. Several anti-spyware tools are used to detect, clean up and protect computer systems from attacks by adversaries who intend to acquire confidential information. Currently, major vendors providing effective and powerful tools include Kaspersky and Avast, as well as others such as Windows Defender, McAfee, Webroot Spy Sweeper, and Lavasoft Ad-Aware. However, not all anti-spyware products or tools are equally effective. According to Shams et al., top IT magazines such as PC Magazine, PC World and CNET Reviews, consumer research websites, and AV-Test perform anti-spyware testing using methodologies that evaluate detection and removal rates for threats such as registry keys and browser helper objects (BHOs). For instance, Webroot Spy Sweeper detects and eliminates 100% of browser helper objects and removes 88% of registry keys, whereas McAfee Anti-Spyware has a rating of 100% for removing BHOs and 79% for detecting and removing registry keys (Shams et al. 76).
Analysis
Spyware analysis provides a detailed description of privacy-breaching attacks on computer systems. According to Yin and Song, analysis allows the spyware’s malicious behaviours to be identified and its attack mechanisms to be extracted. Analysis results are used to build proper defense mechanisms, such as creating detection signatures and updating detection policies (Yin and Song 1). Common methods of analyzing spyware fall into two categories: dynamic and static analysis. According to Egele et al., dynamic analysis uses tainting to monitor the flow of sensitive information as it propagates through the system; privacy-breaching analysis is one example of a dynamic analysis technique. Common dynamic analysis systems include CWSandbox, Norman Sandbox, and Anubis. These systems “run the malicious code in a special environment, such as a virtual machine or an emulator, and then observe its interaction with the environment by monitoring important system calls and API calls” (Yin and Song). Dynamic analysis works in two ways: analyzing the difference between defined points and observing run-time behaviour (Ghadhiya and Bhavsar 1). The description of spyware analyzed dynamically therefore provides detailed information about the behaviour of the malware once it is in the computer system.
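The behaviour-based detection mentioned in the previous section and the taint-based dynamic analysis described here can be shown together on a recorded sandbox trace. The following is an added example written for this page, not code from the paper or from any of the sandboxes it cites (CWSandbox, Norman Sandbox, Anubis). It assumes a sandbox has already logged the monitored API calls a sample made, along with the buffers each call read and wrote; a taint label is attached to data produced by sensitive sources (keystrokes, a browser credential file), propagated through intermediate buffers, and reported when it reaches a sink (network send, file write). The API names are borrowed from the Win32 API, but the three traces, the buffer ids and the hosts and paths in them are constructed.

```python
"""Behaviour-based spyware detection over a sandbox trace (added example).

Illustration written for this page, not code from the paper or any sandbox it
cites. Assumes a dynamic-analysis sandbox has recorded the monitored API calls
a sample made and the buffers each call read and wrote. The traces below are
constructed, not real sandbox output.
"""
from dataclasses import dataclass, field


@dataclass
class Call:
    """One monitored API call from the sandbox trace (simplified schema)."""
    api: str                 # monitored API name
    inputs: tuple = ()       # buffer ids the call reads from
    outputs: tuple = ()      # buffer ids the call writes to
    target: str = ""         # remote endpoint or file path, when relevant


@dataclass
class Verdict:
    suspicious: bool
    flows: list = field(default_factory=list)  # "source -> sink (target)"


# Sinks where sensitive data leaving the process is the privacy breach.
SINKS = {"send": "network", "WriteFile": "disk"}


def source_label(call: Call):
    """Return the label of the sensitive data a call produces, or None."""
    if call.api == "GetAsyncKeyState":
        return "keystrokes"
    if call.api == "ReadFile" and call.target.endswith("Login Data"):
        return "credential file"
    return None


def analyze_trace(trace):
    """Propagate taint through buffers and report tainted data reaching sinks."""
    taint = {}   # buffer id -> set of source labels carried by that buffer
    flows = []
    for call in trace:
        label = source_label(call)
        if label:
            # Source: every output buffer is tainted with the source label.
            for buf in call.outputs:
                taint.setdefault(buf, set()).add(label)
            continue
        # Propagation: outputs inherit the union of the taint on the inputs,
        # so encrypting or encoding the data does not launder the label.
        incoming = set().union(*(taint.get(buf, set()) for buf in call.inputs))
        for buf in call.outputs:
            taint.setdefault(buf, set()).update(incoming)
        # Sink: tainted input reaching a sink is the flow we report.
        if call.api in SINKS and incoming:
            flows.append(f"{', '.join(sorted(incoming))} -> {SINKS[call.api]} ({call.target})")
    return Verdict(bool(flows), flows)


# Constructed trace: keystrokes are captured, encrypted and sent out.
KEYLOGGER_TRACE = [
    Call("SetWindowsHookEx", target="WH_KEYBOARD_LL"),
    Call("GetAsyncKeyState", outputs=("buf_keys",)),
    Call("CryptEncrypt", inputs=("buf_keys",), outputs=("buf_enc",)),
    Call("send", inputs=("buf_enc",), target="203.0.113.7:443"),
]

# Constructed trace: a browser credential store is copied to a staging file.
CREDENTIAL_TRACE = [
    Call("ReadFile", outputs=("buf_db",),
         target=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Call("WriteFile", inputs=("buf_db",), target=r"C:\Temp\staging.dat"),
]

# Constructed trace: the same APIs used benignly (a document upload), so a
# rule that merely counts "send" calls would produce a false positive here.
BENIGN_TRACE = [
    Call("ReadFile", outputs=("buf_doc",), target=r"C:\Users\alice\report.docx"),
    Call("send", inputs=("buf_doc",), target="203.0.113.7:443"),
]


if __name__ == "__main__":
    for name, trace in [("keylogger", KEYLOGGER_TRACE),
                        ("credential theft", CREDENTIAL_TRACE),
                        ("benign upload", BENIGN_TRACE)]:
        verdict = analyze_trace(trace)
        print(f"{name}: suspicious={verdict.suspicious} flows={verdict.flows}")
```

The benign trace uses the same `ReadFile` and `send` calls as the malicious ones; it is only the origin of the data, not the API sequence, that separates them. That is the advantage of flow-based behaviour analysis over simple API counting, and it also shows why a sandbox must record the data dependencies between calls and not just their names.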
Static analysis methods involve inspecting a program or software without executing it, and are often conducted manually. Static malware analysis uses various methods such as file fingerprinting, file format identification, AV scanning, packer detection and disassembly (Ghadhiya and Bhavsar 1). Static analysis techniques are often discouraged because of the effectiveness of anti-analysis techniques such as code packing, anti-debugging, and control-flow obfuscatio...
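Three of the static steps listed here (file fingerprinting, file format identification and packer detection) together with the signature-based detection described in the previous section are illustrated below. This is an added example written for this page, not code from the paper or from any tool it names. It assumes a signature database keyed by SHA-256 (constructed here from one of the samples), identifies the format from magic bytes rather than the extension, and uses a Shannon-entropy heuristic for packer detection. Both sample "binaries" are constructed; the second has a pseudo-random body standing in for a packed or encrypted payload, and it shows the limitation the paragraph ends on: the packed copy misses the hash signature and is caught only by the entropy check.

```python
"""Static triage of a binary without executing it (added example).

Illustration written for this page, not code from the paper or the tools it
names. The two sample files and the signature database are constructed.
"""
import hashlib
import math
import random


def fingerprint(data: bytes) -> dict:
    """File fingerprinting: the hashes an analyst records and shares."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def file_format(data: bytes) -> str:
    """File-format identification from magic bytes, not the file extension."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] == b"%PDF":
        return "PDF"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packer heuristic: compressed or encrypted payloads approach 8 bits/byte.
    The first 64 bytes (header) are skipped so they do not distort the estimate."""
    return shannon_entropy(data[64:]) >= threshold


# Constructed sample 1: an unpacked "PE" with a repetitive, low-entropy body.
PLAIN_SAMPLE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n" * 50

# Constructed sample 2: the same header followed by a pseudo-random body, as a
# packed or encrypted payload would look. Seeded so the example is repeatable.
_rng = random.Random(20240101)
PACKED_SAMPLE = PLAIN_SAMPLE[:64] + bytes(_rng.getrandbits(8) for _ in range(4096))

# Constructed signature database: SHA-256 of a known-bad file -> detection name.
SIGNATURE_DB = {
    fingerprint(PLAIN_SAMPLE)["sha256"]: "Constructed.Spyware.Sample",
}


def triage(data: bytes) -> dict:
    """Run the static checks and a signature lookup; return the findings."""
    hashes = fingerprint(data)
    return {
        "format": file_format(data),
        "entropy": round(shannon_entropy(data[64:]), 2),
        "packed": looks_packed(data),
        "signature": SIGNATURE_DB.get(hashes["sha256"]),  # None when unknown
        "sha256": hashes["sha256"],
    }


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)]:
        print(name, triage(sample))
```

The entropy threshold of 7.0 bits per byte is a common rule of thumb, not a fixed standard; legitimately compressed resources also score high, so a "packed" result is a reason to unpack and re-fingerprint, not a verdict on its own.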
