DocumentCode :
3092885
Title :
Examining Web-Based Spyware Invasion with Stateful Behavior Monitoring
Author :
Wu, Ming-Wei ; Kuo, Sy-Yen
Author_Institution :
Nat. Taiwan Univ., Taipei
fYear :
2007
fDate :
17-19 Dec. 2007
Firstpage :
275
Lastpage :
281
Abstract :
Spyware infection that exploits the vulnerabilities of client-side Web applications, especially browsers, to install malicious programs has gained significant popularity in recent years. Unlike traditional infection vectors, such as software bundling in shareware/freeware and placing Trojans in pirated versions of commercial software, which generally require user consent to be successfully installed, Web-based spyware attempts exploits on browser vulnerabilities to achieve automatic installation (a.k.a. drive-by download). In this paper, we characterize the behavior of spyware instances collected from software bundling and of those collected from exploit Web pages in terms of auto-start extensibility points (ASEP) and other spyware behaviors. We use a tool called STARS (Stateful Threat-Aware Removal System) that can monitor critical areas of the system and detect advanced features of a spyware instance such as self-healing. Experimental results show that traditional spyware and Web-based spyware use different combinations of ASEPs to resist deletion. The latter hooks to low-level system components and is loaded as services and/or drivers, employing Layered Service Provider (LSP) to interpret network traffic. Our observations identify the unique behaviors performed by Web-based spyware that are rarely found in traditional spyware.
Keywords :
Internet; computer viruses; security of data; telecommunication traffic; Trojan; Web-based spyware invasion; auto-start extensibility points; automatic installation; client-side Web application; commercial software; freeware; layered service provider; malicious programs; network traffic; self-healing; shareware; software bundling; stateful behavior monitoring; stateful threat-aware removal system; Application software; Computer crashes; Computer vision; Degradation; Invasive software; Monitoring; Resists; Security; Telecommunication traffic; Web pages;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Dependable Computing, 2007. PRDC 2007. 13th Pacific Rim International Symposium on
Conference_Location :
Melbourne, Qld.
Print_ISBN :
0-7695-3054-0
Type :
conf
DOI :
10.1109/PRDC.2007.41
Filename :
4459671