Article type: Research Article
Authors: Continella, Andrea [a],* | Carminati, Michele [a] | Polino, Mario [a] | Lanzi, Andrea [b] | Zanero, Stefano [a] | Maggi, Federico [a]
Affiliations: [a] Politecnico di Milano, Italy. E-mails: andrea.continella@polimi.it, michele.carminati@polimi.it, mario.polino@polimi.it, stefano.zanero@polimi.it, federico.maggi@polimi.it | [b] Università degli Studi di Milano, Italy. E-mail: andrea.lanzi@unimi.it
Correspondence: [*] Corresponding author. E-mail: andrea.continella@polimi.it.
Abstract: Information stealers have reached a high level of sophistication, and the number of families and variants observed has increased exponentially in recent years. Furthermore, these trojans are sold on underground markets together with automated frameworks that include web-based administration panels, builders and customization procedures. From a technical point of view, such malware is equipped with a functionality, called WebInject, that uses API hooking to intercept all sensitive data in the browser context and to modify web pages on infected hosts. In this paper we propose Prometheus, an automatic system that analyzes trojans whose attack technique relies on DOM modifications. Prometheus identifies the injection operations performed by the malware and generates signatures based on the injection behavior. Furthermore, it extracts the WebInject targets using memory forensics techniques. We evaluated Prometheus against real-world, online websites and a dataset of distinct variants of financial trojans. Our experiments show that the approach correctly recognizes known variants of WebInject-based malware and successfully extracts the WebInject targets.
Keywords: WebInject, banking trojan, info-stealer
DOI: 10.3233/JCS-15773
Journal: Journal of Computer Security, vol. 25, no. 2, pp. 117-137, 2017
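The abstract describes WebInject-based trojans as malware that modifies the DOM of a banking page on the infected host, and Prometheus as a system that identifies those injection operations and derives signatures from the injection behavior. The following is an added illustration of that detection idea, not the Prometheus code or any code from the paper: it compares the form controls of a page as served (a clean reference) with the page rendered on a suspect host and reports the controls that exist only on the suspect side, then builds a simple order-independent signature from them. The two HTML snippets are constructed samples, and the signature format is an assumption made for this example.

```python
"""Detect WebInject-style DOM modifications by diffing form controls.

Illustrative example (not the Prometheus implementation). A WebInject
replaces part of a legitimate page with attacker-controlled HTML, typically
adding form fields (card number, PIN, OTP) that the genuine page never had.
Given the HTML of the page as served and the HTML rendered on a suspect
host, we report the controls present only on the suspect side.
"""
from html.parser import HTMLParser

# Constructed sample: the genuine login page as a clean machine renders it.
CLEAN_HTML = """
<form action="/login" method="post">
  <label>User ID</label><input type="text" name="userid">
  <label>Password</label><input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same page on an infected host, with two injected
# fields asking for data the real bank never requests at login.
INFECTED_HTML = """
<form action="/login" method="post">
  <label>User ID</label><input type="text" name="userid">
  <label>Password</label><input type="password" name="password">
  <label>Card number</label><input type="text" name="cardnumber">
  <label>ATM PIN</label><input type="password" name="pin">
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (tag, name, type) for every form control in the document."""

    FORM_TAGS = {"input", "select", "textarea"}

    def __init__(self):
        super().__init__()
        self.fields = []

    # handle_startendtag falls back to this, so <input .../> is covered too.
    def handle_starttag(self, tag, attrs):
        if tag in self.FORM_TAGS:
            a = dict(attrs)
            # An <input> without an explicit type is a text field per HTML.
            default_type = "text" if tag == "input" else None
            self.fields.append((tag, a.get("name"), a.get("type", default_type)))


def form_fields(html):
    """Return the ordered list of (tag, name, type) controls in the HTML."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(clean_html, suspect_html):
    """Return controls present on the suspect page but absent from the clean one."""
    clean = set(form_fields(clean_html))
    return [f for f in form_fields(suspect_html) if f not in clean]


def injection_signature(fields):
    """Build an order-independent signature of the injected controls.

    Assumption for this example: samples injecting the same set of
    (tag, name, type) controls share the same injection behaviour.
    """
    return "|".join(sorted(f"{tag}:{name}:{typ}" for tag, name, typ in fields))


if __name__ == "__main__":
    extra = injected_fields(CLEAN_HTML, INFECTED_HTML)
    for tag, name, typ in extra:
        print(f"injected control: <{tag} name={name!r} type={typ!r}>")
    print("signature:", injection_signature(extra))
```

Two caveats a practitioner should keep in mind. The clean reference must come from a fetch the malware cannot touch (a known-good host, not the infected one), since the hook operates inside the browser and the page as seen on the infected machine is already modified. And a diff of form controls only catches injections that add or rename fields; a WebInject that rewrites text, attributes or script blocks requires a diff over the whole DOM tree rather than over controls alone.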