Manuel Egele

Behavior-based Spyware Detection: Using Dynamic Taint Analysis Manuel Egele

Generating good signatures for the current anti-spyware toolkits and deploying them in a timely fashion is a demanding task. Even if the signatures are up-to-date, signature based detection techniques usually suffer from the inability to detect novel and unknown threats. We believe that behavior-based approaches are capable of overcoming this drawback. To this end, we implemented TQAna. Our tool is based on taint analysis and function call hooking to provide dynamic analysis that is carried out on an emulated system. Taint analysis, as implemented with TQAna, provides the ability to track data throughout the whole system on hardware level. The observed functions cover most aspects of the Windows operating system, such as network-, and file system access, shared memory, or the dynamic loader. This book addresses system and security researchers in the fields of operating systems and malicious software analysis.