TQAna - Behavior Based Malware Detection

About TQAna

Spyware is a class of malicious code that is surreptitiously installed on victims' machines. Once active, it silently monitors the behavior of users, records their web surfing habits, and steals their passwords. Current anti-spyware tools operate in a way similar to traditional virus scanners. That is, they check unknown programs against signatures associated with known spyware instances. Unfortunately, these techniques cannot identify novel spyware, require frequent updates to signature databases, and are easy to evade by code obfuscation.
TQAna, on the other hand, is able to identify unknown spyware instances by dynamically analyzing the sample and observing its behavior. The flow of sensitive information through the system is observed using a taint tracking mechanism. Based on the operations the sample under evaluation performs on this data, TQAna classifies the sample as benign or malicious.
TQAna focuses on so-called BHOs (Browser Helper Objects), which are essentially plugins for Microsoft's Internet Explorer.
The project is designed as an offline analysis tool that helps a human analyst gain detailed knowledge of the operations such a BHO carries out during execution.
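The following is an added example, not TQAna's code, that illustrates the principle described above at a much simpler level: sensitive inputs are tagged with taint labels, every operation propagates the labels (including an obfuscating transform such as base64, which must not strip taint), and the sample is classified as malicious only if tainted data reaches a sink through which it leaves the browser. The operation names, the sink policy (`LEAK_SINKS`), and the two sample behaviour traces are all constructed for this example; the real system tracks taint at the instruction level inside an emulator rather than over a list of high-level operations.

```python
import base64
from dataclasses import dataclass

# Sinks through which data leaves the browser process. Tainted data reaching
# one of these is treated as a leak. This policy is an assumption made for
# the example, not TQAna's actual rule set.
LEAK_SINKS = {"net_send", "file_write"}


@dataclass(frozen=True)
class Tainted:
    """A value plus the set of sensitive sources it (transitively) derives from."""
    value: str
    labels: frozenset = frozenset()


class TaintVM:
    """Executes a list of high-level operations while propagating taint labels."""

    def __init__(self):
        self.vars = {}
        self.trace = []   # every operation that touched tainted data (for the analyst)
        self.leaks = []   # (sink, labels) for tainted data reaching a leak sink

    def source(self, name, value, label):
        """Sensitive input (e.g. the URL being visited) enters with a taint label."""
        self.vars[name] = Tainted(value, frozenset({label}))

    def const(self, name, value):
        """Untainted program constant."""
        self.vars[name] = Tainted(value)

    def concat(self, dst, a, b):
        """The result carries the union of both operands' labels."""
        x, y = self.vars[a], self.vars[b]
        self.vars[dst] = Tainted(x.value + y.value, x.labels | y.labels)
        self._note("concat", dst)

    def encode(self, dst, src):
        """Obfuscating transforms (base64 here) must not strip taint."""
        x = self.vars[src]
        self.vars[dst] = Tainted(base64.b64encode(x.value.encode()).decode(), x.labels)
        self._note("encode", dst)

    def sink(self, kind, src):
        """Record tainted data reaching any sink; count it as a leak only for LEAK_SINKS."""
        x = self.vars[src]
        if x.labels:
            self.trace.append((kind, src, sorted(x.labels)))
            if kind in LEAK_SINKS:
                self.leaks.append((kind, x.labels))

    def _note(self, op, name):
        if self.vars[name].labels:
            self.trace.append((op, name, sorted(self.vars[name].labels)))


def run(program):
    """Execute a constructed operation list and return the VM with its trace and leaks."""
    vm = TaintVM()
    for op, *args in program:
        getattr(vm, op)(*args)
    return vm


def classify(program):
    """Benign unless tainted data reached a sink that leaves the browser."""
    return "malicious" if run(program).leaks else "benign"


# Constructed sample behaviours (not real BHO traces); the hostnames are placeholders.
SPYWARE_SAMPLE = [
    ("source", "url", "https://bank.example/login", "URL"),
    ("const", "prefix", "http://collector.invalid/?u="),
    ("concat", "payload", "prefix", "url"),
    ("encode", "enc", "payload"),
    ("sink", "net_send", "enc"),
]
BENIGN_SAMPLE = [
    ("source", "url", "https://bank.example/login", "URL"),
    ("sink", "ui_display", "url"),      # shown in the toolbar, stays local
    ("const", "cfg", "enabled=1"),
    ("sink", "file_write", "cfg"),      # untainted configuration write
]

if __name__ == "__main__":
    for name, prog in (("spyware", SPYWARE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        vm = run(prog)
        print(name, "->", classify(prog))
        for entry in vm.trace:
            print("   ", entry)
```

The `trace` list is what an offline tool would hand to the analyst: it records every operation that touched tainted data, so the verdict can be checked against the concrete steps (here: concatenation, encoding, then a network send) rather than taken on trust.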

Status

Completed.
Paper submitted, accepted and presented at USENIX Annual Technical Conference 2007. [Slides]

Documentation / Publications

So far, there is no documentation available.
The paper was published in the proceedings of the USENIX ATC 2007. You can download it here.

Software

It is currently not certain whether the source code will be released. Another project that uses TQAna is near completion, and the sources may be released together.

Authors

TQAna was developed by Manuel Egele.


Last Modified: Tue Feb 19 15:38:29 CET 2008


Secure Systems Lab / Technical University of Vienna www.seclab.tuwien.ac.at