The Solution Write a spyware detection program that does not use a reference list. Instead, find spyware using tests that look for files that exhibit traits common to spyware programs. These traits include file size, name, type, location and creation date. This way, the program does not need to be constantly updated, and is not bound by what its creator has deemed spyware. The program scans a computer, testing all files and directories it encounters, and decides what files are spyware based on the tests that they pass. Some example directory tests No executable file except for the uninstall file No executable files, and a dll file with a similar name as the directory itself A lot of large dat files The Problem Most spyware detection tools work by using their own lists of known spyware programs. This means that anything not on this list will not be caught, including anything released since the last update, or programs that the maker of the tool has decided are not spyware. Testing Patterns look for certain traits in a file’s name, size and type. Each pattern has a code associated with it, so that when a file matches a pattern its own code reflects this. Pattern Code SizePattern 400, NamePattern “spy” TypePattern “exe” Tests are combinations of patterns that are common among spyware files. Each test has a code associated with it, which is the combination of the codes making up its patterns. Tests also have probabilities associated with them, and any time a file passes a given test its probability of being spyware is increased according to that test’s probability value. Test Code SpywareExe – looks for exe files with the word ‘spy’ in the name SmallExe – looks for exe files between 400 and 800 bytes Files can easily be tested by bitwise-anding their pattern codes (code for the patterns that file has passed) with each test’s code. If the result of this operation is the same as the test’s code, then the file has passed that test. Filename Size Pattern Code Pattern & SpywareExe Code Pattern & SmallExe Code Spyware.exe 2KB (PASS) (FAIL) kernel32.dll 450B (FAIL) (FAIL) Senior Project – Computer Science SPYWARE DETECTION Jeff Rosenberg Advisor: Professor Hemmendinger Spyware can cause an infected machine to look like this one. Lots of popup ads, unwanted toolbars and advertisements, and an internet connection so slow it is almost unusable. Program Interface Sometimes it is impossible to distinguish between what is spyware and what isn’t. So, the program gives the user the option to mark any detected files as ‘good,’ meaning they will be saved to a special list and never detected again. Files are removed by moving them to a special quarantine folder and appending some extra characters to their names. This way they cannot be executed as normal, since they won’t be able to be found. Files that are already running can’t be moved, so a special cleanup program is executed on the next restart to move and rename these files before they have a chance to start. A value is placed in the registry to tell the system to run the cleanup program the next time it restarts. Any number of files can be selected for removal or to be marked as not spyware. Future Work Learning - have the program adjust test parameters on the fly, in reaction to the user’s input. Also, have it create new tests based on new traits that it sees exhibited by spyware programs. Optimization – there is a lot of room for speed improvements in some of the algorithms used for searching. A computer can be searched starting from any root directory, with all the results displayed along with their probabilities of being spyware. Date Testing These files in C:\Windows\ system32\ were all created at the exact same time – a good indication of spyware. These other files in C:\Program Files\ are not part of a large cluster, but have the same creation date as those files above, another good indication of spyware.