Back to the Future: A Framework for Automatic Malware Removal
Malware, software with malicious intent, has emerged as a
widespread threat to system security. It is difficult to detect
malware reliably because new and polymorphic malware programs appear
frequently. It is also difficult to remove malware and repair its
damage to a system because it can extensively modify the system.
In this paper, we propose a novel framework for automatically removing
malware from and repairing its damage to a system. The primary goal
of our framework is to preserve system integrity. Our framework
monitors and logs untrusted programs' operations. Using these logs,
it can completely remove malware programs and their effects on the
system. Our framework does not require signatures or other prior
knowledge of malware behavior. We implemented this framework on
Windows and evaluated it with seven samples of spyware, Trojan horses,
and email worms. Comparing our tool with two popular commercial anti-malware
tools, we found that our tool detected all the malware's modifications
to the system detected by the commercial tools, but the commercial
tools overlooked up to 97% of the modifications detected by our tool.
The runtime and space overhead of our prototype tool is acceptable.
Our experience suggests that this framework offers an effective new
defense against malware.
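As an added illustration of the log-and-undo idea in the abstract, not code from the paper or its Windows prototype: a file-level stand-in in which an untrusted program's writes and deletes are logged together with their pre-images, and removal replays the log in reverse. The names UndoLog, read_bytes, snapshot_dir and simulate, and the files in the scenario, are assumptions made for the example.

```python
import os
import tempfile

def read_bytes(path):  # contents of path, or None if absent (its pre-image)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()

class UndoLog:  # hypothetical stand-in for the framework's operation log
    def __init__(self):
        self.entries = []  # (operation, path, prior_content), execution order

    def write(self, path, data):
        self.entries.append(("write", path, read_bytes(path)))
        with open(path, "wb") as f:
            f.write(data)

    def delete(self, path):
        self.entries.append(("delete", path, read_bytes(path)))
        os.remove(path)

    def undo_all(self):
        # Reverse order: later changes are reverted first, so a file's creation
        # entry is reached only after any later delete of it has been undone.
        for _op, path, prior in reversed(self.entries):
            if prior is None:  # the program created this file: remove it
                os.remove(path)
            else:  # it modified or deleted the file: restore the pre-image
                with open(path, "wb") as f:
                    f.write(prior)
        self.entries.clear()

def snapshot_dir(root):  # name -> contents for every file directly under root
    return {n: read_bytes(os.path.join(root, n)) for n in os.listdir(root)}

def simulate(root=None):
    """Constructed scenario; returns (state after malware ran, state after undo)."""
    root = root or tempfile.mkdtemp()
    for name, data in (("hosts", b"127.0.0.1 localhost\n"), ("config.ini", b"[app]\n")):
        with open(os.path.join(root, name), "wb") as f:  # trusted, pre-existing
            f.write(data)
    log, dropped = UndoLog(), os.path.join(root, "dropper.bin")
    log.write(dropped, b"constructed payload")                          # drops a file
    log.write(os.path.join(root, "hosts"), b"0.0.0.0 update.example\n")  # tampers
    log.delete(os.path.join(root, "config.ini"))                        # deletes
    log.write(dropped, b"updated payload")                              # rewrites own
    after_run = snapshot_dir(root)
    log.undo_all()
    return after_run, snapshot_dir(root)
```

The scenario deliberately includes a file the program creates and later rewrites, which shows why the log must also keep pre-images of the program's own files: the rewrite is undone first, and only then is the creation reverted.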
An extended abstract will appear in the Proceedings of the Annual Computer Security Applications Conference 2006.
The full version is available as a PDF.
List of Updates:
Sep 28, 2006