Architecture for analyzing Potentially Unwanted Applications

Loading...
Thumbnail Image
Journal Title
Journal ISSN
Volume Title
Perustieteiden korkeakoulu | Master's thesis
Date
2016-10-27
Department
Major/Subject
Computer Science
Mcode
SCI3068
Degree programme
Master’s Programme in Computer, Communication and Information Sciences
Language
en
Pages
149+8
Series
Abstract
The spread of potentially unwanted programs (PUP) and its supporting pay par install (PPI) business model have become relevant issues in the IT security area. While PUPs may not be explicitly malicious, they still represent a security hazard. Boosted by PPI companies, PUP software evolves rapidly. Although manual analysis represents the best approach for distinguishing cleanware from PUPs, it is inapplicable to the large amount of PUP installers appearing each day. To challenge this fast evolving phenomenon, automatic analysis tools are required. However, current automated malware analisyis techniques suffer from a number of limitations, such as the inability to click through PUP installation processes. Moreover, many malware analysis automated sandboxes (MSASs) can be detected, by taking advantage of artifacts affecting their virtualization engine. In order to overcome those limitations, we present an architectural design for implementing a MSAS mainly targeting PUP analysis. We also provide a cross-platform implementation of the MSAS, capable of running PUP analysis in both virtual and bare metal environments. The developed prototype has proved to be working and was able to automatically analyze more that 480 freeware installers, collected by the three top most ranked freeware websites, such as cnet.com, filehippo.com and softonic.com. Eventually, we briefly analyze collected data and propose a first strategy for detecting PUPs by inspecting intercepted HTTP traffic.
Description
Supervisor
Aura, Tuomas
Thesis advisor
Antikainen, Markku
Keywords
PUP, security, PUA, MSAS, potentially unwanted application
Other note
Citation