The Community for Technology Leaders
Computer Security Applications Conference, Annual (2006)
Miami Beach, Florida, USA
Dec. 11, 2006 to Dec. 15, 2006
ISSN: 1063-9527
ISBN: 0-7695-2716-7
pp: 257-268
Francis Hsu , University of California, Davis, USA
Hao Chen , University of California, Davis, USA
Thomas Ristenpart , University of California, Davis, USA; University of California, San Diego, USA
Jason Li , University of California, Davis, USA; Microsoft Corporation
Zhendong Su , University of California, Davis, USA
Malware, software with malicious intent, has emerged as a widely-spread threat to system security. It is difficult to detect malware reliably because new and polymorphic malware programs appear frequently. It is also difficult to remove malware and repair its damage to the system because it can extensively modify a system. <p>We propose a novel framework for automatically removing malware from and repairing its damage to a system. The primary goal of our framework is to preserve system integrity. Our framework monitors and logs untrusted programs' operations. Using the logs, it can completely remove malware programs and their effects on the system. Our framework does not require signatures or other prior knowledge of malware behavior. We implemented this framework on Windows and evaluated it with seven spyware, trojan horses, and email worms. Comparing our tool with two popular commercial anti-malware tools, we found that our tool detected all the malware's modifications to the system detected by the commercial tools, but the commercial tools overlooked up to 97% of the modifications detected by our tool. The runtime and space overhead of our prototype tool is acceptable. Our experience suggests that this framework offers an effective new defense against malware.</p>

T. Ristenpart, J. Li, H. Chen, Z. Su and F. Hsu, "Back to the Future: A Framework for Automatic Malware Removal and System Repair," 2006 22nd Computer Security Applications Conference(ACSAC), Miami Beach, FL, 2006, pp. 257-268.
312 ms
(Ver 3.3 (11022016))