Defending from financially-motivated software abuses

Abstract

Software is involved in every aspect of our world, from our homes to large enterprises, and, in particular, it manages our data. As a consequence, software abuses can drastically impact our lives, for instance causing substantial financial losses or affecting people’s privacy. This attracted the attention of cybercriminals, who found in this scenario a lucrative business. In fact, in the past twenty years the motivation behind the cybercriminals’ modus operandi has changed. No longer searching only for notoriety and fame, they have turned their attention to financial gain. Indeed, malicious software, “malware,” is one of the most dangerous Internet threats nowadays. This dissertation details our research on the analysis and detection of current software abuses, with the aim of protecting users from such threats. Specifically, we focus on three main threats, which have caused billions of dollars in losses in the past years. First, we concentrate on information-stealing malware, also known as “banking Trojans.” The purpose of these Trojans is to steal banking credentials and any other kind of private information by loading code in memory and hooking the network-related operating-system APIs used by web browsers. Second, we focus on a major class of malware, known as ransomware, which encrypts files, preventing legitimate access until a ransom is paid. Finally, we analyze the privacy issues in the mobile world by studying the problem of privacy leaks. Mobile apps are notorious for collecting a wealth of private information from users. Such information is particularly attractive. For instance, cybercriminals are known to sell users’ private information on underground markets, and advertisement libraries massively collect users’ data to illicitly increase their profits.
Our contributions regarding banking Trojans focus on extracting robust, behavioral signatures of their malicious behavior by combining web-page differential analysis and memory forensics techniques. The produced signatures can then be used, on the client side, to detect such Trojans in a more generic way, independently of their specific implementation, and to protect victims’ machines. Our contributions regarding ransomware focus on designing behavioral detection models and proposing a novel defense mechanism that mitigates its effectiveness by equipping modern operating systems with practical self-healing capabilities. We designed our detection models after an analysis of billions of low-level filesystem I/O requests generated by thousands of benign applications, which we collected from clean machines in use by real users for about one month. Our contributions regarding mobile privacy leaks focus on proposing a novel, obfuscation-resilient approach to detect privacy leaks by applying network differential analysis. To make differential analysis practical, our approach leverages a novel technique that performs root cause analysis of non-determinism in the network behavior of Android apps.

Type
Thesis
Publication
PhD Thesis