Poster: Detecting webinjects through live memory inspection


Information stealing malware—a growing threat, which provokes billion-dollar losses every year—usually obtains sensitive information by modifying the content that the user’s browser renders when visiting specific (e.g., banking) websites. This poster addresses the problem of detecting when a machine is infected by such trojans. We propose IRIS, an automatic kernel space module that analyzes the memory of the user’s browser to spot the artifacts of malicious web-injections by means of a signature matching mechanism. We leverage the signatures generated by Prometheus, an automatic system that analyzes information stealing malware by observing the differences that they produce in the infected DOMs and by generating signatures of the injection behavior. Preliminary results, conducted against real-world variants of financial trojans, show that our system can successfully detect such malware.

IEEE Symposium on Security and Privacy (S&P)