Francis Hsu
University of California, Davis
USA

Thomas Ristenpart
University of California, San Diego
USA

Hao Chen
University of California, Davis
USA

Malware is software with malicious intent. Besides viruses and worms,
spyware, adware, and other newer forms of malware have recently
emerged as widely-spread threats to system security. It is difficult
to detect malware reliably because new and polymorphic ones appear
frequently. It is also difficult to remove malware and repair its
damage to the system because some malware programs can extensively
modify a system.

We propose a novel framework for automatically removing malware and
repairing its damage to a system. The primary goal of our framework
is to preserve system integrity. Our framework monitors and logs
untrusted programs' operations. Using these logs, it can completely
remove malware programs and their effects on the system, and reliably
restore the infected data. Our framework does not require signatures
or other prior knowledge of malware behavior. We implemented this
framework on Windows and evaluated it with seven spyware, trojan
horses, and email worms. Comparing our tool with two popular
commercial anti-malware tools, we found that our tool detected all the
malware's modifications to the system detected by the commercial
tools, but the commercial tools overlooked up to 97% of the
modifications detected by our tool. The runtime overhead and log
space overhead of our prototype tool are acceptable. Our experience
suggests that this framework offers an effective new defense against
malware.

Keywords: malware, integrity, system recovery

Read Paper (in PDF)