A new technique for detecting and blocking the installation of malicious software based on the reputation of loadpoint n-grams

Friday 6 October 14:30 - 15:00, Red room

Sujit Magar (Symantec)
Prachi Jhanwar (Symantec)
Nitin Shekokar (Symantec)



Deploying a loadpoint entry is an integral part of the installation of every malicious payload: it enables the payload to launch and execute every time the system boots. However, loadpoint entries are not used as standalone detection entities. Instead, anti-virus software only cleans them up if the associated files are detected, either in a static scan or based on their behaviour.

At Symantec, we researched the possibility of using loadpoint entries, or what we call loadpoint trigrams, as standalone detection entities. By identifying unique loadpoint trigrams from internal telemetry collected over a predefined period, studying their associations with Ground Truth Good and Bad files, low-confidence Good and Bad files and Unknown files, and taking into account their prevalence and age, we were able to validate the idea. Even in its most restricted form, based on the confidence in a trigram's disposition, the technology could be used to block an attack, prompt the user, or silently submit files and associated telemetry for backend validation. In this paper we will present the research performed and the results obtained, which helped us validate the idea and apply for a patent on this new malware detection technique. We also plan to present the results of trials on live telemetry, the TP and FP ratios, and the overall effectiveness of the system.
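As an added illustration of the reputation idea sketched above (example code, not the authors' method or Symantec's implementation): a loadpoint trigram is assumed here to be the tuple (loadpoint location, entry name, normalised target path), the disposition weights and decision thresholds are assumed values, and the telemetry records are constructed.

```python
from collections import defaultdict

# Assumed shape of a "loadpoint trigram" (the abstract does not define it):
# (loadpoint location, entry name, normalised target path).
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Weight of each file-disposition class named in the abstract (values are assumed).
WEIGHTS = {"GT_GOOD": 1.0, "LC_GOOD": 0.5, "UNKNOWN": 0.0,
           "LC_BAD": -0.5, "GT_BAD": -1.0}

# Constructed telemetry: (trigram, disposition of the target file, days since first seen).
ONEDRIVE = (RUN_HKCU, "OneDrive", r"%localappdata%\microsoft\onedrive\onedrive.exe")
TEMP_RUN = (RUN_HKCU, "sys_update", r"%temp%\sys_update.exe")
NEW_RARE = (RUN_HKLM, "updater", r"%programdata%\updater\upd.exe")
TELEMETRY = [
    (ONEDRIVE, "GT_GOOD", 400), (ONEDRIVE, "GT_GOOD", 380), (ONEDRIVE, "LC_GOOD", 20),
    (TEMP_RUN, "GT_BAD", 2), (TEMP_RUN, "GT_BAD", 3), (TEMP_RUN, "LC_BAD", 1),
    (NEW_RARE, "UNKNOWN", 1),
]

def build_reputation(telemetry):
    """Aggregate per-trigram evidence: summed disposition weight, prevalence and age."""
    stats = defaultdict(lambda: {"score": 0.0, "prevalence": 0, "age_days": 0})
    for trigram, disposition, age in telemetry:
        s = stats[trigram]
        s["score"] += WEIGHTS[disposition]
        s["prevalence"] += 1
        s["age_days"] = max(s["age_days"], age)
    return dict(stats)

def decide(stats, trigram, min_prevalence=3, min_age_days=7):
    """Map a trigram's reputation to the actions the abstract names (thresholds assumed)."""
    s = stats.get(trigram)
    if s is None:
        return "SUBMIT"   # never seen: send file and telemetry for backend validation
    mean = s["score"] / s["prevalence"]
    if mean <= -0.8 and s["prevalence"] >= min_prevalence:
        return "BLOCK"    # consistently associated with known-bad files
    if mean < 0 or (s["prevalence"] < min_prevalence and s["age_days"] < min_age_days):
        return "PROMPT"   # leaning bad, or too new and rare to trust silently
    return "ALLOW"        # established trigram consistently tied to good files

if __name__ == "__main__":
    reputation = build_reputation(TELEMETRY)
    for trigram in (ONEDRIVE, TEMP_RUN, NEW_RARE):
        print(decide(reputation, trigram), trigram[1])
```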


