A new technique for detecting and blocking the installation of a malicious software based on the reputation of loadpoint n-grams

Friday 6 October 14:30 - 15:00, Red room

Sujit Magar (Symantec)
Prachi Jhanwar (Symantec)
Nitin Shekokar (Symantec)

Deploying a loadpoint entry is an integral part of installation for every malicious payload. It enables the payload to launch and execute every time the system boots. However, loadpoint entries are not used as standalone detection entities. Instead, anti-virus software only cleans them up if the associated files are detected, either in a static scan or based on their behaviour.

At Symantec, we researched the possibility of using loadpoint entries, or what we call loadpoint trigrams, as standalone detection entities. By identifying unique loadpoint trigrams from internal telemetry collected over a predefined period and studying their associations with Ground Truth Good and Bad files, low-confidence Good and Bad files and Unknown files, as well as honouring their prevalence and age, we were able to successfully validate the idea. Even in its most restricted form, based on the confidence in the disposition of the trigram, the technology could successfully be used to either block an attack, prompt the user, or silently submit files and associated telemetry for backend validation. As part of this paper, we will present the research performed and the results obtained that helped us validate the idea as well as apply for a patent for this new technique for detecting malware. We also plan to present the results from trials performed on live telemetry, the TP and FP ratios, and the overall effectiveness of the system.





