In this thesis we study potentially unwanted programs (PUP), a category of undesirable software that, while not outright malicious, contains behaviors that may alter the security state or the privacy of the system on which it is installed. PUP often comes bundled with freeware, i.e., proprietary software that can be used free of charge. A popular vector for distributing freeware is download portals, i.e., websites that index, categorize, and host programs. Download portals can be abused to distribute PUP. Freeware is often distributed as an installer, i.e., an auxiliary program in charge of performing all installation steps for the target program. During installation, besides the target program desired by the user, the installer may install PUP as well. PUP may be difficult to uninstall and may remain installed in the system after the user tries to uninstall it. Current malware analysis systems are not able to detect and analyze characteristic behaviors of PUP. For example, current malware analysis systems operate on a single program execution, while detecting incomplete PUP uninstallations requires analyzing two program executions together: the installation and the uninstallation.

This thesis presents novel tools to detect and analyze potentially unwanted programs. More concretely, it describes three main contributions. First, it presents a measurement study of PUP prevalence in download portals, exposing the abusive behaviors that authors of malicious software use to distribute their applications through download portals. Second, it proposes a system especially designed to dynamically detect and analyze PUP behaviors during program installation and uninstallation. Third, it describes AVCLASS, an automatic labeling tool that, given the AV labels for a potentially massive number of samples, outputs the most likely family for each sample.

To analyze the distribution of PUP through download portals, we build a platform to crawl download portals and apply it to download 191K Windows freeware installers from 20 download portals. We analyze the collected installers, measuring an overall ratio of PUP and malware between 8% (conservative estimate) and 26% (lax estimate). In 18 of the 20 download portals examined the amount of PUP and malware is below 9%. But we also find two download portals exclusively used to distribute PPI downloaders. We also detail different abusive behaviors that authors of undesirable programs use to distribute their programs through download portals.

We present a platform to perform dynamic behavioral analysis of an input installer. Our platform executes the installer, navigates it to complete a successful installation, analyzes the installation to identify PUP behaviors, identifies the list of installed programs regardless of the installation location, checks whether each installed program has a corresponding uninstaller, executes the uninstallers, analyzes the uninstallation to identify PUP behaviors, and correlates the installation and uninstallation executions to determine if all installe...
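The correlation step the abstract describes (joining an installation trace with the later uninstallation trace to find what the uninstaller left behind, and which installed programs never registered an uninstaller) is illustrated below with an added example; this is not the thesis's own code, and the event traces, the parent-directory-as-program-name heuristic and the Run/Uninstall key matching are assumptions made here.

```python
# Constructed sample traces (not real sandbox output): (kind, op, path) events
# recorded while the installer ran, and later while its uninstaller ran.
INSTALL_TRACE = [
    ("file", "create", r"C:\Program Files\Target\target.exe"),
    ("file", "create", r"C:\Program Files\Target\uninstall.exe"),
    ("registry", "create", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Target"),
    # bundled PUP dropped by the same installer, with a logon autostart entry
    ("file", "create", r"C:\Users\alice\AppData\Local\Toolbar\toolbar.dll"),
    ("registry", "create", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Toolbar"),
]
UNINSTALL_TRACE = [
    ("file", "delete", r"C:\Program Files\Target\target.exe"),
    ("file", "delete", r"C:\Program Files\Target\uninstall.exe"),
    ("registry", "delete", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Target"),
]

UNINSTALL_KEY = "\\CurrentVersion\\Uninstall\\"  # where installed programs register
RUN_KEY = "\\CurrentVersion\\Run\\"              # logon autostart entries


def changed(trace, op):
    """Artifacts (kind, path) touched by one operation type in a trace."""
    return {(kind, path) for kind, o, path in trace if o == op}


def leftovers(install_trace, uninstall_trace):
    """Artifacts created at install time that no uninstallation deleted.
    This cannot be computed from a single execution: it needs both traces."""
    return sorted(changed(install_trace, "create") - changed(uninstall_trace, "delete"))


def autostart_leftovers(left):
    """Leftover registry entries under a Run key: PUP that keeps starting at logon."""
    return [path for kind, path in left if kind == "registry" and RUN_KEY in path]


def programs_without_uninstaller(install_trace):
    """Program directories populated at install time with no Uninstall entry.
    Assumed heuristic: program name = parent directory of each created file,
    matched case-insensitively against the Uninstall subkey name."""
    registered = {path.rsplit("\\", 1)[1].lower()
                  for kind, _, path in install_trace
                  if kind == "registry" and UNINSTALL_KEY in path}
    programs = {path.rsplit("\\", 2)[-2].lower()
                for kind, op, path in install_trace
                if kind == "file" and op == "create"}
    return sorted(programs - registered)


if __name__ == "__main__":
    left = leftovers(INSTALL_TRACE, UNINSTALL_TRACE)
    for kind, path in left:
        print(f"leftover {kind}: {path}")
    print("autostart leftovers:", autostart_leftovers(left))
    print("installed without uninstaller:", programs_without_uninstaller(INSTALL_TRACE))
```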