A new technique for detecting and blocking the installation of a malicious software based on the reputation of loadpoint n-grams

Presented at VB2017, Oct. 6, 2017, 2:30 p.m. (30 minutes)

Deploying a loadpoint entry is an integral part of the installation of every malicious payload: it enables the payload to launch and execute every time the system boots. However, loadpoint entries are not used as standalone detection entities. Instead, anti-virus software only cleans them up if the associated files are detected, either in a static scan or based on their behaviour. At *Symantec*, we researched the possibility of using loadpoint entries, or what we call loadpoint trigrams, as standalone detection entities. By identifying unique loadpoint trigrams from internal telemetry collected over a predefined period and studying their associations with Ground Truth Good and Bad files, low-confidence Good and Bad files and Unknown files, while also honouring their prevalence and age, we were able to validate the idea. Even in its most restricted form, based on the confidence in the disposition assigned to the trigram, the technology can be used to block an attack, prompt the user, or silently submit files and associated telemetry for backend validation. In this paper we present the research performed and the results obtained, which helped us validate the idea and apply for a patent for this new malware detection technique. We also plan to present the results of trials performed on live telemetry, the TP and FP ratios, and the overall effectiveness of the system.
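The abstract describes the ingredients of the technique (trigram identification, association with Ground Truth and low-confidence Good/Bad files and Unknown files, prevalence, age, and a confidence-gated action) without giving the scoring rules. The following is an added illustration, not Symantec's patented method or code: it assumes a trigram is the tuple (loadpoint location, value name, launched file path), assumes ground-truth labels weigh twice as much as low-confidence labels, and uses constructed telemetry records and arbitrary thresholds to show how a per-trigram reputation can drive the block / prompt / submit decision described above.

```python
"""Toy reputation model for loadpoint trigrams (added example, not Symantec's method)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Evidence weights (assumed): (bad_weight, good_weight) per file disposition.
# Ground-truth labels count fully, low-confidence labels half, Unknown files carry
# no direction but still contribute to prevalence (machine count) and age.
WEIGHTS = {
    "gt_bad": (1.0, 0.0), "lc_bad": (0.5, 0.0),
    "gt_good": (0.0, 1.0), "lc_good": (0.0, 0.5),
    "unknown": (0.0, 0.0),
}


@dataclass
class TrigramStats:
    bad: float = 0.0                     # weighted evidence that files behind this trigram are bad
    good: float = 0.0                    # weighted evidence that they are good
    unknown: int = 0                     # files with no disposition yet
    machines: set = field(default_factory=set)   # prevalence: distinct machines reporting it
    age_days: int = 0                    # days since the trigram was first observed


def aggregate(records):
    """records: iterable of (trigram, disposition, machine_id, days_since_first_seen)."""
    stats = defaultdict(TrigramStats)
    for trigram, disposition, machine, age in records:
        s = stats[trigram]
        b, g = WEIGHTS[disposition]
        s.bad += b
        s.good += g
        if disposition == "unknown":
            s.unknown += 1
        s.machines.add(machine)
        s.age_days = max(s.age_days, age)
    return stats


def reputation(s):
    """Score in [-1, 1]: +1 if all directional evidence is bad, -1 if all good, 0 if none."""
    mass = s.bad + s.good
    return 0.0 if mass == 0 else (s.bad - s.good) / mass


def decide(s, min_mass=2.0, min_machines=2):
    """Map a trigram's reputation and confidence to an action (thresholds are assumed)."""
    score = reputation(s)
    confident = (s.bad + s.good) >= min_mass and len(s.machines) >= min_machines
    if score >= 0.8 and confident:
        return "block"           # strong, well-attested bad reputation
    if score >= 0.3:
        return "prompt"          # leans bad but evidence is thin or mixed
    if score <= -0.8 and confident:
        return "allow"           # well-attested good reputation
    return "submit"              # unknown-dominated, young or rare: collect for backend validation


# Constructed sample telemetry (machine ids and paths are made up for the example).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
T_BAD = (RUN, "SysUpdater", r"C:\ProgramData\sys\updater.exe")
T_GOOD = (RUN, "VendorTray", r"C:\Program Files\Vendor\tray.exe")
T_NEW = (RUN, "OneTimeLoader", r"C:\Users\alice\AppData\Roaming\ld.exe")
T_MIXED = (RUN, "Helper", r"C:\Users\Public\helper.exe")

SAMPLE_RECORDS = [
    (T_BAD, "gt_bad", "m1", 30), (T_BAD, "gt_bad", "m2", 30),
    (T_BAD, "lc_bad", "m3", 12), (T_BAD, "unknown", "m4", 3),
    (T_GOOD, "gt_good", "m1", 400), (T_GOOD, "gt_good", "m2", 400),
    (T_GOOD, "lc_good", "m5", 200),
    (T_NEW, "unknown", "m6", 1),
    (T_MIXED, "gt_bad", "m7", 5), (T_MIXED, "lc_good", "m8", 5),
]


def classify_sample():
    """Return {trigram: action} for the constructed telemetry."""
    return {t: decide(s) for t, s in aggregate(SAMPLE_RECORDS).items()}


if __name__ == "__main__":
    for trigram, action in classify_sample().items():
        print(f"{action:7s} {trigram[1]:15s} {trigram[2]}")
```

The point of the split into four actions is that the decision is gated on confidence, not just on the sign of the score: a trigram seen once on one machine with no labelled files never reaches "block" or "allow", it is routed to backend validation, which is where the abstract's "silently submit" path comes from.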
