The advent and rapid growth of an underground economy that trades stolen digital credentials has spurred the growth of crimeware-driven bots and other malware that harvest sensitive data from unsuspecting users. This form of malevolent software uses a variety of techniques from web-based form grabbing and keystroke logging to screen and video capturing for the purpose of pilfering data on remote hosts to execute a financial crime. The targets of such malware range from individual users and small companies to the wealthiest organizations.
Traditional crimeware detection techniques rely on comparing signatures of known malicious instances to identify unknown samples or on anomaly-based detection techniques in which host behaviors are monitored for large deviations from baseline behaviors. However, these approaches suffer from a large number of known weaknesses. For example, signature-based approaches can be useful when a signature is known, but due to the large number of possible variants, learning and searching all of the possible signatures to identify unknown binaries is intractable. In another example, anomaly-based approaches are susceptible to false positives and false negatives, thereby limiting their potential utility. Consequently, a significant amount of existing crimeware or malware currently operates undetected by these crimeware detection techniques.
Another drawback to these detection techniques, such as conventional host-based antivirus software, is that it typically monitors from within its host computer. This makes the antivirus software vulnerable to evasion or subversion by malware. More particularly, the number of malware attacks that disable defenses, such as antivirus software, prior to undertaking some malicious activity is constantly increasing.
There is therefore a need in the art for approaches that detect covert malware. Accordingly, it is desirable to provide methods, systems, and media that overcome these and other deficiencies of the prior art.