  • DocumentCode
    598565
  • Title
    Using Infection Markers as a Vaccine against Malware Attacks
  • Author
    Wichmann, Arne; Gerhards-Padilla, Elmar
  • Author_Institution
    Fraunhofer FKIE, Bonn, Germany
  • fYear
    2012
  • fDate
    20-23 Nov. 2012
  • Firstpage
    737
  • Lastpage
    742
  • Abstract
    Malware is used by criminals for financial gain, espionage and sabotage, and its code and evasion techniques are becoming increasingly complex and sophisticated. This means it takes longer for security researchers to analyse a malware sample and develop detection and removal routines, increasing the danger of critical systems becoming infected. In order to prevent multiple infections of the same system, malware often uses infection markers to mark a system as already infected. In this paper, we introduce the concept of using these markers to vaccinate systems against infections by a specific malware family. We discuss the characteristics of infection markers and develop a taxonomy of marker types. Then, we present a framework capable of classifying the infection marker used by a malware sample, which can in most cases automatically extract the marker and generate a vaccination program. Evaluation with a large corpus of malware samples shows that for almost all malware that uses an infection marker, a vaccination program can be generated without the need for a human expert. Two case studies with prominent malware samples, Sality and Conficker, further show the potential of this approach.
  • Keywords
    automatic programming; computer crime; financial data processing; invasive software; pattern classification; Conficker; Sality; automatic marker extraction; critical system; espionage; evasion techniques; financial gains; infection marker classification; malware attack; malware sample; sabotage; taxonomy; vaccinate system; vaccination program generation; Computers; Grippers; Heuristic algorithms; Malware; Software; Taxonomy; Vaccines; intrusion prevention; malware
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Green Computing and Communications (GreenCom), 2012 IEEE International Conference on
  • Conference_Location
    Besancon
  • Print_ISBN
    978-1-4673-5146-1
  • Type
    conf
  • DOI
    10.1109/GreenCom.2012.121
  • Filename
    6468401