Prometheus: Automatic signature generation for WebInject-based banking trojan detection

Jun 12, 2017 1 min read

The goal of this project is to extract signatures that capture the WebInject behavior of trojans. WebInject-based trojans are still the most popular e-crime tool.

Prometheus (formerly Zarathustra) is based on a technique that we call web page differential analysis, which extracts and generates a model of the differences between a web page visited from an infected (virtual) machine and the very same page visited from a clean machine. These differences are unavoidable for the malware to carry out its functionality, and thus allow to create robust indicators of compromise. We generalize these differences using custom heuristics to reduce the chances of false positives.

References

Andrea Continella, Michele Carminati, Mario Polino, Andrea Lanzi, Stefano Zanero, Federico Maggi (2017). Prometheus: Analyzing WebInject-based information stealers. Journal of Computer Security.

Claudio Criscione, Fabio Bosatelli, Stefano Zanero, Federico Maggi (2014). Zarathustra: Extracting WebInject Signatures from Banking Trojans. Proceedings of the Twelfth Annual International Conference on Privacy, Security and Trust (PST).

PDF