Prometheus: Automatic signature generation for WebInject-based banking trojan detection

The goal of this project is to extract signatures that capture the WebInject behavior of trojans. WebInject-based trojans are still the most popular e-crime tool.

Prometheus (formerly Zarathustra) is based on a technique that we call web page differential analysis, which extracts and models the differences between a web page visited from an infected (virtual) machine and the very same page visited from a clean machine. The malware cannot avoid introducing these differences if it is to carry out its functionality, so they make it possible to create robust indicators of compromise. We generalize the differences using custom heuristics to reduce the chances of false positives.
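The following is an added, simplified illustration of web page differential analysis; it is not Prometheus' or Zarathustra's own code. It flattens the DOM of a clean and of an infected rendering into (ancestor path, tag, attributes) triples, keeps the elements present only in the infected rendering, generalizes them with one assumed heuristic (attribute values carrying digits, such as randomized ids, become wildcards), keeps only the differences common to several infected visits, and then matches new pages against the resulting signatures. The sample pages and the injected `pin` field are constructed for the example.

```python
"""Added example of web page differential analysis (not the Prometheus code).
The signature format and the generalization heuristic are assumptions."""
import re
from collections import Counter
from html.parser import HTMLParser


class _DomCollector(HTMLParser):
    """Flattens a page into (ancestor path, tag, attributes) triples.
    Text nodes are ignored on purpose: the injected markup (extra form
    fields, scripts) is what is compared, not the page's wording."""

    VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags that are never closed

    def __init__(self):
        super().__init__()
        self.stack = []      # currently open ancestor tags
        self.elements = []   # (path, tag, ((attr, value), ...))

    def handle_starttag(self, tag, attrs):
        path = "/".join(self.stack)
        norm = tuple(sorted((k, v or "") for k, v in attrs))
        self.elements.append((path, tag, norm))
        if tag not in self.VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:                 # tolerate sloppy nesting
            while self.stack.pop() != tag:
                pass


def collect(html):
    parser = _DomCollector()
    parser.feed(html)
    parser.close()
    return parser.elements


_VOLATILE = re.compile(r"\d")   # assumption: values with digits are per-visit noise


def generalize(element):
    """Assumed heuristic: attribute values containing digits (random ids,
    timestamps, cache-busters) are replaced by '*' so the signature does
    not key on values that change between visits."""
    path, tag, attrs = element
    return (path, tag, tuple((k, "*" if _VOLATILE.search(v) else v) for k, v in attrs))


def page_diff(clean_html, infected_html):
    """Elements in the infected rendering that the clean one lacks (multiset
    difference, so a legitimately repeated element is not flagged)."""
    extra = Counter(collect(infected_html)) - Counter(collect(clean_html))
    return set(extra)


def extract_signatures(clean_html, infected_htmls):
    """Differential analysis over several infected visits: keep only the
    generalized differences that occur in every infected run."""
    per_run = [{generalize(e) for e in page_diff(clean_html, h)} for h in infected_htmls]
    return set.intersection(*per_run) if per_run else set()


def _attrs_match(sig_attrs, attrs):
    actual = dict(attrs)
    return all(k in actual and (v == "*" or actual[k] == v) for k, v in sig_attrs)


def match_page(html, signatures):
    """Return the signatures hit by a page; a non-empty result is an indicator."""
    elements = collect(html)
    hits = set()
    for path, tag, sig_attrs in signatures:
        if any(p == path and t == tag and _attrs_match(sig_attrs, a) for p, t, a in elements):
            hits.add((path, tag, sig_attrs))
    return hits


# Constructed sample pages: a clean login form and two infected renderings in
# which an extra field was injected with a different random id each time.
CLEAN = """<html><body><form id="login" action="/auth">
<input type="text" name="user"><input type="password" name="pass">
<input type="submit" value="Login"></form></body></html>"""

INFECTED_RUNS = [
    CLEAN.replace('<input type="submit"',
                  '<input type="text" name="pin" id="inj_8f3a2c"><input type="submit"'),
    CLEAN.replace('<input type="submit"',
                  '<input type="text" name="pin" id="inj_1b7e9d"><input type="submit"'),
]

if __name__ == "__main__":
    sigs = extract_signatures(CLEAN, INFECTED_RUNS)
    for sig in sigs:
        print("signature:", sig)
    print("clean page hits:", match_page(CLEAN, sigs))
    print("infected page hits:", match_page(INFECTED_RUNS[0], sigs))
```

Requiring a difference to appear in every infected run and wildcarding volatile values are the two places where false positives are traded against coverage; a real system would use more heuristics (for example, ignoring known A/B-testing or analytics elements) and render pages with a full browser rather than a stdlib parser.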

References

(2017). Prometheus: Analyzing WebInject-based information stealers. Journal of Computer Security.

(2014). Zarathustra: Extracting WebInject Signatures from Banking Trojans. Proceedings of the Twelfth Annual International Conference on Privacy, Security and Trust (PST).
