Back to the Future: A Framework for Automatic Malware Removal

Francis Hsu, Hao Chen, Thomas Ristenpart, Jason Li, and Zhendong Su

Malware, software with malicious intent, has emerged as a widely-spread threat to system security. It is difficult to detect malware reliably because new and polymorphic malware programs appear frequently. It is also difficult to remove malware and repair its damage to a system because it can extensively modify the system. In this paper, we propose a novel framework for automatically removing malware from and repairing its damage to a system. The primary goal of our framework is to preserve system integrity. Our framework monitors and logs untrusted programs' operations. Using these logs, it can completely remove malware programs and their effects on the system. Our framework does not require signatures or other prior knowledge of malware behavior. We implemented this framework on Windows and evaluated it with seven spyware, trojan horses, and email worms. Comparing our tool with two popular commercial anti-malware tools, we found that our tool detected all the malware's modifications to the system detected by the commercial tools, but the commercial tools overlooked up to 97% of the modifications detected by our tool. The runtime and space overhead of our prototype tool is acceptable. Our experience suggests that this framework offers an effective new defense against malware.

An extended abstract will appear in the Proceedings of the Annual Computer Security Applications Conference 2006.

Full Version:
Full version is available as a pdf.

List of Updates:
Sep 28, 2006