Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines

Authors:
Danial Javaheri
Mehdi Hosseinzadeh
Amir Masoud Rahmani
Source:
IEEE Access, Vol 6, Pp 78321-78332 (2018)
Publication Year:
2018
Publisher:
IEEE, 2018.

Abstract

Spyware is the most complex, obfuscated, and targeted class of malware, and it has grown dramatically in recent years. Spyware is designed for secret, long-term, and persistent missions. This paper provides a novel method for detecting, tracking, and confronting stealthy and obfuscated spyware and ransomware, including keyloggers, screen recorders, and blockers. The proposed method is based on dynamic behavioral analysis through deep and transparent hooking of kernel-level routines. We used linear regression, JRIP, and J48 decision tree algorithms as classifiers to recognize three classes of malware. This paper presents the main architectural plan of an anti-spyware application that tracks spyware footprints in order to detect and force-terminate running processes, eliminate executable files, and restrict network communications. The efficiency of the proposed method was evaluated from the viewpoint of accuracy in detecting real-world samples of spyware by ROC curve analysis, and from the viewpoint of the success rate in effectively confronting active spyware. Our proposed method was able to recognize spyware with an accuracy of about 93% and an error rate near 7%. In addition, the proposed system can disinfect an operating system infected by spyware with a hit rate of about 82%.

Details

Language:
English
ISSN:
21693536
Volume:
6
Database:
Directory of Open Access Journals
Journal:
IEEE Access
Publication Type:
Academic Journal
Accession number:
edsdoj.5161296f8ae449428df81bcce72faf22
Document Type:
article
Full Text:
https://doi.org/10.1109/ACCESS.2018.2884964