CN102446253A - Webpage trojan detection method and system - Google Patents

Publication number: CN102446253A
Authority: CN (China)
Prior art keywords: webpage, activex control, simulation, script, classid
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN2011104395726A
Other languages: Chinese (zh)
Other versions: CN102446253B (en)
Inventors: 宋申雷, 刘起
Current Assignee: 360 Digital Security Technology Group Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Beijing Qihoo Technology Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd
Priority to: CN201110439572.6A
Publication of CN102446253A
Application granted; publication of CN102446253B

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a webpage trojan detection method and system applied in a webpage trojan detection environment. An ActiveX control is simulated; the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control; the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software; and the simulated ActiveX control is installed in the webpage trojan detection environment. The method comprises the following steps: receiving a message, sent through the classid to the simulated ActiveX control by a script running in a webpage, that calls a vulnerable function; returning the corresponding vulnerable function present in the simulated ActiveX control to the script running in the webpage; and monitoring the behavior of the script to determine whether a trojan exists in the webpage. With the invention, the webpage trojan detection environment is compatible with the vulnerabilities of multiple versions of the same software, and the accuracy and extensibility of webpage trojan detection are improved.

Description

A webpage trojan detection method and system
Technical field
The present invention relates to the field of network security technology, and in particular to a webpage trojan detection method and system.
Background
A webpage trojan is an attack technique commonly used by hackers; it usually exploits vulnerabilities in third-party software to attack the operating system. By attack effect, webpage trojans fall into two kinds: one caused by the browser itself and one caused by ActiveX controls. The first kind directly exploits vulnerabilities in the browser itself to carry out a malicious attack; the second in effect uses the browser to attack the user's system indirectly. The second kind mainly exploits vulnerabilities in other third-party software. Take the "MPC" webpage trojan as an example: the object in which the vulnerability arises is not the browser itself but the third-party software "MPC". This means that a user's system can be attacked by this webpage trojan only if "MPC" is installed on it. When the browser visits a page carrying this kind of webpage trojan, the Object element in the page code causes the browser to automatically invoke the other, vulnerable software. The vulnerability is then triggered, the execution flow of the browser is taken over by the webpage trojan, and malicious shellcode is executed next.
To detect whether a webpage contains a webpage trojan, a webpage trojan detection environment can be built. This detection environment is a system running in the cloud that automatically visits webpages on the Internet and judges which of them contain trojans. The precondition is that the vulnerabilities present in the third-party software are known; the environment detects whether a webpage contains a trojan that attacks those known vulnerabilities.
When performing webpage trojan detection, the detection environment usually uses behavior-based detection, that is, it detects whether a webpage contains a trojan according to the concrete behavior observed while the page runs. Therefore, to judge whether a webpage contains a trojan that attacks a vulnerability in some third-party software, that software has to be installed in the detection environment so that the webpage can call the vulnerable function and trigger the attack. By judging whether the vulnerable function is called, it is determined whether the webpage contains a trojan attacking the vulnerability of that third-party software.
However, one third-party software product may exist in several versions, and different versions may have different vulnerabilities. A hacker may mount a combined attack against the vulnerabilities of several versions; that is, one webpage may attack multiple vulnerabilities of different versions of the same software. If the detection environment contains the vulnerabilities of only one version, it cannot cover all of them. If the detection environment has the vulnerability of the higher version while the attacker targets the vulnerability of the lower version, or the environment has the lower-version vulnerability while the attack targets the higher-version one, detection of the trojans in the webpage will end in missed detections or false detections.
If several different versions of the same third-party software could coexist in the detection environment, such combined attacks could be detected and missed or false detections prevented. However, just as several versions of the same software cannot be installed directly on one computer, the same holds in the detection environment, unless several separate detection environments are created, a different version of the software is installed in each, and each is then used to detect webpage trojans attacking its version. This obviously increases the hardware resource consumption of the detection environment greatly and makes the detection process more complicated.
Summary of the invention
The present invention provides a webpage trojan detection method and system that make the webpage trojan detection environment compatible with the vulnerabilities of multiple versions of the same software, improving the accuracy and extensibility of webpage trojan detection.
The present invention provides the following scheme:
A webpage trojan detection method, applied in a webpage trojan detection environment, wherein an ActiveX control is simulated, the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control, the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, and the simulated ActiveX control is installed in the webpage trojan detection environment; the method comprises:
receiving a message, sent through the classid to the simulated ActiveX control by a script running in a webpage, that calls a vulnerable function;
returning the corresponding vulnerable function present in the simulated ActiveX control to the script running in the webpage;
monitoring the behavior of the script in order to determine whether a trojan exists in the webpage.
Wherein, receiving the message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls a vulnerable function comprises:
receiving a message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls a vulnerable function existing in one version of the third-party software.
Wherein, receiving the message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls a vulnerable function comprises:
receiving a message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls vulnerable functions existing in at least two versions of the third-party software.
Wherein, monitoring the behavior of the script in order to determine whether a trojan exists in the webpage comprises:
detecting whether the script running in the webpage actively downloads a trojan file and runs malicious commands;
if so, a trojan exists in the webpage.
Wherein, the Uniform Resource Locator (URL) of the downloaded file is analyzed to judge whether the URL contains the suffix of an executable file format, thereby judging whether the downloaded file is a trojan file.
Wherein, the third-party software is software that enhances browser functionality through an ActiveX control.
A webpage trojan detection system, applied in a webpage trojan detection environment, wherein an ActiveX control is simulated, the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control, the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, and the simulated ActiveX control is installed in the webpage trojan detection environment; the system comprises:
a call request receiving unit, configured to receive a message, sent through the classid to the simulated ActiveX control by a script running in a webpage, that calls a vulnerable function;
a function returning unit, configured to return the corresponding vulnerable function present in the simulated ActiveX control to the script running in the webpage;
a monitoring unit, configured to monitor the behavior of the script in order to determine whether a trojan exists in the webpage.
Wherein, the call request receiving unit comprises:
a first receiving subunit, configured to receive a message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls a vulnerable function existing in one version of the third-party software.
Wherein, the call request receiving unit comprises:
a second receiving subunit, configured to receive a message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls vulnerable functions existing in at least two versions of the third-party software.
Wherein, the monitoring unit comprises:
a detection subunit, configured to detect whether the script running in the webpage actively downloads a trojan file and runs malicious commands;
a determination subunit, configured to determine, if so, that a trojan exists in the webpage.
Wherein, the detection subunit analyzes the Uniform Resource Locator (URL) of the downloaded file to judge whether the URL contains the suffix of an executable file format, thereby judging whether the downloaded file is a trojan file.
Wherein, the third-party software is software that enhances browser functionality through an ActiveX control.
According to the specific embodiments provided by the present invention, the invention discloses the following technical effects:
With the present invention, because the vulnerable functions of multiple versions of the same third-party software are simulated in one ActiveX control, the webpage trojan detection environment can be compatible with the vulnerabilities of multiple versions of the same software. Trojans in webpages are therefore detected more comprehensively, the accuracy and extensibility of webpage trojan detection are improved, the probability of missed detections is reduced, and waste of hardware resources in the detection environment is avoided.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the apparatus provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the present invention.
It should first be noted that a webpage trojan normally achieves its purpose of attacking the user's system by executing malicious code through scripts in the webpage, and webpages are generally opened by a browser. Therefore, if a webpage trojan is to attack a vulnerability in third-party software other than the browser, the webpage must be able to call functions of that third-party software through the browser.
On the other hand, an ActiveX control is a kind of code used to enhance webpage functionality. For example, to call a download tool such as Xunlei (Thunder) from a webpage to download a file, the corresponding ActiveX control must first be installed; the download tool can then be called through this ActiveX control and used to complete the download task. It follows that calling third-party software outside the browser directly from a webpage requires an ActiveX control. In other words, it is precisely the existence of ActiveX controls that lets a webpage opened in the browser call third-party software, and that in turn makes it possible for a webpage trojan to call the vulnerable functions present in third-party software. That is, ActiveX controls allow a webpage to produce richer effects through interaction between scripts and controls, but may also bring security problems. Therefore, the third-party software described in the embodiments of the present invention can be software that enhances browser functionality through an ActiveX control.
In short, third-party software can be attacked by webpage trojans because it contains vulnerabilities: the Object element in the page code causes the browser to automatically invoke the other, vulnerable third-party software. The vulnerability is then triggered, the execution flow of the browser is taken over by the webpage trojan, and malicious shellcode is executed next. However, not every vulnerability that appears in third-party software can be used for a webpage trojan; if a piece of third-party software has nothing to do with the browser, it generally will not become the target of a webpage trojan. Therefore, only when a vulnerability arises in the ActiveX control of third-party software can it be exploited as a webpage trojan.
In the webpage trojan detection method provided by the embodiments of the present invention, relevant processing is performed starting from the ActiveX control precisely so that the detection environment can be compatible with different versions of the same software. In a concrete implementation, for a given third-party software, all versions commonly used by users are first identified, and the vulnerable functions present in each version are identified; then the vulnerable function of each version is simulated, ensuring that the simulated software triggers no differently from the original software; then the simulated vulnerable functions of each version are integrated into one ActiveX control, and the simulated ActiveX control is installed in the webpage trojan detection environment. This ensures that whichever version of the software a webpage trojan attacks, the vulnerability can be triggered, and the webpage trojan is then detected from its concrete behavior.
For example, it is known that the OnBeforeVideoDownload() function in the ActiveX control of one version of a music player has a stack overflow vulnerability (since it is a known vulnerability, it is usually recorded in the China National Vulnerability Database of Information Security (CNNVD); assume the CNNVD number of this vulnerability is CNNVD-200709-127), and that the rawParse() function in the ActiveX control of another version has a remote stack overflow vulnerability (assume the CNNVD number of this vulnerability is CNNVD-200905-130). Both are security vulnerabilities in the ActiveX control mps.dll, yet the two vulnerabilities are separated by a long software update cycle (for example, two years) and by several versions. In an ordinary webpage trojan detection environment, only one version of this music player can be installed; so if the version with the CNNVD-200905-130 vulnerability is installed, the environment can only detect webpage trojans attacking the CNNVD-200905-130 vulnerability and cannot also detect webpage trojans attacking the CNNVD-200905-127 vulnerability.
In the embodiments of the present invention, by contrast, the classid "6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" of the original ActiveX control for both the CNNVD-200905-130 and CNNVD-200905-127 vulnerabilities can be simulated in one and the same mps.dll control (since these are different versions of the ActiveX control of the same third-party software, their classid is the same). When a webpage trojan calls the vulnerable functions of various software through different controls, it distinguishes the controls by classid; that is, if a webpage trojan wants to call a vulnerable function through control A, it writes the classid of that control in the call request. Therefore, if the control simulated by the embodiment of the present invention also simulates the original classid, the webpage can call the simulated ActiveX control through the Object tag. For example, the simulated ActiveX control can be called with the following statement:
<object classid="clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" id="target"></object>
In addition, the vulnerable code in the OnBeforeVideoDownload function and the rawParse function, which occur in the two vulnerabilities respectively, also has to be simulated in the ActiveX control, so that a script in the webpage can call either the rawParse function (target.rawParse(buffer)) or the OnBeforeVideoDownload function (target.OnBeforeVideoDownload(buffer)).
In short, the classid of the ActiveX control of the original software has to be simulated so that the webpage can call the simulated ActiveX control; at the same time, the simulated vulnerable functions of multiple versions have to be integrated into the simulated ActiveX control so that the webpage can call the vulnerable function of any version. The run-time behavior of the script is then examined to judge whether a webpage trojan is present.
After the above preparatory work, the simulated ActiveX control can be installed in the webpage trojan detection environment. The embodiments of the present invention also provide a webpage trojan detection method which, referring to Fig. 1, can comprise the following steps when detecting webpage trojans:
S101: receiving a message, sent through the classid to the simulated ActiveX control by a script running in a webpage, that calls a vulnerable function;
Because the classid of the simulated ActiveX control has been set to the classid shared by the ActiveX controls of the different versions of the third-party software, a script in the webpage can call the vulnerable functions integrated in the simulated ActiveX control through this classid.
Because the trojan in a webpage may attack the vulnerable function of only one version, or may mount a combined attack on the different vulnerable functions of several versions, the call request here may call the vulnerable function of one particular version or the vulnerable functions of several versions.
S102: returning the corresponding vulnerable function present in the simulated ActiveX control to the script running in the webpage;
Different vulnerable functions have different names, and a script in the webpage carries the respective function name when calling different functions. Therefore, from the function name in the call request it can be learned directly which function or functions the script needs to call, and the corresponding function is then returned to the script running in the webpage.
S103: monitoring the behavior of the script in order to determine whether a trojan exists in the webpage.
After the vulnerable function has been returned to the script running in the webpage, if the webpage really contains a trojan, the trojan's attack will be triggered; so by continuing to monitor the behavior of the script it can be determined whether a trojan is present. Concretely, a browser visiting a normal webpage generally does not automatically download an executable file (PE file for short) or run suspicious commands, whereas the typical malicious behavior of a webpage trojan is to download a trojan file and run it locally, so monitoring these two behaviors is enough to identify a webpage trojan. Specifically, this can be done in the following steps. First, detect whether the script running in the webpage downloads a trojan file: the Uniform Resource Locator (URL) of the downloaded file is analyzed to see whether it contains the suffix of a typical PE file format, to judge whether the file format is of PE type, with some normal PE download cases excluded. Then, detect whether the script running in the webpage runs malicious commands, which can be done by checking the path and command parameters of the executable file that the browser executes. If the above two kinds of behavior are present, the webpage can be judged to contain a malicious trojan.
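The S101 to S103 flow above, sketched as an added Python example; it is not code from the patent or from its assignee. The classid, function names and CNNVD numbers come from the description; the event format, the suffix list, the allowlisted host, the expected browser path and the reading that both behaviors must be present are assumptions of this sketch, and the simulated control only records calls.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote
import posixpath

# From the description: one classid shared by every version of the control,
# and the vulnerable function that each version exposes.
CLASSID = "6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB"
VULNERABLE_FUNCTIONS = {
    "OnBeforeVideoDownload": "CNNVD-200709-127",
    "rawParse": "CNNVD-200905-130",
}

# Assumptions of this sketch (the patent gives no concrete lists).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}
ALLOWED_DOWNLOAD_HOSTS = {"update.example.com"}  # "normal PE downloads" to exclude
EXPECTED_PROCESSES = {r"c:\program files\internet explorer\iexplore.exe"}


def normalize_classid(value):
    """Accept 'clsid:...', '{...}' or a bare GUID; return an upper-case GUID."""
    value = value.strip()
    if value.lower().startswith("clsid:"):
        value = value[len("clsid:"):]
    return value.strip("{} ").upper()


@dataclass
class SimulatedControl:
    """Stand-in for the simulated control: it records calls, nothing more."""
    functions: dict
    calls: list = field(default_factory=list)

    def invoke(self, name, arg_len):
        # S101/S102: resolve the requested function by its name.
        vuln_id = self.functions.get(name)
        if vuln_id is None:
            return False
        self.calls.append((name, vuln_id, arg_len))
        return True


def is_executable_download(url):
    """S103: flag a download whose URL path ends in an executable suffix."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in ALLOWED_DOWNLOAD_HOSTS:
        return False
    suffix = posixpath.splitext(unquote(parts.path))[1].lower()
    return suffix in EXECUTABLE_SUFFIXES


def is_suspicious_command(path):
    """S103: flag a process the browser started from an unexpected path."""
    return path.lower() not in EXPECTED_PROCESSES


def analyze(events):
    """Replay the recorded events of one page visit and return a verdict."""
    controls = {normalize_classid(CLASSID): SimulatedControl(VULNERABLE_FUNCTIONS)}
    bound = {}  # element id -> control instantiated by the page
    report = {"vulnerable_calls": [], "downloads": [], "commands": []}
    for ev in events:
        if ev["type"] == "object":
            control = controls.get(normalize_classid(ev["classid"]))
            if control is not None:
                bound[ev["id"]] = control
        elif ev["type"] == "call":
            control = bound.get(ev["target"])
            if control is not None and control.invoke(ev["function"], ev["arg_len"]):
                report["vulnerable_calls"].append(control.calls[-1])
        elif ev["type"] == "download" and is_executable_download(ev["url"]):
            report["downloads"].append(ev["url"])
        elif ev["type"] == "exec" and is_suspicious_command(ev["path"]):
            report["commands"].append((ev["path"], ev["args"]))
    # This sketch requires both behaviors before calling the page malicious.
    report["trojan"] = bool(report["downloads"]) and bool(report["commands"])
    return report


# Constructed sample events (not real telemetry).
SUSPECT_PAGE = [
    {"type": "object", "id": "target", "classid": "clsid:" + CLASSID},
    {"type": "call", "target": "target", "function": "rawParse", "arg_len": 4096},
    {"type": "call", "target": "target", "function": "OnBeforeVideoDownload", "arg_len": 8192},
    {"type": "download", "url": "http://files.example.net/update/setup.EXE?id=7"},
    {"type": "exec", "path": r"C:\Users\test\AppData\Local\Temp\setup.exe", "args": ""},
]
BENIGN_PAGE = [
    {"type": "object", "id": "player", "classid": "{" + CLASSID + "}"},
    {"type": "download", "url": "http://update.example.com/player_setup.exe"},
    {"type": "download", "url": "http://cdn.example.org/cover.png?name=a.exe"},
]

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        result = analyze(page)
        print(name, result["trojan"], [c[1] for c in result["vulnerable_calls"]])
```

Because the suffix check looks only at the URL path, a download served from a path without an executable suffix is not flagged; the process check is what covers that case.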
In short, in the embodiments of the present invention, because the vulnerable functions of multiple versions of the same third-party software are simulated in one ActiveX control, the webpage trojan detection environment can be compatible with the vulnerabilities of multiple versions of the same software. Trojans in webpages are therefore detected more comprehensively, the accuracy and extensibility of webpage trojan detection are improved, the probability of missed detections is reduced, and waste of hardware resources in the detection environment is avoided.
Corresponding to the webpage trojan detection method provided by the embodiments of the present invention, the embodiments also provide a webpage trojan detection system, applied in a webpage trojan detection environment. In a concrete implementation, an ActiveX control can be simulated, the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control, the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, and the simulated ActiveX control is installed in the webpage trojan detection environment. Referring to Fig. 2, the system comprises:
a call request receiving unit 201, configured to receive a message, sent through the classid to the simulated ActiveX control by a script running in a webpage, that calls a vulnerable function;
a function returning unit 202, configured to return the corresponding vulnerable function present in the simulated ActiveX control to the script running in the webpage;
a monitoring unit 203, configured to monitor the behavior of the script in order to determine whether a trojan exists in the webpage.
Wherein, the call request receiving unit 201 can comprise:
a first receiving subunit, configured to receive a message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls a vulnerable function existing in one version of the third-party software.
Alternatively, the call request receiving unit 201 can comprise:
a second receiving subunit, configured to receive a message, sent through the classid to the simulated ActiveX control by the script running in the webpage, that calls vulnerable functions existing in at least two versions of the third-party software.
In a concrete implementation, the monitoring unit 203 can comprise:
a detection subunit, configured to detect whether the script running in the webpage actively downloads a trojan file and runs malicious commands;
a determination subunit, configured to determine, if so, that a trojan exists in the webpage.
Wherein, the detection subunit can analyze the Uniform Resource Locator (URL) of the downloaded file to judge whether the URL contains the suffix of an executable file format, thereby judging whether the downloaded file is a trojan file.
Wherein, the third-party software is software that enhances browser functionality through an ActiveX control.
In short, in the webpage trojan detection system provided by the embodiments of the present invention, because the vulnerable functions of multiple versions of the same third-party software are simulated in one ActiveX control, the webpage trojan detection environment can be compatible with the vulnerabilities of multiple versions of the same software. Trojans in webpages are therefore detected more comprehensively, the accuracy and extensibility of webpage trojan detection are improved, the probability of missed detections is reduced, and waste of hardware resources in the detection environment is avoided.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; for identical or similar parts the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the apparatus and system embodiments are described relatively briefly because they are basically similar to the method embodiment; for the relevant parts, refer to the description of the method embodiment. The apparatus and system embodiments described above are only schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
The webpage trojan detection method and system provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (12)

1. A webpage Trojan detection method, applied in a webpage Trojan detection environment, characterized in that an ActiveX control is simulated; the different vulnerability functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control; the classid of the simulated ActiveX control is set to be the same as the common classid of the ActiveX controls of the different versions of the third-party software; and the simulated ActiveX control is installed in the webpage Trojan detection environment; the method comprising:
receiving a message, sent by a script running in a webpage to the simulated ActiveX control through the classid, that calls a vulnerability function;
returning the corresponding vulnerability function that exists in the simulated ActiveX control to the script running in the webpage;
monitoring the behavior of the script so as to determine whether a Trojan exists in the webpage.
2. The method according to claim 1, characterized in that receiving the message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls a vulnerability function comprises:
receiving a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls a vulnerability function existing in a certain version of the third-party software.
3. The method according to claim 1, characterized in that receiving the message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls a vulnerability function comprises:
receiving a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls vulnerability functions existing in at least two versions of the third-party software.
4. The method according to claim 1, characterized in that monitoring the behavior of the script so as to determine whether a Trojan exists in the webpage comprises:
detecting whether the script running in the webpage actively downloads a Trojan file and runs malicious commands;
if so, a Trojan exists in the webpage.
5. The method according to claim 4, characterized in that whether the downloaded file is a Trojan file is judged by analyzing the uniform resource locator (URL) of the downloaded file and judging whether the URL contains the suffix of an executable file format.
6. The method according to any one of claims 1 to 5, characterized in that the third-party software is software that enhances browser functions through an ActiveX control.
7. A webpage Trojan detection system, applied in a webpage Trojan detection environment, characterized in that an ActiveX control is simulated; the different vulnerability functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control; the classid of the simulated ActiveX control is set to be the same as the common classid of the ActiveX controls of the different versions of the third-party software; and the simulated ActiveX control is installed in the webpage Trojan detection environment; the system comprising:
a call request receiving unit, configured to receive a message, sent by a script running in a webpage to the simulated ActiveX control through the classid, that calls a vulnerability function;
a function returning unit, configured to return the corresponding vulnerability function that exists in the simulated ActiveX control to the script running in the webpage;
a monitoring unit, configured to monitor the behavior of the script so as to determine whether a Trojan exists in the webpage.
8. The system according to claim 7, characterized in that the call request receiving unit comprises:
a first receiving subunit, configured to receive a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls a vulnerability function existing in a certain version of the third-party software.
9. The system according to claim 7, characterized in that the call request receiving unit comprises:
a second receiving subunit, configured to receive a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls vulnerability functions existing in at least two versions of the third-party software.
10. The system according to claim 7, characterized in that the monitoring unit comprises:
a detection subunit, configured to detect whether the script running in the webpage actively downloads a Trojan file and runs malicious commands;
a determination subunit, configured to determine, if so, that a Trojan exists in the webpage.
11. The system according to claim 10, characterized in that the detection subunit judges whether the downloaded file is a Trojan file by analyzing the uniform resource locator (URL) of the downloaded file and judging whether the URL contains the suffix of an executable file format.
12. The system according to any one of claims 7 to 11, characterized in that the third-party software is software that enhances browser functions through an ActiveX control.
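The claimed flow, sketched as an added example that is not code from the patent: a simulated control merges the vulnerability functions of several versions under one classid, logs script behavior, and applies the URL-suffix judgment of claims 5 and 11. The class and function names, the suffix list, and the rule that any executed command counts as malicious are assumptions of this sketch.

```javascript
// Added illustration, not code from the patent. Version labels, function names
// and the suffix list are constructed placeholders.
const EXECUTABLE_SUFFIXES = [".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"];

// Claims 5 and 11: judge a download by whether its URL path ends in an executable suffix.
function hasExecutableSuffix(rawUrl) {
  let path;
  try {
    path = new URL(rawUrl).pathname;        // drops query string and fragment
  } catch {
    path = String(rawUrl).split(/[?#]/)[0]; // relative URL: strip them by hand
  }
  try { path = decodeURIComponent(path); } catch { /* keep the undecoded path */ }
  return EXECUTABLE_SUFFIXES.some((s) => path.toLowerCase().endsWith(s));
}

// Claims 1 and 7: one simulated control per classid, holding the vulnerability
// functions of every version of the same third-party software.
class SimulatedControl {
  constructor(classid, functionsByVersion) {
    this.classid = classid;
    this.events = [];             // behavior log read by the monitor
    this.versionsOf = new Map();  // function name -> versions that contained it
    for (const [version, names] of Object.entries(functionsByVersion)) {
      for (const name of names) {
        this.versionsOf.set(name, [...(this.versionsOf.get(name) || []), version]);
      }
    }
  }
  // Receive the call message and return the corresponding inert stub.
  call(name) {
    const versions = this.versionsOf.get(name);
    if (!versions) return undefined;  // not a simulated vulnerability function
    this.events.push({ type: "call", name, versions });
    return () => undefined;           // stub: the call is logged, nothing else happens
  }
  // Hooks the detection environment fires when the script downloads or executes.
  recordDownload(url) { this.events.push({ type: "download", url }); }
  recordCommand(command) { this.events.push({ type: "command", command }); }
}

// Claims 4 and 10: report a Trojan when the script both downloaded a file judged
// executable and ran a command (any command counts here; that is an assumption).
function containsTrojan(control) {
  const downloaded = control.events.some(
    (e) => e.type === "download" && hasExecutableSuffix(e.url));
  const ranCommand = control.events.some((e) => e.type === "command");
  return downloaded && ranCommand;
}
```

The suffix is checked on the decoded URL path only, so an executable name that appears solely in a query string is not counted.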
CN201110439572.6A 2011-12-23 2011-12-23 Webpage trojan detection method and system Active CN102446253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110439572.6A CN102446253B (en) 2011-12-23 2011-12-23 Webpage trojan detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110439572.6A CN102446253B (en) 2011-12-23 2011-12-23 Webpage trojan detection method and system

Publications (2)

Publication Number Publication Date
CN102446253A (en) 2012-05-09
CN102446253B (en) 2014-12-10

Family

ID=46008744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110439572.6A Active CN102446253B (en) 2011-12-23 2011-12-23 Webpage trojan detection method and system

Country Status (1)

Country Link
CN (1) CN102446253B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101799855A (en) * 2010-03-12 2010-08-11 北京大学 Simulated webpage Trojan detecting method based on ActiveX component
US7971246B1 (en) * 2004-04-29 2011-06-28 James A. Roskind Identity theft countermeasures

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郑聪 等: "基于ActiveX漏洞模拟机制的网页木马检测方法", 《全国计算机安全学术交流会论文集》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905269A (en) * 2013-11-29 2014-07-02 哈尔滨安天科技股份有限公司 Network two-way detection method and system based on format recognition technology
CN103905269B (en) * 2013-11-29 2017-11-28 哈尔滨安天科技股份有限公司 Network bi-directional detection method and system based on format identification technology
CN104881605A (en) * 2014-02-27 2015-09-02 腾讯科技(深圳)有限公司 Method and apparatus for detecting webpage redirection vulnerabilities
CN110348210A (en) * 2018-04-08 2019-10-18 腾讯科技(深圳)有限公司 Safety protecting method and device
CN109033828A (en) * 2018-07-25 2018-12-18 山东省计算中心(国家超级计算济南中心) A kind of Trojan detecting method based on calculator memory analytical technology
CN109033828B (en) * 2018-07-25 2021-06-01 山东省计算中心(国家超级计算济南中心) Trojan horse detection method based on computer memory analysis technology
CN110278212A (en) * 2019-06-26 2019-09-24 中国工商银行股份有限公司 Link detection method and device

Also Published As

Publication number Publication date
CN102446253B (en) 2014-12-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220323

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co., Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
