CN104219225A - Worm virus detection and prevention method and system - Google Patents


Info

Publication number
CN104219225A
Authority
CN
China
Prior art keywords
worm
virus
rule
type virus
calling
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410372955.XA
Other languages
Chinese (zh)
Other versions
CN104219225B (en)
Inventor
陈根
刘桂峰
姚辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Seal Interest Technology Co Ltd
Original Assignee
Zhuhai Juntian Electronic Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhuhai Juntian Electronic Technology Co Ltd
Priority to CN201410372955.XA
Publication of CN104219225A
Application granted
Publication of CN104219225B
Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)

Abstract

The invention relates to a worm virus detection and defense method and system and belongs to the technical field of network security. It aims to overcome the shortcomings of existing worm detection methods: a high false-alarm rate, ease of evasion, and difficulty of control. The method comprises: setting active-defense rules on the critical paths a worm must traverse in order to control the target software; using the active-defense rules to detect the worm's calls and modifications at those critical steps; and intercepting those calls and modifications. With the method and system, the infection and spread of worms, in particular QQ group worms, can be controlled promptly and effectively, and the safe use of the QQ product family can be protected.

Description

Worm virus detection and defense method and system
Technical field
The invention belongs to the technical field of network security and relates in particular to a worm virus detection and defense method and system.
Background technology
Worm viruses are a common class of computer virus. They replicate and spread over the network, the infection routes being the network and e-mail. The original definition of "worm" dates from DOS-era viruses that, on outbreak, displayed an insect-like object on screen that ate the letters on the screen and changed their shape. A worm is a self-contained program (or set of programs) that can propagate a copy of itself, or of some part of itself, to other computer systems (usually ones reachable over a network).
A QQ group worm is a malicious program that exploits the QQ group file-sharing feature to spread rogue software and hijack the IE home page. Once a QQ group user is infected, the worm uploads itself to the user's other QQ groups, spreading by "word of mouth". The third-generation variant of the QQ group worm disguised itself as "diamond-brushing software" (QQ membership cheat tools) and spread widely, infecting 20,000 to 30,000 computers a day; after a joint crackdown by the security vendors the third generation essentially disappeared from the network. The fourth generation disguises itself mainly as "XX video assistant.exe" or "XX video peeping emperor.exe", and the enticing filenames attract many users to click. If a user takes the bait and double-clicks to run it, the worm hijacks the user's QQ, forwards promotional messages to QQ group shares and Qzone status posts (Shuoshuo), and even sends virus e-mails to the user's friends. The ultimate purpose of the virus is to install large amounts of rogue software on the infected computer for profit.
QQ group worms spread mainly through the QQ product family: QQ groups, Qzone, Shuoshuo (status posts) and the network disk. Their single most notable feature is that they can control these products without obtaining the user's QQ password. The worm spreads very rapidly, usually propagating itself by both active and passive means. Because this class of virus is unusual, defending against it purely by signature extraction fails: the virus needs only simple encryption to bypass the antivirus software. To counter it, its complete behavior must be understood before a targeted scheme can be devised. Current mainstream domestic antivirus software does not counter the new techniques of this class of virus.
Current mainstream techniques for detecting worm viruses fall into two kinds, static detection and behavioral detection:
Static detection achieves detection by automatically or manually extracting sensitive strings. Its advantages are speed and a low false-alarm rate. Its disadvantages are that it depends heavily on the skill of the automated tool or the analyst, and that poorly chosen extraction positions are easy to evade (免杀).
Behavioral detection achieves detection by automatically or manually extracting a sequence of API operations performed by the virus. Its advantages are better generality and resistance to evasion. Its disadvantages are a higher false-alarm rate and difficulty of control.
Summary of the invention
In view of the defects in the prior art, the object of the invention is to provide a worm virus detection and defense method and system. The method and system have a high detection rate for worms targeting the QQ product family and are strongly resistant to evasion.
To achieve the above object, the technical solution adopted by the invention is a worm virus detection and defense method comprising the following steps:
setting active-defense rules on the critical paths that a worm must traverse in order to control the target software;
using the active-defense rules to detect the worm's calls and modifications at the critical steps;
intercepting the worm's calls and modifications.
Further, the active-defense rules include detecting and blocking the virus from checking, via a URL, whether QQ is logged in.
Further, the active-defense rules include detecting and blocking the virus from calling InternetGetCookie to obtain cookies.
Further, the active-defense rules include detecting and blocking the virus from calling InternetSetCookie to clear the cookies under the qq.com domain.
Further, the active-defense rules include detecting and blocking the virus from obtaining the skey and the g_tk check code from the QQ cookie.
Further, the active-defense rules include detecting and blocking the virus from calling the addresses of the QQ interfaces.
Further, the protected software is the QQ product family, and what is detected and blocked is the QQ group worm.
A worm virus detection and defense system comprises the following devices:
an active-defense rule setting module, for setting active-defense rules on the critical paths that a worm must traverse in order to control the target software;
a detection module, for using the active-defense rules to detect the worm's calls and modifications at the critical steps;
an interception module, for intercepting the worm's calls and modifications.
Further, the active-defense rule setting module comprises:
defense rule setting submodule one, for setting the defense rule that detects and blocks the virus from checking via a URL whether QQ is logged in;
defense rule setting submodule two, for setting the defense rule against the virus calling the InternetGetCookie function to obtain cookies;
defense rule setting submodule three, for setting the defense rule against the virus calling the InternetSetCookie function to clear the cookies under the qq.com domain;
defense rule setting submodule four, for setting the defense rule against the virus obtaining the skey and the g_tk check code from the QQ cookie;
defense rule setting submodule five, for setting the defense rule against the virus calling the addresses of the QQ interfaces.
Further, the protected software is the QQ product family, and what is detected and blocked is the QQ group worm.
The effects of the invention are as follows. First, the method and system have a high detection rate for worms, and in particular for the QQ group worm: the main characteristic of this class of virus is precisely that it controls QQ products, and every such control method can be fully intercepted by the method described here. Second, resistance to evasion is strong: the virus author has no room to fight back, because to control QQ the virus can only go through the paths above.
Description of the drawings
Fig. 1 is a flow chart of the method in the specific embodiment of the invention;
Fig. 2 is a structure chart of the system in the specific embodiment of the invention.
Embodiment
The invention is further described below with reference to the drawings and a specific embodiment.
The present embodiment targets the QQ group worm. It performs targeted active defense at the critical steps that the QQ group worm must pass through in order to control the QQ product family, and on certain content that it must call and modify, instead of identifying the virus by extracting sensitive strings or API operations. Any worm that attempts to control QQ products is therefore found and intercepted on these paths.
As shown in Fig. 1, the worm virus detection and defense method comprises the following steps:
Step S1: set active-defense rules on the critical paths that a worm must traverse in order to control the target software;
Step S2: use the active-defense rules to detect the worm's calls and modifications at the critical steps;
Step S3: intercept the worm's calls and modifications.
In this embodiment, a defense rule is set for the QQ quick-login URL, to detect and block the virus from checking via a URL whether QQ is logged in.
The virus can learn whether a QQ account is currently logged in by accessing the following URL; at run time the virus hides this window so that the user cannot perceive it.
http://badjs.qq.com/cgi-bin/js_report?bid=110&mid=294082&msg=ref%E4%B8%BA%E7%A9%BA%3Aqq.com%3A%7C_%7Chttp%3A%2F%2Fxui.ptlogin2.qq.com%2Fdiv%2Fqlogin_div.html%3Flang%3D2052%26flag2%3D3%26u1%3Dhttp%253A%252F%252Fimgcache.qq.com%252Fqzone%252Fv5%252Floginsucc.html%253Fpara%253Dizone%26appid%3D15000101%7C_%7C%7C_%7CMozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.1%3B%20SV1%3B%20.NET%20CLR%202.0.50727)&v=0.9550685757484683
A defense rule is set to detect and block the virus from calling InternetGetCookie to obtain cookies.
A defense rule is set to detect and block the virus from calling InternetSetCookie with the value "deleted; Expires=Fri, 1-Jan-1999 1:1:1 GMT; Path=/; Domain=qq.com", which clears the cookies under the qq.com domain.
A defense rule is set to detect and block the virus from obtaining the skey and the g_tk check code from the QQ cookie.
A defense rule is set to detect and block the virus from calling the addresses of the QQ interfaces. Given a QQ interface address such as http://s.web2.qq.com/api/set_long_nick2, combined with the skey above and the Qzone g_tk, the whole QQ product family can be accessed.
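The five rules (the "Further" rules in the summary and the embodiment steps just above) amount to a small rule engine over the API calls of one untrusted process. The following Python is an added example, not code from the patent or its assignee: it applies the five rules to a constructed WinINet call trace and reports which rules fire. Assumptions not stated in the patent: the hook sees the cookie string returned by InternetGetCookie; QQ's own signed binaries are exempted before the engine runs; the interface host list contains only the s.web2.qq.com address named above; and g_tk is derived from skey with the publicly known Qzone hash (seed 5381, h += (h << 5) + c). Both traces are constructed, not captured.

```python
# Added example: CN104219225A active-defense rules over a constructed WinINet call trace.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, quote, unquote, urlsplit

QQ_DOMAIN = "qq.com"
QUICK_LOGIN_HOST = "xui.ptlogin2.qq.com"   # QQ quick-login page (rule 1)
QQ_API_HOSTS = {"s.web2.qq.com"}            # interface host named in the patent (rule 5); assumed list
REQUEST_APIS = {"InternetOpenUrl", "HttpOpenRequest"}

@dataclass
class Event:
    api: str    # WinINet function observed by the hook
    args: dict  # arguments (and, for InternetGetCookie, the result) the hook saw

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def qzone_gtk(skey: str) -> int:
    """g_tk check code derived from skey: the publicly known Qzone hash (assumption, not in the patent)."""
    h = 5381
    for ch in skey:
        h += (h << 5) + ord(ch)
    return h & 0x7FFFFFFF

def mentions_quick_login(url: str) -> bool:
    """Rule 1: the request targets the quick-login page, or embeds it URL-encoded (as the report URL does)."""
    if host_of(url) == QUICK_LOGIN_HOST:
        return True
    return any(QUICK_LOGIN_HOST in unquote(v)
               for vals in parse_qs(urlsplit(url).query).values() for v in vals)

def clears_qq_cookie(cookie_data: str) -> bool:
    """Rule 3: InternetSetCookie data scoped to qq.com whose Expires is already in the past."""
    attrs = {}
    for part in cookie_data.split(";")[1:]:        # part 0 is the cookie value
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    if not under(attrs.get("domain", "").lstrip("."), QQ_DOMAIN):
        return False
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= datetime.now(timezone.utc)

def evaluate(trace):
    """Apply rules 1-5 to one untrusted process's trace; return (rule, reason, detail) hits."""
    hits, skeys = [], set()
    for ev in trace:
        url = ev.args.get("url", "")
        host = host_of(url)
        if ev.api in REQUEST_APIS and mentions_quick_login(url):
            hits.append((1, "probes whether QQ is logged in", url))
        if ev.api == "InternetGetCookie" and under(host, QQ_DOMAIN):
            hits.append((2, "reads qq.com cookies via InternetGetCookie", url))
            for cookie in ev.args.get("result", "").split(";"):
                name, _, value = cookie.strip().partition("=")
                if name == "skey":                      # rule 4, first half: skey taken from the cookie
                    skeys.add(value)
                    hits.append((4, "obtains skey from the QQ cookie", value))
        if ev.api == "InternetSetCookie" and clears_qq_cookie(ev.args.get("data", "")):
            hits.append((3, "clears a qq.com cookie via InternetSetCookie", ev.args.get("name", "")))
        if ev.api in REQUEST_APIS and host in QQ_API_HOSTS:
            hits.append((5, "calls a QQ interface address", url))
            for g in parse_qs(urlsplit(url).query).get("g_tk", []):   # rule 4, second half
                if g.isdigit() and any(qzone_gtk(s) == int(g) for s in skeys):
                    hits.append((4, "g_tk check code computed from the stolen skey", g))
    return hits

def fired_rules(trace) -> set:
    return {rule for rule, _, _ in evaluate(trace)}

# Constructed traces modelled on the embodiment; not real captures.
SKEY = "@AbCdEfGh1"
WORM_TRACE = [
    Event("InternetOpenUrl", {"url": "http://badjs.qq.com/cgi-bin/js_report?bid=110&msg="
          + quote("ref:qq.com:|_|http://xui.ptlogin2.qq.com/div/qlogin_div.html?lang=2052", safe="")}),
    Event("InternetGetCookie", {"url": "http://qzone.qq.com/", "result": f"uin=o0123456789; skey={SKEY}"}),
    Event("InternetSetCookie", {"url": "http://qq.com/", "name": "skey",
          "data": "deleted; Expires=Fri, 1-Jan-1999 1:1:1 GMT; Path=/; Domain=qq.com"}),
    Event("HttpOpenRequest", {"url": f"http://s.web2.qq.com/api/set_long_nick2?g_tk={qzone_gtk(SKEY)}"}),
]
BENIGN_TRACE = [
    Event("InternetOpenUrl", {"url": "http://www.example.com/index.html"}),
    Event("InternetSetCookie", {"url": "http://www.example.com/", "name": "sid",
          "data": "1; Expires=Fri, 1-Jan-1999 1:1:1 GMT; Path=/; Domain=example.com"}),
]

if __name__ == "__main__":
    for hit in evaluate(WORM_TRACE):
        print("rule %d: %s [%s]" % hit)
```

Run as a script it prints the rule hits for the constructed worm trace; the benign trace fires nothing, because every rule is keyed on qq.com hosts, qq.com cookie scope or the named interface host, not on generic WinINet use. Rule 4 fires twice on the worm trace: once when skey is read from the cookie and again when the g_tk on the interface request equals the hash of that skey, which separates an account-takeover request from a request that merely carries an unrelated g_tk parameter. The caveat the patent leaves implicit is process attribution: QQ's own clients and the browser legitimately read qq.com cookies, so the rules must be applied only to processes that have not been excluded by signature or path.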
As shown in Fig. 2, the worm virus detection and defense system comprises the following devices:
an active-defense rule setting module 11, for setting active-defense rules on the critical paths that a worm must traverse in order to control the target software;
a detection module 12, for using the active-defense rules to detect the worm's calls and modifications at the critical steps;
an interception module 13, for intercepting the worm's calls and modifications.
In this embodiment, the active-defense rule setting module comprises:
defense rule setting submodule one, for setting the defense rule that detects and blocks the virus from checking via a URL whether QQ is logged in;
defense rule setting submodule two, for setting the defense rule against the virus calling the InternetGetCookie function to obtain cookies;
defense rule setting submodule three, for setting the defense rule against the virus calling the InternetSetCookie function to clear the cookies under the qq.com domain;
defense rule setting submodule four, for setting the defense rule against the virus obtaining the skey and the g_tk check code from the QQ cookie;
defense rule setting submodule five, for setting the defense rule against the virus calling the addresses of the QQ interfaces.
In this embodiment, the process by which the QQ group worm controls the QQ product family through QQ quick login has been summarized and generalized, and active-defense rules set on the paths the virus must run through intercept it. The false-alarm rate is low and the rules are targeted, so a worm outbreak and its spread can be controlled promptly and effectively, protecting the safe use of the QQ product family.
The method and system of the invention are not limited to the embodiment described; other embodiments that those skilled in the art derive from the technical solution of the invention likewise fall within the scope of the invention.

Claims (10)

1. A worm virus detection and defense method, comprising the following steps:
setting active-defense rules on the critical paths that a worm must traverse in order to control the target software;
using the active-defense rules to detect the worm's calls and modifications at the critical steps;
intercepting the worm's calls and modifications.
2. The method of claim 1, wherein the active-defense rules include detecting and blocking the virus from checking via a URL whether QQ is logged in.
3. The method of claim 2, wherein the active-defense rules include detecting and blocking the virus from calling the InternetGetCookie function to obtain cookies.
4. The method of claim 3, wherein the active-defense rules include detecting and blocking the virus from calling the InternetSetCookie function to clear the cookies under the qq.com domain.
5. The method of any one of claims 1 to 4, wherein the active-defense rules include detecting and blocking the virus from obtaining the skey and the g_tk check code from the QQ cookie.
6. The method of any one of claims 1 to 4, wherein the active-defense rules include detecting and blocking the virus from calling the addresses of the QQ interfaces.
7. The method of any one of claims 1 to 4, wherein the protected software is the QQ product family, and what is detected and blocked is the QQ group worm.
8. A worm virus detection and defense system, comprising the following devices:
an active-defense rule setting module, for setting active-defense rules on the critical paths that a worm must traverse in order to control the target software;
a detection module, for using the active-defense rules to detect the worm's calls and modifications at the critical steps;
an interception module, for intercepting the worm's calls and modifications.
9. The system of claim 8, wherein the active-defense rule setting module comprises:
defense rule setting submodule one, for setting the defense rule that detects and blocks the virus from checking via a URL whether QQ is logged in;
defense rule setting submodule two, for setting the defense rule against the virus calling the InternetGetCookie function to obtain cookies;
defense rule setting submodule three, for setting the defense rule against the virus calling the InternetSetCookie function to clear the cookies under the qq.com domain;
defense rule setting submodule four, for setting the defense rule against the virus obtaining the skey and the g_tk check code from the QQ cookie;
defense rule setting submodule five, for setting the defense rule against the virus calling the addresses of the QQ interfaces.
10. The system of claim 8 or 9, wherein the protected software is the QQ product family, and what is detected and blocked is the QQ group worm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410372955.XA CN104219225B (en) 2014-07-31 2014-07-31 Detection and defense method and system for worm virus


Publications (2)

Publication Number Publication Date
CN104219225A true CN104219225A (en) 2014-12-17
CN104219225B CN104219225B (en) 2020-04-03

Family

ID=52100359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410372955.XA Active CN104219225B (en) 2014-07-31 2014-07-31 Detection and defense method and system for worm virus

Country Status (1)

Country Link
CN (1) CN104219225B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005008417A2 (en) * 2003-07-11 2005-01-27 Computer Associates Think, Inc. Method and system for protecting against computer viruses
CN101188851A (en) * 2006-11-17 2008-05-28 中兴通讯股份有限公司 Access control method for mobile terminal
CN102685081A (en) * 2011-03-17 2012-09-19 腾讯科技(深圳)有限公司 Webpage request safe processing method and system
CN103490992A (en) * 2013-10-10 2014-01-01 沈阳航空航天大学 Instant messaging worm detection method
CN103853980A (en) * 2014-02-28 2014-06-11 珠海市君天电子科技有限公司 Safety prompting method and device


Also Published As

Publication number Publication date
CN104219225B (en) 2020-04-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181128

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Seal Interest Technology Co., Ltd.

Address before: 519070, six level 601F, 10 main building, science and technology road, Tangjia Bay Town, Zhuhai, Guangdong.

Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.

GR01 Patent grant