CN104219225B - Detection and defense method and system for worm virus - Google Patents


Info

Publication number
CN104219225B
CN104219225B
Authority
CN
China
Prior art keywords
virus
worm
detecting
setting
calling
Prior art date
Legal status
Active
Application number
CN201410372955.XA
Other languages
Chinese (zh)
Other versions
CN104219225A (en)
Inventor
陈根
刘桂峰
姚辉
Current Assignee
Zhuhai Seal Interest Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201410372955.XA
Publication of CN104219225A
Application granted
Publication of CN104219225B
Active legal status
Anticipated expiration

Abstract

The invention relates to a method and system for detecting and defending against worm viruses, in the technical field of network security. Existing worm detection methods suffer from a high false-positive rate, easy evasion and difficulty of control. In the method of the invention, active defense rules are set on the key paths a worm virus must pass through in order to control the target software; the active defense rules detect the worm's calling and modifying behaviors at those key steps; and the calling and modifying behaviors are intercepted. The method and system can effectively control the outbreak and spread of worm viruses, in particular the QQ group worm, and effectively protect the safe use of the QQ series products.

Description

Detection and defense method and system for worm virus
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method and a system for detecting and defending a worm virus.
Background
A worm virus is a common type of computer virus. It replicates and spreads over the network, infecting through network connections and e-mail. The name dates from the DOS era, when a worm-like shape appeared on screen during an outbreak, scrambling and "eating" the letters displayed there and reshaping itself. A worm virus is a self-contained program (or set of programs) that can propagate functional copies of itself, or of parts of itself, to other computer systems, usually over a network connection.
The QQ group worm is a malicious program that exploits a flaw in QQ group file sharing to distribute rogue software and hijack the IE homepage. Once a QQ group user is infected, the worm uploads itself to the user's other QQ groups and spreads in a "one infects ten, ten infect a hundred" fashion. The third-generation variant was distributed in large volume disguised as QQ "diamond-brushing" cheat tools, infecting 20,000 to 30,000 computers a day, and was essentially driven off the network by the joint efforts of several security vendors. The fourth generation is mostly disguised as an "XX video assistant.exe" or "XX video peeping tool.exe", and the enticing file names attract many users to click. If a user is taken in and double-clicks the file, the worm hijacks the user's QQ, forwards promotional messages to QQ group shares and Qzone "Shuoshuo" status feeds, and even sends virus-laden mail to the user's friends. The ultimate goal is to install large amounts of rogue software on the infected computer for profit.
The QQ group worm spreads mainly through the QQ family of products: QQ groups, Qzone, Shuoshuo, the network disk and so on. Its most notable characteristic is that it can control these products without obtaining the user's QQ password. Worm viruses spread rapidly, usually by actively or passively distributing themselves. Because such viruses are highly targeted, they can bypass antivirus software through simple encryption or packing if detection relies only on extracted signatures. To deal with them, their complete behavior must be understood before a targeted solution can be developed. At present, mainstream antivirus software in China has no new technology for dealing with these viruses.
Currently, mainstream techniques for detecting worm viruses are classified into static detection and behavior detection:
Static detection identifies a virus by automatically or manually extracting sensitive character strings (signatures). Its advantages are speed and a low false-positive rate. Its drawbacks are that it depends on how well the extraction tool or the analyst chooses the strings, and a poorly chosen extraction point is easily evaded by a modified sample.
Behavior detection identifies a virus by automatically or manually extracting the series of API operations it performs. Its advantages are better generalization and resistance to evasion. Its drawback is a high false-positive rate that is difficult to control.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a method and a system for detecting and defending worm viruses. The method and the system have high detection rate and strong antagonism on the worm viruses of the QQ series products.
In order to achieve the above purposes, the invention adopts the technical scheme that: a method for detecting and defending against worm viruses, comprising the steps of:
setting an active defense rule on a necessary key path for controlling target software by a worm virus;
detecting the calling and modifying behaviors of the worm virus in key steps by using an active defense rule;
intercepting the calling and modifying behaviors of the worm virus.
Further, the active defense rules include detecting and preventing the virus from checking, via a URL, whether QQ is logged in.
Further, the active defense rules include detecting and preventing the virus from calling InternetGetCookie to obtain the Cookie.
Further, the active defense rules include detecting and preventing the virus from calling InternetSetCookie to empty the cookies under the qq.com domain.
Further, the active defense rules include detecting and preventing the virus from acquiring the skey and g_tk check codes in the QQ Cookie.
Further, the active defense rules include detecting and preventing the virus from calling the addresses of QQ interfaces.
Further, the software to be protected is a QQ series product, and the virus of the QQ group worm is detected and prevented.
A detection and defense system for worm viruses comprising the following means:
the active defense rule setting module is used for setting an active defense rule on a necessary key path for controlling the target software by the worm virus;
the detection module is used for detecting the calling and modifying behaviors of the worm virus in key steps by utilizing an active defense rule;
and the interception module is used for intercepting the calling and modifying behaviors of the worm viruses.
Further, the active defense rule setting module comprises:
a first defense rule setting submodule for setting a rule that detects and prevents the virus from checking, via a URL, whether QQ is logged in;
a second defense rule setting submodule for setting a rule against the virus calling the InternetGetCookie function to obtain the Cookie;
a third defense rule setting submodule for setting a rule against the virus calling the InternetSetCookie function to empty the cookies under the qq.com domain;
a fourth defense rule setting submodule for setting a rule against the virus acquiring the skey and g_tk check codes in the QQ Cookie;
and a fifth defense rule setting submodule for setting a rule against the virus calling the addresses of QQ interfaces.
Further, the software to be protected is a QQ series product, and the virus of the QQ group worm is detected and prevented.
The invention has the following effects. First, the detection rate for worm viruses, in particular QQ group worms, is high: the defining trait of these viruses is that they control QQ products, and the method intercepts that control path completely. Second, because the path above is the only way the virus can control QQ, the virus author is left with no way around the defense.
Drawings
FIG. 1 is a flow chart of a method according to an embodiment of the present invention;
FIG. 2 is a block diagram of the system in accordance with an embodiment of the present invention.
Detailed Description
The invention is further described with reference to the following figures and detailed description.
This embodiment takes the QQ group worm as its example. Rather than identifying the virus by extracting sensitive strings or its API operations, it applies targeted active defense to the specific operations the worm must perform, calling and modifying particular items, while taking control of the QQ series products, so that any worm attempting to control those products can be discovered and intercepted on these paths.
As shown in fig. 1, a method for detecting and defending against a worm virus includes the following steps:
step S1, setting active defense rules on the critical path which is necessary for the worm virus to control the target software;
step S2, detecting the calling and modifying behaviors of the worm virus in key steps by using an active defense rule;
and step S3, intercepting the calling and modifying behaviors of the worm virus.
In this embodiment a defense rule is set on the QQ quick-login URL, to detect and prevent the virus from checking through that URL whether QQ is logged in.
The virus can learn whether QQ is currently logged in by accessing the following URL, and when it actually operates QQ it can hide the window so that the user perceives nothing.
http://badjs.qq.com/cgi-bin/js_report?bid=110&mid=294082&msg=ref%E4%B8%BA%E7%A9%BA%3Aqq.com%3A%7C_%7Chttp%3A%2F%2Fxui.ptlogin2.qq.com%2Fdiv%2Fqlogin_div.html%3Flang%3D2052%26flag2%3D3%26u1%3Dhttp%253A%252F%252Fimgcache.qq.com%252Fqzone%252Fv5%252Floginsucc.html%253Fpara%253Dizone%26appid%3D15000101%7C_%7C%7C_%7CMozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.1%3B%20SV1%3B%20.NET%20CLR%202.0.50727)&v=0.9550685757484683
A defense rule is set to detect and prevent the virus from calling InternetGetCookie to obtain the Cookie.
A defense rule is set to detect and prevent the virus from calling InternetSetCookie with the value "deleted; expires=Fri, 1-Jan-1999 1:1:1 GMT; path=/; domain=qq.com", which empties the cookies under the qq.com domain.
A defense rule is set to detect and prevent the virus from acquiring the skey and g_tk check codes in the QQ Cookie.
A defense rule is set to detect and prevent the virus from calling QQ interface addresses, for example http://s.web2.qq.com/api/set_long_nick2; combined with the skey obtained above and Qzone's g_tk, such calls give the virus access to the whole QQ product family.
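The five rules above can be expressed as checks over the call records that a user-mode hook layer hands to the active-defense engine. The following Python is an added example, not code from the patent or its assignee: it assumes a hook layer (not shown) that normalizes each intercepted WinINet call into a dict with the fields `process`, `api`, `url` and, where relevant, `cookie` (the data passed to InternetSetCookie) or `returned` (the data handed back by InternetGetCookie). The sample events, the `TRUSTED_PROCESSES` allow-list, the `QQ_API_HOSTS` set and the `g_tk()` derivation are this example's own assumptions. One practical caveat the patent does not spell out is built in: the genuine QQ client and an ordinary browser perform the very same cookie and URL operations, so a deployable version must exempt trusted QQ binaries, otherwise the "low false-positive rate" does not hold.

```python
# Added example modelling the five active-defense rules of this patent; not code
# from the patent or its assignee.  The events, TRUSTED_PROCESSES, QQ_API_HOSTS
# and g_tk() are assumptions of this example, not statements made in the patent.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote, urlsplit

# Assumption: trusted QQ binaries are exempt (by Authenticode signer in practice, by name here).
TRUSTED_PROCESSES = {"qq.exe", "txplatform.exe"}
QQ_API_HOSTS = {"s.web2.qq.com"}  # the patent names only s.web2.qq.com/api/set_long_nick2
GETCOOKIE_APIS = {"InternetGetCookie", "InternetGetCookieEx"}
SETCOOKIE_APIS = {"InternetSetCookie", "InternetSetCookieEx"}

def _host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def _in_qq_domain(host: str) -> bool:
    host = host.lower().strip(".")
    return host == "qq.com" or host.endswith(".qq.com")

def _cookie_attrs(cookie: str) -> dict[str, str]:
    """'deleted; expires=...; path=/; domain=qq.com' -> lower-cased attribute map."""
    pairs = (p.strip().partition("=") for p in cookie.split(";") if p.strip())
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def _expired(attrs: dict[str, str], now: datetime) -> bool:
    """True when Expires lies in the past; email.utils parses RFC 850 dates like the patent's."""
    try:
        when = parsedate_to_datetime(attrs.get("expires", ""))
    except (TypeError, ValueError):  # missing or unparsable date: not a wipe
        return False
    return when.replace(tzinfo=when.tzinfo or timezone.utc) < now

def rule_login_probe(ev: dict, now: datetime) -> str:
    """R1: probe of the QQ quick-login page, direct or percent-encoded inside a badjs report."""
    decoded = unquote(unquote(ev.get("url", "")))  # the patent's sample URL is double-encoded
    hit = ev["api"] == "InternetOpenUrl" and "ptlogin2.qq.com" in decoded and "qlogin" in decoded
    return "quick-login status probe" if hit else ""

def rule_get_cookie(ev: dict, now: datetime) -> str:
    """R2: InternetGetCookie against any qq.com host."""
    host = _host_of(ev.get("url", ""))
    return f"cookie read for {host}" if ev["api"] in GETCOOKIE_APIS and _in_qq_domain(host) else ""

def rule_cookie_wipe(ev: dict, now: datetime) -> str:
    """R3: InternetSetCookie with an already-expired cookie scoped to qq.com (the 'deleted' wipe)."""
    attrs = _cookie_attrs(ev.get("cookie", ""))
    domain = (attrs.get("domain") or _host_of(ev.get("url", ""))).strip(".")
    hit = ev["api"] in SETCOOKIE_APIS and _in_qq_domain(domain) and _expired(attrs, now)
    return f"expired Set-Cookie wipes cookies for {domain}" if hit else ""

def rule_skey_read(ev: dict, now: datetime) -> str:
    """R4: the cookie data handed back to the caller contains skey."""
    names = {p.partition("=")[0].strip().lower() for p in ev.get("returned", "").split(";")}
    hit = ev["api"] in GETCOOKIE_APIS and _in_qq_domain(_host_of(ev.get("url", ""))) and "skey" in names
    return "skey exposed (g_tk derivable)" if hit else ""

def rule_qq_api(ev: dict, now: datetime) -> str:
    """R5: direct call to a QQ web interface such as /api/set_long_nick2."""
    parts = urlsplit(ev.get("url", ""))
    hit = ev["api"] == "InternetOpenUrl" and _host_of(ev.get("url", "")) in QQ_API_HOSTS and parts.path.startswith("/api/")
    return f"QQ interface call {parts.hostname}{parts.path}" if hit else ""

RULES = [("R1", rule_login_probe), ("R2", rule_get_cookie), ("R3", rule_cookie_wipe),
         ("R4", rule_skey_read), ("R5", rule_qq_api)]

def g_tk(skey: str) -> int:
    """Assumption: the widely published Qzone g_tk derivation (a DJB-style hash of skey), included
    to show why R4 treats a plain skey read as compromise: the interface token follows from it."""
    h = 5381
    for ch in skey:
        h += (h << 5) + ord(ch)
    return h & 0x7FFFFFFF

def evaluate(events: list, now=None) -> list:
    """Run every rule over every event from a non-trusted process; each hit is blocked."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    for ev in events:
        if ev.get("process", "").lower() in TRUSTED_PROCESSES:
            continue
        for rule_id, check in RULES:
            detail = check(ev, now)
            if detail:
                alerts.append({"rule": rule_id, "process": ev["process"], "action": "block", "detail": detail})
    return alerts

# Constructed events: the worm's four steps in the patent's order, then two benign calls.
SAMPLE_EVENTS = [
    {"process": "XX视频助手.exe", "api": "InternetOpenUrl", "url": "http://badjs.qq.com/cgi-bin/js_report?bid=110"
     "&msg=ref%3Aqq.com%7C_%7Chttp%3A%2F%2Fxui.ptlogin2.qq.com%2Fdiv%2Fqlogin_div.html%3Flang%3D2052"},
    {"process": "XX视频助手.exe", "api": "InternetGetCookie", "url": "http://qzone.qq.com/",
     "returned": "uin=o0123456789; skey=@a; pt2gguin=o0123456789"},
    {"process": "XX视频助手.exe", "api": "InternetSetCookie", "url": "http://qq.com/",
     "cookie": "deleted; expires=Fri, 1-Jan-1999 1:1:1 GMT; path=/; domain=qq.com"},
    {"process": "XX视频助手.exe", "api": "InternetOpenUrl", "url": "http://s.web2.qq.com/api/set_long_nick2"},
    {"process": "QQ.exe", "api": "InternetGetCookie", "url": "http://qzone.qq.com/", "returned": "skey=@a"},
    {"process": "iexplore.exe", "api": "InternetOpenUrl", "url": "http://www.qq.com/"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields five blocked alerts, all against the worm process: R1 for the quick-login probe, R2 and R4 for the single cookie read that also exposes skey, R3 for the expired qq.com Set-Cookie, and R5 for the set_long_nick2 call; the QQ client's own cookie read is skipped by the allow-list and the browser's visit to www.qq.com matches nothing. Note that R3 keys on the semantics (an Expires in the past, scoped to qq.com) rather than the literal string from the patent, so a variant that changes the date or the dummy value is still caught.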
As shown in fig. 2, a worm virus detection and defense system includes the following devices:
the active defense rule setting module 11 is used for setting an active defense rule on a necessary key path for controlling the target software by the worm virus;
the detection module 12 is used for detecting the invoking and modifying behaviors of the worm virus in the key steps by utilizing the active defense rule;
and the interception module 13 is used for intercepting the calling and modifying behaviors of the worm viruses.
In this embodiment, the active defense rule setting module includes:
a first defense rule setting submodule for setting a rule that detects and prevents the virus from checking, via a URL, whether QQ is logged in;
a second defense rule setting submodule for setting a rule against the virus calling the InternetGetCookie function to obtain the Cookie;
a third defense rule setting submodule for setting a rule against the virus calling the InternetSetCookie function to empty the cookies under the qq.com domain;
a fourth defense rule setting submodule for setting a rule against the virus acquiring the skey and g_tk check codes in the QQ Cookie;
and a fifth defense rule setting submodule for setting a rule against the virus calling the addresses of QQ interfaces.
In this embodiment, the process by which the QQ group worm controls the QQ series products through the QQ quick-login mechanism has been analyzed and summarized, and active defense rules are set on the paths the virus must take in order to intercept it. The false-positive rate is low and the rules are highly targeted, so outbreaks and spread of the virus can be contained in time and the safe use of the QQ series products is effectively protected.
The method and system of the present invention are not limited to the embodiments described in the detailed description, and those skilled in the art can derive other embodiments according to the technical solutions of the present invention, and also belong to the technical innovation scope of the present invention.

Claims (3)

1. A method for detecting and defending against worm viruses, comprising the steps of:
setting an active defense rule on a necessary key path for controlling target software by a worm virus;
detecting the calling and modifying behaviors of the worm virus in key steps by using an active defense rule;
intercepting the calling and modifying behaviors of the worm virus;
the target software to be protected is a QQ series product, and the QQ group worm virus is detected and prevented;
wherein:
the active defense rules comprise:
detecting and preventing the virus from detecting whether QQ is logged in by accessing a set URL;
detecting and preventing the virus from calling the InternetGetCookie function to obtain Cookies;
detecting and preventing the virus from calling the InternetSetCookie function to empty the Cookies under the qq.com domain;
detecting and preventing the virus from acquiring the skey and g_tk check codes in the QQ Cookie; and
detecting and preventing the virus from calling the addresses of QQ interfaces.
2. A detection and defense system for worm viruses comprising the following means:
the active defense rule setting module is used for setting an active defense rule on a necessary key path for controlling the target software by the worm virus;
the detection module is used for detecting the calling and modifying behaviors of the worm virus in key steps by utilizing an active defense rule;
the intercepting module is used for intercepting the calling and modifying behaviors of the worm viruses;
the active defense rule setting module comprises:
a first defense rule setting submodule for setting a rule that detects and prevents the virus from detecting whether QQ is logged in by accessing a set URL;
a second defense rule setting submodule for setting a rule against the virus calling the InternetGetCookie function to obtain the Cookie;
a third defense rule setting submodule for setting a rule against the virus calling the InternetSetCookie function to empty the Cookies under the qq.com domain;
a fourth defense rule setting submodule for setting a rule against the virus acquiring the skey and g_tk check codes in the QQ Cookie;
and a fifth defense rule setting submodule for setting a rule against the virus calling the addresses of QQ interfaces.
3. The system of claim 2, wherein: the software to be protected is a QQ series product, and the QQ group worm virus is detected and prevented.
CN201410372955.XA 2014-07-31 2014-07-31 Detection and defense method and system for worm virus Active CN104219225B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410372955.XA CN104219225B (en) 2014-07-31 2014-07-31 Detection and defense method and system for worm virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410372955.XA CN104219225B (en) 2014-07-31 2014-07-31 Detection and defense method and system for worm virus

Publications (2)

Publication Number Publication Date
CN104219225A (en) 2014-12-17
CN104219225B (en) 2020-04-03 (granted)

Family

ID=52100359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410372955.XA Active CN104219225B (en) 2014-07-31 2014-07-31 Detection and defense method and system for worm virus

Country Status (1)

Country Link
CN (1) CN104219225B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005008417A2 (en) * 2003-07-11 2005-01-27 Computer Associates Think, Inc. Method and system for protecting against computer viruses
CN101188851A (en) * 2006-11-17 2008-05-28 中兴通讯股份有限公司 Access control method for mobile terminal
CN102685081A (en) * 2011-03-17 2012-09-19 腾讯科技(深圳)有限公司 Webpage request safe processing method and system
CN103490992A (en) * 2013-10-10 2014-01-01 沈阳航空航天大学 Instant messaging worm detection method
CN103853980A (en) * 2014-02-28 2014-06-11 珠海市君天电子科技有限公司 Safety prompting method and device


Also Published As

Publication number Publication date
CN104219225A (en) 2014-12-17


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181128

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Seal Interest Technology Co., Ltd.

Address before: 519070, six level 601F, 10 main building, science and technology road, Tangjia Bay Town, Zhuhai, Guangdong.

Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.

GR01 Patent grant