CN102841999A - Method and device for detecting macro virus of files - Google Patents

Method and device for detecting macro virus of files

Info

Publication number: CN102841999A
Authority: CN (China)
Prior art keywords: file, macrovirus, detected, behavior code, behavior
Legal status: Granted
Application number: CN2012102466613A
Priority application: CN201210246661.3A
Other languages: Chinese (zh)
Other versions: CN102841999B (en)
Inventor: 禹建文
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current legal status: Expired - Fee Related

Abstract

The embodiments of the invention provide a method and a device for detecting a macro virus in a file. The method comprises matching the macro code of the file to be detected against the behavior codes in a behavior code library, where a behavior code represents the macro code required to realize a fixed macro virus behavior, and judging from the matching result whether the file to be detected is infected with a macro virus. The embodiments of the invention can improve the capability to detect macro viruses in files.

Description

Method and device for detecting a file macro virus
Technical field
The embodiments of the invention relate to the field of computer security technology, and in particular to a method and device for detecting a file macro virus.
Background art
A macro language is a type of programming language in which all or most of the computation is carried out by expanding macros. Macro languages are commonly used in word processors, mainly to extend the functionality of the text-processing program; for example, Microsoft Office uses a macro language to provide macro functions such as dynamic calculation over tables and the design of interactive windows. However, virus writers may also exploit the power and ease of development of macro languages to develop macro viruses.
A macro virus is a computer virus stored in the macros of a document or template. Once such a document is opened, the macros in it are executed, so the macro virus is activated, transferred to the computer, and takes up residence in the Normal template. From then on, every document that is saved automatically is "infected" with the macro virus, and if another user opens an infected document, the macro virus is transferred to that user's computer in turn.
Because a macro virus hides inside a data file, and because the scripting syntax it uses is flexible and variable, with many ways of writing the same function, it is very difficult to identify whether a file carries a macro virus.
The anti-virus methods adopted by existing anti-virus software almost all depend on virus signatures. Because each computer virus usually has its own identifying characteristics, once a virus appears, the characteristic feature of that virus is first found, and the virus characterized by that feature is then searched for and handled according to it. That is, the prior art has some detection capability for known macro viruses.
However, a macro virus infects and breaks out first, and anti-virus measures come afterwards. Moreover, a macro language is a scripting language: a slight modification produces a variant, and a virus can even rewrite itself during propagation, changing once with every propagation. The prior art therefore finds it hard to keep up with the speed at which macro viruses change, has essentially no detection capability for unknown macro viruses, and achieves a poor anti-virus effect.
In short, the technical problem that those skilled in the art urgently need to solve is how to improve the detection capability for unknown macro viruses.
Summary of the invention
The technical problem to be solved by the embodiments of the invention is to provide a method and device for detecting a file macro virus that can improve the detection capability for file macro viruses.
To solve the above problem, an embodiment of the invention discloses a method for detecting a file macro virus, comprising:
matching the macro code of the file to be detected against the behavior codes in a behavior code library, where a behavior code represents the macro code required to realize a fixed macro virus behavior; and
judging from the matching result whether the file to be detected is infected with a macro virus.
Preferably, the step of matching the macro code of the file to be detected against the behavior codes in the behavior code library further comprises:
obtaining a matching result of success when the macro code of the file to be detected contains a behavior code that matches, and obtaining a matching result of failure when it contains no matching behavior code;
and the step of judging from the matching result whether the file to be detected is infected with a macro virus further comprises:
when the matching result is failure, judging that the file to be detected is not infected with a macro virus;
when the matching result is success, judging whether the file to be detected is infected with a macro virus according to the behavior codes that matched in its macro code.
Preferably, the step of judging whether the file to be detected is infected with a macro virus according to the behavior codes that matched in its macro code further comprises:
judging whether the behavior codes that matched in the macro code of the file to be detected satisfy a preset danger condition; if so, judging that the file to be detected is infected with a macro virus, and otherwise judging that it is not.
Preferably, the preset danger condition comprises one or more of the following conditions:
the danger coefficient of the behavior codes that matched in the macro code of the file to be detected exceeds a preset danger coefficient threshold;
the danger level of the behavior codes that matched in the macro code of the file to be detected exceeds a preset danger level;
a preset single behavior code, or a preset combination of behavior codes, appears among the behavior codes that matched in the macro code of the file to be detected.
Preferably, the embodiment of the invention constructs the behavior code library through the following steps:
collecting the behavior codes required to realize fixed macro virus behaviors;
saving the behavior codes to the behavior code library.
Preferably, the step of collecting the behavior codes required to realize fixed macro virus behaviors further comprises:
collecting macro virus samples;
performing semantic analysis of the macro code of the macro virus samples according to the syntax of the macro code, and extracting from it the behavior codes required to realize the corresponding fixed macro virus behaviors.
Preferably, a behavior code comprises a function name, a function variable name or a function statement.
Preferably, the method also comprises:
for the worksheets of an Excel file to be detected, if one of its custom names contains an Excel reserved name, judging that the Excel file to be detected is infected with a macro virus.
In another aspect, an embodiment of the invention also discloses a device for detecting a file macro virus, comprising:
a matching module, used to match the macro code of the file to be detected against the behavior codes in a behavior code library, where a behavior code represents the macro code required to realize a fixed macro virus behavior; and
a discrimination module, used to judge from the matching result whether the file to be detected is infected with a macro virus.
Preferably, the matching module further comprises:
a match-success submodule, used to obtain a matching result of success when the macro code of the file to be detected contains a matching behavior code; and
a match-failure submodule, used to obtain a matching result of failure when the macro code of the file to be detected contains no matching behavior code;
and the discrimination module further comprises:
a first discrimination submodule, used to judge that the file to be detected is not infected with a macro virus when the matching result is failure;
a second discrimination submodule, used to judge, when the matching result is success, whether the file to be detected is infected with a macro virus according to the behavior codes that matched in its macro code.
Preferably, the second discrimination submodule further comprises:
a judging unit, used to judge whether the behavior codes that matched in the macro code of the file to be detected satisfy a preset danger condition; if so, it judges that the file to be detected is infected with a macro virus, and otherwise that it is not.
Preferably, the preset danger condition comprises one or more of the following conditions:
the danger coefficient of the behavior codes that matched in the macro code of the file to be detected exceeds a preset danger coefficient threshold;
the danger level of the behavior codes that matched in the macro code of the file to be detected exceeds a preset danger level;
a preset single behavior code, or a preset combination of behavior codes, appears among the behavior codes that matched in the macro code of the file to be detected.
Preferably, the device also comprises a constructing module used to construct the behavior code library, the constructing module comprising:
a collecting submodule, used to collect the behavior codes required to realize fixed macro virus behaviors;
a saving submodule, used to save the behavior codes to the behavior code library.
Preferably, the collecting submodule further comprises:
a sample collecting unit, used to collect macro virus samples;
an analysis and extraction unit, used to perform semantic analysis of the macro code of the macro virus samples according to the syntax of the macro code and to extract from it the behavior codes required to realize the corresponding fixed macro virus behaviors.
Preferably, a behavior code comprises a function name, a function variable name or a function statement.
Preferably, the device also comprises:
a worksheet detection module, used, for the worksheets of an Excel file to be detected, to judge that the Excel file to be detected is infected with a macro virus if one of its custom names contains an Excel reserved name.
Compared with the prior art, the embodiments of the invention have the following advantages:
Whereas the prior art detects file macro viruses by relying on the signatures of known macro viruses, the embodiments of the invention detect file macro viruses on the basis of the rule that "the behavior code required to realize a fixed macro virus behavior is relatively fixed", a behavior code representing the macro code required to realize a fixed macro virus behavior. Known and unknown macro viruses alike follow this rule, so however fast and however much macro viruses change, the rule remains constant. By matching the macro code of the file to be detected against the behavior codes in the behavior code library, the embodiments of the invention therefore gain some detection capability for unknown macro viruses, improve the detection capability for unknown macro viruses, and achieve a better anti-virus effect.
Brief description of the drawings
Fig. 1 is a flowchart of an embodiment of the method for detecting a file macro virus according to the embodiments of the invention;
Fig. 2 is a structural diagram of an embodiment of the device for detecting a file macro virus according to the embodiments of the invention.
Detailed description of the embodiments
To make the above purposes, features and advantages of the embodiments of the invention clearer and easier to understand, the embodiments of the invention are explained in further detail below with reference to the drawings and specific embodiments.
The prior art detects macro viruses by relying on their signatures and has some detection capability for known macro viruses. However, a macro virus infects and breaks out first, and anti-virus measures come afterwards; moreover, a macro language is a scripting language, so a slight modification produces a variant, and a virus can even rewrite itself during propagation, changing once with every propagation. The prior art therefore finds it hard to keep up with the speed at which macro viruses change, has essentially no detection capability for unknown macro viruses, and achieves a poor anti-virus effect.
In the course of their research, the inventors found the following rule: the behavior of a macro virus (hereafter simply "macro virus behavior") is relatively fixed, and the behavior code required to realize a fixed macro virus behavior is also relatively fixed. If the behavior codes required to realize fixed macro virus behaviors are known, then matching the macro code of the file to be detected against the known behavior codes can detect whether the file to be detected is infected with a macro virus.
Because the embodiments of the invention do not rely on the signatures of known macro viruses but detect file macro viruses on the basis of the rule that "the behavior code required to realize a fixed macro virus behavior is relatively fixed", and because known and unknown macro viruses alike follow this rule, they have some detection capability for unknown macro viruses however fast and however much macro viruses change, and can therefore achieve a better anti-virus effect.
Referring to Fig. 1, a flowchart of an embodiment of the method for detecting a file macro virus according to the embodiments of the invention is shown; it may specifically comprise:
Step 101: matching the macro code of the file to be detected against the behavior codes in a behavior code library, where a behavior code represents the macro code required to realize a fixed macro virus behavior.
The embodiments of the invention can detect whether any kind of file that has macro functionality is infected with a macro virus. For example, one typical file with macro functionality is a Microsoft Office file, which usually uses a macro language to implement macro functions such as dynamic calculation over tables and the design of interactive windows. Of course, Microsoft Office files are not a limitation on the application of the embodiments of the invention.
Macro code is code developed in a macro language; in practice the corresponding macro code can be obtained after reading the file to be detected. As an example of a macro language, VBA (Visual Basic for Applications) is a macro language derived from Visual Basic that is mainly used to extend the functionality of Windows applications, in particular Microsoft Office software. VBA is of course not a limitation on the embodiments of the invention either; macro code developed in other macro languages, such as the C macro language or ARC Macro Language, is equally applicable to the embodiments of the invention.
Suppose that the file to be detected is a Microsoft Word file, and that this Microsoft Word file uses macro code developed in VBA to realize some extended function. In practice, the Microsoft Word file can be read and the corresponding macro code found in the Visual Basic editor of Microsoft Word.
In the embodiments of the invention, the behavior code library is a container for storing the behavior codes required to realize fixed macro virus behaviors, and it can be implemented with any of various data structures. As the content stored in the behavior code library, a behavior code is the behavior code required to realize a fixed macro virus behavior; for brevity, "behavior code" below always means the behavior code required to realize a fixed macro virus behavior.
In practice, the behavior code library can be constructed through the following steps: collecting the behavior codes required to realize fixed macro virus behaviors, and saving the behavior codes to the behavior code library. Moreover, if behavior codes are collected and saved to the behavior code library continuously, a continuously updated behavior code library is obtained.
In a preferred embodiment of the embodiments of the invention, the step of collecting the behavior codes required to realize fixed macro virus behaviors may further comprise:
Sub-step A1: collecting macro virus samples;
Sub-step A2: analyzing the semantics of the macro code of the macro virus samples according to the syntax of the macro code, and extracting from it the behavior codes required to realize the corresponding fixed macro virus behaviors.
A macro virus sample in the embodiments of the invention should satisfy the following conditions: 1. it contains macro code; 2. it has been confirmed to be a macro virus. Thus a macro virus sample can take the form of a file, and in practice macro virus samples of this form can be collected continuously.
Macro virus samples can usually be classified by the host in which the macro virus resides, for example into samples stored in Word (which have only VBA scripts) and samples stored in Excel (which contain VBA scripts and also have Macro4.0 types in worksheets), and collected by class.
In practice, a file that anti-virus software has scanned and confirmed to be infected with a macro virus can be used directly as a macro virus file.
In one example of the embodiments of the invention, macro virus samples can also be collected by way of user feedback. For example, a user may upload to a server a file that is suspected of being infected with a macro virus but that the anti-virus software cannot detect by scanning; the upload path can be the client of the anti-virus software, and the server can be the server of the anti-virus software. The server can then collect the macro virus samples uploaded by all or some of the clients and analyze them. Of course, users can also feed back macro virus samples through other channels, such as a web upload interface; the embodiments of the invention do not limit the specific upload channel.
In a specific implementation, the macro code of the macro virus sample can first be obtained and then analyzed. For a macro virus sample in the form of a document, the macro virus file can be read and the corresponding macro code found in it; for specifics, refer to the example above of obtaining the macro code of a Microsoft Word file, that is, reading the Microsoft Word file and finding the corresponding macro code in the Visual Basic editor of Microsoft Word.
To extract from the macro code of the macro virus samples the behavior codes required to realize the corresponding fixed macro virus behaviors, the specific macro virus behaviors must first be obtained. Since in software development code is simply what implements a given function, once a specific macro virus behavior is known, the behavior code required to realize that function of the macro virus behavior can be found.
Through research on a large number of Microsoft Office macro virus samples, the inventors obtained the following specific macro virus behaviors:
1. Modifying the registry, for the purpose of lowering the security level setting, writing a released executable file into the startup items, and so on;
2. Propagation, which uses an infection template. Different Microsoft Office applications have different infection templates; for example, on a Windows 7 system under default settings,
the infection template file of Microsoft Word is under Users [user name] AppData, and
the infection template directory of Excel is Users [user name] AppData together with office11 under the Excel installation directory;
3. Infection risk: the user opens a clean file and the virus copies itself into the clean file; it sends mail containing the virus document to the user's mail contacts, and so on;
4. Behaviors on outbreak, comprising:
4.1 popping up a window at a certain time period;
4.2 repeatedly copying worksheets, which interferes with normal use of the software;
4.3 releasing an executable file, which can specifically comprise creating a file, writing the file, executing the file, and so on.
It should be noted that the specific macro virus behaviors above were obtained from research on Microsoft Office and serve only as an example of the embodiments of the invention; they do not limit the implementation of the embodiments of the invention.
In a specific implementation, the semantics of the macro code of the macro virus samples can be analyzed according to its syntax, and the behavior codes required to realize the corresponding fixed macro virus behaviors extracted from it. For example, in one application example of the embodiments of the invention, the analysis can comprise: traversing the macro code of the macro virus sample, analyzing it function by function or stepping into it variable by variable, and checking whether each item is used to realize the function of a specific macro virus behavior; if so, extracting it and moving on to the analysis of the next function, statement or variable, and otherwise simply moving on to the next function, statement or variable. In short, those skilled in the art can use various techniques or strategies to judge whether a function, statement or variable is used to realize the function of a specific macro virus behavior; the embodiments of the invention do not limit the specific manner of judgment.
After analysis and extraction, the behavior codes of the embodiments of the invention can specifically comprise function names, function variable names or function statements.
In a preferred embodiment of the embodiments of the invention, the behavior codes can take the form of character strings. Then, during detection of a file macro virus, matching the macro code of the file to be detected against the behavior codes in the behavior code library amounts to string processing. In one application example of the embodiments of the invention, the macro code of the file to be detected is read to obtain one large string, and each given string, that is, each behavior code stored in the behavior code library, is searched for in this large string. If the search succeeds, the match is a success; if the search fails, the search proceeds to the next given string, until every given string stored in the behavior code library has been searched for.
Step 102: judging from the matching result whether the file to be detected is infected with a macro virus.
In a preferred embodiment of the embodiments of the invention, the step of matching the macro code of the file to be detected against the behavior codes in the behavior code library may further comprise:
obtaining a matching result of success when the macro code of the file to be detected contains a behavior code that matches, and obtaining a matching result of failure when it contains no matching behavior code;
and the step of judging from the matching result whether the file to be detected is infected with a macro virus may further comprise:
Step B1: when the matching result is failure, judging that the file to be detected is not infected with a macro virus;
Step B2: when the matching result is success, judging whether the file to be detected is infected with a macro virus according to the behavior codes that matched in its macro code.
In another preferred embodiment of the embodiments of the invention, step B2 of judging whether the file to be detected is infected with a macro virus according to the behavior codes that matched in its macro code may further comprise:
judging whether the behavior codes that matched in the macro code of the file to be detected satisfy a preset danger condition; if so, judging that the file to be detected is infected with a macro virus, and otherwise judging that it is not.
In yet another preferred embodiment of the embodiments of the invention, the preset danger condition can specifically comprise one or more of the following conditions:
Danger condition C1: the danger coefficient of the behavior codes that matched in the macro code of the file to be detected exceeds a preset danger coefficient threshold.
As for how to obtain the danger coefficient of the behavior codes that matched in the macro code of the file to be detected, in practice a corresponding danger coefficient can be preset for each behavior code in the behavior code library; or, to reduce the effort of setting them, the behavior codes in the behavior code library can be classified and a corresponding danger coefficient preset for each class.
It will be appreciated that those skilled in the art can classify on many different bases. In a preferred application, the kind of virus behavior can serve as the basis of classification; for example, the class corresponding to the "modify registry" behavior can be preset a danger coefficient of 10, the class corresponding to "propagation" a danger coefficient of 5, the class corresponding to "infection risk" a danger coefficient of 8, and so on.
With reference to the example above, because a virus behavior may be subdivided, corresponding danger coefficients can also be preset for the subdivided virus behaviors. For example, within the large class of infection risk, the class corresponding to the "copy worksheet" behavior can be preset a danger coefficient of 5 and the class corresponding to the "execute file" behavior a danger coefficient of 10, and so on.
Of course, the above is only an example. In practice, those skilled in the art obtain many different virus behaviors and can preset different danger coefficients for the corresponding classes according to the hazard level of each virus behavior; the embodiments of the invention do not limit the specific danger coefficients.
In practice, more than one behavior code may match in the macro code of the file to be detected. In that case the danger coefficients of the several behavior codes can be averaged, weighted and averaged, summed, or otherwise combined to obtain a comprehensive danger coefficient, and the comprehensive danger coefficient is then compared with the preset danger coefficient threshold.
Those skilled in the art can preset the danger coefficient threshold according to metrics such as the macro virus detection rate or the macro virus false positive rate. For example, to reach a higher macro virus detection rate a smaller danger coefficient threshold can be preset, and to reach a lower macro virus false positive rate a higher danger coefficient threshold can be preset, and so on.
Danger condition C2: the danger level of the behavior codes that matched in the macro code of the file to be detected exceeds a preset danger level.
The danger coefficient and the danger level of a behavior code both reflect its hazard level; one difference between the two is that the danger coefficient is described with a more specific numerical value, whereas the danger level can be described with a simpler number or with text. For example, the range of the danger coefficient can be [0,20], while the range of the danger level can be [1,5] or [1,3], or the textual range of the danger level can be [low, intermediate, high], and so on.
As for how to obtain the danger level of the behavior codes that matched in the macro code of the file to be detected, in practice a corresponding danger level can be preset for each behavior code in the behavior code library; or, to reduce the effort of setting them, the behavior codes in the behavior code library can be classified and a corresponding danger level preset for each class.
For danger condition C2, the basis of classification and the preset danger levels are similar to those of danger condition C1, so they can be understood by cross-reference and are not repeated here.
Danger condition C3: a preset single behavior code, or a preset combination of behavior codes, appears among the behavior codes that matched in the macro code of the file to be detected.
Danger condition C3 can stipulate that the file to be detected is judged infected with a macro virus as soon as a preset single behavior code appears among the behavior codes that matched in its macro code.
In practice, the function names corresponding to certain macro virus behaviors can serve as preset single behavior codes. For example, once any of the following function names appears among the behavior codes that matched in the macro code of the file to be detected, the file to be detected can be judged infected with a macro virus:
1=runblackice
2=infectdocument
3=infectnormal
4=Empirical
In a specific implementation, combinations of behavior codes can also be preset from the behavior codes corresponding to macro virus behaviors; if a preset combination of behavior codes appears among the behavior codes that matched in the macro code of the file to be detected, the file can be judged infected with a macro virus.
In one application example of the embodiments of the invention, the behavior codes corresponding to macro virus behaviors can be numbered with Arabic numerals as follows:
1=filesystemobject
2=wcripting.shell
3=createobject
4=Application.OnKey"%{F
5=normal.dot
6=book1.xls
7=startup.xls
8=normal.xlm
9=norma1.xlm
10=norma1.dot
11=Open
12=for
13=as
14=writefile
15=createfile
16=Private Declare Function
17=lib
18=infectnormal
19=<!!blackice>
20=(m1)_(m2)_(m3)
21=System.PrivateProfileString
22=HKEY_CURRENT_USER
23=shell
24=Shell
25=NormalTemplate.VBProject.VBComponents
26=Application.StartupPath
Then, according to the hazard level of the macro virus behaviors corresponding to these behavior codes, the following behavior code combinations can be preset, each numbered with Arabic numerals:
1=3,2
2=3,1
3=21,22
4=16,17
5=25
6=11,12,13
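As an added example, not code from the patent or from the applicant, the matching step and the discrimination step under dangerous condition C3 in Python. The 26 behavior codes, the six combinations and the four single function names are taken verbatim from the listings above (including the "wcripting.shell" spelling and the truncated OnKey entry); the two VBA samples, the whole-token regular-expression matching and the case-insensitive comparison are my assumptions. Conditions C1 and C2 need the danger coefficient and danger class tables, which this part of the description does not list, so they are not implemented here.

```python
import re

# Behavior codes numbered as in the listing above (reproduced as the page prints them).
BEHAVIOR_CODES = {
    1: "filesystemobject", 2: "wcripting.shell", 3: "createobject",
    4: 'Application.OnKey"%{F', 5: "normal.dot", 6: "book1.xls", 7: "startup.xls",
    8: "normal.xlm", 9: "norma1.xlm", 10: "norma1.dot", 11: "Open", 12: "for",
    13: "as", 14: "writefile", 15: "createfile", 16: "Private Declare Function",
    17: "lib", 18: "infectnormal", 19: "<!!blackice>", 20: "(m1)_(m2)_(m3)",
    21: "System.PrivateProfileString", 22: "HKEY_CURRENT_USER", 23: "shell",
    24: "Shell", 25: "NormalTemplate.VBProject.VBComponents",
    26: "Application.StartupPath",
}

# Preset behavior code combinations, numbered as on the page.
COMBINATIONS = {1: (3, 2), 2: (3, 1), 3: (21, 22), 4: (16, 17), 5: (25,), 6: (11, 12, 13)}

# Preset single behavior codes (function names) whose presence alone means infection.
SINGLE_CODES = ("runblackice", "infectdocument", "infectnormal", "Empirical")


def _pattern(token):
    """Whole-token match (assumption): 'as' must not fire inside 'class' or 'Basic'.
    VBA identifiers are case-insensitive, so codes 23 and 24 collapse into one rule."""
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(token) + r"(?![A-Za-z0-9_])",
                      re.IGNORECASE)


def match_behavior_codes(macro_source):
    """Matching step: numbers of every behavior code found in the macro source."""
    return {n for n, tok in BEHAVIOR_CODES.items() if _pattern(tok).search(macro_source)}


def matched_single_codes(macro_source):
    """Preset single behavior codes found in the macro source."""
    return [s for s in SINGLE_CODES if _pattern(s).search(macro_source)]


def triggered_combinations(matched):
    """Preset combinations all of whose member codes were matched."""
    return [n for n, combo in COMBINATIONS.items() if all(c in matched for c in combo)]


def meets_condition_c3(macro_source):
    """Discrimination step under C3. An empty match set is a match failure,
    so an empty or token-free macro is judged not infected."""
    if matched_single_codes(macro_source):
        return True
    return bool(triggered_combinations(match_behavior_codes(macro_source)))


# Constructed samples (hypothetical, not real malware): the first carries the tokens of
# combinations 2 (createobject + filesystemobject) and 6 (Open ... For ... As).
SUSPECT_MACRO = r"""
Sub Document_Open()
    Dim fso, line
    Set fso = CreateObject("Scripting.FileSystemObject")
    Open "C:\temp\settings.ini" For Input As #1
    Line Input #1, line
    Close #1
End Sub
"""

# Ordinary loop: matches only the ubiquitous tokens 12 ("for") and 13 ("as").
BENIGN_MACRO = r"""
Sub FillColumn()
    Dim i As Integer
    For i = 1 To 10
        Cells(i, 1).Value = i * 2
    Next i
End Sub
"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_MACRO), ("benign", BENIGN_MACRO)):
        codes = match_behavior_codes(src)
        print(label, sorted(codes), triggered_combinations(codes), meets_condition_c3(src))
```

The benign sample shows why the page only uses codes 11, 12 and 13 as a combination: "for" and "as" occur in almost every VBA procedure, and on their own they trigger nothing. The same combination does fire on any macro that performs ordinary VBA file I/O with `Open ... For ... As`, so in deployment this rule is a candidate for a higher threshold or pairing with C1/C2 rather than a verdict by itself.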
In summary, the embodiment of the invention detects file macro viruses on the basis of the rule that "the behavior code required to realize a fixed macro virus behavior is relatively fixed". Both known and unknown macro viruses follow this rule, so no matter how macro viruses change or how fast they change, the method retains a certain capability to detect unknown macro viruses and therefore achieves a good anti-virus effect.
It will be appreciated that those skilled in the art can, according to newly appearing macro virus samples, update the behavior codes required to realize fixed macro virus behaviors by adding, deleting or modifying them.
The inventors of the embodiment of the invention found through research that, for Excel files, besides following the rule that "the behavior code required to realize a fixed macro virus behavior is relatively fixed", there is another distinctive way in which a macro virus can be stored: the macro virus code may be stored in a worksheet through a defined name (such as autoopen, autoclose, etc.).
"Defined names" are a feature of Excel. One form of a defined name is: the user writes a formula and gives it a name, which is therefore a defined name; generally such formulas are executed only when the user actively runs them. For example, a defined name can be the name of a formula whose content points to a certain cell of a worksheet; when the Excel file is opened, the content of that cell can be executed as a program, so the macro virus is activated and spreads on the computer.
However, Excel reserves some defined names, referred to below as Excel reserved names, such as Auto_Open, Auto_Close, Print_Area, Auto_Active and so on.
One difference between Excel reserved names and ordinary defined names is that if an Excel reserved name exists among the defined names of a worksheet of an Excel file, the host stored under that defined name, such as a formula, is very likely infected with a macro virus, and running the host no longer depends on the user's active operation but takes place when one or more kinds of event occur. For example, a formula whose defined name is Auto_Open executes automatically when the Excel file is opened, and a macro virus will exploit this feature to execute.
In view of the above rule, in a preferred embodiment of the embodiment of the invention, the method may further comprise: for a worksheet of the Excel file to be detected, if an Excel reserved name exists among its defined names, judging that the Excel file to be detected is infected with a macro virus. Here, the Excel reserved names can be obtained by analyzing macro virus samples; the embodiment of the invention does not limit the specific manner of analysis.
In addition, the attributes of a worksheet of an Excel file generally include visible, hidden and very hidden; when the attribute of a worksheet is hidden, its content can first be obtained through the "unhide" command and then further checked for Excel reserved names; if any exist, the Excel file to be detected can be judged infected with a macro virus.
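As an added example, not code from the patent or from the applicant, the worksheet check described above applied to the defined names of an OOXML workbook in Python. The reserved names are the four the page lists; the constructed `xl/workbook.xml` fragments, the handling of the `_xlnm.` prefix that Excel uses for built-in names, and the reporting of the target sheet's `hidden`/`veryHidden` state are my assumptions. Legacy BIFF `.xls` files store defined names in NAME records instead and are not parsed here.

```python
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Reserved names as listed on the page; the page says the full list comes from sample analysis.
EXCEL_RESERVED_NAMES = {"auto_open", "auto_close", "print_area", "auto_active"}

# Constructed xl/workbook.xml of a hypothetical .xlsm package: a defined name Auto_Open
# points into a very hidden sheet, plus a built-in print area and an ordinary named cell.
SAMPLE_WORKBOOK_XML = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Report" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames>
    <definedName name="Auto_Open">Macro1!$A$1</definedName>
    <definedName name="_xlnm.Print_Area" localSheetId="0">Report!$A$1:$D$20</definedName>
    <definedName name="TaxRate">Report!$F$1</definedName>
  </definedNames>
</workbook>
"""

# Constructed clean workbook: one visible sheet, one ordinary defined name.
CLEAN_WORKBOOK_XML = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheets><sheet name="Report" sheetId="1"/></sheets>
  <definedNames><definedName name="TaxRate">Report!$F$1</definedName></definedNames>
</workbook>
"""


def load_workbook_xml(path):
    """Read xl/workbook.xml out of an OOXML package (.xlsx/.xlsm); not used by the tests."""
    with zipfile.ZipFile(path) as pkg:
        return pkg.read("xl/workbook.xml").decode("utf-8")


def normalize_name(name):
    """Built-in names may be stored with an _xlnm. prefix; compare case-insensitively."""
    if name.lower().startswith("_xlnm."):
        name = name[len("_xlnm."):]
    return name.lower()


def parse_workbook(xml_text):
    """Return ({sheet name: state}, [(defined name, refers-to formula)]).
    Reading the XML directly means hidden sheets need no 'unhide' step first."""
    root = ET.fromstring(xml_text)
    sheets = {s.get("name"): s.get("state", "visible")
              for s in root.findall("m:sheets/m:sheet", NS)}
    names = [(d.get("name"), (d.text or "").strip())
             for d in root.findall("m:definedNames/m:definedName", NS)]
    return sheets, names


def reserved_name_hits(xml_text):
    """Defined names that collide with an Excel reserved name, with the visibility state of
    the sheet they refer to, so a 'hidden'/'veryHidden' target is reported, not overlooked."""
    sheets, names = parse_workbook(xml_text)
    hits = []
    for name, refers_to in names:
        if normalize_name(name) not in EXCEL_RESERVED_NAMES:
            continue
        sheet = refers_to.split("!", 1)[0].strip("'") if "!" in refers_to else ""
        hits.append({"name": name, "refers_to": refers_to,
                     "sheet": sheet, "sheet_state": sheets.get(sheet, "unknown")})
    return hits


def is_infected_by_reserved_name(xml_text):
    """The page's rule: any Excel reserved name among the defined names means infected."""
    return bool(reserved_name_hits(xml_text))


if __name__ == "__main__":
    for hit in reserved_name_hits(SAMPLE_WORKBOOK_XML):
        print(hit)
    print("clean workbook infected:", is_infected_by_reserved_name(CLEAN_WORKBOOK_XML))
```

On the sample the check reports `Auto_Open` pointing into the very hidden sheet `Macro1` and the built-in `Print_Area`. Because Print_Area is written by Excel for almost any workbook that has ever been printed, a deployment of this rule would normally weight the auto-executing names (Auto_Open, Auto_Close, Auto_Active) far above it, and treat a hit that refers to a hidden or very hidden sheet as the stronger signal.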
It should be noted that, once the file to be detected has been judged infected with a macro virus, the macro code in that file can be deleted to remove the macro virus.
In addition, the file macro virus detection function of the embodiment of the invention can be integrated into anti-virus software; in that case, when a user runs the anti-virus software to detect file macro viruses, files found to be infected can be uploaded to the server side as macro virus samples.
Corresponding to the foregoing method embodiment, the embodiment of the invention also discloses a file macro virus detection device; with reference to the structural diagram shown in Figure 2, the device may specifically comprise:
Matching module 201, used to match the macro code of the file to be detected against the behavior codes in the behavior code library; wherein the behavior code is used to represent the macro code required to realize a fixed macro virus behavior; and
Discrimination module 202, used to judge, according to the matching result, whether the file to be detected is infected with a macro virus.
In a preferred embodiment of the embodiment of the invention, the matching module 202 may further comprise:
a match-success submodule, used to obtain a match-success matching result when a successfully matched behavior code exists in the macro code of the file to be detected; and
a match-failure submodule, used to obtain a match-failure matching result when no successfully matched behavior code exists in the macro code of the file to be detected;
and the discrimination module 202 may further comprise:
a first discrimination submodule, used to judge that the file to be detected is not infected with a macro virus when the matching result is a match failure;
a second discrimination submodule, used to judge, when the matching result is a match success, whether the file to be detected is infected with a macro virus according to the successfully matched behavior codes in its macro code.
In another preferred embodiment of the embodiment of the invention, the second discrimination submodule may further comprise:
a judging unit, used to judge whether the successfully matched behavior codes in the macro code of the file to be detected meet a preset dangerous condition; if so, the file to be detected is judged infected with a macro virus; otherwise, it is judged not infected with a macro virus.
In the embodiment of the invention, preferably, the preset dangerous condition may specifically comprise one or more of the following conditions:
the danger coefficient of the successfully matched behavior codes in the macro code of the file to be detected exceeds a preset danger coefficient threshold;
the danger class of the successfully matched behavior codes in the macro code of the file to be detected exceeds a preset danger class;
a preset single behavior code, or a preset behavior code combination, appears among the successfully matched behavior codes in the macro code of the file to be detected.
In a preferred embodiment of the embodiment of the invention, the device may further comprise a construction module for constructing the behavior code library, and the construction module may specifically comprise:
a collection submodule, used to collect the behavior codes required to realize fixed macro virus behaviors;
a saving submodule, used to save the behavior codes to the behavior code library.
In another preferred embodiment of the embodiment of the invention, the collection submodule may further comprise:
a sample collection unit, used to collect macro virus samples;
an analysis and extraction unit, used to perform semantic analysis on the macro code of the macro virus samples according to the grammar of the macro code, and to extract from it the behavior codes required to realize the corresponding fixed macro virus behaviors.
In the embodiment of the invention, preferably, the behavior code may specifically comprise a function name, a function variable name or a function statement.
In a preferred embodiment of the embodiment of the invention, the device may further comprise:
a worksheet detection module, used to judge, for a worksheet of the Excel file to be detected, that the Excel file to be detected is infected with a macro virus if an Excel reserved name exists among its defined names.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments can be referred to one another. Since the device embodiment is basically similar to the method embodiment, its description is relatively simple, and the relevant parts can be found in the explanation of the method embodiment.
Those skilled in the art should understand that the embodiments of the invention may be provided as a method, a system or a computer program product. Therefore, the embodiment of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiment of the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The embodiment of the invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (system) and computer program product according to the embodiment of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the embodiment of the invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiment of the invention.
The method and device for detecting file macro viruses provided by the embodiment of the invention have been introduced in detail above. Specific examples have been used herein to explain the principle and implementation of the embodiment of the invention; the explanation of the above embodiments is only intended to help understand the method of the embodiment of the invention and its core idea. At the same time, those of ordinary skill in the art may, according to the idea of the embodiment of the invention, make changes to the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the embodiment of the invention.

Claims (16)

1. A method for detecting a file macro virus, characterized by comprising:
matching the macro code of a file to be detected against behavior codes in a behavior code library, wherein the behavior code is used to represent the macro code required to realize a fixed macro virus behavior; and
judging, according to the matching result, whether the file to be detected is infected with a macro virus.
2. The method of claim 1, characterized in that the step of matching the macro code of the file to be detected against the behavior codes in the behavior code library further comprises:
obtaining a match-success matching result when a successfully matched behavior code exists in the macro code of the file to be detected, and obtaining a match-failure matching result when no successfully matched behavior code exists in the macro code of the file to be detected;
and the step of judging, according to the matching result, whether the file to be detected is infected with a macro virus further comprises:
when the matching result is a match failure, judging that the file to be detected is not infected with a macro virus;
when the matching result is a match success, judging whether the file to be detected is infected with a macro virus according to the successfully matched behavior codes in the macro code of the file to be detected.
3. The method of claim 2, characterized in that the step of judging whether the file to be detected is infected with a macro virus according to the successfully matched behavior codes in the macro code of the file to be detected further comprises:
judging whether the successfully matched behavior codes in the macro code of the file to be detected meet a preset dangerous condition; if so, judging that the file to be detected is infected with a macro virus; otherwise, judging that the file to be detected is not infected with a macro virus.
4. The method of claim 3, characterized in that the preset dangerous condition comprises one or more of the following conditions:
the danger coefficient of the successfully matched behavior codes in the macro code of the file to be detected exceeds a preset danger coefficient threshold;
the danger class of the successfully matched behavior codes in the macro code of the file to be detected exceeds a preset danger class;
a preset single behavior code, or a preset behavior code combination, appears among the successfully matched behavior codes in the macro code of the file to be detected.
5. The method of any one of claims 1 to 4, characterized in that the behavior code library is constructed through the following steps:
collecting the behavior codes required to realize fixed macro virus behaviors;
saving the behavior codes to the behavior code library.
6. The method of claim 5, characterized in that the step of collecting the behavior codes required to realize fixed macro virus behaviors further comprises:
collecting macro virus samples;
performing semantic analysis on the macro code of the macro virus samples according to the grammar of the macro code, and extracting from it the behavior codes required to realize the corresponding fixed macro virus behaviors.
7. The method of any one of claims 1 to 4, characterized in that the behavior code comprises a function name, a function variable name or a function statement.
8. The method of any one of claims 1 to 4, characterized by further comprising:
for a worksheet of an Excel file to be detected, if an Excel reserved name exists among its defined names, judging that the Excel file to be detected is infected with a macro virus.
9. A device for detecting a file macro virus, characterized by comprising:
a matching module, used to match the macro code of a file to be detected against the behavior codes in a behavior code library, wherein the behavior code is used to represent the macro code required to realize a fixed macro virus behavior; and
a discrimination module, used to judge, according to the matching result, whether the file to be detected is infected with a macro virus.
10. The device of claim 9, characterized in that the matching module further comprises:
a match-success submodule, used to obtain a match-success matching result when a successfully matched behavior code exists in the macro code of the file to be detected; and
a match-failure submodule, used to obtain a match-failure matching result when no successfully matched behavior code exists in the macro code of the file to be detected;
and the discrimination module further comprises:
a first discrimination submodule, used to judge that the file to be detected is not infected with a macro virus when the matching result is a match failure;
a second discrimination submodule, used to judge, when the matching result is a match success, whether the file to be detected is infected with a macro virus according to the successfully matched behavior codes in the macro code of the file to be detected.
11. The device of claim 10, characterized in that the second discrimination submodule further comprises:
a judging unit, used to judge whether the successfully matched behavior codes in the macro code of the file to be detected meet a preset dangerous condition; if so, judging that the file to be detected is infected with a macro virus; otherwise, judging that the file to be detected is not infected with a macro virus.
12. The device of claim 11, characterized in that the preset dangerous condition comprises one or more of the following conditions:
the danger coefficient of the successfully matched behavior codes in the macro code of the file to be detected exceeds a preset danger coefficient threshold;
the danger class of the successfully matched behavior codes in the macro code of the file to be detected exceeds a preset danger class;
a preset single behavior code, or a preset behavior code combination, appears among the successfully matched behavior codes in the macro code of the file to be detected.
13. The device of any one of claims 9 to 12, characterized by further comprising a construction module for constructing the behavior code library, the construction module comprising:
a collection submodule, used to collect the behavior codes required to realize fixed macro virus behaviors;
a saving submodule, used to save the behavior codes to the behavior code library.
14. The device of claim 13, characterized in that the collection submodule further comprises:
a sample collection unit, used to collect macro virus samples;
an analysis and extraction unit, used to perform semantic analysis on the macro code of the macro virus samples according to the grammar of the macro code, and to extract from it the behavior codes required to realize the corresponding fixed macro virus behaviors.
15. The device of any one of claims 9 to 12, characterized in that the behavior code comprises a function name, a function variable name or a function statement.
16. The device of any one of claims 9 to 12, characterized by further comprising:
a worksheet detection module, used to judge, for a worksheet of an Excel file to be detected, that the Excel file to be detected is infected with a macro virus if an Excel reserved name exists among its defined names.
CN201210246661.3A 2012-07-16 2012-07-16 A kind of file method and a device for detecting macro virus Expired - Fee Related CN102841999B (en)

Publications (2)

Publication Number Publication Date
CN102841999A true CN102841999A (en) 2012-12-26
CN102841999B CN102841999B (en) 2016-12-21

Family

ID=47369349

Country Status (1)

Country Link
CN (1) CN102841999B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020162015A1 (en) * 2001-04-29 2002-10-31 Zhaomiao Tang Method and system for scanning and cleaning known and unknown computer viruses, recording medium and transmission medium therefor
US7913305B2 (en) * 2004-01-30 2011-03-22 Microsoft Corporation System and method for detecting malware in an executable code module according to the code module's exhibited behavior
JP2009037545A (en) * 2007-08-03 2009-02-19 National Institute Of Information & Communication Technology Malware resemblance inspection method and device
CN101382984A (en) * 2007-09-05 2009-03-11 江启煜 Method for scanning and detecting generalized unknown virus

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103150504B (en) * 2013-01-23 2015-12-23 北京奇虎科技有限公司 The method and apparatus of detection and dump macrovirus
CN103150504A (en) * 2013-01-23 2013-06-12 北京奇虎科技有限公司 Method and device for detecting and removing computer macro viruses
CN103246847A (en) * 2013-05-13 2013-08-14 腾讯科技(深圳)有限公司 Method and device for scanning and killing macro viruses
CN103246847B (en) * 2013-05-13 2016-03-23 腾讯科技(深圳)有限公司 A kind of method and apparatus of macrovirus killing
CN103500309A (en) * 2013-09-26 2014-01-08 北京奇虎科技有限公司 Method and device for detecting and killing macro virus
CN103500309B (en) * 2013-09-26 2016-09-28 北京奇虎科技有限公司 A kind of method and device for detecting and killing macro virus
CN103679030A (en) * 2013-12-12 2014-03-26 中国科学院信息工程研究所 Malicious code analysis and detection method based on dynamic semantic features
CN103679030B (en) * 2013-12-12 2017-01-11 中国科学院信息工程研究所 Malicious code analysis and detection method based on dynamic semantic features
US10237285B2 (en) 2014-02-24 2019-03-19 Zhuhai Juntian Electronic Technology Co., Ltd. Method and apparatus for detecting macro viruses
WO2015123972A1 (en) * 2014-02-24 2015-08-27 珠海市君天电子科技有限公司 Macro virus detection method and device
CN105488410A (en) * 2015-05-19 2016-04-13 哈尔滨安天科技股份有限公司 Detection method and system of excel macro sheet virus
CN106650451A (en) * 2016-12-30 2017-05-10 北京启明星辰信息安全技术有限公司 Detection method and device
CN106650453A (en) * 2016-12-30 2017-05-10 北京启明星辰信息安全技术有限公司 Detection method and apparatus
CN106650453B (en) * 2016-12-30 2019-11-05 北京启明星辰信息安全技术有限公司 A kind of detection method and device
CN107025407A (en) * 2017-03-22 2017-08-08 国家计算机网络与信息安全管理中心 The malicious code detecting method and system of a kind of office document files
CN109033831A (en) * 2018-06-22 2018-12-18 珠海市君天电子科技有限公司 A kind of method for detecting virus, device, electronic equipment and storage medium
CN110866256A (en) * 2019-11-12 2020-03-06 深信服科技股份有限公司 Macro code detection method, device, equipment and storage medium
CN111400707A (en) * 2020-03-10 2020-07-10 深信服科技股份有限公司 File macro virus detection method, device, equipment and storage medium
CN112580045A (en) * 2020-12-11 2021-03-30 杭州安恒信息技术股份有限公司 Method, device and medium for detecting malicious document based on macro encryption
CN112818347A (en) * 2021-02-22 2021-05-18 深信服科技股份有限公司 File label determination method, device, equipment and storage medium
CN112818347B (en) * 2021-02-22 2024-04-09 深信服科技股份有限公司 File tag determining method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN102841999B (en) 2016-12-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20161221

Termination date: 20190716