CN103839003A - Malicious file detection method and device - Google Patents

Info

Publication number: CN103839003A
Application number: CN201210478566.6A
Other versions: CN103839003B (granted patent)
Original language: Chinese (zh)
Inventor: 李萌萌
Original assignee: 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.)
Application filed by 腾讯科技(深圳)有限公司; priority to CN201210478566.6A; published as CN103839003A; granted as CN103839003B.


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a malicious file detection method and device. The method includes the steps of obtaining a sample file to be detected; running the sample file, monitoring its runtime behavior and generating a log file; analyzing the log file and performing malicious file detection based on preset matching rules. The sample file is run in a virtual machine, a monitoring program running in the virtual machine records the runtime behavior of the sample file to generate the log file, the log file is then matched against extracted feature rules, and malicious file detection of the sample file is thereby achieved. By means of the method, virus analysis efficiency can be greatly improved, and new samples that prior-art anti-virus programs cannot detect, or samples of a specific behavior type, can be found promptly, so that the detection accuracy for virus samples is improved.

Description

Malicious file detection method and device

Technical field

The present invention relates to the field of computer security, and in particular to a malicious file detection method and device based on analysis of runtime behavior logs.

Background technology

At present, as viruses and malware spread unchecked, virus sample analysis technology keeps improving. By analyzing virus samples, analysts can quickly identify a virus and understand its behavior, formulate a corresponding anti-virus strategy, counter the virus effectively, and protect user systems from damage.

Cloud-based anti-virus systems can now obtain the latest samples promptly and effectively, but they also bring in a massive sample repository. Because manual virus analysis is slow and labor-intensive, manual analysis alone cannot cope with the rapidly growing volume of viruses, so various automated virus analysis techniques must be combined to improve analysis efficiency.

Existing virus analysis techniques mainly include heuristic analysis, static analysis, virtual-machine detection, and active defense (real-time protection) detection:

Heuristic virus analysis uses the difference between the behavior pattern of a running virus and that of a normally running program to judge whether a program is a virus. It derives its result by summarizing the runtime behavior of a large number of viruses, for instance extracting behavior-pattern rules from activities such as self-starting, propagation and account theft, and detecting viruses against those rules. However, this analysis is not efficient enough and its detection is not accurate enough.

As for static virus analysis, static analysis within heuristic analysis is relatively simple and fast, but it cannot cope with packed, obfuscated, metamorphic or polymorphic viruses, because such viruses blur their own code with various techniques; static analysis cannot process such samples, understand the virus behavior, or judge its malicious attributes.

Virtual-machine detection can cope with packed viruses, junk instructions, obfuscation and polymorphism. A virtual machine generally simulates the CPU, the file system, memory management and system APIs, and thereby simulates the execution of code; the virus program is executed in the virtual environment rather than for real, the behavior of the software running inside the system is monitored, and those behavior logs are matched against rules. A match indicates that a suspicious sample has been found. However, because a virtual system consumes considerable system resources, this kind of virtual machine does not simulate the whole system completely. A virus can execute some special instructions; if the virtual machine does not simulate such an instruction, the virus can detect that it is running under a virtual machine and change its execution flow, for example by not performing malicious behavior, thus evading detection by the anti-virus software. Moreover, this kind of virtualization is not stable enough and consumes considerable system resources when used on the client, making the user's machine slow.

Active defense (real-time protection) detection hooks some key APIs in the system and records which programs called those APIs and with which parameters. From the sequence of APIs a process calls at run time, the behavior of the program can be roughly understood and its malicious attributes judged; a program judged malicious can be stopped in time. Although this detection technique consumes fewer resources, by the time the virus is detected it may already have run in the system and caused damage. Furthermore, if a virus implements its functions through APIs that the anti-virus software does not hook, it can bypass the active defense system.

Therefore, existing virus sample analysis techniques carry considerable risk in virus detection: they are easily discovered and bypassed by viruses, so detection accuracy is not high, and analysis efficiency is not high either.

Summary of the invention

The main objective of the present invention is to provide a malicious file detection method and device that improve virus detection accuracy and virus analysis efficiency.

To achieve the above objective, the present invention proposes a malicious file detection method comprising:

obtaining a sample file to be detected;

running the sample file, monitoring the runtime behavior of the sample file, and generating a log file;

analyzing the log file, and performing malicious file detection based on preset matching rules.

The present invention also proposes a malicious file detection device comprising:

an acquisition module for obtaining the sample file to be detected;

a run-monitoring module for running the sample file, monitoring its runtime behavior, and generating a log file;

an analysis and detection module for analyzing the log file and performing malicious file detection based on preset matching rules.

In the malicious file detection method and device proposed by the present invention, the sample file is run in a virtual machine, a monitoring program running in the virtual machine records the runtime behavior of the sample file and generates a log file, and the log file is then matched against extracted feature rules to decide whether the sample is malicious. The present invention can greatly improve virus analysis efficiency and can promptly find new samples that current anti-virus software cannot detect, or a class of samples with a specific behavior type, thereby improving the detection accuracy for virus samples.

Description of the drawings

Fig. 1 is a flow diagram of a preferred embodiment of the malicious file detection method of the present invention;

Fig. 2 is a flow diagram of running the sample file, monitoring its runtime behavior and generating the log file in the preferred embodiment of the method;

Fig. 3 is a flow diagram of analyzing the log file and performing malicious file detection based on preset matching rules in the preferred embodiment of the method;

Fig. 4 is a structural diagram of a preferred embodiment of the malicious file detection device of the present invention;

Fig. 5 is a structural diagram of the run-monitoring module in the preferred embodiment of the device;

Fig. 6 is a structural diagram of the analysis and detection module in the preferred embodiment of the device.

To make the technical solution of the present invention clearer, it is described in further detail below with reference to the drawings.

Detailed description of the embodiments

The solution of the embodiments of the present invention is mainly: run the sample file in a virtual machine, run a monitoring program in the virtual machine to record the runtime behavior of the sample file (the file, registry, network and process-related reads, writes and modifications), generate a log file from those records, and then match the log files against extracted feature rules. If a match is found, the sample file is a malicious sample; automated virus behavior analysis is thus realized.

As shown in Fig. 1, a preferred embodiment of the present invention proposes a malicious file detection method comprising:

Step S101: obtain a sample file to be detected;

The source of the sample file to be detected is not restricted; it may, for instance, be downloaded from a designated location.

The obtained sample file to be detected is input to an automated monitoring system.

Taking viruses as an example, the automated monitoring system set up in this embodiment runs viruses automatically in batches, records their runtime behavior to obtain log files, and presents those logs to analysts, so that virus behavior can be understood quickly and manpower saved.

The automated monitoring system can only run exe programs, whereas the downloaded sample files may include many compressed archives (rar, zip, 7z, etc.), dll files, sys files and so on. Therefore all downloaded sample files must first undergo format identification, decompression and filtering: compressed archives are unpacked with a decompression tool, and the exe files among the samples, together with the exe files obtained after decompression, are placed in a fixed folder as the sample source for the automated monitoring system.

Step S102: run the sample file, monitor its runtime behavior, and generate a log file;

As mentioned above, the sample file to be detected is input to the automated monitoring system, which runs the sample file and monitors its runtime behavior to obtain a log file for analysts to inspect, so that the behavior of viruses and other malicious files can be understood quickly.

In this embodiment, the automated monitoring system uses the virtualization software VMware and the monitoring tool Process Monitor. An AutoIt script controls the operation of these tools inside the virtual machine, and the output of the automated control system is the log file of each sample file's runtime behavior (the log file captured by Process Monitor).

The runtime behavior of a sample file includes operations on files, the registry, processes and network information: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were opened or closed; which IP addresses were connected to; and so on.

In addition, because many malicious programs drop other malicious programs after running, the files dropped by these programs must also be hashed to obtain their MD5, which forms part of the log file output by the automated monitoring system. Normally, if the parent file is judged malicious, the child files it drops are likely to be malicious as well.

The virtual-machine detection technique used in the prior art mostly executes on the client and uses a lightweight virtual machine that does not fully simulate the operating system. The automated monitoring system used in this embodiment runs samples in the background and uses the virtualization software VMware, which simulates the operating system more completely and reduces the risk of being discovered and bypassed by the virus.

Step S103: analyze the log file, and perform malicious file detection based on preset matching rules.

After each sample file runs, a Process Monitor log file is generated. By analyzing this log file, the behavior of the sample file at run time can be learned, mainly its operations on files, the registry, processes and network information: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were opened or closed; which IP addresses were connected to; and so on.

In this embodiment, log matching rules are extracted in advance for certain specific samples and used to filter the log file of the current sample file. The log file generated after the sample file runs is matched against these preset matching rules; if the malicious attributes in the log file of a sample match a rule, the sample is the specific malicious file corresponding to that rule.

Specifically, as shown in Fig. 2, in one embodiment of running the sample file, monitoring its runtime behavior and generating the log file, step S102 may comprise:

Step S1021: perform an environment initialization operation on the virtual machine that runs the sample file;

When running the sample file and monitoring its runtime behavior in the automated monitoring system, the virtual machine that runs the sample file must first be initialized by restoring a virtual machine snapshot. The snapshot is a virtual machine environment configured in advance, with a control program, bat files and so on installed. Initializing the virtual machine environment is the preparatory work that lets the virtual machine run the sample file.

Step S1022: copy the sample file to a fixed directory in the virtual machine;

Step S1023: run the sample file in the virtual machine, monitor its runtime behavior during execution with a monitoring tool, and generate a log file.

In this embodiment the sample file must be copied into the virtual machine and run there, and the Process Monitor tool is used to monitor its runtime behavior. Therefore, during monitoring, all executable samples filtered out earlier must be enumerated, and each enumerated sample file goes through one complete automated monitoring pass. This process uses control commands of vmrun.exe, a tool shipped with VMware, to control the operation of the virtual machine from the physical machine.

First, the enumerated sample file is copied to a fixed directory in the virtual machine; then the monitoring program in the virtual machine is run. This program sets a Process Monitor filter to exclude some system programs, runs the sample, terminates its process after a predetermined time (for example 10 s), saves the Process Monitor log file, performs a preliminary analysis of the log, checks the files the sample dropped, and computes their md5 values into a designated file.

Step S1024: copy the log file from the virtual machine to a fixed directory on the physical machine.

Finally, the Process Monitor log file, including the behavior log and the md5 list of dropped files, is copied from the virtual machine to a fixed directory on the physical machine so that the log file can be analyzed.
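The per-sample loop of steps S1021 to S1024, as an added Python example that is not part of the patent: it drives VMware's vmrun.exe with its real subcommands, but the install path, VM file, snapshot name, guest credentials, in-guest directories and the name of the in-guest control program (standing in for the AutoIt script) are all assumptions, and the injectable runner lets the loop be exercised without VMware installed.

```python
"""Drive one sample through steps S1021-S1024 with VMware's vmrun.exe.

Added example (not the patent's code). The vmrun subcommands are real;
every path, the snapshot name, the guest credentials and the in-guest
control program (standing in for the AutoIt script) are assumptions.
"""
import os
import subprocess
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Sequence

VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"  # assumed
VMX = r"C:\vms\analysis\analysis.vmx"            # assumed analysis VM
SNAPSHOT = "clean"                               # assumed snapshot with ProcMon and the control
                                                 # program installed, taken while powered on
GUEST_USER, GUEST_PASS = "analyst", "password"   # assumed guest account
GUEST_SAMPLE_DIR = r"C:\sandbox\sample"          # fixed directory in the VM (S1022)
GUEST_LOG = r"C:\sandbox\out\procmon.csv"        # log written by the in-guest control program
GUEST_MONITOR = r"C:\sandbox\monitor.exe"        # assumed in-guest control program
HOST_LOG_DIR = r"C:\sandbox\logs"                # fixed directory on the physical machine (S1024)

Runner = Callable[[Sequence[str]], None]


def default_runner(cmd: Sequence[str]) -> None:
    """Run a vmrun command on the physical machine; raise if it fails."""
    subprocess.run(cmd, check=True)


def vmrun(*args: str) -> List[str]:
    """Build a vmrun command line for VMware Workstation ('-T ws') with guest credentials."""
    return [VMRUN, "-T", "ws", "-gu", GUEST_USER, "-gp", GUEST_PASS, *args]


def looks_like_pe(head: bytes) -> bool:
    """Format identification (S101): the monitoring system only runs exe files,
    so a file is accepted only if it starts with the PE/DOS 'MZ' magic."""
    return head[:2] == b"MZ"


def enumerate_samples(sample_dir: str) -> List[str]:
    """Enumerate the exe samples in the fixed host folder, in a stable order."""
    found = []
    for entry in sorted(os.listdir(sample_dir)):
        path = os.path.join(sample_dir, entry)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            if looks_like_pe(fh.read(2)):
                found.append(path)
    return found


def monitor_one_sample(sample: str, runner: Runner = default_runner) -> List[List[str]]:
    """Run one sample through S1021-S1024; return the vmrun commands issued."""
    win = PureWindowsPath(sample)
    guest_sample = GUEST_SAMPLE_DIR + "\\" + win.name
    host_log = HOST_LOG_DIR + "\\" + win.stem + ".csv"
    commands = [
        # S1021: reverting discards everything the previous sample changed.
        vmrun("revertToSnapshot", VMX, SNAPSHOT),
        # S1022: copy the sample into the VM's fixed directory.
        vmrun("copyFileFromHostToGuest", VMX, sample, guest_sample),
        # S1023: the control program sets the ProcMon filter, starts the sample,
        # kills it after the fixed time, saves the log and hashes dropped files.
        vmrun("runProgramInGuest", VMX, GUEST_MONITOR, guest_sample, GUEST_LOG),
        # S1024: pull the behavior log back to the physical machine.
        vmrun("copyFileFromGuestToHost", VMX, GUEST_LOG, host_log),
    ]
    for cmd in commands:
        runner(cmd)
    return commands


def monitor_all(samples: Sequence[str], runner: Runner = default_runner) -> Dict[str, str]:
    """Process every sample in turn; map each sample path to its host-side log path."""
    return {s: monitor_one_sample(s, runner)[-1][-1] for s in samples}
```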

As shown in Fig. 3, in one embodiment of analyzing the log file and performing malicious file detection based on preset matching rules, step S103 may comprise:

Step S1031: obtain the log file from the fixed directory on the physical machine;

Step S1032: analyze the runtime behavior recorded in the log file;

Taking viruses as an example, after each virus program runs, a Process Monitor log file is generated; analyzing it reveals the virus's behavior at run time, mainly operations on files, the registry, processes and network information: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were opened or closed; which IP addresses were connected to; and so on.

Step S1033: match the runtime behavior in the log file against the malicious log entries in the preset matching rules;

Step S1034: if the match succeeds, the sample file corresponding to the log file is detected as a malicious file.

Log rules can be extracted for certain specific samples and used to filter logs: if the log file of a sample matches a rule, the sample is the specific virus corresponding to that rule. For example, for a QQ account-stealing Trojan one feature that can be extracted is deletion of QQ's auto-login file; if such a log record is found in a sample's behavior log, the sample can be judged to be a QQ account-stealing Trojan.

Taking the instant-messaging application QQ as an example, current practice involves screening for QQ diamond-brushing programs and for QQ account-stealing Trojans. After a QQ diamond-brushing program runs, it displays categories of various QQ "diamond" services on its interface, prompts the user to enter a QQ number and password, and claims to activate those diamond services (abbreviated as 刷钻, "brushing diamonds"). In essence this is a scam to steal the user's QQ number and password, because these programs cannot actually brush diamonds.

Because QQ diamond-brushing programs mainly rely on social engineering to deceive users and generally do not use technical means to steal QQ passwords, they have no specific behavioral signature. However, the main program window of such programs carries certain specific keywords, and such samples can be matched by those keywords. For QQ diamond-brushing programs, therefore, malicious sample detection is implemented by matching window keywords.

After the sample file runs in the virtual machine, a QQ diamond-brushing detection program is run. It enumerates all windows in the system and the text of their child windows, then searches for the following keywords: brush diamond (listed in two forms in the original), brush Q, red diamond, Q business, QQ password, Q coin, QB. If any is found, the sample is a QQ diamond-brushing program.

Screening for QQ account-stealing Trojans is done by extracting behavior rules. Because such Trojans steal QQ passwords by technical means, for example by replacing some QQ files, the usual screening rules for QQ account-stealing Trojans are:

(1) the QQ.exe process was terminated;

(2) files under the QQ bin directory were accessed (dropped);

(3) QQ's Registry.db file was deleted (this file stores QQ auto-login information; many QQ account-stealing Trojans delete it so that automatic login fails and the user has to re-enter the QQ password, which enables the theft);

(4) the QQ.lnk shortcut file was modified so that it points to the QQ account-stealing Trojan.

When matching against these screening rules, each line of the log file is read and checked for any of the following four strings: QQ.exe together with Process Exit on the same line, QQ Bin, Registry.db, QQ.lnk.

If any of the above four behaviors is present, the sample file corresponding to the log file is judged to be a QQ account-stealing Trojan, and its md5 is recorded in a designated text file.
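The line-matching step just described (the four strings, plus the window-keyword screen for diamond-brushing programs), as an added Python example that is not the patent's code: the log lines and window texts are constructed, and the rule names, the ProcMon CSV column layout and the excluded process list are assumptions.

```python
"""Match a Process Monitor log against the QQ account-stealing Trojan rules
and window texts against the diamond-brushing keywords.

Added example, not the patent's code. SAMPLE_LOG / BENIGN_LOG are constructed;
the rule names, the CSV column order and EXCLUDED_PROCESSES are assumptions.
"""
import csv
import hashlib
import io
from typing import Dict, Iterable, List, Optional, Tuple

# Each rule lists the substrings that must ALL appear on one log line.
# Rule (1) needs two strings on the same line, as the patent specifies.
TROJAN_RULES: Dict[str, Tuple[str, ...]] = {
    "qq_process_killed": ("QQ.exe", "Process Exit"),  # (1) QQ.exe terminated
    "qq_bin_touched":    ("QQ Bin",),                 # (2) file under QQ's bin directory
    "registry_db_gone":  ("Registry.db",),            # (3) auto-login file deleted
    "qq_lnk_modified":   ("QQ.lnk",),                 # (4) shortcut repointed
}

# English renderings of the patent's window keywords (the original is Chinese).
BRUSH_KEYWORDS = ("brush diamond", "brush Q", "red diamond", "Q business",
                  "QQ password", "Q coin", "QB")

# Stand-in for the ProcMon filter that drops some system programs (assumed set).
EXCLUDED_PROCESSES = {"System", "svchost.exe", "Procmon.exe"}

# Assumed column order of a ProcMon CSV export.
COLUMNS = ("time", "process", "pid", "operation", "path", "result", "detail")


def parse_procmon_csv(text: str) -> List[dict]:
    """Parse CSV export lines into records, dropping excluded processes."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    return [rec for rec in reader if rec["process"] not in EXCLUDED_PROCESSES]


def line_text(rec: dict) -> str:
    """Flatten a record to one string. Backslashes become spaces so that a real
    path such as ...\\Tencent\\QQ\\Bin\\x.dll also satisfies the literal
    'QQ Bin' string the patent matches on."""
    return " ".join(rec[c] or "" for c in COLUMNS).replace("\\", " ")


def match_rules(records: Iterable[dict]) -> List[str]:
    """Names of every rule satisfied by at least one single log line."""
    hits: List[str] = []
    for rec in records:
        text = line_text(rec)
        for name, needles in TROJAN_RULES.items():
            if name not in hits and all(n in text for n in needles):
                hits.append(name)
    return hits


def match_window_keywords(window_texts: Iterable[str]) -> Optional[str]:
    """First keyword found in any window or child-window text (case-insensitive)."""
    for text in window_texts:
        low = text.lower()
        for kw in BRUSH_KEYWORDS:
            if kw.lower() in low:
                return kw
    return None


def classify_sample(sample_bytes: bytes, procmon_csv: str,
                    window_texts: Iterable[str] = ()) -> dict:
    """Apply the log rules first, then the keyword screen; record the md5 of
    the sample as the patent's designated text file does."""
    rules = match_rules(parse_procmon_csv(procmon_csv))
    keyword = match_window_keywords(window_texts)
    if rules:
        verdict = "qq_account_stealing_trojan"
    elif keyword:
        verdict = "qq_diamond_brushing_program"
    else:
        verdict = "no_match"
    return {"md5": hashlib.md5(sample_bytes).hexdigest(), "verdict": verdict,
            "rules": rules, "keyword": keyword}


# Constructed log (not a real capture): the sample kills QQ.exe, deletes the
# auto-login file and rewrites the desktop shortcut.
SAMPLE_LOG = """\
10:01:02.1,sample.exe,1234,CreateFile,C:\\Users\\u\\Desktop\\sample.exe,SUCCESS,
10:01:02.5,QQ.exe,2000,Process Exit,,SUCCESS,Exit Status: 1
10:01:03.0,sample.exe,1234,SetDispositionInformationFile,C:\\Users\\u\\AppData\\Roaming\\Tencent\\QQ\\Registry.db,SUCCESS,Delete: True
10:01:03.2,sample.exe,1234,WriteFile,C:\\Users\\u\\Desktop\\QQ.lnk,SUCCESS,Length: 1024
10:01:03.5,svchost.exe,800,RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion,SUCCESS,
"""

# Constructed benign log: an editor touching a document.
BENIGN_LOG = "10:02:00.0,notepad.exe,1500,CreateFile,C:\\Users\\u\\Documents\\notes.txt,SUCCESS,\n"

if __name__ == "__main__":
    print(classify_sample(b"MZ constructed sample", SAMPLE_LOG))
```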

In practice, a scheduled task can be configured to run the automated monitoring system once a day, obtain QQ diamond-brushing programs and QQ account-stealing Trojans from the previous day's sample files, and continuously monitor the popularity and spread of these samples, so that the most popular and widespread sample files are singled out for priority handling.

The following experimental data were obtained by testing the automated monitoring system. The average time set for monitoring one sample file was 45 s. Several batches of samples were tested (all samples obtained in one day by "diamond-brushing keyword filtering" and "QQ directory monitoring"; QQ directory monitoring means monitoring the files dropped into the QQ directory, since many account-stealing Trojans drop a DLL there to steal accounts, and because the automation here runs EXE programs automatically, most of the EXE programs found are in fact QQ account-stealing Trojans). Four batches were drawn at random, as follows:

The diamond-brushing keyword filtering sample data are shown in Table 1 below:

Sample count    Detected diamond-brushing samples    Proportion
328             110                                  33.5%
607             252                                  41.5%
370             138                                  37.3%
308             152                                  49.3%

Table 1

The QQ directory monitoring sample data are shown in Table 2 below:

Table 2

In this embodiment, the sample file is run in a virtual machine, a monitoring program in the virtual machine records its runtime behavior and generates a log file, and the log file is matched against extracted feature rules to detect whether the sample is malicious. This greatly improves virus analysis efficiency and promptly finds new samples that current anti-virus software cannot detect, or a class of samples with a specific behavior type, thereby improving the detection accuracy for virus samples.

Moreover, any later need to mine for specific samples can be met by analyzing the samples' log files, so the scheme of this embodiment has a wide range of applications and serves as a reference for mining specific or newly emerged sample files from a massive sample repository.

As shown in Fig. 4, a preferred embodiment of the present invention proposes a malicious file detection device comprising an acquisition module 401, a run-monitoring module 402 and an analysis and detection module 403, wherein:

the acquisition module 401 is used to obtain the sample file to be detected;

the run-monitoring module 402 is used to run the sample file, monitor its runtime behavior, and generate a log file;

the analysis and detection module 403 is used to analyze the log file and perform malicious file detection based on preset matching rules.

The source of the sample file to be detected is not restricted (it may, for instance, be downloaded from a designated location), and the sample file obtained by the acquisition module 401 is input to the automated monitoring system.

Sample preparation (format identification, decompression and filtering of exe files), the automated monitoring system built on VMware, Process Monitor and an AutoIt script, the runtime behaviors recorded, the MD5 hashing of dropped files, and the advantage of a more completely simulated operating system over the client-side virtual machines of the prior art are as described above for steps S101 and S102 of the method.

After each sample file runs, a Process Monitor log file is generated. By analyzing this log file, the run-monitoring module 402 can learn the behavior of the sample file at run time, mainly its operations on files, the registry, processes and network information: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were opened or closed; which IP addresses were connected to; and so on.

In this embodiment, log matching rules are extracted in advance for certain specific samples and used to filter the log file of the current sample file. The analysis and detection module 403 matches the log file generated after the sample file runs against these preset matching rules; if the malicious attributes in the log file of a sample match a rule, the sample is the specific malicious file corresponding to that rule.

Specifically, as shown in Fig. 5, in one embodiment of running the sample file, monitoring its runtime behavior and generating the log file, the run-monitoring module 402 may comprise an initialization unit 4021, a copy unit 4022 and a run-monitoring unit 4023, wherein:

the initialization unit 4021 is used to perform an environment initialization operation on the virtual machine that runs the sample file;

the copy unit 4022 is used to copy the sample file to a fixed directory in the virtual machine;

the run-monitoring unit 4023 is used to run the sample file in the virtual machine, monitor its runtime behavior during execution with a monitoring tool, and generate a log file.

The copy unit 4022 is also used to copy the log file from the virtual machine to a fixed directory on the physical machine.

The snapshot-based initialization, the per-sample copy into the virtual machine, the Process Monitor monitoring under vmrun.exe control, the termination of the sample after the predetermined time, the md5 calculation of dropped files and the copy of the log file back to the physical machine proceed as described above for steps S1021 to S1024 of the method.

As shown in Fig. 6, in one embodiment of analyzing the log file and performing malicious file detection based on preset matching rules, the analysis and detection module 403 may comprise an acquiring unit 4031, an analysis unit 4032, a matching unit 4033 and a detection unit 4034, wherein:

the acquiring unit 4031 is used to obtain the log file from the fixed directory on the physical machine;

the analysis unit 4032 is used to analyze the runtime behavior recorded in the log file;

the matching unit 4033 is used to match the runtime behavior in the log file against the malicious log entries in the preset matching rules;

the detection unit 4034 is used to detect the sample file corresponding to the log file as a malicious file when the runtime behavior in the log file successfully matches the malicious log entries in the preset matching rules.

Take virus as example, after each Virus operation, can generate the journal file of a ProcessMonitor, the behavior can recognize virus operation by analyzing this journal file time, mainly comprises the associative operations such as file, registration table, process, the network information.As generated, access, deleted any file; Arrange, newly-built, deleted which registry entry; Open, closed which process; The information such as which ip address are connected.

Can extract daily record rule for some specific samples and filter daily record, if the journal file of certain sample has matched certain rule, illustrate that this sample is the specific virus that this rule is corresponding.Such as for QQ Trojan for stealing numbers, can extract a feature and be: delete the automatic log file of QQ, therefore, if find there is such log recording in the user behaviors log of a sample, can judge that this sample is QQ Trojan for stealing numbers.

Take instant messaging QQ as example, at present in actual applications, can relate to the screening of QQ brush brill program and the screening of QQ Trojan for stealing numbers, after the operation of QQ brush brill program, can on interface, show the classification of the various brills of QQ business, then point out user to input QQ number and password, and open the business of various brills (being called for short brush bores), its essence is user cheating, steal user's QQ number and password, because in fact these application programs can not brush brill.

Because QQ brush brill program is mainly to utilize social engineering method user cheating, generally do not adopt technical method to steal QQ password, there is no specific behavioural characteristic, but there are some specific key words on the master routine interface of this class brush brill program, can mate this class sample by these key words, therefore for QQ brush brill program, be the detection that realizes malice sample by the key word of match window.

After sample file moves in virtual machine, move a QQ brush and bore trace routine, this program can be enumerated the word of the subwindow of all windows in system and these windows, then search and whether comprise following key word: brush bores, brush bores, brush Q, red brill, Q business, QQ password, Q coin, QB, if found, show that this sample is a QQ brush brill program.
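The window-keyword check described above, as an added illustration that is not code from the patent: on Windows it walks every top-level window and its child windows through user32 with ctypes and collects their text; the keyword matcher itself is a pure function, so the same logic can be exercised against constructed window titles on any platform. The Chinese keyword strings are my assumed back-translation of the page's machine-translated keyword list, not values taken from the patent.

```python
import ctypes
import sys

# Keyword list from the embodiment.  The Chinese strings are an ASSUMED
# back-translation of the machine-translated page ("brush bores" -> 刷钻,
# "red brill" -> 红钻, "Q business" -> Q业务, "Q coin" -> Q币).
DIAMOND_BRUSH_KEYWORDS = ("刷钻", "刷Q", "红钻", "Q业务", "QQ密码", "Q币", "QB")


def enumerate_window_texts():
    """Collect the text of every top-level window and of each of its child
    windows via user32.EnumWindows / EnumChildWindows / GetWindowTextW.
    Windows only; returns an empty list on other platforms."""
    texts = []
    if sys.platform != "win32":
        return texts
    user32 = ctypes.windll.user32
    EnumProc = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p)
    # Declare argument types so 64-bit window handles are not truncated.
    user32.GetWindowTextW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_int]
    user32.EnumWindows.argtypes = [EnumProc, ctypes.c_void_p]
    user32.EnumChildWindows.argtypes = [ctypes.c_void_p, EnumProc, ctypes.c_void_p]

    def grab(hwnd, _lparam):
        buf = ctypes.create_unicode_buffer(1024)
        if user32.GetWindowTextW(hwnd, buf, 1024) > 0:
            texts.append(buf.value)
        return 1                      # non-zero: keep enumerating

    child_cb = EnumProc(grab)         # kept alive for the whole enumeration

    def top(hwnd, lparam):
        grab(hwnd, lparam)            # the top-level window's own title
        user32.EnumChildWindows(hwnd, child_cb, 0)   # labels, buttons, edit boxes...
        return 1

    user32.EnumWindows(EnumProc(top), 0)
    return texts


def match_window_texts(texts, keywords=DIAMOND_BRUSH_KEYWORDS):
    """Return [(window_text, keyword)] for every window text that contains a
    keyword (case-insensitive substring match, as for "QB"/"qb")."""
    hits = []
    for text in texts:
        folded = text.casefold()
        for kw in keywords:
            if kw.casefold() in folded:
                hits.append((text, kw))
    return hits


def looks_like_diamond_brusher(texts=None):
    """Verdict for the running system, or for a supplied list of window texts."""
    if texts is None:
        texts = enumerate_window_texts()
    return bool(match_window_texts(texts))


if __name__ == "__main__":
    for text, kw in match_window_texts(enumerate_window_texts()):
        print(f"keyword {kw!r} in window {text!r}")
```

Because this check reads only window text, it has to run while the sample's window is still up, which is why the embodiment runs it after the sample has been started in the virtual machine and before the run is cut off.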

Screening for QQ account-stealing Trojans is done by extracting behavior rules. Because this class of Trojan steals the QQ password by technical means, for example by replacing some of QQ's files, the screening rules commonly used for QQ account-stealing Trojans are as follows:

(1) the QQ.exe process was terminated;

(2) a file under the QQ bin directory was accessed (or dropped);

(3) QQ's Registry.db file was deleted (this file holds QQ's automatic-login information; many QQ account-stealing Trojans delete it so that automatic login fails and the user has to type the QQ password again, which is how the account is stolen);

(4) the QQ.lnk shortcut file was modified so that it points to the QQ account-stealing Trojan.

When matching against these screening rules, every line of the log file is read and checked for any of the following four character strings: "QQ.exe" together with "Process Exit" on the same line; "QQ Bin"; "Registry.db"; "QQ.lnk".

If any of the four behaviors above is present, the sample file corresponding to the log file is judged to be a QQ account-stealing Trojan, and its md5 is recorded in the specified text file.
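The log-matching step from the two passages above (the general "match log lines against preset rules" of the analysis and detection module, and the four concrete QQ account-stealing rules), written out as an added example that is not code from the patent. Each rule is a tuple of substrings that must all occur on one log line, so the "QQ.exe and Process Exit on the same line" conjunction and the three single-string rules share one representation. The log is a constructed Process Monitor CSV export with the standard column headers; the process names, paths and the noise filter list are constructed placeholders.

```python
import csv
import hashlib
import io

# Preset matching rules from the embodiment: a rule fires on any log line that
# contains every substring in its tuple.
QQ_STEALER_RULES = {
    "closed the QQ.exe process":           ("QQ.exe", "Process Exit"),
    "accessed/dropped a file under QQ Bin": ("QQ Bin",),
    "deleted Registry.db":                 ("Registry.db",),
    "modified the QQ.lnk shortcut":        ("QQ.lnk",),
}

# Process names the in-guest ProcMon filter would have excluded (constructed list).
SYSTEM_NOISE = {"System", "svchost.exe", "explorer.exe", "Procmon.exe"}

# Constructed ProcMon CSV export: line 1 is the header, lines 3-5 are the
# sample's QQ-related activity, line 6 is system noise that must be ignored.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","sample.exe","1234","Process Create","C:\sandbox\sample.exe","SUCCESS","PID: 1234"
"10:00:02.0000000","QQ.exe","5678","Process Exit","C:\Program Files\Tencent\QQ\Bin\QQ.exe","SUCCESS","Exit Status: 0"
"10:00:03.0000000","sample.exe","1234","SetDispositionInformationFile","C:\Users\test\AppData\Roaming\Tencent\QQ\Registry.db","SUCCESS","Delete: True"
"10:00:04.0000000","sample.exe","1234","WriteFile","C:\Users\Public\Desktop\QQ.lnk","SUCCESS","Offset: 0"
"10:00:05.0000000","svchost.exe","820","RegQueryValue","HKLM\SOFTWARE\Tencent\QQ.lnk","SUCCESS","Type: REG_SZ"
'''

CLEAN_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","sample.exe","1234","CreateFile","C:\sandbox\readme.txt","SUCCESS","Desired Access: Read"
'''


def scan_log(log_text, rules=QQ_STEALER_RULES):
    """Read the log line by line (as the embodiment does) and return
    [(line_no, rule_name, process_name)] for every line that matches a rule.
    Lines from filtered system processes are skipped."""
    lines = log_text.splitlines()
    if not lines:
        return []
    header = next(csv.reader([lines[0]]))
    hits = []
    for line_no, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        row = dict(zip(header, next(csv.reader([line]))))
        if row.get("Process Name") in SYSTEM_NOISE:
            continue
        for name, needles in rules.items():
            if all(s in line for s in needles):       # substring test on the raw line
                hits.append((line_no, name, row.get("Process Name")))
    return hits


def classify(log_text):
    """Verdict for one sample's log: any rule hit marks it as a QQ account stealer."""
    return "QQ account-stealing Trojan" if scan_log(log_text) else "no rule matched"


def sample_md5(sample_bytes):
    return hashlib.md5(sample_bytes).hexdigest()


def record_hit(sample_bytes, log_text, out_path):
    """Append the sample's md5 to the specified text file when a rule fires;
    returns the hits so the caller can see which rules matched."""
    hits = scan_log(log_text)
    if hits:
        with open(out_path, "a", encoding="utf-8") as fh:
            fh.write(sample_md5(sample_bytes) + "\n")
    return hits


if __name__ == "__main__":
    for line_no, rule, proc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule} (process {proc})")
    print(classify(SAMPLE_LOG))
```

The rules are deliberately coarse substring tests, exactly as the text describes; the noise filter matters because an unrelated system process touching a QQ path (line 6 of the constructed log) would otherwise produce a false positive.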

In practical use, a scheduled task can be configured to run the automatic monitoring system once a day, obtaining the QQ diamond-brushing programs and QQ account-stealing Trojans among the previous day's sample files; by continuously monitoring the popularity and spread of these sample files, the sample files with the greatest popularity and spread can be identified for priority handling.

This example obtained the following experimental data by testing the automatic monitoring system. The average time configured for the automatic monitoring system to monitor one sample file was 45 s. Several batches of samples were tested (all samples obtained in one day by "diamond-brushing keyword filtering" and "QQ directory monitoring"; QQ directory monitoring watches for files dropped into the QQ directory, because many account-stealing Trojans drop a DLL into that directory to steal the account, and since the automation here runs EXE programs automatically, most of the EXE programs found are in fact QQ account-stealing Trojans), and four batches of data were drawn at random. The diamond-brushing keyword-filtering sample data are shown in Table 1, and the QQ directory monitoring sample data in Table 2.

In this embodiment the sample file is run in a virtual machine while a monitoring program running in the virtual machine records the sample file's operation behavior and generates a log file; the log files are then matched against extracted feature rules, and finally malicious file detection of the sample file is achieved. This can greatly improve the efficiency of virus analysis and can promptly discover new samples that current anti-virus software cannot detect, or a class of samples with a specific type of behavior, thereby improving the detection accuracy of virus samples.

Moreover, any subsequent need to mine for specific samples can be met by analyzing the samples' log files, so the scheme of this embodiment has a wide range of applications and serves as a reference for mining specific sample files, or the newest samples, from a massive collection of sample files.

The foregoing are merely preferred embodiments of the present invention and do not limit the scope of its claims; every equivalent structural or flow transformation made using the contents of the description and drawings of the present invention, or direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (11)

1. A malicious file detection method, characterized in that it comprises:
obtaining a sample file to be detected;
running the sample file, monitoring the operation behavior of the sample file, and generating a log file;
analyzing the log file, and performing malicious file detection based on preset matching rules.
2. The method according to claim 1, characterized in that, after the step of obtaining the sample file to be detected, it further comprises:
performing format identification, decompression and/or screening processing on the sample file to obtain a runnable sample file.
3. The method according to claim 1, characterized in that the step of running the sample file, monitoring the operation behavior of the sample file and generating a log file comprises:
performing an environment initialization operation on the virtual machine that runs the sample file;
copying the sample file to a fixed directory of the virtual machine;
running the sample file in the virtual machine, monitoring the operation behavior of the sample file during the run by means of a monitoring tool, and generating a log file.
4. The method according to claim 3, characterized in that the step of running the sample file, monitoring the operation behavior of the sample file and generating a log file further comprises:
copying the log file from the virtual machine to a fixed directory of the physical machine.
5. The method according to claim 4, characterized in that the step of analyzing the log file and performing malicious file detection based on preset matching rules comprises:
obtaining the log file from the fixed directory of the physical machine;
analyzing the operation behavior in the log file;
matching the operation behavior in the log file against the malicious log entries in the preset matching rules;
if the match succeeds, determining that the sample file corresponding to the log file is a malicious file.
6. The method according to any one of claims 1-5, characterized in that the operation behavior comprises operations related to files, the registry, processes and/or network information, and the log file comprises a behavior log and an md5 list of the child files dropped after the sample file runs.
7. A malicious file detection device, characterized in that it comprises:
an acquisition module for obtaining a sample file to be detected;
a running and monitoring module for running the sample file, monitoring the operation behavior of the sample file, and generating a log file;
an analysis and detection module for analyzing the log file and performing malicious file detection based on preset matching rules.
8. The device according to claim 7, characterized in that the acquisition module is further configured to perform format identification, decompression and/or screening processing on the sample file to obtain a runnable sample file.
9. The device according to claim 7 or 8, characterized in that the running and monitoring module comprises:
an initialization unit for performing an environment initialization operation on the virtual machine that runs the sample file;
a copying unit for copying the sample file to a fixed directory of the virtual machine;
a running and monitoring unit for running the sample file in the virtual machine, monitoring the operation behavior of the sample file during the run by means of a monitoring tool, and generating a log file.
10. The device according to claim 9, characterized in that the copying unit is further configured to copy the log file from the virtual machine to a fixed directory of the physical machine.
11. The device according to claim 9, characterized in that the analysis and detection module comprises:
an acquiring unit for obtaining the log file from the fixed directory of the physical machine;
an analysis unit for analyzing the operation behavior in the log file;
a matching unit for matching the operation behavior in the log file against the malicious log entries in the preset matching rules;
a detecting unit for determining that the sample file corresponding to the log file is a malicious file when the operation behavior in the log file matches a malicious log entry in the preset matching rules.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210478566.6A CN103839003B (en) 2012-11-22 2012-11-22 Malicious file detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210478566.6A CN103839003B (en) 2012-11-22 2012-11-22 Malicious file detection method and device

Publications (2)

Publication Number Publication Date
CN103839003A true CN103839003A (en) 2014-06-04
CN103839003B CN103839003B (en) 2018-01-30

Family

ID=50802488

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210478566.6A CN103839003B (en) 2012-11-22 2012-11-22 Malicious file detection method and device

Country Status (1)

Country Link
CN (1) CN103839003B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protecting method based on programm behaviour analysis
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
CN101593249A (en) * 2008-05-30 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of apocrypha analytical approach and system
US20090320009A1 (en) * 2008-06-20 2009-12-24 Vmware, Inc. Decoupling dynamic program analysis from execution in virtual environments
CN101788915A (en) * 2010-02-05 2010-07-28 北京工业大学 White list updating method based on trusted process tree
CN101986323A (en) * 2009-10-01 2011-03-16 卡巴斯基实验室封闭式股份公司 Method and system for detection of previously unknown malware
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653947A (en) * 2014-11-11 2016-06-08 中国移动通信集团公司 Method and device for assessing application data security risk
CN105791250A (en) * 2014-12-26 2016-07-20 北京奇虎科技有限公司 Application detection method and device
CN105897807A (en) * 2015-01-14 2016-08-24 江苏博智软件科技有限公司 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics
WO2017028459A1 (en) * 2015-08-18 2017-02-23 安一恒通(北京)科技有限公司 Program monitoring method and apparatus
CN105204973A (en) * 2015-09-25 2015-12-30 浪潮集团有限公司 Abnormal behavior monitoring and analysis system and method based on virtual machine technology under cloud platform
CN105224867A (en) * 2015-10-27 2016-01-06 成都卫士通信息产业股份有限公司 A kind of based on the Host Security reinforcement means under virtualized environment
CN106611122A (en) * 2015-10-27 2017-05-03 国家电网公司 Virtual execution-based unknown malicious program offline detection system
CN105590059A (en) * 2015-12-18 2016-05-18 北京奇虎科技有限公司 Method and device for detecting virtual machine escape
CN105608374B (en) * 2015-12-18 2019-04-19 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN105590059B (en) * 2015-12-18 2019-04-23 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN105631320B (en) * 2015-12-18 2019-04-19 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN105631320A (en) * 2015-12-18 2016-06-01 北京奇虎科技有限公司 Detection method and device of virtual machine escape
CN106599684A (en) * 2015-12-30 2017-04-26 哈尔滨安天科技股份有限公司 Detection method and system of entity file-free malicious code
CN105574205A (en) * 2016-01-18 2016-05-11 国家电网公司 Dynamic log analyzing system for distributed computing environment
CN105574205B (en) * 2016-01-18 2019-03-19 国家电网公司 The log dynamic analysis system of distributed computing environment
CN105912932A (en) * 2016-04-08 2016-08-31 周宏斌 Threatening behavior detection system and method
CN105791323A (en) * 2016-05-09 2016-07-20 国家电网公司 Novel defending method and device for unknown malicious software
CN106055976A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox controller
CN106130960A (en) * 2016-06-12 2016-11-16 微梦创科网络科技(中国)有限公司 Judgement system, load dispatching method and the device of steal-number behavior
CN106130960B (en) * 2016-06-12 2019-08-09 微梦创科网络科技(中国)有限公司 Judgement system, load dispatching method and the device of steal-number behavior
CN106130966A (en) * 2016-06-20 2016-11-16 北京奇虎科技有限公司 A kind of bug excavation detection method, server, device and system
CN106130966B (en) * 2016-06-20 2019-07-09 北京奇虎科技有限公司 A kind of bug excavation detection method, server, device and system
CN106709326A (en) * 2016-11-24 2017-05-24 北京奇虎科技有限公司 Processing method and device for suspicious sample
WO2018095099A1 (en) * 2016-11-24 2018-05-31 北京奇虎科技有限公司 Method and device for processing suspicious samples
CN106557701B (en) * 2016-11-28 2019-09-06 北京奇虎科技有限公司 Kernel leak detection method and device based on virtual machine
CN106682513A (en) * 2016-11-28 2017-05-17 北京奇虎科技有限公司 Detection method for target sample file and device
CN106557701A (en) * 2016-11-28 2017-04-05 北京奇虎科技有限公司 kernel leak detection method and device based on virtual machine
CN106778246A (en) * 2016-12-01 2017-05-31 北京奇虎科技有限公司 The detection method and detection means of sandbox virtualization
CN108256325A (en) * 2016-12-29 2018-07-06 中移(苏州)软件技术有限公司 A kind of method and apparatus of the detection of malicious code mutation
CN108363919A (en) * 2017-10-19 2018-08-03 北京安天网络安全技术有限公司 A kind of virus special anti-virus tool generation method and system

Also Published As

Publication number Publication date
CN103839003B (en) 2018-01-30

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant