CN103839003B - Malicious file detection method and device - Google Patents


Info

Publication number
CN103839003B
Authority
CN
China
Prior art keywords
file
sample
journal
journal file
virtual machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210478566.6A
Other languages
Chinese (zh)
Other versions
CN103839003A (en)
Inventor
李萌萌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201210478566.6A
Publication of CN103839003A
Application granted
Publication of CN103839003B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a malicious file detection method and device. The method includes: obtaining a sample file to be detected; running the sample file, monitoring its runtime behaviour and generating a log file; and analysing the log file and performing malicious file detection based on preset matching rules. The invention runs the sample file in a virtual machine, runs a monitoring program in the virtual machine to record the runtime behaviour of the sample file and thereby generate log files, and then matches these log files against extracted characteristic rules to finally realise malicious detection of the sample file. The invention greatly improves virus analysis efficiency and can promptly find new samples that current anti-virus software cannot detect, or samples of a certain class that exhibit a specific behaviour type, thereby improving the detection accuracy of virus samples.

Description

Malicious file detection method and device
Technical field
The present invention relates to the field of computer security technology, and more particularly to a malicious file detection method and device based on analysis of runtime behaviour logs.
Background technology
At present, viruses and malware spread unchecked, and virus sample analysis technology is improving continuously in response. Through virus sample analysis, analysts can quickly identify a virus and understand its behaviour, formulate a corresponding anti-virus strategy, intercept the virus effectively and protect user systems from damage.
Cloud-based anti-virus systems can now obtain the newest samples promptly, but they also bring massive sample libraries. Because manual analysis of a virus is time-consuming, manual analysis alone cannot keep up with the rapidly growing number of viruses, so various automated virus analysis techniques must be combined to improve analysis efficiency.
Existing virus analysis technology mainly includes heuristic virus analysis, static anti-virus analysis, virtual machine virus detection and active defence (real-time defence) detection, where:
Heuristic virus analysis judges whether a program is a virus from the difference between the behaviour patterns of viruses and of normal programs at runtime. The analysis result is derived by summarising the runtime behaviour of a large number of viruses: for example, behaviours such as self-starting, propagation and account theft are summarised into behaviour pattern rules, and viruses are detected with those rules. However, the efficiency of this kind of analysis is not high, and the detection is not accurate enough.
Static anti-virus analysis is simpler than heuristic analysis and fast at detecting, but it cannot cope with packed, obfuscated, deformed or polymorphic viruses: such viruses obscure their own code through various techniques, and static analysis cannot process such samples to understand the virus behaviour and judge whether it is malicious.
Virtual machine virus detection can be used to cope with packed, junk-instruction, obfuscated and polymorphic viruses. The virtual machine typically simulates the CPU, the file and memory management systems and the system API, and thereby simulates the execution of code; the virus program is executed in the virtual environment of the virtual machine rather than really executed, its behaviour in the system during execution is monitored, and the resulting behaviour logs are matched against rules, a match indicating that a suspicious sample has been found. However, because a virtual system consumes considerable system resources, this kind of virtual machine does not simulate the whole system completely. A virus can execute some special instruction; if the virtual machine does not simulate that instruction, the virus can detect that it is running under a virtual machine and change its execution flow, for example by not performing its malicious actions, and thereby escape detection by the anti-virus software. In addition, this kind of virtualisation is not stable enough and consumes considerable system resources when used on a client, slowing down the user's machine.
Active defence (real-time defence) detection hooks some key APIs in the system and records which programs call these APIs and with which parameters. From the sequence of API calls made by a process at runtime, the behaviour of the program can be broadly understood and its malicious attribute judged; once a program is judged malicious, it can be prevented from executing in time. Although this detection technique consumes fewer resources, by the time the virus is detected it may already have run in the system and caused damage. Moreover, if the virus implements its function using APIs that the anti-virus software does not hook, it can bypass the active defence system.
Therefore, existing virus sample analysis techniques carry a considerable risk of being discovered and bypassed by the virus, so that detection accuracy is not high and virus analysis efficiency is not high either.
The content of the invention
The main object of the present invention is to provide a malicious file detection method and device, aiming to improve virus detection accuracy and virus analysis efficiency.
To achieve the above object, the present invention proposes a malicious file detection method, including:
obtaining a sample file to be detected;
running the sample file, monitoring the runtime behaviour of the sample file and generating a log file;
analysing the log file and performing malicious file detection based on preset matching rules.
The present invention also proposes a malicious file detection device, including:
an acquisition module, for obtaining a sample file to be detected;
a run monitoring module, for running the sample file, monitoring the runtime behaviour of the sample file and generating a log file;
an analysis detection module, for analysing the log file and performing malicious file detection based on preset matching rules.
The malicious file detection method and device proposed by the present invention run the sample file in a virtual machine, then run a monitoring program in the virtual machine to record the runtime behaviour of the sample file and thereby generate log files, and then match these log files against extracted characteristic rules to finally realise malicious detection of the sample file. The present invention can greatly improve virus analysis efficiency, and can promptly find new samples that current anti-virus software cannot detect, or samples of a certain class that exhibit a specific behaviour type, thereby improving the detection accuracy of virus samples.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a preferred embodiment of the malicious file detection method of the present invention;
Fig. 2 is a schematic flow chart of running the sample file, monitoring its runtime behaviour and generating a log file in the preferred embodiment of the malicious file detection method of the present invention;
Fig. 3 is a schematic flow chart of analysing the log file and performing malicious file detection based on preset matching rules in the preferred embodiment of the malicious file detection method of the present invention;
Fig. 4 is a structural diagram of a preferred embodiment of the malicious file detection device of the present invention;
Fig. 5 is a structural diagram of the run monitoring module in the preferred embodiment of the malicious file detection device of the present invention;
Fig. 6 is a structural diagram of the analysis detection module in the preferred embodiment of the malicious file detection device of the present invention.
To make the technical scheme clearer, it is described in further detail below with reference to the accompanying drawings.
Embodiment
The solution of the embodiment of the present invention is mainly as follows: run the sample file in a virtual machine, and run a monitoring program in the virtual machine to record the runtime behaviour of the sample file, including reads, writes and modifications of files, the registry, the network and processes related to the sample file, thereby generating a log file; then match these log files against extracted characteristic rules. If a match occurs, the sample file is shown to be a malicious sample, so that automatic analysis of virus behaviour is realised.
As shown in Fig. 1, the preferred embodiment of the present invention proposes a malicious file detection method, including:
Step S101: obtain a sample file to be detected;
The source of the sample file to be detected is not limited; for example, it may be downloaded from a specified location.
The obtained sample file to be detected is input to an automated monitoring system.
Taking viruses as an example, the automated monitoring system set up in this embodiment runs viruses automatically in batches and records their runtime behaviour into log files for analysts to examine, so that virus behaviour can be understood quickly and manpower saved.
The automated monitoring system can only run exe programs, whereas the downloaded sample files may include many compressed packages (rar, zip, 7z and so on) and files such as dll and sys. Therefore, all downloaded sample files must first undergo format identification, decompression and screening: compressed packages are decompressed with a decompression tool, and the exe files among the samples and the exe files obtained after decompression are filtered out and placed in a fixed folder as the sample source for the automated monitoring system to run.
Step S102: run the sample file, monitor the runtime behaviour of the sample file and generate a log file;
As stated above, the sample file to be detected is first input to the automated monitoring system, which runs the sample file, monitors its runtime behaviour and obtains a log file for analysts to examine, so that the behaviour of viruses and other malicious files can be understood quickly.
In the automated monitoring system, this embodiment uses the VMware virtualisation software and the ProcessMonitor monitoring tool; the operation of these tools inside the virtual machine is controlled by AutoIt scripts. The file output by the automated monitoring system is the log file of each sample file's runtime behaviour (the log file obtained by ProcessMonitor monitoring).
The runtime behaviour of the sample file includes the operations related to files, the registry, processes and network information: which files are created, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; which IP addresses are connected to; and similar information.
Further, since many malicious programs release other malicious programs after running, the files released by these malicious programs also need to be processed: their MD5 values are computed and form part of the log file output by the automated monitoring system. Normally, if the parent file is judged malicious, the child files it releases are likely to be malicious too.
The virtual machine detection techniques used in the prior art are mostly executed on the client, use a simple virtual machine and do not fully simulate the operating system. The automated monitoring system used in this embodiment runs the samples in the background using the VMware virtualisation software, can simulate the operating system more completely, and can reduce the risk of being discovered and bypassed by the virus.
Step S103: analyse the log file and perform malicious file detection based on preset matching rules.
A ProcessMonitor log file is generated after each sample file runs. By analysing the log file, the behaviour of the sample file at runtime can be learned, mainly the operations related to files, the registry, processes and network information: for example, which files are created, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; which IP addresses are connected to; and similar information.
In this embodiment, log matching rules are extracted in advance for certain specific samples and used to filter the log files of the current sample files. The log file generated after a sample file runs is matched against the preset matching rules described above; if the log file of a sample file matches a rule in respect of its malicious attribute, the sample file is shown to be the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 2, in one embodiment of running the sample file, monitoring its runtime behaviour and generating a log file, step S102 may include:
Step S1021: perform a context initialisation operation on the virtual machine used to run the sample file;
When running the sample file in the automated monitoring system and monitoring its runtime behaviour, the virtual machine used to run the sample file must first be context-initialised in the automated monitoring system, that is, the virtual machine snapshot is restored. The snapshot is a virtual machine environment configured in advance, in which the control program, bat files and the like are installed. Context-initialising the virtual machine prepares it to run the sample file.
Step S1022: copy the sample file to a fixed directory of the virtual machine;
Step S1023: run the sample file in the virtual machine, monitor the runtime behaviour of the sample file with a monitoring tool, and generate a log file.
This embodiment requires the sample file to be copied into the virtual machine and run there, with the ProcessMonitor tool monitoring its runtime behaviour. Therefore, during monitoring, all executable sample programs screened out earlier are enumerated, and each enumerated sample file completes one automatic monitoring process. The process uses control commands of vmrun.exe, the tool shipped with VMware, to control the operation of the virtual machine from the physical machine.
The enumerated sample file is first copied to a fixed directory of the virtual machine, and then a monitoring program is run in the virtual machine. The function of this program is to set the ProcessMonitor filters so as to filter out some system programs, let the sample run for a scheduled time (for example 10 s) and then close the process, save the ProcessMonitor log file, perform a preliminary analysis of the log file, check the files released by the sample, compute their md5 values and save them to a specified file.
Step S1024: copy the log file from the virtual machine to a fixed directory of the physical machine.
Finally, the ProcessMonitor log file, including the behaviour log and the md5 list of released files, is copied from the virtual machine to a fixed directory of the physical machine for analysis.
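Steps S1021 to S1024 as one host-side driver, written here as an added illustration (not code from the patent). It issues the vmrun commands in the order the text describes; the vmx path, snapshot name, guest account, directory names and the in-guest monitor program are all assumed placeholders, and the monitor itself (starting ProcessMonitor, waiting the scheduled time, writing the log and md5 list) is assumed to exist in the snapshot.

```python
"""One automated monitoring cycle for a single sample, driven from the physical machine.

S1021: restore the configured snapshot; S1022: copy the sample into a fixed guest
directory; S1023: run the in-guest monitor, which runs the sample under
ProcessMonitor and saves the log and md5 list; S1024: copy both back to a fixed
host directory.  All paths, names and credentials below are assumptions.
"""
import subprocess
from pathlib import Path

VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"  # assumed install path
VMX = r"D:\vms\sandbox\sandbox.vmx"               # assumed sandbox VM
SNAPSHOT = "clean"                                # assumed name of the pre-configured snapshot
GUEST_USER, GUEST_PASS = "analyst", "password"    # assumed guest account used by vmrun
GUEST_SAMPLE_DIR = r"C:\sandbox\sample"           # fixed guest directory (assumed name)
GUEST_MONITOR = r"C:\sandbox\monitor.exe"         # assumed in-guest monitor (AutoIt-compiled)
GUEST_LOG = r"C:\sandbox\procmon.csv"             # assumed ProcessMonitor log written by the monitor
GUEST_MD5 = r"C:\sandbox\released_md5.txt"        # assumed md5 list of released files
HOST_LOG_DIR = Path(r"D:\logs")                   # fixed host directory (assumed)


def host_cmd(*args):
    """vmrun command that only touches the VM from the host (snapshot, power)."""
    return [VMRUN, "-T", "ws", *args]


def guest_cmd(*args):
    """vmrun command that acts inside the guest and therefore needs guest credentials."""
    return [VMRUN, "-T", "ws", "-gu", GUEST_USER, "-gp", GUEST_PASS, *args]


def verb(cmd):
    """The vmrun sub-command of a built command (the element just before the vmx path)."""
    return cmd[cmd.index(VMX) - 1]


def plan_cycle(sample):
    """Ordered vmrun commands for one sample.  Pure, so the plan can be inspected."""
    sample = Path(sample)
    guest_sample = f"{GUEST_SAMPLE_DIR}\\{sample.name}"
    host_log = HOST_LOG_DIR / f"{sample.name}.procmon.csv"
    host_md5 = HOST_LOG_DIR / f"{sample.name}.md5.txt"
    return [
        # S1021: context initialisation = revert to the snapshot of the configured guest
        host_cmd("revertToSnapshot", VMX, SNAPSHOT),
        host_cmd("start", VMX, "nogui"),
        # S1022: copy the sample to the fixed guest directory
        guest_cmd("copyFileFromHostToGuest", VMX, str(sample), guest_sample),
        # S1023: the monitor sets the ProcessMonitor filters, runs the sample for the
        # scheduled time, closes it and saves the log and the md5 list (assumed behaviour)
        guest_cmd("runProgramInGuest", VMX, "-interactive", GUEST_MONITOR, guest_sample),
        # S1024: copy the results back to the fixed host directory
        guest_cmd("copyFileFromGuestToHost", VMX, GUEST_LOG, str(host_log)),
        guest_cmd("copyFileFromGuestToHost", VMX, GUEST_MD5, str(host_md5)),
        # power off so the next sample always starts from the clean snapshot
        host_cmd("stop", VMX, "hard"),
    ]


def run_cycle(sample, timeout_s=300, execute=subprocess.run):
    """Run the plan in order.  Stops at the first failing command so a half-finished
    guest is never analysed, but always powers the VM off.  execute=None only
    records the verbs (dry run).  Returns the list of vmrun verbs attempted."""
    plan = plan_cycle(sample)
    done = []
    try:
        for cmd in plan[:-1]:
            if execute is not None:
                execute(cmd, check=True, timeout=timeout_s)
            done.append(verb(cmd))
    finally:
        if execute is not None:
            execute(plan[-1], check=False, timeout=timeout_s)
        done.append(verb(plan[-1]))
    return done


if __name__ == "__main__":
    for cmd in plan_cycle(r"D:\samples\sample.exe"):
        print(" ".join(cmd))
```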
As shown in Fig. 3, in one embodiment of analysing the log file and performing malicious file detection based on preset matching rules, step S103 may include:
Step S1031: obtain the log file from the fixed directory of the physical machine;
Step S1032: analyse the runtime behaviour recorded in the log file;
Taking viruses as an example, a ProcessMonitor log file is generated after each virus program runs. By analysing the log file, the behaviour of the virus at runtime can be learned, mainly the operations related to files, the registry, processes and network information: which files are created, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; which IP addresses are connected to; and similar information.
Step S1033: match the runtime behaviour in the log file against the malicious log entries in the preset matching rules;
Step S1034: if the match succeeds, the sample file corresponding to the log file is detected as a malicious file.
Log rules can be extracted for certain specific samples to filter the logs: if the log file of a sample matches a rule, the sample is the specific virus corresponding to that rule. For example, for QQ account-stealing Trojans one feature that can be extracted is that the QQ auto-login file is deleted; therefore, if such a log record is found in the behaviour log of a sample, the sample can be judged to be a QQ account-stealing Trojan.
Taking the instant messaging software QQ as an example, practical applications currently involve screening for QQ "diamond-brushing" programs and for QQ account-stealing Trojans. After a diamond-brushing program runs, it displays the categories of the various QQ "diamond" services on its interface, prompts the user to enter a QQ number and password, and claims to activate the various diamond services (so-called "brushing diamonds"). Its essence is to deceive the user and steal the QQ number and password, since these programs cannot actually brush diamonds.
Because diamond-brushing programs mainly deceive users by social engineering and generally do not steal QQ passwords by technical means, they have no specific behavioural feature. However, the main program window of such programs contains certain specific keywords, and such samples can be matched by those keywords; for diamond-brushing programs, detection is therefore realised by matching the keywords of the windows.
After the sample file runs in the virtual machine, a diamond-brushing detection program is run. This program enumerates all windows in the system and the text of their child windows, and then searches for the following keywords: brush diamond, brush diamond, brush Q, red diamond, Q business, QQ password, Q coin, QB. If any is found, the sample is shown to be a diamond-brushing program.
Screening for QQ account-stealing Trojans is done by extracting behaviour rules. Because such Trojans steal QQ passwords by technical means, for example by replacing some QQ files, the screening rules for common QQ account-stealing Trojans are as follows:
(1) the QQ.exe process is closed;
(2) files under the QQ bin directory are accessed (released);
(3) the QQ Registry.db file is deleted (this file stores the QQ auto-login information; many QQ account-stealing Trojans delete it so that QQ auto-login fails and the user has to enter the QQ password again, which enables the theft);
(4) the QQ.lnk shortcut file is modified so that the lnk file points to the Trojan.
When matching against the corresponding screening rules, each line of the log file is read and checked for any one of the following four strings: QQ.exe together with Process Exit on the same line; QQ Bin; Registry.db; QQ.lnk.
If any one of the above four behaviours is present, the sample file corresponding to the log file is judged to be a QQ account-stealing Trojan, and its md5 is recorded in a specified text file.
In practical application, the automated monitoring system can be run once a day by configuring a scheduled task, obtaining the diamond-brushing programs and QQ account-stealing Trojans among the previous day's sample files. By continuously monitoring the prevalence and spread of these sample files, the sample files with the highest prevalence and spread can be identified for priority handling.
This example obtained the following experimental data by testing the automated monitoring system. The average time for the automated monitoring system to monitor one sample file was 45 s. Several batches of samples were tested (all samples obtained in one day by "brush-diamond keyword filtering" and by "QQ directory monitoring"; QQ directory monitoring means monitoring files released into the QQ directory, since many account-stealing Trojans realise the theft by releasing a DLL into that directory, while the automation here is used to run EXE programs automatically, and the EXE programs found were in fact mostly QQ account-stealing Trojans). Four batches of data were randomly selected, as follows:
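The four screening rules and the window-keyword check, as an added worked example (not code from the patent). The ProcessMonitor CSV lines are constructed for illustration; the keyword list uses the page's English renderings of the original Chinese keywords, and the rule for "QQ Bin" is assumed to also accept a path separator between the two words.

```python
"""Per-line rule matching over a ProcessMonitor log (steps S1031 to S1034 and the
four QQ account-stealing Trojan rules), plus the diamond-brushing window-keyword
check.  Sample log lines are constructed here and are not from the patent.
"""
import hashlib
import re
from pathlib import Path

# Rule substrings from the text.  Rule 1 needs both strings on the same line.
# Assumption: "QQ Bin" may appear in the log as a path (...\QQ\Bin\...), so a
# space, backslash or slash is accepted between the two words.
RULES = {
    "qq_process_closed":   re.compile(r"QQ\.exe.*Process Exit|Process Exit.*QQ\.exe", re.I),
    "qq_bin_access":       re.compile(r"QQ[ \\/]Bin", re.I),
    "registry_db_removed": re.compile(r"Registry\.db", re.I),
    "qq_lnk_modified":     re.compile(r"QQ\.lnk", re.I),
}

# Window keywords for diamond-brushing programs as listed in the text (English
# renderings; a deployment would use the original keyword strings).
BRUSH_KEYWORDS = ("brush diamond", "brush Q", "red diamond", "Q business",
                  "QQ password", "Q coin", "QB")


def match_line(line):
    """Names of the rules that one log line satisfies."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def classify_log(log_text):
    """Read the log line by line and collect (line number, rule name) for every hit."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for name in match_line(line):
            hits.append((no, name))
    return hits


def is_qq_stealer(log_text):
    """Any one of the four behaviours is enough, as the text states."""
    return bool(classify_log(log_text))


def is_brush_program(window_texts):
    """True if any window or child-window text contains a brushing keyword.
    On Windows the texts would come from enumerating the windows; here they are passed in."""
    lowered = [t.lower() for t in window_texts]
    return any(k.lower() in t for t in lowered for k in BRUSH_KEYWORDS)


def record_detection(sample_path, out_file):
    """Append the md5 of a detected sample to the specified text file; returns the md5."""
    digest = hashlib.md5(Path(sample_path).read_bytes()).hexdigest()
    with open(out_file, "a", encoding="utf-8") as fh:
        fh.write(f"{digest}  {sample_path}\n")
    return digest


# Constructed ProcessMonitor CSV-style lines (Time, Process, PID, Operation, Path, Result, Detail).
SAMPLE_LOG = "\n".join([
    '"10:00:01","sample.exe","4120","CreateFile","C:\\Users\\u\\Desktop\\sample.exe","SUCCESS",""',
    '"10:00:02","QQ.exe","2210","Process Exit","","SUCCESS","Exit Status: 1"',
    '"10:00:03","sample.exe","4120","WriteFile","C:\\Program Files\\Tencent\\QQ\\Bin\\hook.dll","SUCCESS",""',
    '"10:00:04","sample.exe","4120","SetDispositionInformationFile",'
    '"C:\\Users\\u\\AppData\\Roaming\\Tencent\\QQ\\Registry.db","SUCCESS","Delete: True"',
    '"10:00:05","sample.exe","4120","RegSetValue","HKCU\\Software\\Run\\sample","SUCCESS",""',
])
CLEAN_LOG = '"10:00:01","notepad.exe","900","CreateFile","C:\\Users\\u\\notes.txt","SUCCESS",""'

if __name__ == "__main__":
    for no, name in classify_log(SAMPLE_LOG):
        print(f"line {no}: {name}")
    print("QQ stealer:", is_qq_stealer(SAMPLE_LOG), "| clean log:", is_qq_stealer(CLEAN_LOG))
    print("brush program:", is_brush_program(["Q business - Red Diamond activation", "OK"]))
```

A sample's own "Process Exit" line does not trigger rule 1; only the exit of QQ.exe does.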
The brush-diamond keyword filtering sample data are shown in Table 1 below:
Sample count    Brushing samples detected    Proportion of brushing samples
328             110                          33.5%
607             252                          41.5%
370             138                          37.3%
308             152                          49.3%
Table 1
The QQ directory monitoring sample data are shown in Table 2 below:
Table 2
Thus this embodiment runs the sample file in a virtual machine, runs a monitoring program in the virtual machine to record the runtime behaviour of the sample file and thereby generate a log file, and then matches these log files against extracted characteristic rules to finally realise malicious detection of the sample file. This greatly improves virus analysis efficiency, and new samples that current anti-virus software cannot detect, or samples of a certain class that exhibit a specific behaviour type, can be found promptly, improving the detection accuracy of virus samples.
In addition, subsequent needs to mine for specific samples can be met by analysing the log files of the samples, so the scheme of this embodiment has a wide range of application and serves as a reference for mining specific sample files or the newest samples from massive sample sets.
As shown in figure 4, present pre-ferred embodiments propose a kind of malicious file detection means, including:Acquisition module 401, Monitoring module 402 and analysis detection module 403 are run, wherein:
Acquisition module 401, for obtaining sample file to be detected;
Monitoring module 402 is run, for running the sample file, and monitors the operation action of the sample file, it is raw Into journal file;
Detection module 403 is analyzed, malicious file is carried out for analyzing the journal file, and based on preset matched rule Detection.
Wherein, sample file to be detected can not limit it and obtain source, for example can be downloaded from specified location.
The sample file to be detected that acquisition module 401 obtains will be input to Automatic monitoring systems.
By taking virus as an example, the Automatic monitoring systems set by the present embodiment are used for the automatic operating virus of batch and remembered Behavior during record virus operation obtains journal file, and for analysis, personnel check, so as to quickly understand virus behavior, saves manpower.
Wherein, Automatic monitoring systems can only run exe programs, and the sample file downloaded may have many compressed packages (Rar, zip, 7z etc.), the file such as dll, sys.Therefore enter row format firstly the need of all sample files to downloading to know Not, decompression and Screening Treatment, if compressed package is then decompressed using decompression tool, then filter out the exe files in sample Fixed file is put into the exe files after decompression, the samples sources as Automatic monitoring systems operation.
As it was previously stated, sample file to be detected is originally input to Automatic monitoring systems, transported by Automatic monitoring systems Row sample file simultaneously monitors the operation action of sample file and obtains journal file, and for analysis, personnel check, quickly to understand disease The behavior of the malicious files such as poison.
The present embodiment has used virtual software VMware and monitoring tools in Automatic monitoring systems ProcessMonitor instruments, the operation of above-mentioned instrument, automation control are controlled by AutoIt shell scripts in virtual machine The file of system output processed is the journal file of each sample file operation action(ProcessMonitor monitors obtained daily record File).
Wherein, the operation action of sample file includes:To the associative operation of file, registration table, process and the network information, such as Generate, access, what file deleted;Set, be newly-built, which registry entry deleted;Open, which process closed;, even The information such as which ip address are connect.
Further, since many rogue programs can discharge other rogue program after operation, therefore it is also required to these malice Program release file calculated, obtain its MD5, and form Automatic monitoring systems output journal file a part in Hold.Under normal circumstances, if parent file judges it is malice, then its daughter file discharged is also likely to be malice.
The virtual machine detection technique that prior art uses is placed on client executing mostly, and uses easy void Plan machine, full simulation operating system, the Automatic monitoring systems that the present embodiment uses do not use in running background sample Virtual software VMware, can be than more complete simulated operating system, and can reduce the risk for being found and being bypassed by virus.
ProcessMonitor journal file can be generated after each sample file operation, mould is monitored by running Block 402 analyzes the behavior when journal file is recognized that sample file operation, mainly including file, registration table, process, net The associative operation of network information etc., for example generate, access, what file deleted;Set, be newly-built, which registry entry deleted; Open, which process closed;It is connected to the information such as which ip address.
The present embodiment is literary to match the current sample of filtering with this in advance to some specific sample extraction log matches rules The journal file of part.The journal file and above-mentioned pre-set that analysis detection module 403 generates after sample file is run Matched with rule, if the malice attributes match of the journal file of some sample file has arrived certain rule, show this Sample file is specific malicious file corresponding to this rule.
Specifically, as shown in figure 5, as the operation sample file, and the operation action of the sample file is monitored, it is raw Into a kind of embodiment of journal file, the operation monitoring module 402 can include:Initialization unit 4021, copied cells 4022 and operation monitoring unit 4023, wherein:
Initialization unit 4021, for carrying out context initialization operation to the virtual machine for running sample file;
Copied cells 4022, for the sample file to be copied to the fixation catalogue of virtual machine;
Monitoring unit 4023 is run, for running the sample file in the virtual machine, and passes through monitoring tools pair The operation action of sample file described in running is monitored, and generates journal file.
The copied cells 4022 is additionally operable to copy to the journal file from the virtual machine fixation mesh of physical machine Record.
When the automated monitoring system runs a sample file and monitors its operation behaviour, it must first perform an environment initialization operation on the virtual machine that will run the sample, that is, restore a virtual machine snapshot. The snapshot is a virtual machine environment prepared in advance, in which the control program, the batch (.bat) files and so on are already installed. Performing this environment initialization on the virtual machine prepares it to run the sample file; because the snapshot is restored before every run, each sample starts from the same known clean state and the behaviour recorded for one sample is not contaminated by an earlier one.
In this embodiment the sample file is copied into the virtual machine and run there, and the ProcessMonitor tool is used to monitor its operation behaviour. Monitoring therefore first enumerates all the executable sample programs that were selected in the earlier screening step; each enumerated sample file then goes through one automatic monitoring pass. The process uses several control commands of vmrun.exe, the tool shipped with VMware, so that the physical machine controls the running of the virtual machine.
The enumerated sample file is first copied to a fixed directory of the virtual machine, and a monitoring program is then run inside the virtual machine. The function of that program is to set the ProcessMonitor filters (so that system programs are filtered out), close the sample process after a scheduled time (for example 10 s), then save the ProcessMonitor log file and perform an initial analysis of it: it checks which files the sample released (dropped), computes their MD5 values and saves them to a specified file.
Finally the ProcessMonitor log file, which includes the behaviour log and the MD5 list of the released files, is copied from the virtual machine to a fixed directory of the physical machine, so that the log file can be analysed.
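The monitoring pass just described, as an added example that is not the patent's own code: a Python driver on the physical machine that issues the vmrun.exe commands in the order of the procedure (restore snapshot, start guest, copy sample in, run the guest-side monitor for the scheduled time, copy the log out). vmrun and its subcommands are VMware's; everything else is an assumption: the `-T ws` product type, the vmrun and .vmx paths, the snapshot name, the guest account, the fixed directories on both sides, naming the copied sample and its log by the sample's MD5, and the guest-side `monitor.bat`, which is assumed to set the ProcessMonitor filters, run the sample, kill it after the given number of seconds, save the log and write the MD5 list.

```python
"""One automated monitoring pass driven from the physical machine with VMware's vmrun.

Added example, not the patent's code. All paths, the snapshot name, the guest
account and the guest-side monitor.bat are assumptions (see lead-in).
"""
import hashlib
import subprocess
from pathlib import Path

VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"  # assumed location
VMX = r"D:\vms\sandbox\sandbox.vmx"             # assumed sandbox VM
SNAPSHOT = "clean"                              # assumed snapshot with control program and .bat files installed
GUEST_USER, GUEST_PASS = "analyst", "analyst"   # assumed guest account used for vmrun guest operations
GUEST_SAMPLE_DIR = r"C:\sample"                 # fixed directory in the virtual machine (assumed name)
GUEST_MONITOR = r"C:\tools\monitor.bat"         # assumed guest-side monitoring program
GUEST_LOG = GUEST_SAMPLE_DIR + r"\procmon.csv"  # where monitor.bat is assumed to save the Procmon log
HOST_LOG_DIR = r"D:\logs"                       # fixed directory on the physical machine (assumed name)


def md5_of(path):
    """MD5 of the sample on the host; used to name the copied sample and its log."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def plan(sample_host_path, sample_md5, run_seconds=10):
    """Return the vmrun command lines for one sample, in execution order.

    Power operations (revertToSnapshot, start) need no guest credentials; guest
    operations (copy in, run program, copy out) need -gu/-gp.
    """
    base = [VMRUN, "-T", "ws"]
    guest = base + ["-gu", GUEST_USER, "-gp", GUEST_PASS]
    guest_sample = GUEST_SAMPLE_DIR + "\\" + sample_md5 + ".exe"
    host_log = HOST_LOG_DIR + "\\" + sample_md5 + ".csv"
    return [
        base + ["revertToSnapshot", VMX, SNAPSHOT],          # environment initialization
        base + ["start", VMX, "nogui"],                       # resume/boot the reverted guest
        guest + ["copyFileFromHostToGuest", VMX, sample_host_path, guest_sample],
        # No -noWait: this call blocks until monitor.bat exits, i.e. after the
        # scheduled run time has elapsed and the log has been saved in the guest.
        guest + ["runProgramInGuest", VMX, "-activeWindow", "-interactive",
                 GUEST_MONITOR, guest_sample, str(run_seconds)],
        guest + ["copyFileFromGuestToHost", VMX, GUEST_LOG, host_log],
    ]


def run_one(sample_host_path, run_seconds=10, dry_run=False):
    """Execute the plan for one sample; with dry_run=True only return the commands."""
    cmds = plan(sample_host_path, md5_of(sample_host_path), run_seconds)
    if not dry_run:
        for cmd in cmds:
            # vmrun exits non-zero on any failure (VM not found, guest not ready,
            # copy refused); stop this pass rather than analyse a missing log.
            subprocess.run(cmd, check=True)
    return cmds


def run_batch(sample_dir, run_seconds=10, dry_run=False):
    """Enumerate every screened .exe in sample_dir and run one monitoring pass per file."""
    return {str(p): run_one(str(p), run_seconds, dry_run)
            for p in sorted(Path(sample_dir).glob("*.exe"))}


if __name__ == "__main__":
    # Placeholder sample path and MD5 so the command lines can be printed for review.
    for cmd in plan(r"D:\samples\example.exe", "d41d8cd98f00b204e9800998ecf8427e"):
        print(subprocess.list2cmdline(cmd))
```

`plan()` is kept separate from `run_one()` so the exact command lines can be reviewed without touching VMware. Restoring the snapshot at the start of every pass is what keeps one sample's residue (dropped DLLs, persistence keys, a killed QQ.exe) out of the next sample's log.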
As shown in FIG. 6, in one embodiment of analysing the log file and performing malicious file detection based on preset matching rules, the analysis and detection module 403 may include an acquisition unit 4031, an analysis unit 4032, a matching unit 4033 and a detection unit 4034, where:
Acquisition unit 4031, configured to obtain the log file from the fixed directory of the physical machine;
Analysis unit 4032, configured to analyse the operation behaviour in the log file;
Matching unit 4033, configured to match the operation behaviour in the log file against the malicious logs in the preset matching rules;
Detection unit 4034, configured to detect, when the operation behaviour in the log file matches the malicious logs in the preset matching rules, that the sample file corresponding to the log file is a malicious file.
Taking viruses as an example, a ProcessMonitor log file is generated after each virus program is run, and analysing that log file reveals the behaviour of the virus while it runs, mainly operations related to files, the registry, processes and the network: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were started or closed; which IP addresses were connected to; and so on.
Log rules can be extracted for particular samples and used to filter the logs: if the log file of a sample matches a given rule, the sample is the specific virus to which that rule corresponds. For a QQ password-stealing Trojan, for example, one feature that can be extracted is that it deletes QQ's automatic-login file; if such a log record is found in the behaviour log of a sample, the sample can therefore be judged to be a QQ password-stealing Trojan.
Taking the instant-messaging client QQ as an example, practical applications at present involve screening for QQ "diamond-brushing" programs and for QQ password-stealing Trojans. After a diamond-brushing program is run, its interface shows the various "diamond" categories of QQ's paid services, then prompts the user to enter a QQ number and password in order to activate those services (so-called brushing diamonds). In essence this deceives the user and steals the QQ number and password, because such programs are in fact unable to brush any diamonds.
Because QQ diamond-brushing programs mainly deceive users by social engineering and generally do not use technical means to steal QQ passwords, they have no specific behavioural characteristics. The main program window of such programs does, however, contain certain specific keywords, and samples of this kind can be matched by those keywords. For QQ diamond-brushing programs, therefore, detection of malicious samples is realised by matching keywords of the window.
After the sample file has been run in the virtual machine, a QQ diamond-brushing detection program is run. That program enumerates all windows in the system and the text of their child windows, then searches for the following keywords: brush diamond (listed twice in the original, as two variants), brush Q, red diamond, Q services, QQ password, Q coin, QB. If any of them is found, the sample is a QQ diamond-brushing program.
Screening for QQ password-stealing Trojans is done by extracting behaviour rules, because this kind of Trojan steals the QQ password by technical means, for example by replacing some of QQ's files. The usual screening rules for QQ password-stealing Trojans are as follows:
(1) closes the QQ.exe process;
(2) accesses (releases files into) QQ's Bin directory;
(3) deletes QQ's Registry.db file (this file stores QQ's automatic-login information; many QQ password-stealing Trojans delete it so that automatic login fails and the user has to type the QQ password again, which is how the password is stolen);
(4) modifies the QQ.lnk shortcut file so that the shortcut points to the QQ password-stealing Trojan.
When matching against the corresponding screening rules, each line of the log file is read and checked for any one of the following four strings: QQ.exe together with Process Exit on the same line; QQ Bin; Registry.db; QQ.lnk.
If any one of the four behaviours is present, the sample file corresponding to the log file is judged to be a QQ password-stealing Trojan, and its MD5 is recorded in a specified text file.
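The two rule families described above (the behaviour-log rules for the QQ password-stealing Trojan and the window-keyword rule for diamond-brushing programs), as an added example that is not the patent's code. The log is a constructed ProcessMonitor CSV export: the column set is what Process Monitor writes, the rows are invented. The four rules follow the four strings in the text, but each per-line substring check is tied to the operation column so that, for example, a mere read of Registry.db does not count as the deletion rule (3) describes. The keyword list is my rendering of the page's translated keyword list and the window texts are constructed; enumerating real windows is a live-guest step that this offline example replaces with a list of strings.

```python
"""Rule matching over a ProcessMonitor log plus window-keyword matching.

Added example, not the patent's code. SAMPLE_LOG is a constructed Procmon CSV
export; BRUSH_KEYWORDS is an assumed rendering of the page's keyword list.
"""
import csv
import io

# Constructed Procmon CSV export: sample.exe (PID 1234) drops a DLL under QQ\Bin,
# QQ.exe exits, Registry.db is deleted and QQ.lnk is rewritten. Not a real capture.
SAMPLE_LOG = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0","sample.exe","1234","Process Start","","SUCCESS","Parent PID: 800"
"10:01:02.3","sample.exe","1234","CreateFile","C:\\Program Files\\Tencent\\QQ\\Bin\\hook.dll","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"10:01:02.4","sample.exe","1234","WriteFile","C:\\Program Files\\Tencent\\QQ\\Bin\\hook.dll","SUCCESS","Offset: 0, Length: 20480"
"10:01:02.6","QQ.exe","2048","Process Exit","","SUCCESS","Exit Status: 1"
"10:01:02.9","sample.exe","1234","SetDispositionInformationFile","C:\\Users\\test\\Documents\\Tencent Files\\All Users\\Registry.db","SUCCESS","Delete: True"
"10:01:03.1","sample.exe","1234","WriteFile","C:\\Users\\test\\Desktop\\QQ.lnk","SUCCESS","Offset: 0, Length: 1024"
"10:01:03.2","sample.exe","1234","RegSetValue","HKCU\\Software\\Tencent\\QQ\\Run","SUCCESS","Type: REG_SZ, Data: C:\\Program Files\\Tencent\\QQ\\Bin\\hook.dll"
'''


def parse_log(text):
    """Procmon CSV export -> list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


# Rules (1)-(4) from the text; each predicate sees one parsed log row.
QQ_TROJAN_RULES = {
    "(1) closes QQ.exe": lambda r: r["Process Name"].lower() == "qq.exe"
                                   and r["Operation"] == "Process Exit",
    "(2) writes under QQ\\Bin": lambda r: "\\qq\\bin\\" in r["Path"].lower()
                                          and r["Operation"] in ("CreateFile", "WriteFile"),
    "(3) deletes Registry.db": lambda r: r["Path"].lower().endswith("\\registry.db")
                                         and r["Operation"] == "SetDispositionInformationFile"
                                         and "Delete: True" in r["Detail"],
    "(4) rewrites QQ.lnk": lambda r: r["Path"].lower().endswith("\\qq.lnk")
                                     and r["Operation"] == "WriteFile",
}


def match_qq_trojan(log_text):
    """Return {rule name: first matching data-row number (1-based)}."""
    hits = {}
    for lineno, row in enumerate(parse_log(log_text), start=1):
        for name, pred in QQ_TROJAN_RULES.items():
            if name not in hits and pred(row):
                hits[name] = lineno
    return hits


def is_qq_trojan(log_text):
    """The text's decision rule: any one of the four behaviours is enough."""
    return bool(match_qq_trojan(log_text))


def dropped_files(log_text):
    """Paths the sample released: CreateFile rows whose Detail reports a created file.
    The MD5 list of these files is computed inside the guest; here only paths are collected."""
    return [r["Path"] for r in parse_log(log_text)
            if r["Operation"] == "CreateFile" and "OpenResult: Created" in r["Detail"]]


# Window keywords (assumed rendering of the translated list in the text).
BRUSH_KEYWORDS = ("刷钻", "刷Q", "红钻", "Q业务", "QQ密码", "Q币", "QB")


def match_brush_diamond(window_texts):
    """Given the enumerated window and child-window texts, return the keywords found."""
    joined = "\n".join(window_texts)
    return [k for k in BRUSH_KEYWORDS if k in joined]


def classify(log_text, window_texts=()):
    """Combine both rule families the way the daily screening in the text does."""
    if is_qq_trojan(log_text):
        return "QQ password-stealing Trojan"
    if match_brush_diamond(window_texts):
        return "QQ diamond-brushing program"
    return "no rule matched"


if __name__ == "__main__":
    print(match_qq_trojan(SAMPLE_LOG))
    print(dropped_files(SAMPLE_LOG))
    print(classify(SAMPLE_LOG), classify("", ["免费刷钻 v2.0"]))
```

Single-line substring rules are cheap and explain why a sample was flagged, but they are also brittle: QQ's own updater writes under Bin, and a user closing QQ produces a Process Exit row for QQ.exe, so a rule that fires on one line alone should be reviewed against the process name column (which process performed the action) before the MD5 is written to the detection list.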
In practical applications, a scheduled task can be configured so that the automated monitoring system runs once a day, obtaining the QQ diamond-brushing programs and QQ password-stealing Trojans from the previous day's sample files and continuously tracking the prevalence and spread of those samples, so that the samples with the greatest prevalence and spread can be identified for priority handling.
The following experimental data were obtained by testing the automated monitoring system of this example. The average time for the automated monitoring system to monitor one sample file was 45 s. Several batches of samples were tested (all samples obtained in one day by "diamond-brushing keyword filtering" and by "QQ directory monitoring"; QQ directory monitoring watches for files released into the QQ directory, since many password-stealing Trojans work by releasing a DLL into that directory; the automation here runs EXE programs automatically, and the EXE programs found were largely QQ password-stealing Trojans), and four batches of data were randomly selected. The diamond-brushing keyword-filtering sample data are shown in Table 1 above, and the QQ directory monitoring sample data in Table 2 above.
Thus the present embodiment runs a monitoring program in the virtual machine, runs the sample file in the virtual machine to record its operation behaviour and generate a log file from it, and then matches those log files against the extracted characteristic rules, finally achieving malice detection of the sample file. This greatly improves virus-analysis efficiency and makes it possible to discover in time new samples that current anti-virus software cannot detect, or a class of samples with a specific behaviour type, thereby improving the detection accuracy for virus samples.
In addition, subsequent requirements for mining specific samples can be met by analysing the sample log files, so this embodiment has a wide range of applications and serves as a reference for mining specific sample files, or the newest samples, from a massive set of sample files.
The foregoing is only the preferred embodiment of the present invention and does not limit the scope of the invention; any equivalent structural or flow transformation made using the content of the description and drawings of the present invention, or direct or indirect use in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (10)

  1. A malicious file detection method, characterized in that it comprises:
    obtaining a sample file to be detected;
    running the sample file, monitoring the operation behaviour of the sample file and generating a log file; the operation behaviour comprising related operations on files, the registry, processes and/or network information; the log file comprising a behaviour log and an MD5 list of the child files released after the sample file runs;
    analysing the log file and judging, based on preset matching rules, whether the parent file is a malicious file and whether the child files are malicious files; the analysis comprising extracting preset log rules to filter the log file, so that if the log file of a sample matches a certain rule the sample is the specific virus corresponding to that rule, or extracting preset log rules to match keywords of the sample's window so as to detect a malicious sample.
  2. The method according to claim 1, characterized in that, after the step of obtaining the sample file to be detected, the method further comprises:
    performing format identification, decompression and/or screening processing on the sample file to obtain a runnable sample file.
  3. The method according to claim 1, characterized in that the step of running the sample file, monitoring the operation behaviour of the sample file and generating a log file comprises:
    performing an environment initialization operation on the virtual machine that runs the sample file;
    copying the sample file to a fixed directory of the virtual machine;
    running the sample file in the virtual machine, monitoring the operation behaviour of the running sample file through a monitoring tool, and generating the log file.
  4. The method according to claim 3, characterized in that the step of running the sample file, monitoring the operation behaviour of the sample file and generating a log file further comprises:
    copying the log file from the virtual machine to a fixed directory of the physical machine.
  5. The method according to claim 4, characterized in that the step of analysing the log file and performing malicious file detection based on preset matching rules comprises:
    obtaining the log file from the fixed directory of the physical machine;
    analysing the operation behaviour in the log file;
    matching the operation behaviour in the log file against the malicious logs in the preset matching rules;
    if the match succeeds, detecting that the sample file corresponding to the log file is a malicious file.
  6. A malicious file detection device, characterized in that it comprises:
    an acquisition module, configured to obtain a sample file to be detected;
    a run-and-monitor module, configured to run the sample file, monitor the operation behaviour of the sample file and generate a log file; the operation behaviour comprising related operations on files, the registry, processes and/or network information; the log file comprising a behaviour log and an MD5 list of the child files released after the sample file runs;
    an analysis and detection module, configured to analyse the log file and judge, based on preset matching rules, whether the parent file is a malicious file and whether the child files are malicious files; the analysis comprising extracting preset log rules to filter the log file, so that if the log file of a sample matches a certain rule the sample is the specific virus corresponding to that rule, or extracting preset log rules to match keywords of the sample's window so as to detect a malicious sample.
  7. The device according to claim 6, characterized in that the acquisition module is further configured to perform format identification, decompression and/or screening processing on the sample file to obtain a runnable sample file.
  8. The device according to claim 6 or 7, characterized in that the run-and-monitor module comprises:
    an initialization unit, configured to perform an environment initialization operation on the virtual machine that runs the sample file;
    a copy unit, configured to copy the sample file to a fixed directory of the virtual machine;
    a run-and-monitor unit, configured to run the sample file in the virtual machine, monitor the operation behaviour of the running sample file through a monitoring tool, and generate the log file.
  9. The device according to claim 8, characterized in that the copy unit is further configured to copy the log file from the virtual machine to a fixed directory of the physical machine.
  10. The device according to claim 8, characterized in that the analysis and detection module comprises:
    an acquisition unit, configured to obtain the log file from the fixed directory of the physical machine;
    an analysis unit, configured to analyse the operation behaviour in the log file;
    a matching unit, configured to match the operation behaviour in the log file against the malicious logs in the preset matching rules;
    a detection unit, configured to detect, when the operation behaviour in the log file matches the malicious logs in the preset matching rules, that the sample file corresponding to the log file is a malicious file.
CN201210478566.6A 2012-11-22 2012-11-22 Malicious file detection method and device Active CN103839003B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210478566.6A CN103839003B (en) 2012-11-22 2012-11-22 Malicious file detection method and device

Publications (2)

Publication Number Publication Date
CN103839003A CN103839003A (en) 2014-06-04
CN103839003B true CN103839003B (en) 2018-01-30

Family

ID=50802488

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210478566.6A Active CN103839003B (en) 2012-11-22 2012-11-22 Malicious file detection method and device

Country Status (1)

Country Link
CN (1) CN103839003B (en)

Families Citing this family (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653947B (en) * 2014-11-11 2019-09-13 中国移动通信集团公司 The method and device of data safety risk is applied in a kind of assessment
CN105791250B (en) * 2014-12-26 2020-10-02 北京奇虎科技有限公司 Application program detection method and device
CN105897807A (en) * 2015-01-14 2016-08-24 江苏博智软件科技有限公司 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics
US9852295B2 (en) * 2015-07-14 2017-12-26 Bitdefender IPR Management Ltd. Computer security systems and methods using asynchronous introspection exceptions
CN105184162B (en) * 2015-08-18 2019-01-04 安一恒通(北京)科技有限公司 program monitoring method and device
CN105204973A (en) * 2015-09-25 2015-12-30 浪潮集团有限公司 Abnormal behavior monitoring and analysis system and method based on virtual machine technology under cloud platform
CN105224867A (en) * 2015-10-27 2016-01-06 成都卫士通信息产业股份有限公司 A kind of based on the Host Security reinforcement means under virtualized environment
CN106611122A (en) * 2015-10-27 2017-05-03 国家电网公司 Virtual execution-based unknown malicious program offline detection system
CN105590059B (en) * 2015-12-18 2019-04-23 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN105631320B (en) * 2015-12-18 2019-04-19 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN105608374B (en) * 2015-12-18 2019-04-19 北京奇虎科技有限公司 The detection method and device of virtual machine escape
CN106599684A (en) * 2015-12-30 2017-04-26 哈尔滨安天科技股份有限公司 Detection method and system of entity file-free malicious code
CN105574205B (en) * 2016-01-18 2019-03-19 国家电网公司 The log dynamic analysis system of distributed computing environment
CN107231245B (en) * 2016-03-23 2021-04-02 阿里巴巴集团控股有限公司 Method and device for reporting monitoring log, and method and device for processing monitoring log
CN105912932A (en) * 2016-04-08 2016-08-31 周宏斌 Threatening behavior detection system and method
CN105791323B (en) * 2016-05-09 2019-02-26 国家电网公司 The defence method and equipment of unknown malware
CN106055976B (en) * 2016-05-16 2021-05-28 新华三技术有限公司 File detection method and sandbox controller
CN106130960B (en) * 2016-06-12 2019-08-09 微梦创科网络科技(中国)有限公司 Judgement system, load dispatching method and the device of steal-number behavior
CN106130966B (en) * 2016-06-20 2019-07-09 北京奇虎科技有限公司 A kind of bug excavation detection method, server, device and system
CN106446689A (en) * 2016-09-02 2017-02-22 中科信息安全共性技术国家工程研究中心有限公司 Method for performing automated security detection on android application
CN106709326A (en) * 2016-11-24 2017-05-24 北京奇虎科技有限公司 Processing method and device for suspicious sample
CN106682513A (en) * 2016-11-28 2017-05-17 北京奇虎科技有限公司 Detection method for target sample file and device
CN106557701B (en) * 2016-11-28 2019-09-06 北京奇虎科技有限公司 Kernel leak detection method and device based on virtual machine
CN106778246A (en) * 2016-12-01 2017-05-31 北京奇虎科技有限公司 The detection method and detection means of sandbox virtualization
CN108256325A (en) * 2016-12-29 2018-07-06 中移(苏州)软件技术有限公司 A kind of method and apparatus of the detection of malicious code mutation
US10546120B2 (en) * 2017-09-25 2020-01-28 AO Kaspersky Lab System and method of forming a log in a virtual machine for conducting an antivirus scan of a file
CN108363919B (en) * 2017-10-19 2021-04-20 北京安天网络安全技术有限公司 Method and system for generating virus-killing tool
CN108804916B (en) * 2017-12-19 2022-01-28 安天科技集团股份有限公司 Malicious file detection method and device, electronic equipment and storage medium
CN110210218B (en) * 2018-04-28 2023-04-14 腾讯科技(深圳)有限公司 Virus detection method and related device
CN109766699B (en) * 2018-05-04 2022-02-15 奇安信安全技术(珠海)有限公司 Operation behavior intercepting method and device, storage medium and electronic device
CN111277539B (en) * 2018-11-16 2022-09-02 慧盾信息安全科技(苏州)股份有限公司 Server Lesox virus protection system and method
CN110399720B (en) * 2018-12-14 2022-12-16 腾讯科技(深圳)有限公司 File detection method and related device
CN111368295A (en) * 2018-12-26 2020-07-03 中兴通讯股份有限公司 Malicious sample detection method, device and system and storage medium
CN109815701B (en) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Software security detection method, client, system and storage medium
CN111027062A (en) * 2019-03-29 2020-04-17 哈尔滨安天科技集团股份有限公司 Assessment method and device for application collapse state of target range
CN112580041B (en) * 2019-09-30 2023-07-07 奇安信安全技术(珠海)有限公司 Malicious program detection method and device, storage medium and computer equipment
CN110889113A (en) * 2019-10-30 2020-03-17 泰康保险集团股份有限公司 Log analysis method, server, electronic device and storage medium
CN111143839A (en) * 2019-12-30 2020-05-12 厦门服云信息科技有限公司 Malicious code detection method and device based on virtualization behavior analysis technology
CN112527672B (en) * 2020-12-21 2021-10-22 北京深思数盾科技股份有限公司 Detection method and equipment for shell adding tool
CN112560018B (en) * 2020-12-23 2023-10-31 苏州三六零智能安全科技有限公司 Sample file detection method, device, terminal equipment and storage medium
CN112699176B (en) * 2021-02-06 2023-06-30 北京拓普丰联信息科技股份有限公司 Quick random extraction method, system, terminal and storage medium
CN112989344B (en) * 2021-03-16 2022-07-05 北京理工大学 Malicious program intelligent detection method, device and system based on hardware tracking technology
CN116861429B (en) * 2023-09-04 2023-12-08 北京安天网络安全技术有限公司 Malicious detection method, device, equipment and medium based on sample behaviors

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protecting method based on programm behaviour analysis
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
CN101593249A (en) * 2008-05-30 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of apocrypha analytical approach and system
CN101788915A (en) * 2010-02-05 2010-07-28 北京工业大学 White list updating method based on trusted process tree
CN101986323A (en) * 2009-10-01 2011-03-16 卡巴斯基实验室封闭式股份公司 Method and system for detection of previously unknown malware
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8719800B2 (en) * 2008-06-20 2014-05-06 Vmware, Inc. Accelerating replayed program execution to support decoupled program analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant