CN105243324A - Method and device for identifying malicious software in user terminal and user terminal - Google Patents

Method and device for identifying malicious software in user terminal and user terminal

Info

Publication number
CN105243324A
Authority
CN
China
Prior art keywords
software
file
malware
operation process
judge
Prior art date
Legal status
Pending
Application number
CN201510684202.7A
Other languages
Chinese (zh)
Inventor
谭昱
Current Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd and Zhuhai Juntian Electronic Technology Co Ltd
Priority to CN201510684202.7A
Publication of CN105243324A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The embodiments of the invention disclose a method and a device for identifying malicious software in a user terminal, and a user terminal. The method comprises the following steps: monitoring the running process of first software; when it is detected that an installation process of second software is started in the running process of the first software, judging whether the second software is malicious software; if the second software is judged to be malicious software, judging whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable; and if that behavior is judged to be unreasonable, identifying the first software as malicious software. With the embodiments of the invention, software that pushes other malicious software can be identified as malicious software while the program is running, so the user terminal system can be protected effectively and harm to the terminal system by malicious software can be avoided.

Description

Method and device for identifying malicious software in a user terminal, and user terminal
Technical field
The present invention relates to the field of software technology, and in particular to a method and device for identifying malicious software in a user terminal, and to a user terminal.
Background technology
Many types of software can currently be installed on a user terminal. Some software, when promoted, is bundled into other software: when the user terminal runs the bundling software, that software installs the promoted software automatically or prompts the user to install it, so that the promoted software gains more clients and the promotion pays off. Promoted software, however, includes both legitimately promoted software and maliciously promoted software. Maliciously promoted software affects and endangers the user and the system; it includes viruses, worms, Trojans, backdoor programs, password-stealing programs and the like. Bundling software that installs promoted software without the user's consent, or that induces the user to install promoted software through improper guidance, can be defined as rogue software. Rogue software is itself a kind of malicious software, and the software it promotes has a high probability of being maliciously promoted software, which can harm the user terminal system. Usually, by the time maliciously promoted software is identified, the rogue software that promoted it has already been running for some time; if that rogue software is not identified and intercepted in time, it continues to promote other malicious software and causes greater harm to the user terminal system.
Summary of the invention
The embodiments of the present invention provide a method and device for identifying malicious software in a user terminal, and a user terminal. With the embodiments of the present invention, software that pushes other malicious software can be identified as malicious software while the program is running, so the user terminal system can be protected effectively and harm to the terminal system by malicious software can be avoided.
In a first aspect, an embodiment of the present invention provides a method for identifying malicious software in a user terminal. The method may comprise:
monitoring the running process of first software;
when it is detected that an installation process of second software is started in the running process of the first software, judging whether the second software is malicious software;
if the second software is judged to be malicious software, judging whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable;
if the behavior of starting the installation process of the second software in the running process of the first software is judged to be unreasonable, identifying the first software as malicious software.
As an optional embodiment, judging whether the second software is malicious software comprises:
judging whether the installation package file of the second software is a malicious file;
if the result of the judgement is yes, determining that the second software is malicious software.
As an optional embodiment, judging whether the installation package file of the second software is a malicious file comprises:
sending a query request to a server, wherein the query request comprises the file characteristic of the installation package file of the second software and is used for querying whether the malicious file library pre-stored on the server contains the file characteristic of the installation package file of the second software;
receiving a request response fed back by the server, wherein the request response comprises the server's query result for the file characteristic of the installation package file of the second software;
judging, according to the query result in the request response, whether the installation package file of the second software is a malicious file.
As an optional embodiment, judging whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable comprises:
obtaining the installation prompt information shown to the user in the running process of the first software;
judging whether the installation prompt information contains an installation suggestion about the second software;
if the result of the judgement is no, determining that the behavior of the first software starting the installation process of the second software is unreasonable.
As an optional embodiment, the installation suggestion about the second software comprises at least the software information of the second software, the installation environment of the second software and/or the application function of the second software.
As an optional embodiment, after the first software is identified as malicious software, the method further comprises:
sending the file characteristic of the package file of the first software to the server.
In a second aspect, an embodiment of the present invention provides a device for identifying malicious software in a user terminal. The device may comprise:
a monitoring module, configured to monitor the running process of first software;
a first judging module, configured to judge whether second software is malicious software when the monitoring module detects that an installation process of the second software is started in the running process of the first software;
a second judging module, configured to judge whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable when the first judging module judges that the second software is malicious software;
an identification module, configured to identify the first software as malicious software when the second judging module judges that the behavior of starting the installation process of the second software in the running process of the first software is unreasonable.
As an optional embodiment, the first judging module comprises:
a first judging unit, configured to judge whether the installation package file of the second software is a malicious file;
a first determining unit, configured to determine that the second software is malicious software when the judgement result of the first judging unit is yes.
As an optional embodiment, the first judging unit comprises:
a sending sub-unit, configured to send a query request to a server, wherein the query request comprises the file characteristic of the installation package file of the second software and is used for querying whether the malicious file library pre-stored on the server contains the file characteristic of the installation package file of the second software;
a receiving sub-unit, configured to receive a request response fed back by the server, wherein the request response comprises the server's query result for the file characteristic of the installation package file of the second software;
a judging sub-unit, configured to judge, according to the query result in the request response, whether the installation package file of the second software is a malicious file.
As an optional embodiment, the second judging module comprises:
an acquiring unit, configured to obtain the installation prompt information shown to the user in the running process of the first software;
a second judging unit, configured to judge whether the installation prompt information contains an installation suggestion about the second software;
a second determining unit, configured to determine that the behavior of the first software starting the installation process of the second software is unreasonable when the judgement result of the second judging unit is no.
As an optional embodiment, the installation suggestion about the second software comprises at least the software information of the second software, the installation environment of the second software and/or the application function of the second software.
As an optional embodiment, the device further comprises:
a characteristic sending module, configured to send the file characteristic of the package file of the first software to the server after the identification module identifies the first software as malicious software.
In a third aspect, an embodiment of the present invention further provides a user terminal comprising a user interface, a memory and a processor, wherein the memory is configured to store a set of program code, and the processor calls the program code stored in the memory to perform the following operations:
monitoring the running process of first software;
when it is detected that an installation process of second software is started in the running process of the first software, judging whether the second software is malicious software;
if the second software is judged to be malicious software, judging whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable;
if the behavior of starting the installation process of the second software in the running process of the first software is judged to be unreasonable, identifying the first software as malicious software.
In the embodiments of the present invention, by monitoring the running process of the first software, it can be detected whether the first software starts the installation process of other software. If it is detected that an installation process of second software is started in the running process of the first software, it can be judged whether the second software is malicious software; if the second software is judged to be malicious software, it can further be judged whether the behavior of the first software starting the installation process of the second software is reasonable; and if that behavior is judged to be unreasonable, the first software can be identified as rogue software that pushes malicious software, that is, as malicious software. The first software can thus be identified while its program is running, so the user terminal system is protected effectively and harm to the terminal system by malicious software is avoided.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the method for identifying malicious software in a user terminal according to the present invention;
Fig. 2 is a flow chart of another embodiment of the method for identifying malicious software in a user terminal according to the present invention;
Fig. 3 is a structural diagram of an embodiment of the device for identifying malicious software in a user terminal according to the present invention;
Fig. 4 is a structural diagram of another embodiment of the device for identifying malicious software in a user terminal according to the present invention;
Fig. 5 is a structural diagram of an embodiment of the user terminal according to the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiments of the present invention are described below with reference to the drawings. The user terminal described in the embodiments of the present invention may be a mobile phone, a tablet computer, a notebook computer or any other terminal that can run application programs and can identify and handle malicious software.
Referring to Fig. 1, it is a flow chart of an embodiment of the method for identifying malicious software in a user terminal according to the present invention. The method described in this embodiment can be implemented by a user terminal and may comprise the following steps.
Step S101: monitor the running process of first software.
In one embodiment, the user terminal can monitor the running process of the first software. The running process of the first software comprises both the installation process of the first software and the process in which the first software realises its functions through its application program. Specifically, monitoring the running process of the first software may comprise monitoring the execution chain of the first software: how many sub-processes the running process starts, the manner in which each sub-process is started, and the process information of each started sub-process (for example the software identifier corresponding to the sub-process) can all be recorded. Key behaviors of the first software during its run are also recorded, including the starting of sub-processes described above and the information displayed to the user. From the recorded information it can then be resolved whether a started sub-process is a malicious process: for example, whether the user was prompted before a certain sub-process was started, whether the prompt described that sub-process, or whether the sub-process is one the user chose to start.
Step S102: when it is detected that an installation process of second software is started in the running process of the first software, judge whether the second software is malicious software.
In one embodiment, when the user terminal detects that an installation process of second software is started in the running process of the first software, that is, when it detects that a sub-process related to other software is started in the running process of the first software, it can suspend the running process of the first software and proceed to judge whether the second software is malicious software, so as to determine whether running the first software carries risk. Specifically, the trigger is that the application program of the first software, while running, needs to install other software. The starting of the installation process of the second software may be detected during the installation process of the first software, or during the running of the application program of the first software; for example, when the user clicks an advertisement displayed by the application program of the first software, the installation process of the second software is started.
Specifically, whether the second software is malicious software can be judged in various ways: the installation package file of the second software can be scanned for malicious files such as virus files and Trojan files, or the server can be queried as to whether the installation package file of the second software is a malicious file. One specific way is to query whether the file characteristic of the installation package file of the second software exists in the malicious file library stored on the server; if the queried file characteristic exists in the server's malicious file library, the installation package file of the second software is a malicious file, and the second software can be determined to be malicious software. The malicious file library may contain the file characteristics of malicious files, and a file characteristic may be a message digest (such as MD5) of the installation package file, a file identifier, or any other characteristic that can identify the installation package file. Whether the second software is malicious software may also be judged in other ways, which the embodiments of the present invention do not limit.
Step S103: if the second software is judged to be malicious software, judge whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable.
In one embodiment, when the second software is judged to be malicious software, it is further necessary to judge whether the behavior of the first software starting the installation process of the second software is reasonable. If it is unreasonable, the first software has deliberately infringed the user's right to know by starting the installation process of the second software, and the first software is rogue software. If it is reasonable, the first software is carrying out legitimate promotion and did not know during the promotion that the second software was malicious software, so the first software is not rogue software. Specifically, whether the behavior of starting the installation process of the second software in the running process of the first software is reasonable can be judged in various ways. For example, while monitoring the running process of the first software, the installation prompt information that the first software shows to the user can be monitored, and it can be detected whether the prompt information clearly tells the user that the second software will be installed, whether the software information and functional description of the second software are clear, whether the installation environment of the second software is clearly stated (for example, that the installation of the second software is started during the uninstallation of the first software), and whether the prompt is offered to the user in the form of an option. By judging whether the prompt information contains one or more of the above items, it can be judged whether the behavior of the running process of the first software starting the installation process of the second software is reasonable. The user terminal may also judge whether the above behavior is reasonable in other ways, which the embodiments of the present invention do not limit.
Optionally, after the second software is judged to be malicious software, the installation process of the second software can be intercepted, and the user can be prompted: the user can be warned of the risk of the installation before it is intercepted, or informed after interception that the installation of malicious software has been intercepted.
Step S104: if the behavior of starting the installation process of the second software in the running process of the first software is judged to be unreasonable, identify the first software as malicious software.
In one embodiment, when the behavior of starting the installation process of the second software in the running process of the first software is judged to be unreasonable, the first software is identified as malicious software, and more specifically as rogue software. After the first software is identified as rogue software, the file characteristic of the installation file of the first software can be uploaded to the malicious file library on the server, so that when another user terminal needs to install the first software, it finds through a query of the malicious file library that the first software is rogue software. Optionally, after the first software is identified as rogue software, its running process may also be allowed to continue, because the running process of the first software itself contains no malicious file and only promotes malicious software, so running the application program of the first software does not harm the user terminal system.
In the embodiments of the present invention, by monitoring the running process of the first software, it can be detected whether the first software starts the installation process of other software. If it is detected that an installation process of second software is started in the running process of the first software, it can be judged whether the second software is malicious software; if the second software is judged to be malicious software, it can further be judged whether the behavior of the first software starting the installation process of the second software is reasonable; and if that behavior is judged to be unreasonable, the first software can be identified as rogue software that pushes malicious software, that is, as malicious software. The first software can thus be identified while its program is running, so the user terminal system is protected effectively and harm to the terminal system by malicious software is avoided.
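The following is an added example, not code from the patent or its assignees, that runs steps S101 to S104 (and the claimed method, device and terminal aspects above, which state the same procedure) over a constructed execution-chain record. The monitor's output is modelled as an ExecutionChain holding the prompt boxes shown to the user and the installation processes started; the server's malicious file library is a local set keyed by SHA-256 (an assumption, since the patent only names a message digest or file identifier); and the "installation suggestion" policy (the prompt must name the second software and its installation, give its author or version, and offer a way to decline) is one concrete reading of the items the text lists as examples. Software names, installer bytes and prompt texts are all constructed.

```python
"""Identification flow of steps S101-S104 over a constructed execution-chain
record (added example; not code from the patent or its assignees)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional


def file_characteristic(data: bytes) -> str:
    """Lookup key for the malicious file library. Assumption: SHA-256; the
    patent only says a message digest or file identifier of the package."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the server-side malicious file library of step
# S102. The installer bytes are invented; nothing here is a real sample.
BAD_INSTALLER = b"constructed BarToolbar installer: drops a password stealer"
CLEAN_INSTALLER = b"constructed BazCodec installer: harmless"
MALICIOUS_FILE_LIBRARY = {file_characteristic(BAD_INSTALLER)}


@dataclass
class Prompt:
    """One prompt box the monitor recorded while the first software ran."""
    text: str
    choices: tuple = ()  # buttons the prompt offered


@dataclass
class SecondSoftware:
    """Software whose installation process the first software started."""
    name: str
    author: str
    version: str
    installer: bytes


@dataclass
class ExecutionChain:
    """What the step S101 monitor records about the first software."""
    software_id: str
    package: bytes
    prompts: list = field(default_factory=list)
    started_installs: list = field(default_factory=list)


@dataclass
class Verdict:
    second_is_malware: bool
    behaviour_reasonable: Optional[bool]  # None when never evaluated
    first_is_malware: bool
    upload_feature: Optional[str]  # characteristic to send to the server (S104)


def second_is_malware(sw: SecondSoftware, library=MALICIOUS_FILE_LIBRARY) -> bool:
    """Step S102: is the installer's characteristic in the malicious file library?"""
    return file_characteristic(sw.installer) in library


DECLINE = re.compile(r"\b(skip|no|decline|cancel|don't install)\b", re.I)


def contains_installation_suggestion(p: Prompt, sw: SecondSoftware) -> bool:
    """Step S103 test of one prompt. Assumed policy: the prompt must name sw and
    say it is being installed, give its author or version, and offer a real
    choice (a button that declines); the patent lists these items as examples."""
    text = p.text.lower()
    names_target = sw.name.lower() in text and "install" in text
    gives_info = sw.author.lower() in text or sw.version.lower() in text
    offers_choice = any(DECLINE.search(c) for c in p.choices)
    return names_target and gives_info and offers_choice


def behaviour_reasonable(chain: ExecutionChain, sw: SecondSoftware) -> bool:
    """Step S103: reasonable iff some recorded prompt suggested installing sw."""
    return any(contains_installation_suggestion(p, sw) for p in chain.prompts)


def identify(chain: ExecutionChain, sw: SecondSoftware) -> Verdict:
    """Steps S102-S104 for one installation process the first software started."""
    if not second_is_malware(sw):
        return Verdict(False, None, False, None)
    if behaviour_reasonable(chain, sw):
        # Disclosed promotion that picked up malware: the child install is
        # still intercepted, but the promoter itself is not flagged.
        return Verdict(True, True, False, None)
    return Verdict(True, False, True, file_characteristic(chain.package))


def run_monitor(chain: ExecutionChain) -> dict:
    """Apply identify() to every installation process the chain recorded."""
    return {sw.name: identify(chain, sw) for sw in chain.started_installs}


BAR = SecondSoftware("BarToolbar", "Bar Inc", "1.0", BAD_INSTALLER)
BAZ = SecondSoftware("BazCodec", "Baz Ltd", "3.2", CLEAN_INSTALLER)

# Constructed chain 1: FooPlayer's installer pushes BarToolbar with no prompt.
SILENT_BUNDLER = ExecutionChain(
    "FooPlayer", b"constructed FooPlayer package",
    prompts=[Prompt("Install FooPlayer 2.1 by Foo Ltd?", ("Next",))],
    started_installs=[BAR, BAZ],
)
# Constructed chain 2: same malware, but disclosed with a way to decline it.
DISCLOSING_PROMOTER = ExecutionChain(
    "GoodApp", b"constructed GoodApp package",
    prompts=[Prompt("Install GoodApp 4.0?", ("Next",)),
             Prompt("GoodApp also offers BarToolbar 1.0 by Bar Inc, a browser "
                    "search toolbar. Install it now?", ("Install", "Skip"))],
    started_installs=[BAR],
)

if __name__ == "__main__":
    for chain in (SILENT_BUNDLER, DISCLOSING_PROMOTER):
        for name, verdict in run_monitor(chain).items():
            print(f"{chain.software_id} -> {name}: {verdict}")
```

For FooPlayer the BarToolbar install is malicious and undisclosed, so FooPlayer is flagged and its package characteristic is returned for upload; BazCodec never reaches the reasonableness check. GoodApp pushes the same malware but disclosed it with a Skip button, so only the child install is intercepted. Note that the Optional step in S104 lets a flagged promoter keep running; the example leaves that decision to the caller by returning a Verdict rather than acting on it.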
Referring to Fig. 2, it is a flow chart of another embodiment of the method for identifying malicious software in a user terminal according to the present invention. The method described in this embodiment can be implemented by a user terminal and may comprise the following steps.
Step S201: monitor the running process of first software.
In one embodiment, the user terminal can monitor the running process of the first software. The running process of the first software comprises both the installation process of the first software and the process in which the first software realises its functions through its application program. Specifically, monitoring the running process of the first software may comprise monitoring the execution chain of the first software: how many sub-processes the running process starts, the manner in which each sub-process is started, and the process information of each started sub-process (for example the software identifier corresponding to the sub-process) can all be recorded. Key behaviors of the first software during its run are also recorded, including the starting of sub-processes described above and the information displayed to the user. From the recorded information it can then be resolved whether a started sub-process is a malicious process: for example, whether the user was prompted before a certain sub-process was started, whether the prompt described that sub-process, or whether the sub-process is one the user chose to start.
Step S202: when it is detected that an installation process of second software is started in the running process of the first software, send a query request to a server, wherein the query request comprises the file characteristic of the installation package file of the second software and is used for querying whether the malicious file library pre-stored on the server contains the file characteristic of the installation package file of the second software.
In one embodiment, when it is detected that an installation process of second software is started in the running process of the first software, it can further be judged whether the installation process of the second software is a malicious process, by judging whether the installation package file corresponding to that installation process contains a malicious file. Specifically, the file characteristic of the installation package file of the second software can be sent to the server in a query request, so that the server queries whether its stored malicious file library contains that file characteristic. The malicious file library may contain the file characteristics of malicious files, and a file characteristic may be a message digest (such as MD5) of the installation package file, a file identifier, or any other characteristic that can identify the installation package file.
Step S203: receive the request response fed back by the server, wherein the request response comprises the server's query result for the file characteristic of the installation package file of the second software.
In one embodiment, after the query request is sent to the server, the request response fed back by the server can be received; the request response comprises the server's query result for the file characteristic of the installation package file of the second software. The query result may be "present" or "absent", represented by a specific identifier value: for example, a fed-back request response of 1 indicates present and a fed-back request response of 0 indicates absent. Specifically, "present" means the malicious file library on the server contains the file characteristic of the installation package file of the second software, and "absent" means it does not.
Step S204: judge, according to the query result in the request response, whether the installation package file of the second software is a malicious file.
In one embodiment, according to the query result in the request response, it can be judged whether the installation package file of the second software is a malicious file, and thus whether the second software is malicious software. Specifically, if the query result in the request response is "present", the installation package file of the second software can be judged to be a malicious file and the second software to be malicious software; if the query result is "absent", the installation package file of the second software can be judged not to be a malicious file, and the installation process of the second software can be allowed to continue and install the second software.
Step S205: if the installation package file of the second software is judged to be a malicious file according to the query result, obtain the installation prompt information shown to the user in the running process of the first software.
In one embodiment, if the installation package file of the second software is judged to be a malicious file, that is, the second software is malicious software, the installation prompt information shown to the user in the running process of the first software can be obtained. While monitoring the running process of the first software, if installation prompt information displayed to the user is detected, that prompt information can be recorded. Specifically, when the first software is detected displaying a prompt box to the user, the content of the prompt box can be recorded, and if the user operates on the prompt box, the user's operation instruction can be recorded as well.
Step S206: judge whether the installation prompt information contains an installation suggestion about the second software.
In one embodiment, after the installation prompt information is obtained, it is judged whether the prompt information contains an installation suggestion about the second software. Specifically, the installation suggestion may cover whether the user is clearly told that the second software will be installed, whether the software information and application function of the second software are described clearly, whether the installation environment of the second software is clearly stated (for example, that the installation of the second software is started during the uninstallation of the first software), and whether the prompt is offered to the user in the form of an option. The software information of the second software may include, but is not limited to, the software author, software name and software version.
Step S207, if the result judged is no, identifies that described first software is Malware.
In one embodiment, do not comprise above-mentioned information if judge in prompting mount message, then can determine that the behavior of opening the erection schedule of the second software in the operation process of the first software is unreasonable, then identify that the first software is rogue software.Optionally, identifying after the first software is rogue software, the operation process of execution first software also can be continued, because the operation process of the first software self does not exist malicious file, only promote Malware, the application program therefore running the first software can not work the mischief to client terminal system.
Step S208, is sent to the file characteristic of the package file of described first software in described server.
In one embodiment, can the file characteristic of the package file of the first software be sent in server, thus when other user terminals carry out scan reset to the package file of the software in terminal, can get the file characteristic of the package file about the first software, thus definable first software is Malware.Wherein, the package file of the first software comprises running package file and installation kit file.
In the embodiment of the present invention, by monitoring the operation process of the first software, the erection schedule whether the first software opens other softwares can be monitored, if the erection schedule of opening the second software in the operation process of the first software detected, then can judge whether the second software is Malware, if judge, the second software is Malware, whether rationally can judge that the behavior of the erection schedule of the second software opened by the first software further, if judge, behavior is unreasonable, then identifiable design first software is also for pushing the rogue software of Malware, i.e. Malware.Can first software program run process in, it is identified, thus effectively can protect client terminal system, avoid Malware to work the mischief to terminal system.
Referring to Fig. 3, it is a schematic structural diagram of an embodiment of a device for identifying malware in a user terminal according to the present invention. The device may be configured in the user terminal, or may be an identification device independent of the user terminal. The device may include a monitoring module 301, a first judging module 302, a second judging module 303 and an identification module 304.
The monitoring module 301 is configured to monitor the running process of the first software.
In one embodiment, the monitoring module 301 monitors the running process of the first software. The running process of the first software includes the installation process of the first software and the running process in which the first software realizes its functions through its application program. Specifically, monitoring the running process of the first software may include monitoring its execution chain: how many sub-processes the running process opens, the manner in which each sub-process is opened, and the process information of the opened sub-processes, such as the software identifier each sub-process corresponds to. It also includes the key behaviors of the running process, including the opening of sub-processes described above and the information displayed to the user. From the recorded information it can be resolved whether an opened sub-process is a malicious process, for example whether the user was prompted before a certain sub-process was opened, whether the process of that sub-process was explained, or whether the sub-process is one the user chose to open.
The first judging module 302 is configured to judge whether the second software is malware when the monitoring module 301 detects that the installation process of the second software is opened during the running process of the first software.
In one embodiment, when the monitoring module 301 detects that the installation process of the second software is opened during the running process of the first software, that is, that a sub-process related to other software is opened, the running process of the first software may be suspended and control passed to the first judging module 302, which judges whether the second software is malware and thereby whether running the first software carries a risk. Specifically, the application program of the first software may be observed to need to install other software while it runs. The opening of the installation process of the second software may be detected either during the installation process of the first software or while the application program of the first software is running, for example when the user clicks an advertisement displayed by the application program of the first software and the installation process of the second software is thereby opened.
Specifically, the first judging module 302 may judge whether the second software is malware in various ways: it may scan the installation package file of the second software for malicious files such as virus files or Trojan files, or it may query the server as to whether the installation package file of the second software is a malicious file. One specific way is to look up the file characteristic of the installation package file of the second software in the malicious file library stored on the server; if the file characteristic is found in the malicious file library, the installation package file of the second software is a malicious file, and the second software is determined to be malware. The malicious file library may hold file characteristics of malicious files, where a file characteristic may be the MD5 value of the installation package file, a file identifier, or any other characteristic that identifies the installation package file. Other ways of judging whether the second software is malware are possible and are not limited by this embodiment of the present invention.
The second judging module 303 is configured to judge, when the first judging module 302 judges that the second software is malware, whether the behavior of opening the installation process of the second software during the running process of the first software is reasonable.
In one embodiment, when the first judging module 302 judges that the second software is malware, the second judging module 303 further judges whether the behavior of the first software in opening the installation process of the second software is reasonable. If it is unreasonable, the first software has deliberately infringed the user's right to know by opening the installation process of the second software, and the first software is rogue software; if it is reasonable, the first software promoted the second software legitimately without knowing that it was malware, and the first software is not rogue software. Specifically, the reasonableness of the behavior may be judged in various ways. For example, while the running process of the first software is monitored, the installation prompt information the first software shows to the user can be monitored, and it can be checked whether the prompt clearly tells the user that the second software will be installed, whether the software information and functional description of the second software are clear, whether the installation environment of the second software is clearly stated (for example, whether the installation of the second software is started during the uninstallation of the first software), and whether the prompt is presented to the user in the form of an option. By judging whether the installation prompt information includes one or more of the above items, it can be judged whether the behavior of opening the installation process of the second software during the running process of the first software is reasonable. The user terminal may also judge the reasonableness of the behavior in other ways, which are not limited by this embodiment of the present invention.
Optionally, after the first judging module 302 judges that the second software is malware, the installation process of the second software may be intercepted and the user may be prompted: the user may be warned of the risk of the installation before interception, or informed after interception that the installation of the malware has been intercepted.
The identification module 304 is configured to identify the first software as malware when the second judging module 303 judges that the behavior of opening the installation process of the second software during the running process of the first software is unreasonable.
In one embodiment, when the second judging module 303 judges that the behavior of opening the installation process of the second software during the running process of the first software is unreasonable, the identification module 304 identifies the first software as malware, and more specifically as rogue software. After the first software is identified as rogue software, the file characteristic of its installation file may be uploaded to the malicious file library on the server, so that when other user terminals need to install the first software they can find, by querying the malicious file library, that it is rogue software. Optionally, after the first software is identified as rogue software, its running process may be allowed to continue: the running process of the first software contains no malicious file itself and merely promotes the malware, so running the application program of the first software does not in itself harm the terminal system.
In this embodiment of the present invention, monitoring the running process of the first software makes it possible to detect whether the first software opens the installation process of other software. If the opening of the installation process of the second software is detected during the running process of the first software, it is judged whether the second software is malware; if it is, it is further judged whether the behavior of the first software in opening that installation process is reasonable; if the behavior is unreasonable, the first software is identified as rogue software that pushes malware, that is, as malware itself. The first software can thus be identified while its program is running, which effectively protects the terminal system from harm by the malware.
Referring to Fig. 4, it is a schematic structural diagram of another embodiment of a device for identifying malware in a user terminal according to the present invention. The device may be configured in the user terminal, or may be an identification device independent of the user terminal. The device may include a monitoring module 401, a first judging module 402, a second judging module 403, an identification module 404 and a feature sending module 405.
The monitoring module 401 is configured to monitor the running process of the first software.
In one embodiment, the running process of the first software is monitored. The running process of the first software includes the installation process of the first software and the running process in which the first software realizes its functions through its application program. Specifically, monitoring the running process of the first software may include monitoring its execution chain: how many sub-processes the running process opens, the manner in which each sub-process is opened, and the process information of the opened sub-processes, such as the software identifier each sub-process corresponds to. It also includes the key behaviors of the running process, including the opening of sub-processes described above and the information displayed to the user. From the recorded information it can be resolved whether an opened sub-process is a malicious process, for example whether the user was prompted before a certain sub-process was opened, whether the process of that sub-process was explained, or whether the sub-process is one the user chose to open.
The first judging module 402 is configured to judge whether the second software is malware when the monitoring module 401 detects that the installation process of the second software is opened during the running process of the first software.
In this embodiment of the present invention, the first judging module 402 may include the following units:
A first judging unit 4021, configured to judge whether the installation package file of the second software is a malicious file.
The first judging unit 4021 may further include the following sub-units:
A sending sub-unit, configured to send a query request to the server, where the query request includes the file characteristic of the installation package file of the second software and is used to query whether the malicious file library pre-stored on the server contains the file characteristic of the installation package file of the second software;
In one embodiment, when the monitoring module detects that the installation process of the second software is opened during the running process of the first software, the first judging module 402 may further judge whether the installation process of the second software is a malicious process, using the first judging unit 4021 to judge whether the installation package file corresponding to that installation process contains a malicious file. Specifically, the sending sub-unit sends the file characteristic of the installation package file of the second software to the server in a query request, so that the server can query whether its stored malicious file library contains that file characteristic. The malicious file library may hold file characteristics of malicious files, where a file characteristic may be the MD5 value of the installation package file, a file identifier, or any other characteristic that identifies the installation package file.
A receiving sub-unit, configured to receive the request response fed back by the server, where the request response includes the query result of the server for the file characteristic of the installation package file of the second software;
In one embodiment, after the sending sub-unit sends the query request to the server, the receiving sub-unit receives the request response fed back by the server, which includes the query result of the server for the file characteristic of the installation package file of the second software. The query result may be "exists" or "does not exist", represented by specific identifier values: for example, a fed-back request response of 1 indicates "exists", and a request response of 0 indicates "does not exist". "Exists" means that the malicious file library on the server contains the file characteristic of the installation package file of the second software; "does not exist" means that it does not.
A judging sub-unit, configured to judge, according to the query result included in the request response, whether the installation package file of the second software is a malicious file.
In one embodiment, the judging sub-unit judges, according to the query result included in the request response, whether the installation package file of the second software is a malicious file, and hence whether the second software is malware. Specifically, if the query result in the request response is "exists", the installation package file of the second software is judged to be a malicious file and the second software is judged to be malware; if the query result is "does not exist", the installation package file of the second software is judged not to be a malicious file, and the installation process of the second software may then continue so that the second software is installed.
A first determining unit 4022, configured to determine that the second software is malware when the judgement result of the first judging unit 4021 is yes.
The second judging module 403 is configured to judge, when the first judging module 402 judges that the second software is malware, whether the behavior of opening the installation process of the second software during the running process of the first software is reasonable.
In this embodiment of the present invention, the second judging module 403 may include the following units:
An acquiring unit 4031, configured to obtain the installation prompt information shown to the user during the running process of the first software.
In one embodiment, if the first determining unit 4022 determines that the installation package file of the second software is a malicious file, that is, the second software is malware, the acquiring unit 4031 obtains the installation prompt information shown to the user during the running process of the first software. While the running process of the first software is monitored, any installation prompt information displayed to the user is recorded. Specifically, when the first software is observed to display a prompt frame to the user, the content of the prompt frame is recorded, and if the user operates on the prompt frame, the user's operation instruction is recorded as well.
A second judging unit 4032, configured to judge whether the installation prompt information includes an installation suggestion about the second software.
In one embodiment, after the acquiring unit 4031 obtains the installation prompt information, the second judging unit 4032 judges whether it includes an installation suggestion about the second software. Specifically, the installation suggestion may include whether the user is clearly told that the second software will be installed, whether the software information and the application function of the second software are clearly described, whether the installation environment of the second software is clearly stated (for example, whether the installation of the second software is started during the uninstallation of the first software), and whether the prompt is presented to the user in the form of an option. The software information of the second software may include, but is not limited to, the software author, the software name and the software version.
A second determining unit 4033, configured to determine, when the judgement result of the second judging unit 4032 is no, that the behavior of the first software in opening the installation process of the second software is unreasonable.
The identification module 404 is configured to identify the first software as malware when the second judging module 403 judges that the behavior of opening the installation process of the second software during the running process of the first software is unreasonable.
In one embodiment, if the second judging unit 4032 judges that the installation prompt information does not include the above information, the second determining unit 4033 determines that the behavior of opening the installation process of the second software during the running process of the first software is unreasonable, and the identification module 404 identifies the first software as rogue software. Optionally, after the first software is identified as rogue software, its running process may be allowed to continue: the running process of the first software contains no malicious file itself and merely promotes the malware, so running the application program of the first software does not in itself harm the terminal system.
The feature sending module 405 is configured to send the file characteristic of the package file of the first software to the server after the identification module 404 identifies the first software as malware.
In one embodiment, the feature sending module 405 sends the file characteristic of the package file of the first software to the server, so that when other user terminals scan and clean the package files of the software on those terminals they can obtain the file characteristic of the package file of the first software and thereby identify the first software as malware. The package file of the first software includes its running package file and its installation package file.
In this embodiment of the present invention, monitoring the running process of the first software makes it possible to detect whether the first software opens the installation process of other software. If the opening of the installation process of the second software is detected during the running process of the first software, it is judged whether the second software is malware; if it is, it is further judged whether the behavior of the first software in opening that installation process is reasonable; if the behavior is unreasonable, the first software is identified as rogue software that pushes malware, that is, as malware itself. The first software can thus be identified while its program is running, which effectively protects the terminal system from harm by the malware.
Referring to Fig. 5, it is a schematic structural diagram of an embodiment of a user terminal according to the present invention. The user terminal may include at least one processor 501, such as a CPU, at least one user interface 503, a memory 504 and at least one communication bus 502. The communication bus 502 implements the connection and communication between these components. The user interface 503 may include a display (Display) and a keyboard (Keyboard), and optionally a standard wired interface and wireless interface. The memory 504 may be a high-speed RAM memory or a non-volatile memory, such as at least one magnetic disk memory; optionally, the memory 504 may also be at least one storage device located remotely from the processor 501. The memory 504 stores a set of program code, and the processor 501 calls the program code stored in the memory 504 to perform the following operations:
monitoring the running process of the first software;
when it is detected that the installation process of the second software is opened during the running process of the first software, judging whether the second software is malware;
if the second software is judged to be malware, judging whether the behavior of opening the installation process of the second software during the running process of the first software is reasonable;
if the behavior of opening the installation process of the second software during the running process of the first software is judged to be unreasonable, identifying the first software as malware.
As an optional embodiment, the specific manner in which the processor 501 judges whether the second software is malware is:
judging whether the installation package file of the second software is a malicious file;
if the result of the judgement is yes, determining that the second software is malware.
As an optional embodiment, the specific manner in which the processor 501 judges whether the installation package file of the second software is a malicious file is:
sending a query request to the server, where the query request includes the file characteristic of the installation package file of the second software and is used to query whether the malicious file library pre-stored on the server contains the file characteristic of the installation package file of the second software;
receiving the request response fed back by the server, where the request response includes the query result of the server for the file characteristic of the installation package file of the second software;
judging, according to the query result included in the request response, whether the installation package file of the second software is a malicious file.
As an optional embodiment, the specific manner in which the processor 501 judges whether the behavior of opening the installation process of the second software during the running process of the first software is reasonable is:
obtaining the installation prompt information shown to the user during the running process of the first software;
judging whether the installation prompt information includes an installation suggestion about the second software;
if the result of the judgement is no, determining that the behavior of the first software in opening the installation process of the second software is unreasonable.
As an optional embodiment, the installation suggestion about the second software includes at least the software information of the second software, the installation environment of the second software and/or the application function of the second software.
As an optional embodiment, after the processor 501 identifies the first software as malware, it further calls the program code in the memory 504 to perform the following operation:
sending the file characteristic of the package file of the first software to the server.
In this embodiment of the present invention, monitoring the running process of the first software makes it possible to detect whether the first software opens the installation process of other software. If the opening of the installation process of the second software is detected during the running process of the first software, it is judged whether the second software is malware; if it is, it is further judged whether the behavior of the first software in opening that installation process is reasonable; if the behavior is unreasonable, the first software is identified as rogue software that pushes malware, that is, as malware itself. The first software can thus be identified while its program is running, which effectively protects the terminal system from harm by the malware.
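The decision flow described in steps S204 to S208 and repeated in the module structures of Fig. 3 to Fig. 5, written out as an added Python example (it is not code from the patent or its assignee): a recorded execution chain of a first software is checked child installer by child installer against a constructed stand-in for the server-side malicious file library, and the recorded prompt frame content decides whether the push was disclosed. The query protocol (1 = exists, 0 = does not exist), MD5 as the file characteristic, the keyword patterns that recognise an installation suggestion and all sample data are assumptions; the example goes slightly beyond the text by handling several child installers in one run.

```python
"""Added example (not the patent's or the assignee's code): the identification flow of
this patent over a recorded execution chain, with a constructed stand-in server."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class MaliciousFileServer:
    """Stand-in for the server: a set of file characteristics (MD5 hex digests)."""

    def __init__(self, characteristics: List[str]) -> None:
        self.library = set(characteristics)

    def query(self, characteristic: str) -> int:
        # Query result as in the text: 1 = exists in the library, 0 = does not exist.
        return 1 if characteristic in self.library else 0

    def report(self, characteristic: str) -> None:
        # Feature sending: the terminal uploads the first software's package
        # characteristic so that other terminals recognise it on their next scan.
        self.library.add(characteristic)


def file_characteristic(package: bytes) -> str:
    """File characteristic of a package file; MD5 as the text suggests (assumption)."""
    return hashlib.md5(package).hexdigest()


@dataclass
class ChildInstall:
    """A sub-process opened by the first software to install a second software."""
    software_name: str
    package: bytes                   # installation package file of the second software
    prompt_text: Optional[str]       # recorded prompt frame content, None if no prompt
    offered_as_option: bool = False  # installation presented as a selectable option


@dataclass
class RunRecord:
    """Recorded execution chain of one run of the first software."""
    package: bytes                   # package file of the first software
    children: List[ChildInstall]


# Detail items the text expects an installation suggestion to carry: software
# information, application function, installation environment (patterns assumed).
_DETAIL_PATTERNS = [
    re.compile(r"\b(publisher|author|version)\s*:", re.I),
    re.compile(r"\b(function|description)\s*:", re.I),
    re.compile(r"\b(installation environment|requires)\s*:", re.I),
]


def has_install_suggestion(child: ChildInstall) -> bool:
    """Step S206: does the prompt clearly suggest installing the named second software?"""
    if not child.prompt_text:
        return False
    text = child.prompt_text.lower()
    # The prompt must state that the named second software is being installed...
    if "install" not in text or child.software_name.lower() not in text:
        return False
    # ...and carry at least one detail item, or be offered to the user as an option.
    has_detail = any(p.search(child.prompt_text) for p in _DETAIL_PATTERNS)
    return has_detail or child.offered_as_option


def evaluate_run(record: RunRecord, server: MaliciousFileServer) -> Dict[str, object]:
    """Steps S203-S208 over one run. Returns the verdict on the first software and a
    decision per child installer: allow_install (unknown) or intercept (known malware)."""
    decisions: List[Tuple[str, str]] = []
    pushes_malware = False
    for child in record.children:
        # S203/S204: look up the child's installation package characteristic.
        if server.query(file_characteristic(child.package)) == 0:
            decisions.append((child.software_name, "allow_install"))
            continue
        # Second software is malware: its installation is intercepted either way.
        decisions.append((child.software_name, "intercept"))
        # S205-S207: only an undisclosed push makes the first software itself malware;
        # a clearly disclosed bundle counts as legitimate promotion of a bad package.
        if not has_install_suggestion(child):
            pushes_malware = True
    verdict = "malware_pusher" if pushes_malware else "not_malware"
    if pushes_malware:
        # S208: send the first software's package characteristic to the server.
        server.report(file_characteristic(record.package))
    return {"first_software": verdict, "children": decisions}


def demo() -> Tuple[Dict[str, object], Dict[str, object], MaliciousFileServer]:
    """Constructed runs: a silent push of a known-bad installer, and a disclosed bundle."""
    bad_installer = b"constructed bytes standing in for a malicious installer"
    server = MaliciousFileServer([file_characteristic(bad_installer)])
    silent = RunRecord(b"constructed first software A", [
        ChildInstall("ToolbarX", bad_installer, "Click Next to continue"),
        ChildInstall("Codec", b"constructed benign installer", None),
    ])
    disclosed = RunRecord(b"constructed first software B", [
        ChildInstall("ToolbarX", bad_installer,
                     "Also install ToolbarX?\nPublisher: Example Corp\nVersion: 2.1",
                     offered_as_option=True),
    ])
    return evaluate_run(silent, server), evaluate_run(disclosed, server), server
```

After the silent run, the first software A's characteristic is in the library, so a second terminal querying it gets 1 before the bundled installer ever starts.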
The device embodiments described above are merely schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
The order of the steps in the method embodiments of the present invention may be adjusted, and steps may be merged or deleted, according to actual needs.
The units or sub-units in the terminal or device embodiments of the present invention may be merged, divided or deleted according to actual needs.
From the above description of the embodiments, a person skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solution, or the part of it that contributes over the prior art, may in essence be embodied in the form of a software product stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment or in some parts of the embodiments.
The above embodiments do not limit the scope of protection of this technical solution. Any modifications, equivalent replacements and improvements made within the spirit and principles of the above embodiments fall within the scope of protection of this technical solution.

Claims (10)

1. the recognition methods of Malware in user terminal, is characterized in that, comprising:
Monitor the operation process of the first software;
When monitoring the erection schedule of opening the second software in the operation process of described first software, judge whether described second software is Malware;
If judge, described second software is Malware, judges that whether the behavior of the erection schedule of opening described second software in the operation process of described first software is reasonable;
If judge, the behavior of the erection schedule of opening described second software in the operation process of described first software is unreasonable, then identify that described first software is Malware.
2. method as claimed in claim 1, is characterized in that, describedly judges whether described second software is Malware, comprising:
Whether the installation kit file judging described second software is malicious file;
If the result judged is yes, then determine that described second software is Malware.
3. method as claimed in claim 2, it is characterized in that, whether the described installation kit file judging described second software is malicious file, comprising:
Send inquiry request to server, wherein, described inquiry request comprises the file characteristic of the installation kit file of described second software, for whether comprising the file characteristic of the installation kit file of described second software in the malicious file storehouse that querying server prestores;
The request response of reception server feedback, wherein, described request response comprises the Query Result of server for the file characteristic of the installation kit file of described second software;
judging, according to the query result contained in the request response, whether the installation package file of the second software is a malicious file.
4. The method according to any one of claims 1-3, characterized in that judging whether the behavior of launching the installation process of the second software during the running of the first software is reasonable comprises:
obtaining the installation prompt information presented to the user during the running of the first software;
judging whether the installation prompt information contains an installation notice about the second software;
if the result of the judgment is no, determining that the behavior of the first software launching the installation process of the second software is unreasonable.
5. The method according to claim 4, characterized in that the installation notice about the second software comprises at least the software information of the second software, the installation environment of the second software and/or the application function of the second software.
6. The method according to claim 1, characterized in that, after identifying the first software as malware, the method further comprises:
sending the file characteristic of the installation package file of the first software to the server.
7. A device for identifying malware in a user terminal, characterized in that it comprises:
a monitoring module, configured to monitor the running process of a first software;
a first judging module, configured to judge whether a second software is malware when the monitoring module detects that the installation process of the second software is launched during the running of the first software;
a second judging module, configured to judge, when the first judging module judges that the second software is malware, whether the behavior of launching the installation process of the second software during the running of the first software is reasonable;
an identification module, configured to identify the first software as malware when the second judging module judges that the behavior of launching the installation process of the second software during the running of the first software is unreasonable.
8. The device according to claim 7, characterized in that the first judging module comprises:
a first judging unit, configured to judge whether the installation package file of the second software is a malicious file;
a first determining unit, configured to determine that the second software is malware when the judgment result of the first judging unit is yes.
9. The device according to claim 8, characterized in that the first judging unit comprises:
a sending sub-unit, configured to send a query request to the server, wherein the query request contains the file characteristic of the installation package file of the second software and is used to query whether the malicious file library pre-stored on the server contains that file characteristic;
a receiving sub-unit, configured to receive the request response fed back by the server, wherein the request response contains the server's query result for the file characteristic of the installation package file of the second software;
a judging sub-unit, configured to judge, according to the query result contained in the request response, whether the installation package file of the second software is a malicious file.
10. The device according to any one of claims 7-9, characterized in that the second judging module comprises:
an acquiring unit, configured to obtain the installation prompt information presented to the user during the running of the first software;
a second judging unit, configured to judge whether the installation prompt information contains an installation notice about the second software;
a second determining unit, configured to determine, when the judgment result of the second judging unit is no, that the behavior of the first software launching the installation process of the second software is unreasonable.
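The decision chain of claims 4-10 (server-side lookup of the second software's package, then the "was the user told?" check, then the verdict on the first software, plus the claim 6 report) as an added Python example; this is not the patent's code. The file characteristic (SHA-256), the malicious-file library contents, the server round-trip and all sample inputs are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the malicious-file library the server pre-stores (claim 9).
# The characteristic assumed here is the SHA-256 of the installation package bytes;
# the patent does not fix which characteristic is used.
MALICIOUS_FILE_LIBRARY = {
    hashlib.sha256(b"constructed bundled-installer bytes").hexdigest(),
}

def file_characteristic(package_bytes: bytes) -> str:
    """File characteristic carried in the query request (assumed: SHA-256)."""
    return hashlib.sha256(package_bytes).hexdigest()

def query_server(characteristic: str) -> dict:
    """Hypothetical server round-trip: returns the request response with the query result."""
    return {"characteristic": characteristic,
            "malicious": characteristic in MALICIOUS_FILE_LIBRARY}

@dataclass
class InstallEvent:
    """What the monitoring module observed: the first software launched an install of the second."""
    first_software: str
    first_package: bytes     # installation package file of the first software (claim 6)
    second_software: str     # software information of the second software (claim 5)
    second_package: bytes    # installation package file of the second software
    prompt_info: str         # installation prompt the first software showed the user

def prompt_contains_notice(prompt_info: str, second_software: str) -> bool:
    """Second judging unit: is the second software named in the installation prompt?
    Claim 5 also allows the installation environment or application function to count
    as the notice; this example checks only the software name."""
    return second_software.casefold() in prompt_info.casefold()

def identify_first_software(event: InstallEvent, reported: Optional[set] = None) -> str:
    """Run the claimed decision chain; returns 'clean', 'disclosed-bundle' or 'malware'."""
    # First judging module: is the second software malware?
    response = query_server(file_characteristic(event.second_package))
    if not response["malicious"]:
        return "clean"
    # Second judging module: was the user told about the bundled install?
    if prompt_contains_notice(event.prompt_info, event.second_software):
        return "disclosed-bundle"   # behavior judged reasonable
    # Identification module: a silent install of malware marks the first software as malware;
    # claim 6 then sends the first software's own file characteristic to the server.
    if reported is not None:
        reported.add(file_characteristic(event.first_package))
    return "malware"
```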
Application CN201510684202.7A, priority date 2015-10-20, filing date 2015-10-20: Method and device for identifying malicious software in user terminal and user terminal (status: Pending; publication CN105243324A, en)

Priority Applications (1)

Application Number: CN201510684202.7A (CN105243324A, en); Priority Date: 2015-10-20; Filing Date: 2015-10-20; Title: Method and device for identifying malicious software in user terminal and user terminal

Applications Claiming Priority (1)

Application Number: CN201510684202.7A (CN105243324A, en); Priority Date: 2015-10-20; Filing Date: 2015-10-20; Title: Method and device for identifying malicious software in user terminal and user terminal

Publications (1)

Publication Number: CN105243324A (en); Publication Date: 2016-01-13

Family

ID=55040967

Family Applications (1)

Application Number: CN201510684202.7A (CN105243324A, en); Status: Pending; Priority Date: 2015-10-20; Filing Date: 2015-10-20; Title: Method and device for identifying malicious software in user terminal and user terminal

Country Status (1)

Country: CN; Link: CN105243324A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party

CN103235913A (en) *; priority 2013-04-03; published 2013-08-07; 北京奇虎科技有限公司: System, equipment and method used for identifying and intercepting bundled software
CN103646209A (en) *; priority 2013-12-20; published 2014-03-19; 北京奇虎科技有限公司: Cloud-security-based bundled software blocking method and device
CN104123490A (en) *; priority 2014-07-02; published 2014-10-29; 珠海市君天电子科技有限公司: Method and device for processing malicious bundled software and mobile terminal
CN104123496A (en) *; priority 2014-07-03; published 2014-10-29; 珠海市君天电子科技有限公司: Rogue software interception method, device and terminal

Cited By (6)

* Cited by examiner, † Cited by third party

CN105912925A (en) *; priority 2016-04-05; published 2016-08-31; 周奇: Method and system for preventing mobile terminal from automatically installing related applications
CN105912925B (en) *; priority 2016-04-05; published 2019-10-08; 周奇: Method and system for preventing a mobile terminal from automatically installing related applications
WO2017185827A1 (en) *; priority 2016-04-26; published 2017-11-02; 华为技术有限公司: Method and apparatus for determining suspicious activity of application program
CN107315952A (en) *; priority 2016-04-26; published 2017-11-03; 华为技术有限公司: Method and apparatus for determining application program suspicious actions
CN111639331A (en) *; priority 2020-05-11; published 2020-09-08; 珠海豹趣科技有限公司: Installation package monitoring method and device and computer readable storage medium
CN111639332A (en) *; priority 2020-05-11; published 2020-09-08; 珠海豹趣科技有限公司: Software installation method and device, electronic equipment and storage medium

Legal Events

Code: Title
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication

Application publication date: 2016-01-13