CN107480527B - Ransomware prevention method and system - Google Patents

Ransomware prevention method and system

Info

Publication number: CN107480527B
Authority: CN (China)
Prior art keywords: file, bait, software, ransomware, suspected
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201710655812.3A
Other languages: Chinese (zh)
Other versions: CN107480527A (en)
Inventors: 何华荣, 王志, 祝青柳
Current assignee: Shenzhen Leagsoft Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Leagsoft Technology Co ltd
Priority date: 2017-08-03 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2017-08-03
Publication date: 2021-07-30
Events: application filed by Shenzhen Leagsoft Technology Co ltd; priority to CN201710655812.3A; publication of CN107480527A; application granted; publication of CN107480527B; legal status Active (current); anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a ransomware prevention method and system. The method comprises: creating a bait file in the system; monitoring the bait file in real time; if the bait file is enumerated and then written by the same process, marking the program corresponding to that process as suspected ransomware; and blocking programs marked as suspected ransomware from writing to any file. The method and system can accurately and quickly detect a ransomware's encryption of disk files and stop it in time.

Description

Ransomware prevention method and system
Technical Field
The invention relates to the technical field of antivirus software, in particular to a ransomware prevention method and a ransomware prevention system.
Background
Ransomware is a newer class of computer virus, spread mainly by e-mail, trojanized programs and drive-by downloads from compromised web pages. Once it reaches a host it runs automatically and deletes its own sample to evade detection, removal and analysis; it then encrypts the files on the computer's disks, which can hardly be decrypted by anyone other than the virus author. When encryption is complete the user is charged a high price for decryption, causing large economic losses. For example, in June 2017 file-encrypting ransomware apps for Android phones, disguised as assistant tools for the mobile game Honor of Kings, spread on domestic (Chinese) networks; once the user opened the app, the phone's photos and other files were encrypted. Furthermore, ransomware variants appear very quickly and evade conventional antivirus software, and the attacking samples are mainly of the .exe, .js, .wsf and .vbe types, which poses a great challenge to conventional security products that depend on signature detection.
Traditional antivirus software detects and removes viruses by analysing virus signatures (for example, monitoring inbound port 443). Against ransomware it can at best raise an alert; it cannot prevent the encryption.
Disclosure of Invention
To address these defects of the prior art, the ransomware prevention method and system provided here can accurately and quickly detect a ransomware's encryption of disk files and stop it in time.
In a first aspect, the present invention provides a ransomware prevention method, including:
creating a bait file in the system;
monitoring the bait file in real time;
if the bait file is enumerated and then written by the same process, marking the program corresponding to that process as suspected ransomware;
blocking programs marked as suspected ransomware from writing to any file.
Traditional antivirus software detects and removes viruses by analysing virus signatures (for example, monitoring inbound port 443); against ransomware it can only raise an alert and cannot prevent the encryption. The ransomware prevention method of this embodiment automatically creates bait files in the system and uses them as decoys. It needs no complex signature analysis: by monitoring only whether the bait file is enumerated and rewritten, it detects the ransomware's encryption of disk files accurately and at the earliest moment, and stops the ransomware from encrypting further files in time.
Preferably, creating the bait file in the system includes: creating a bait file under each drive root directory and in the desktop folder of the system.
Preferably, the file name of the bait file begins with special characters.
Preferably, if the bait file is created inside a bait folder, the name of the bait folder also begins with special characters.
Preferably, monitoring the bait file in real time includes: monitoring the API calls of every non-system process.
Preferably, monitoring the bait file in real time includes: monitoring the APIs that ransomware must call.
Preferably, the method further includes: injecting a HOOK plug-in into every program running in the system;
and blocking the program marked as suspected ransomware from writing to any file includes:
intercepting, with the injected HOOK plug-in, the write-operation instructions issued by a program marked as suspected ransomware.
Preferably, the method further includes: after suspected ransomware is detected, popping up a prompt to alert the user.
In a second aspect, the present invention provides a ransomware prevention system, comprising:
a bait file creating module for creating bait files in the system;
a monitoring module for monitoring the bait file in real time;
a ransomware judging module for marking the program corresponding to a process as suspected ransomware if the bait file is enumerated and then written by that same process;
and a ransomware blocking module for blocking write operations of a program marked as suspected ransomware on any file.
Traditional antivirus software detects and removes viruses by analysing virus signatures (for example, monitoring inbound port 443); against ransomware it can only raise an alert and cannot prevent the encryption. The ransomware prevention system of this embodiment automatically creates bait files in the system and uses them as decoys. It needs no complex signature analysis: by monitoring only whether the bait file is enumerated and rewritten, it detects the ransomware's encryption of disk files accurately and at the earliest moment and stops the encryption in time; the monitoring method is simple and applies to any ransomware that works by encryption.
In a third aspect, the invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the method of any of the first aspects.
With the computer-readable storage medium of this embodiment, the stored program is installed and run on the terminal device to be protected (a computer, mobile phone, tablet, etc.). It automatically creates bait files in the system and uses them as decoys, needs no complex signature analysis, detects the ransomware's encryption of disk files accurately and at the earliest moment by monitoring only whether the bait file is enumerated and rewritten, and stops the encryption in time; the monitoring method is simple and applies to any ransomware that works by encryption.
Drawings
Fig. 1 is a flowchart of a ransomware prevention method according to an embodiment of the present invention;
fig. 2 is a block diagram of a ransomware prevention system according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
As shown in fig. 1, the embodiment provides a ransomware prevention method, which includes:
step S1, creating a bait file in the system;
step S2, monitoring the bait file in real time;
step S3, if it is detected that the bait file has been enumerated and then written by the same process, marking the program corresponding to that process as suspected ransomware;
step S4, blocking the program marked as suspected ransomware from writing to any file.
The software implementing the method is installed on the terminal device and automatically creates the bait files in the system. An ordinary user will not enumerate, open or modify the bait files in normal use of the device; only ransomware calls the Windows file-system interface (FindFirstFile/FindNextFile/FindClose) to traverse every file on the computer's disks. Therefore, once a bait file is enumerated and then written by the same process, the terminal can be judged to be infected with ransomware, and the ransomware is stopped at the root by blocking its write operations on every file.
When ransomware detonates on the terminal it calls the file-system interface (FindFirstFile/FindNextFile/FindClose) to traverse all files on the disk, including those inside folders, and the file system returns files and folders in a default order, for example the files of a drive's root directory first. Therefore, to ensure that the bait files are the first ones returned to the ransomware, a preferred embodiment of step S1 includes: creating a bait file under each drive root directory and in the desktop folder of the system.
A file system is the method and data structure an operating system uses to define files on a storage device (commonly a magnetic disk, or a NAND-flash solid-state drive) or partition, i.e. the way files are organised on the device. The software in the operating system responsible for managing and storing file information is called the file management system, or file system for short. It consists of three parts: the file-system interface, the software that manipulates and manages objects, and the objects and their attributes. From a system perspective, the file system organises and allocates the space of the storage device, stores files, and protects and retrieves stored files. In particular it creates files for the user and stores, reads, modifies and dumps them, controls access to them, and deletes them when the user no longer needs them.
The file-system interface called by the ransomware returns files in name order; for example, the Windows file-system interface returns file and folder names beginning with a space or another special character first. Therefore, in any of the above method embodiments, the bait file's name is formed with special characters: a character with a small ASCII value (such as a space or an exclamation mark) is used as the first character of the bait file name, so that the bait file is enumerated first when the ransomware calls the file-enumeration API (FindFirstFile/FindNextFile/FindClose), and the user's original files are protected from encryption.
Building on any of the above method embodiments, if the bait file is not created directly in the root directory but inside a bait folder, the name of the bait folder must also begin with special characters, in the same way as the bait file, which is not repeated here. A user may occasionally open a bait file by mistake, which would make the system treat the program involved as ransomware; to reduce the probability of such false positives, the bait file is created inside a bait folder, and both the bait file and the bait folder are monitored in real time.
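The placement and naming rules of step S1 and the two preceding paragraphs, as an added example that is not part of the patent or of Shenzhen Leagsoft's product: the functions below model NTFS enumeration order (an NTFS directory index is kept sorted by the upper-cased name, which is why a leading "!" or space comes back first; FAT32, by contrast, returns entries in directory-slot order, so the guarantee is file-system dependent), generate the bait paths for the drive roots and the desktop, and check that a bait name is legal on Windows and sorts ahead of every user file. The bait names, drive letters, desktop path and sample listings are assumptions made for illustration.

```python
"""Bait placement and enumeration-order check for the bait-file scheme.

Added example; not code from the patent or from Shenzhen Leagsoft.  The
collation model (upper-cased name, compared code unit by code unit) is an
approximation of the NTFS directory index; bait names and paths are assumed.
"""
from pathlib import PureWindowsPath

BAIT_FOLDER = "!bait"        # assumed name; "!" is 0x21, before digits (0x30) and letters (0x41)
BAIT_FILE = "!bait.docx"     # ordinary-looking extension so the bait reads like a user file

WINDOWS_RESERVED = set('<>:"/\\|?*')


def ntfs_sort_key(name: str) -> tuple:
    """Approximate NTFS index order: code units of the upper-cased name."""
    return tuple(ord(c) for c in name.upper())


def enumeration_order(names):
    """Order in which an NTFS directory enumeration returns these entries."""
    return sorted(names, key=ntfs_sort_key)


def valid_bait_name(name: str, others) -> bool:
    """True if the name is legal on Windows and sorts before every other entry.

    Windows rejects the reserved characters and silently strips trailing
    spaces and periods, so a bait name must avoid both, or the file that
    actually lands on disk is not the one the monitor is watching.
    """
    if not name or name[-1] in " ." or WINDOWS_RESERVED & set(name):
        return False
    return all(ntfs_sort_key(name) < ntfs_sort_key(o) for o in others)


def bait_paths(drive_roots, desktop):
    """Step S1: one bait folder and bait file under every drive root and on the desktop."""
    return [str(PureWindowsPath(loc) / BAIT_FOLDER / BAIT_FILE)
            for loc in list(drive_roots) + [desktop]]


def baits_enumerated_first(listing, baits) -> bool:
    """Does a traversal in enumeration order hit every bait before any user file?"""
    ordered = enumeration_order(listing)
    baits = set(baits)
    return set(ordered[:len(baits)]) == baits


if __name__ == "__main__":
    # Constructed directory listing of a drive root.
    root = ["report.docx", "2019-tax.pdf", "Program Files", BAIT_FOLDER]
    print(enumeration_order(root))
    print(valid_bait_name(BAIT_FILE, ["2019-tax.pdf", "Report.docx"]))
    print(bait_paths(["C:\\", "D:\\"], "C:\\Users\\alice\\Desktop"))
```

A user folder that already contains a name starting with a space, or a lower code point than the bait's first character, breaks the "bait first" property, which is what baits_enumerated_first reports; the check is worth running at deployment time for every location where a bait is placed.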
In any of the above method embodiments, a preferred implementation of step S2, monitoring the bait file in real time, specifically includes: monitoring the API (Application Programming Interface) calls of every non-system process.
In any of the above method embodiments, a preferred implementation of step S2 includes: treating the APIs that ransomware must inevitably call as the key monitoring targets, which improves monitoring efficiency.
In any of the above method embodiments, the ransomware prevention method of this embodiment further includes: injecting a HOOK plug-in into every program running in the system. HOOK here is the Windows hooking mechanism: an application installs a subroutine that monitors certain messages or events destined for a given target, which may have been created by another process; the hook procedure receives the message before the target's own handler does, so the application can intercept the handling of window messages or specific events.
Based on the injected HOOK plug-in, the preferred form of step S4 includes: intercepting, with the injected HOOK plug-in, the write-operation instructions issued by a program marked as suspected ransomware. The HOOK plug-in is in fact a code segment that processes messages: whenever a program suspected of being ransomware issues a particular message (such as a write-operation instruction), the hook procedure captures it before it reaches the target file, takes control, forcibly terminates delivery of the message, and so prevents the suspected ransomware from encrypting any file in the system.
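Steps S2 to S4 above, together with the HOOK-side interception of write instructions, as an added example that is not the patent's or Shenzhen Leagsoft's code: in a real deployment the enumeration (FindFirstFile/FindNextFile) and write (WriteFile) calls are observed by the injected hooks, and the hook returns the allow/block decision before the call completes; here those calls arrive as a constructed event stream so the decision logic can run offline. The event shape, the process names, the "system process" exemption list, the bait paths and the sample events are all assumptions made for illustration.

```python
"""Per-process bait monitor: steps S2-S4 plus the HOOK-side write gate.

Added example; not code from the patent or from Shenzhen Leagsoft.  Hooked
calls are modelled as Event records; the exemption list, bait paths and the
sample stream are assumed for illustration.
"""
from dataclasses import dataclass, field

BAITS = {
    "C:\\!bait\\!bait.docx",
    "C:\\Users\\alice\\Desktop\\!bait\\!bait.docx",
}
SYSTEM_PROCESSES = {"System", "csrss.exe", "svchost.exe"}   # assumed exemption list


@dataclass
class Event:
    pid: int
    image: str   # process image name
    op: str      # "enum": path returned to this process by FindFirstFile/FindNextFile
                 # "write": this process called WriteFile on the path
    path: str


@dataclass
class BaitMonitor:
    baits: set
    system_processes: set = field(default_factory=lambda: set(SYSTEM_PROCESSES))
    enumerated: dict = field(default_factory=dict)  # pid -> baits that pid has enumerated
    suspected: dict = field(default_factory=dict)   # pid -> image name, once flagged (S3)
    alerts: list = field(default_factory=list)      # what the pop-up reminder would show

    def decide(self, ev: Event) -> str:
        """Return "allow" or "block" for one hooked call, updating state as it goes."""
        if ev.image in self.system_processes:
            return "allow"                       # S2: only non-system processes are monitored
        if ev.pid in self.suspected:
            return "block" if ev.op == "write" else "allow"   # S4: every write of a flagged process
        if ev.path not in self.baits:
            return "allow"                       # user files are untouched until a process is flagged
        if ev.op == "enum":
            self.enumerated.setdefault(ev.pid, set()).add(ev.path)
            return "allow"
        if ev.op == "write" and ev.path in self.enumerated.get(ev.pid, ()):
            # S3: the same process enumerated the bait and now writes it.
            # The hook sees the call before it completes, so this first write is denied too.
            self.suspected[ev.pid] = ev.image
            self.alerts.append(f"suspected ransomware: pid={ev.pid} image={ev.image} bait={ev.path}")
            return "block"
        # A write to a bait with no prior enumeration by this process is treated as
        # user misoperation (the file was opened by hand) and is not flagged.
        return "allow"


def run(events, baits=BAITS):
    """Feed hooked calls through the monitor; return (decisions, alerts, flagged pids)."""
    mon = BaitMonitor(set(baits))
    return [mon.decide(ev) for ev in events], mon.alerts, set(mon.suspected)


# Constructed sample stream: a user mis-click, an exempt system process, one
# ransomware-like process and one ordinary editor.
SAMPLE_EVENTS = [
    Event(100, "explorer.exe", "write", "C:\\!bait\\!bait.docx"),                       # mis-click, no enum
    Event(4,   "svchost.exe",  "enum",  "C:\\!bait\\!bait.docx"),                       # exempt
    Event(4,   "svchost.exe",  "write", "C:\\!bait\\!bait.docx"),                       # exempt
    Event(666, "invoice.exe",  "enum",  "C:\\!bait\\!bait.docx"),                       # traversal hits bait first
    Event(666, "invoice.exe",  "enum",  "C:\\Users\\alice\\report.docx"),
    Event(666, "invoice.exe",  "write", "C:\\!bait\\!bait.docx"),                       # flagged here
    Event(666, "invoice.exe",  "write", "C:\\Users\\alice\\report.docx"),               # blocked
    Event(666, "invoice.exe",  "write", "C:\\Users\\alice\\Desktop\\!bait\\!bait.docx"),
    Event(200, "winword.exe",  "write", "C:\\Users\\alice\\report.docx"),               # normal, allowed
]

if __name__ == "__main__":
    decisions, alerts, flagged = run(SAMPLE_EVENTS)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{d:5} pid={ev.pid:<4} {ev.image:<13} {ev.op:<5} {ev.path}")
    print(*alerts, sep="\n")
```

The state is keyed by process id, matching the "same process" condition of step S3: invoice.exe is flagged on its first write to a bait it previously enumerated and every later write from that pid is refused, while the explorer.exe write with no preceding enumeration is allowed, which is the misoperation case the description sets aside.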
In any of the above method embodiments, the ransomware prevention method further includes: after suspected ransomware is detected, popping up a prompt to alert the user.
Based on the same inventive concept as the ransomware prevention method above, this embodiment further provides a ransomware prevention system, shown in fig. 2, comprising:
a bait file creating module for creating bait files in the system;
a monitoring module for monitoring the bait file in real time;
a ransomware judging module for marking the program corresponding to a process as suspected ransomware if the bait file is enumerated and then written by that same process;
and a ransomware blocking module for blocking write operations of a program marked as suspected ransomware on any file.
Preferably, the bait file creating module is specifically configured to create a bait file under each drive root directory and in the desktop folder of the system.
Preferably, the file name of the bait file begins with special characters.
Preferably, if the bait file is created inside a bait folder, the name of the bait folder also begins with special characters.
Preferably, the monitoring module is specifically configured to monitor the API calls of every non-system process.
Preferably, the monitoring module may further be configured to monitor the APIs that ransomware must call.
Preferably, the system further comprises a HOOK plug-in injection module configured to inject a HOOK plug-in into every program running in the system; accordingly, the ransomware blocking module is specifically configured to intercept, with the injected HOOK plug-in, the write-operation instructions issued by a program marked as suspected ransomware.
Preferably, a reminder module is configured to pop up a prompt to alert the user after suspected ransomware is detected.
The ransomware prevention system of this embodiment shares the inventive concept and the benefits of the ransomware prevention method, which are not repeated here.
Based on the same inventive concept as the ransomware prevention method above, this embodiment provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the ransomware prevention method of any of the method embodiments above.
The computer-readable storage medium of this embodiment shares the inventive concept and the benefits of the ransomware prevention method, which are not repeated here.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (4)

1. A ransomware prevention method, comprising:
creating a bait file in a system, wherein creating the bait file in the system comprises creating a bait file under each drive root directory and in the desktop folder of the system;
monitoring the bait file in real time;
if the bait file is enumerated and then written by the same process, marking the program corresponding to that process as suspected ransomware, and blocking the program marked as suspected ransomware from writing to any file; wherein the file name of the bait file begins with special characters and the name of the bait folder begins with special characters;
wherein monitoring the bait file in real time comprises: monitoring the API calls of every non-system process; monitoring the APIs that ransomware must inevitably call, including a file-enumeration API and an encryption API; and injecting a HOOK plug-in into every program running in the system;
and wherein blocking the program marked as suspected ransomware from writing to any file comprises: intercepting, with the injected HOOK plug-in, the write-operation instructions issued by the program marked as suspected ransomware.
2. The method of claim 1, further comprising: after suspected ransomware is detected, popping up a prompt to alert the user.
3. A ransomware prevention system, comprising:
a bait file creating module for creating bait files in the system, wherein creating the bait file in the system comprises creating a bait file under each drive root directory and in the desktop folder of the system;
a monitoring module for monitoring the bait file in real time;
a ransomware judging module for marking the program corresponding to a process as suspected ransomware if the bait file is enumerated and then written by that same process;
and a ransomware blocking module for blocking write operations of a program marked as suspected ransomware on any file; wherein the file name of the bait file begins with special characters and the name of the bait folder begins with special characters; monitoring the bait file in real time comprises monitoring the API calls of every non-system process, monitoring the APIs that ransomware must inevitably call, including a file-enumeration API and an encryption API, and injecting a HOOK plug-in into every program running in the system; and blocking the program marked as suspected ransomware from writing to any file comprises intercepting, with the injected HOOK plug-in, the write-operation instructions issued by the program marked as suspected ransomware.
4. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the method of one of claims 1-2.
Application CN201710655812.3A, priority date 2017-08-03, filing date 2017-08-03: Ransomware prevention method and system (Active, CN107480527B, en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710655812.3A (CN107480527B, en) | 2017-08-03 | 2017-08-03 | Ransomware prevention method and system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201710655812.3A (CN107480527B, en) | 2017-08-03 | 2017-08-03 | Ransomware prevention method and system

Publications (2)

Publication Number | Publication Date
CN107480527A (en) | 2017-12-15
CN107480527B (en) | 2021-07-30

Family

ID=60596937

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201710655812.3A (CN107480527B, en) | Ransomware prevention method and system (Active) | 2017-08-03 | 2017-08-03

Country Status (1)

Country | Link
CN (1) | CN107480527B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109472140B (en) * 2017-12-29 2021-11-12 北京安天网络安全技术有限公司 Method and system for preventing ransomware encryption based on window-title verification
TWI668593B (en) * 2018-03-27 2019-08-11 崑山科技大學 Network ransomware protection system and method thereof
CN109359467B (en) * 2018-10-10 2020-11-20 杭州安恒信息技术股份有限公司 Precise identification and network-wide linked defense method and system for unknown ransomware
CN110874474A (en) * 2018-12-21 2020-03-10 北京安天网络安全技术有限公司 Ransomware defense method and device, electronic device and storage medium
CN110222508A (en) * 2019-06-12 2019-09-10 深圳市网心科技有限公司 Ransomware defense method, electronic device, system and medium
CN110879884A (en) * 2019-11-14 2020-03-13 维沃移动通信有限公司 Information processing method and device, electronic device and storage medium
CN111062035B (en) * 2019-11-18 2024-02-20 安天科技集团股份有限公司 Ransomware detection method and device, electronic device and storage medium
CN111475806B (en) * 2020-03-08 2022-08-05 苏州浪潮智能科技有限公司 Method for detecting and defending against ransomware based on access permissions
CN111614662B (en) * 2020-05-19 2022-09-09 奇安信网神信息技术(北京)股份有限公司 Ransomware interception method and device
CN112560031B (en) * 2020-11-16 2022-05-06 杭州美创科技有限公司 Ransomware detection method and system
CN112287346A (en) * 2020-11-16 2021-01-29 山西三友和智慧信息技术股份有限公司 Real-time monitoring system and method for encrypting ransomware based on IRP analysis
CN112560040A (en) * 2020-12-25 2021-03-26 安芯网盾(北京)科技有限公司 General detection method and device for infectious computer viruses
CN113609483B (en) * 2021-07-16 2024-05-03 山东云海国创云计算装备产业创新中心有限公司 Method, device, equipment and readable medium for handling server viruses
CN113626811A (en) * 2021-07-19 2021-11-09 武汉大学 Early ransomware detection method and system based on decoy files
CN113672925B (en) * 2021-08-26 2024-01-26 安天科技集团股份有限公司 Method and device for preventing ransomware attacks, storage medium and electronic device
CN116611058A (en) * 2022-02-08 2023-08-18 华为云计算技术有限公司 Ransomware detection method and related system
CN115189944A (en) * 2022-07-08 2022-10-14 山石网科通信技术股份有限公司 Ransomware interception method and device, electronic device and storage medium
CN115221524B (en) * 2022-09-20 2023-01-03 深圳市科力锐科技有限公司 Service data protection method, device, equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484605A (en) * 2014-12-10 2015-04-01 央视国际网络无锡有限公司 Method of detecting viral sources in cloud storage environment
CN106096397A (en) * 2016-05-26 2016-11-09 倪茂志 Ransomware prevention method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106951781A (en) * 2017-03-22 2017-07-14 福建平实科技有限公司 Ransomware defense method and apparatus

Also Published As

Publication number Publication date
CN107480527A (en) 2017-12-15

Similar Documents

Publication Publication Date Title
CN107480527B (en) Ransomware prevention method and system
US11645383B2 (en) Early runtime detection and prevention of ransomware
US20220075868A1 (en) Mitigation of return-oriented programming attacks
US9680876B2 (en) Method and system for protecting data flow at a mobile device
JP5586216B2 (en) Context-aware real-time computer protection system and method
US9152784B2 (en) Detection and prevention of installation of malicious mobile applications
US10079835B1 (en) Systems and methods for data loss prevention of unidentifiable and unsupported object types
US6907396B1 (en) Detecting computer viruses or malicious software by patching instructions into an emulator
US8281410B1 (en) Methods and systems for providing resource-access information
US9100440B1 (en) Systems and methods for applying data loss prevention policies to closed-storage portable devices
US20100306851A1 (en) Method and apparatus for preventing a vulnerability of a web browser from being exploited
US9852294B1 (en) Systems and methods for detecting suspicious applications based on how entry-point functions are triggered
US10685116B2 (en) Anti-ransomware systems and methods using a sinkhole at an electronic device
US11882134B2 (en) Stateful rule generation for behavior based threat detection
Jiang et al. Android malware
CN104484599A (en) Behavior processing method and device based on application program
US20190147163A1 (en) Inferential exploit attempt detection
US10275596B1 (en) Activating malicious actions within electronic documents
Ramachandran et al. Android anti-virus analysis
CN108038380B (en) Inoculator and antibody for computer security
US9003533B1 (en) Systems and methods for detecting malware
US7487548B1 (en) Granular access control method and system
US20180032745A1 (en) System and method of blocking access to protected applications
US8688657B1 (en) Systems and methods for data loss prevention
CN105550582A (en) Method and system for accessing to virtual disk

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant