CN109800574A - Computer Virus Detection Method and system based on cryptographic algorithm analysis - Google Patents
- Publication number: CN109800574A (application CN201811520117.7A)
- Authority: CN (China)
- Prior art keywords
- shell
- virus document
- virus
- document
- analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
- Landscapes: Storage Device Security (AREA)
Abstract
The present invention provides a computer virus detection method and system based on cryptographic algorithm analysis. The system comprises the following modules: a packing-state judgment module, which processes a virus file and determines its packing state, the packing state being one of "known packer present", "unknown packer present" or "no packer present"; a static analysis module, which performs static analysis on the virus file and obtains its static data information; and a dynamic analysis module, which performs dynamic analysis on the virus file and obtains its dynamic data information. By combining static and dynamic analysis, the invention analyzes how cryptographic algorithms are applied in the packing of computer viruses, in their encrypted network communication and in their encryption of data files, and provides a basis for identifying the encryption algorithms used by computer viruses and for detecting and defending against them.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a computer virus detection method and system based on cryptographic algorithm analysis.
Background art
At present, cryptography is the core technology and basic theoretical support of network information security, and one of the most important means of data protection and authentication. But the development of cryptographic algorithms is a double-edged sword: cryptography also gives hackers and criminals the technical means to evade detection and tracing. They have gradually mastered encryption techniques and use them to protect virus samples from detection, to hide the characteristics of their communications from network protection equipment, and to encrypt user files. The widespread use of encryption by attackers has increased the workload and difficulty of virus detection and analysis for security enterprises and governments, and has caused users huge economic losses. At the same time, as attack patterns that apply cryptography inside computer virus files develop rapidly, the ability to detect and analyze the cryptography used by computer viruses has increasingly become a security detection topic that must be given attention.
Current computer virus analysis methods are broadly divided into two classes: static analysis and dynamic analysis. Static analysis extracts the static features of a virus sample by reverse engineering and analyzes the PE file format, API function calls, assembly instruction sequences and the like. But computer viruses counter static analysis with means such as code obfuscation and encrypted packing, which makes static analysis results inaccurate. Dynamic detection runs the virus program in a sandbox or virtual machine and analyzes its run-time behaviour by API interception or behaviour monitoring: the file operations, network operations, registry operations and process operations performed while the virus executes are analyzed, malicious behaviour is identified, and the virus is thereby detected.
Related research on virus encryption techniques. A packer (shell) is a piece of program code dedicated to protecting a virus from being modified or decompiled. It usually runs before the virus itself and releases the virus body only during execution, which effectively evades detection based on static signature code. An encryption packer additionally keeps the protected program confidential so that it is not easily cracked, and there are many types of encryption packer. Many people in the security industry and in academia have studied the signature analysis and detection of packed computer viruses. Wang Junfeng et al. of Sichuan University invented "A PE file packing detection method based on static features", which first performs static file analysis, extracts nine feature values of the PE file, and then performs packing detection with a PE file classifier. Beijing Rising International Software Co., Ltd. invented "A module and method for unpacking a file", comprising: a virtual machine for simulating a real computer; a controller for detecting the packer type of the file; and an unpacking module that, based on the detected packer type, determines the code of the unpacking routine that needs to be executed on the real computer.
Related research on encrypted network communication by viruses. Computer viruses generally have network communication functions in order to receive the hacker's instructions and transmit stolen data. A Trojan horse is a typical computer virus program; the user's compromised machine (the "zombie") and the remote control terminal need covert communication, and often use a symmetric encryption algorithm such as AES or encrypt the transmitted data with the HTTPS protocol. The analysis of a network virus program's encrypted communication focuses on two aspects: reverse analysis of the encryption algorithm and analysis of the communication process. Analysis of the encryption algorithm ensures that intercepted packets are decrypted correctly, and analysis of the communication process ensures that the decrypted packets can be parsed. Through reverse analysis of the encryption algorithm used in a virus program's network communication, the encryption process is reconstructed, verified and even cracked. "A survey and prospect of network encrypted traffic recognition research" by Pan Wubin et al. points out that Trojans, botnets and the like bypass firewalls and intrusion detection systems by encryption and tunnelling and send confidential information to the external network, and it summarizes and compares existing encrypted traffic identification techniques. "Deciphering Malware's use of TLS (without Decryption)" by Blake Anderson et al. proposes a method of identifying the TLS traffic used by malicious code and shows that malware families can be distinguished by analyzing traffic features.
Related research on file encryption by ransomware. Ransomware is a type of virus program that has become popular in the last two years. By deleting and encrypting user files it renders user data assets or computer resources unusable, and uses this as a condition to extort the user. Studying the cryptographic algorithms used by typical ransomware and analyzing the advantages and application scenarios of each kind of cryptographic algorithm provides a basis for defending against and blocking ransomware. Ransomware mainly uses symmetric and asymmetric encryption algorithms. As ransomware has developed, asymmetric algorithms such as RSA are used more and more, which makes decrypting the files almost impossible, because the private key needed for decryption is stored on the attacker's server. The Locky ransomware uses a symmetric-plus-asymmetric scheme and encrypts files with the RSA-2048 and AES-128 algorithms. The Pyran ransomware uses base64 + AES; because AES is a symmetric algorithm, a decryption tool can be written to recover the files encrypted by this malicious program. The WannaCry ransomware randomly generates an AES key, encrypts each file with AES-128-CBC, then encrypts the AES key with RSA-2048 and writes the RSA-encrypted key together with the AES-encrypted file into the final WNCRY file; the decryption key is kept on the hacker's server, and the user obtains it only after paying the ransom.
Cryptographic algorithms are now widely applied in computer virus files, which brings great difficulty to virus detection and defence. But domestic detection and analysis of the cryptography used by computer viruses currently lacks a systematic method.
Summary of the invention
The present invention provides a computer virus detection method and system based on cryptographic algorithm analysis. Using a combination of static and dynamic analysis, it analyzes how cryptographic algorithms are applied in the packing of computer viruses, in their encrypted network communication and in their encryption of data files, and provides a basis for identifying the encryption algorithms used by computer viruses and for detecting and defending against them.
A computer virus detection method, comprising the following steps:
processing a virus file and determining its packing state, the packing state being one of "known packer present", "unknown packer present" or "no packer present";
performing static analysis on the virus file to obtain its static data information;
performing dynamic analysis on the virus file to obtain its dynamic data information.
Further,
The step of processing the virus file and determining its packing state, the packing state being one of "known packer present", "unknown packer present" or "no packer present", comprises:
obtaining the packer signature of the virus file's packer and comparing it, by means of a particular tool, with the signatures of existing known packers; if a signature consistent with the packer signature exists, the packing state is "known packer present".
Further,
After the packer signature of the virus file's packer has been obtained and compared by means of a particular tool with the signatures of existing known packers, the method further comprises:
if no signature consistent with the packer signature exists, computing the entropy Ei of each part of the virus file's data and the size Ni of that part;
obtaining the entropy of the whole virus PE file by the following weighted sum:
Entropy = Σ(Ei × Ni) / Σ Ni, i = 1, 2, ..., n;
where T is a preset threshold;
if Entropy > T, the state of the virus file is "unknown packer present"; if Entropy < T, the state of the virus file is "no packer present".
Further,
The step of performing static analysis on the virus file to obtain its static data information comprises:
obtaining the static signature code of the virus file and determining, according to the cryptographic algorithm to which the static signature code belongs, whether it is a hash function, a block cipher or a public-key algorithm.
Further,
The step of performing static analysis on the virus file to obtain its static data information comprises:
disassembling the virus file to obtain its static signature code.
Further,
The step of performing dynamic analysis on the virus file to obtain its dynamic data information comprises:
obtaining the call data, execution data and image data of the virus file by means of an analysis virtual machine;
the execution data including the virus file creating new files, modifying files, deleting files, reading files and downloading files, and screen captures;
the image data including the memory image of the virus file and the complete memory image of the guest machine executing the virus file.
Further,
The step of performing dynamic analysis on the virus file to obtain its dynamic data information comprises:
identifying the cryptographic-algorithm dynamic link libraries loaded during execution of the virus program;
determining the encryption functions called by the virus file and the parameters passed to them by hooking API functions, identifying the function names and passed parameters to generate a call sequence, and thereby obtaining the call flow of cryptographic algorithms in the virus file and the way in which multiple classes of cryptographic algorithm are combined.
Further,
The step of performing dynamic analysis on the virus file to obtain its dynamic data information comprises:
obtaining the pcap file of the virus file and determining from it the encrypted communication protocol, IP addresses and port information used by the virus file.
A computer virus detection system, comprising the following modules:
a packing-state judgment module, for processing a virus file and determining its packing state, the packing state being one of "known packer present", "unknown packer present" or "no packer present";
a static analysis module, for performing static analysis on the virus file to obtain its static data information;
a dynamic analysis module, for performing dynamic analysis on the virus file to obtain its dynamic data information.
Further,
The packing-state judgment module includes a known-packer judgment module, for obtaining the packer signature of the virus file's packer and comparing it, by means of a particular tool, with the signatures of existing known packers; if a signature consistent with the packer signature exists, the packing state is "known packer present".
Further,
The packing-state judgment module includes an unknown-packer judgment module, for computing, if no signature consistent with the packer signature exists, the entropy Ei of each part of the virus file's data and the size Ni of that part;
obtaining the entropy of the whole virus PE file by the following weighted sum:
Entropy = Σ(Ei × Ni) / Σ Ni, i = 1, 2, ..., n;
where T is a preset threshold;
if Entropy > T, the state of the virus file is "unknown packer present"; if Entropy < T, the state of the virus file is "no packer present".
Other features and advantages of the invention are set forth in the following description, and in part become apparent from the description or may be learned by practising the invention. The objects and other advantages of the invention may be realized and obtained by the structure particularly pointed out in the written description, the claims and the drawings.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Description of the drawings
The drawings provide a further understanding of the invention and form part of the specification; together with the embodiments they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is the flow chart of the computer virus detection method;
Fig. 2 is the flow chart of the packing-state judgment step;
Fig. 3 is the flow chart of the static analysis step;
Fig. 4 is the flow chart of the dynamic analysis step;
Fig. 5 is the structural schematic diagram of the computer virus detection system;
Fig. 6A is the first schematic image;
Fig. 6B is the second schematic image;
Fig. 7A is the third schematic image;
Fig. 7B is the fourth schematic image;
Fig. 8A is the fifth schematic image;
Fig. 8B is the sixth schematic image;
Fig. 9A is the seventh schematic image;
Fig. 9B is the eighth schematic image;
Fig. 10A is the ninth schematic image;
Fig. 10B is the tenth schematic image;
Fig. 11A is the eleventh schematic image;
Fig. 12B is the twelfth schematic image;
Fig. 13A is the thirteenth schematic image;
Fig. 13B is the fourteenth schematic image;
Fig. 13A is the fifteenth schematic image;
Fig. 14B is the sixteenth schematic image.
Detailed description of the embodiments
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and are not intended to limit it.
An embodiment of the invention provides a computer virus detection method whose flow chart is shown in Fig. 1, comprising the following steps:
S1, packing-state judgment step: process the virus file and determine its packing state, the packing state being one of "known packer present", "unknown packer present" or "no packer present".
In one embodiment, as shown in Fig. 2, the step of processing the virus file and determining its packing state comprises A1, a known-packer judgment step: obtain the packer signature of the virus file's packer and compare it, by means of a particular tool, with the signatures of existing known packers; if a signature consistent with the packer signature exists, the packing state is "known packer present". Tools such as Exeinfo PE are used to identify the packing algorithm of the virus. A known packer, whether a compression packer or an encryption packer, has a specific packing algorithm. When different applications are packed with the same packing algorithm, part of the machine code of the packed files is identical; this code is called the packer's "fingerprint" or "signature". A detection tool such as Exeinfo PE distinguishes packers by the signatures in its signature database. For example, the signature of UPX is the byte sequence "60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF", where "??" matches any byte; as long as this machine code appears in the virus file, the file can be considered to be packed with UPX.
In one embodiment, after the packer signature of the virus file's packer has been obtained and compared by means of a particular tool with the signatures of existing known packers, the method further comprises A2, an unknown-packer judgment step: if no signature consistent with the packer signature exists, compute the entropy Ei of each part of the virus file's data and the size Ni of that part;
obtain the entropy of the whole virus PE file by the following weighted sum:
Entropy = Σ(Ei × Ni) / Σ Ni, i = 1, 2, ..., n;
where T is a preset threshold;
if Entropy > T, the state of the virus file is "unknown packer present"; if Entropy < T, the state of the virus file is "no packer present". Whether a file is packed is thus detected by computing the information entropy of the virus PE file. Information entropy is a concept from communications theory that measures the uncertainty of a discrete random event; in packer detection it can be regarded as the information content of a PE file or of one of its sections. Since compressed or encrypted data carry more information per byte, a computer virus PE file that carries too much information may be packed. Because packing mainly targets parts of the PE file such as the code section and the data sections, in order to improve the accuracy of packer detection the information entropy of the virus file is generally not computed over the entire PE file. In the present invention, the data used to compute the information entropy excludes the PE file header, the export table, the import table, resource data, trailing all-zero data and the like.
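The two packing-state steps A1 and A2 above, implemented as one routine: a wildcard byte-signature match against a small known-packer table, then the section-weighted entropy fallback over only the parts the text says to score. This is an added example, not code from the patent. The UPX pattern is the one quoted in the text; the second signature, the threshold T, the entry stubs and the sample sections are constructed here for illustration, and the Entropy = T boundary, which the text leaves open, is assigned to "no packer".

```python
"""Packing-state check of steps A1 and A2: wildcard signature match against a
known-packer table, then the section-weighted entropy fallback.  Added example,
not code from the patent.  The UPX pattern is the one quoted in the text; the
second signature, the threshold T and the sample sections are constructed here
for illustration."""
import math
import random

KNOWN_PACKER_SIGNATURES = {           # Exeinfo PE / PEiD notation, '??' = any byte
    "UPX": "60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF",
    "HYPOTHETICAL_PACKER": "E8 00 00 00 00 5D 81 ED ?? ?? ?? ??",  # invented
}
T = 7.0                               # assumed threshold (bits per byte)

def parse_signature(sig):
    """'60 BE ?? 00' -> [0x60, 0xBE, None, 0x00]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def signature_match(data, sig):
    """Offset of the first match of the wildcard pattern in data, or -1."""
    pat = parse_signature(sig)
    for off in range(len(data) - len(pat) + 1):
        if all(p is None or data[off + k] == p for k, p in enumerate(pat)):
            return off
    return -1

def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def weighted_entropy(sections):
    """Entropy = sum(Ei*Ni) / sum(Ni) over (name, bytes) sections.  The caller
    passes only the parts the text says to score (no PE header, import/export
    tables or resources); trailing all-zero padding is stripped here."""
    num = den = 0.0
    for _, data in sections:
        data = data.rstrip(b"\x00")
        num += shannon_entropy(data) * len(data)
        den += len(data)
    return num / den if den else 0.0

def packing_state(entry_stub, scored_sections, threshold=T):
    """A1 then A2.  Entropy == T is left open by the text; treated as 'no packer'."""
    for name, sig in KNOWN_PACKER_SIGNATURES.items():
        if signature_match(entry_stub, sig) >= 0:
            return ("known packer", name)
    e = round(weighted_entropy(scored_sections), 3)
    return ("unknown packer", e) if e > threshold else ("no packer", e)

# Constructed inputs: a UPX-style entry stub (pushad; mov esi,...; lea edi,[esi-...])
UPX_STUB = bytes.fromhex("60 BE 00 B0 40 00 8D BE 00 60 FF FF 57 83 CD FF")
PLAIN_STUB = bytes.fromhex("55 8B EC 83 EC 10 8B 45 08")   # push ebp; mov ebp,esp; ...

def sample_sections(packed):
    """Stand-in .text/.data sections: high-entropy pseudo-random bytes for a
    packed image, repeating compiled-code bytes plus zero padding otherwise."""
    rng = random.Random(7)
    if packed:
        text = bytes(rng.getrandbits(8) for _ in range(8192))
    else:
        text = PLAIN_STUB * 400 + b"\x00" * 400
    data = b"Hello, world\x00" * 40 + b"\x00" * 200
    return [(".text", text), (".data", data)]
```

On a real sample the sections would come from a PE parser and the stub from the bytes at the entry point; the fixed threshold is the weak point of step A2, since a large high-entropy resource or embedded certificate that is not excluded will push an unpacked file over T, which is exactly why the text excludes those regions.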
As shown in Fig. 3, S2, static analysis step: perform static analysis on the virus file to obtain its static data information. The step of performing static analysis on the virus file to obtain its static data information comprises:
B1, first static analysis step: obtain the static signature code of the virus file and determine, according to the cryptographic algorithm to which the static signature code belongs, whether it is a hash function, a block cipher or a public-key algorithm. This step identifies the encryption algorithm by extracting the static signature codes that the encryption algorithm uses, so the reliability of a cryptographic algorithm's static signature directly determines the precision of cryptographic algorithm identification in the present invention. According to their encryption principles, cryptographic algorithms are divided into hash functions, block ciphers and public-key algorithms.
A) Hash functions use initial chaining values (IVs) when processing the input data. For example the SHA256 algorithm, which produces a 256-bit hash value, uses eight 32-bit initial chaining values during initialization. Different implementations may carry out this initialization in different ways, but the eight constants never change, so the eight initial chaining values are chosen as the static signature of the SHA256 algorithm.
B) Block ciphers use constants such as S-boxes and permutation boxes. Taking the AES block cipher as an example, the S-box is the object of the table-lookup operation during block encryption and is generally defined as a static array. Using the S-box as the static signature code, the computer virus file is scanned; if the S-box defined by the AES block cipher is matched in the file, the virus file very probably contains the AES algorithm.
C) Public-key algorithms also use many static features. RSA, for example, is based on the integer factorization problem, and the algorithm must construct large primes when generating keys. The code that generates large primes often includes a small-prime table, which generally resides in the data section of the virus file, so the lookup table and the small-prime code snippet can serve as the static signature code identifying the RSA public-key algorithm.
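The three signature classes of step B1, scanned over a byte image: the SHA-256 initial hash values (in both word orders, since the table may be stored little- or big-endian), the head of the AES forward S-box, and a small-prime trial-division table of the kind an RSA key generator embeds. This is an added example, not the patent's code; the SHA-256 and AES constants are the published FIPS values, while the prime-table width, the scanned sample buffer and the filler bytes are constructed assumptions.

```python
"""Scan a byte image for the static cryptographic signatures named in step B1:
SHA-256 initial hash values, the AES S-box, and a small-prime table such as an
RSA key generator embeds.  Added example, not the patent's code; the scanned
sample buffer is constructed inline."""
import struct

# SHA-256 initial hash values H0..H7 (FIPS 180-4); identical in every implementation
SHA256_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
# First 16 entries of the AES forward S-box (FIPS 197); the full table is 256 bytes
AES_SBOX_HEAD = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                       0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])

def small_primes(limit):
    """Primes below limit in ascending order, the layout of a trial-division
    table in an RSA key generator."""
    primes = []
    for n in range(2, limit):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes

def word_table(values, fmt):
    """Serialize integer constants the way a compiler lays them out in .rdata."""
    return b"".join(struct.pack(fmt, v) for v in values)

def all_offsets(data, needle):
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1

def scan_crypto_constants(image):
    """Return {class: [(algorithm, encoding, offset), ...]} for the three
    signature classes of step B1 (hash / block cipher / public key)."""
    found = {"hash": [], "block cipher": [], "public key": []}
    for fmt, enc in (("<I", "le32"), (">I", "be32")):
        for off in all_offsets(image, word_table(SHA256_IV, fmt)):
            found["hash"].append(("SHA-256", enc, off))
    for off in all_offsets(image, AES_SBOX_HEAD):
        found["block cipher"].append(("AES", "sbox", off))
    primes = small_primes(100)            # 25 primes, 2 .. 97
    for fmt, enc in (("<H", "le16"), ("<I", "le32")):   # assumed table widths
        for off in all_offsets(image, word_table(primes, fmt)):
            found["public key"].append(("RSA (small-prime table)", enc, off))
    return found

def classify(image):
    """Step B1 verdict: the algorithm classes whose static signatures are present."""
    return sorted(cls for cls, hits in scan_crypto_constants(image).items() if hits)

def sample_image():
    """Constructed stand-in for a virus .rdata section: int3 filler around a
    little-endian SHA-256 IV table, an AES S-box and a 16-bit prime table,
    i.e. the constant footprint of an AES + RSA file encryptor."""
    filler = b"\xcc" * 64
    return (filler + word_table(SHA256_IV, "<I") + filler + AES_SBOX_HEAD +
            filler + word_table(small_primes(100), "<H") + filler)
```

Matching the whole eight-word IV table rather than a single word matters: the first SHA-256 word 0x6a09e667 is also the high half of SHA-512's H0, so a one-word hit is ambiguous. A hit shows only that the algorithm is compiled into the file, not how it is used, and a sample that links CryptApi or OpenSSL carries none of these constants, which is the gap the dynamic step C2 below is meant to close.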
The step of performing static analysis on the virus file to obtain its static data information further comprises:
B2, second static analysis step: disassemble the virus file to obtain its static signature code. This step uses reverse engineering to disassemble the executable file and establishes cipher-function signature features, assembly instruction features, program logic structure and multi-round loop features. When a cryptographic algorithm processes data it generally applies the same or a similar function to the data over several rounds or steps, which appears in code as a loop of the same repeated pattern. On the other hand, the encryption process of a cryptographic algorithm is a dense sequence of data operations, so in the disassembly the core processing subroutine contains an unusually dense concentration of arithmetic, logical and shift instructions. The implementation mechanism of a cryptographic algorithm therefore determines its instruction statistics at the assembly level, and these statistics can serve as clues for judging the similarity between the target code and a cryptographic algorithm, and thereby for identifying it.
As shown in Fig. 4, S3, dynamic analysis step: perform dynamic analysis on the virus file to obtain its dynamic data information. The step of performing dynamic analysis on the virus file to obtain its dynamic data information comprises:
C1, data determination step: obtain the call data, execution data and image data of the virus file by means of an analysis virtual machine. The execution data include the virus file creating new files, modifying files, deleting files, reading files and downloading files, and screen captures; the image data include the memory image of the virus file and the complete memory image of the guest machine executing the virus file. The Cuckoo sandbox consists mainly of central management software and a number of analysis virtual machines. The central management software, also called the Host Machine, is responsible for managing the analysis of each sample, such as starting analysis tasks and generating reports; the analysis virtual machines, also called Guest Machines, mainly perform the analysis of the malicious program and report the analysis results to the central management software. Each analysis virtual machine is a relatively independent, clean execution environment that securely isolates the execution and analysis of each malicious program. The main functions of Cuckoo are: tracing and recording all calls made by the malware; capturing the malware's creation of new files and its modification, deletion, reading and downloading of files during execution; obtaining the malware's memory image; taking screen captures during malware execution; and obtaining the complete memory image of the guest machine that executes the malware.
A distributed Cuckoo deployment can speed up sample analysis. To reduce the harm a malicious sample may cause during execution, the sample analysis environment is set up in virtual machines provided with a snapshot and checking mechanism: when the system detects that a malicious sample is attempting to escape the analysis machine, it rolls the snapshot back to a clean state.
In one embodiment, the step of performing dynamic analysis on the virus file to obtain its dynamic data information comprises:
C2, virus file cryptography determination step: identify the cryptographic-algorithm dynamic link libraries loaded during execution of the virus program; determine the encryption functions called by the virus file and the parameters passed to them by hooking API functions; identify the function names and passed parameters to generate a call sequence; and thereby obtain the call flow of cryptographic algorithms in the virus file and the way in which multiple classes of cryptographic algorithm are combined.
Some virus programs do not write cryptographic algorithm source code directly but call an existing cryptographic library (such as CryptApi or OpenSSL), so a static analysis approach that looks for cryptographic algorithm features in the computer virus itself is not effective for them. This method therefore uses a dynamic-analysis technique for identifying the virus's calls into an encryption algorithm library. It identifies the cryptographic dynamic link libraries loaded during execution of the virus program; by hooking API functions it identifies the encryption functions called and the parameters passed to them; by analyzing the function names and parameters it identifies the encryption algorithm and generates a cryptographic algorithm call sequence; and finally it obtains the call flow of cryptographic algorithms in the virus and the process by which multiple classes of cryptographic algorithm are used in combination.
Common cryptographic libraries (CryptApi, OpenSSL, etc.) are widely used in software, and the encryption and decryption algorithm information of such libraries is of great research significance, because in a common library's implementation the meaning of the cryptographic algorithm and the definitions of the function parameters and return values are fixed, and the parameters and return values of a function call can be captured. Analysis of common cryptographic libraries shows two things they have in common when implementing an algorithm: (1) when a library function implements a given algorithm, the algorithm name, the plaintext and ciphertext, key and mode of a symmetric algorithm, the hash value of a hash algorithm, the output key of a key-exchange algorithm, the public and private keys of a public-key algorithm, and similar information can all be extracted from the function's parameters, return value and name; (2) the pattern of the algorithm's implementation can be summarized from the series of functions that implement it. For example, there are three ways to implement a given encryption or decryption algorithm with OpenSSL: calling the most basic functions directly; completing the operation through the algorithm's EVP wrapper; or using the BIO (Basic I/O abstraction) wrapper. In all three cases the algorithm information can be extracted from the functions that implement the algorithm. CryptApi implements algorithms somewhat differently: the library takes algorithm information and the encryption and decryption data entirely from parameters, and when it implements a symmetric cryptographic algorithm the key derivation may also use a hash algorithm.
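The call-sequence reconstruction of step C2, applied to a hooked-API log of the kind a sandbox API monitor emits. This is an added example, not the patent's code. The log records are constructed in the shape (function, args, result): for CryptApi creation calls, result stands for the handle returned through the out-parameter; for data calls, args are (handle, byte_count). The ALG_ID values are the documented wincrypt.h constants and the PUBLICKEYSTRUC layout is the documented one; the handle values, library list and the two sample logs are constructed.

```python
"""Rebuild the cryptographic call flow of step C2 from a hooked-API log.
Added example, not the patent's code.  Log records are constructed in the
shape (function, args, result): for CryptApi creation calls 'result' is the
handle returned through the out-parameter; for data calls args are
(handle, byte_count).  ALG_ID values are the documented wincrypt.h constants."""
import struct

ALG_ID = {  # wincrypt.h
    0x8003: ("MD5", "hash"), 0x8004: ("SHA-1", "hash"), 0x800C: ("SHA-256", "hash"),
    0x6801: ("RC4", "symmetric"), 0x660E: ("AES-128", "symmetric"),
    0x6610: ("AES-256", "symmetric"), 0xA400: ("RSA", "public key"),
}
CRYPTO_DLLS = {"advapi32.dll", "rsaenh.dll", "bcrypt.dll",              # CryptApi / CNG
               "libeay32.dll", "libcrypto-1_1.dll", "libcrypto-3.dll"}  # OpenSSL
OPENSSL_FUNCS = {"EVP_aes_128_cbc": ("AES-128", "symmetric"),
                 "EVP_sha256": ("SHA-256", "hash"),
                 "RSA_public_encrypt": ("RSA", "public key")}
CREATE = ("CryptCreateHash", "CryptGenKey", "CryptDeriveKey", "CryptImportKey")
DATA = ("CryptHashData", "CryptEncrypt", "CryptDecrypt", "CryptExportKey")

def rebuild_call_flow(log):
    """Bind algorithms to handles as they are created, then label every data
    call with the algorithm behind its handle.  Returns (steps, algs, libs)."""
    handles, steps, algs, libs = {}, [], {}, set()
    for fn, args, result in log:
        if fn == "LoadLibraryW" and args[0].lower() in CRYPTO_DLLS:
            libs.add(args[0].lower())
        elif fn in CREATE:
            if fn == "CryptImportKey":    # aiKeyAlg sits at offset 4 of PUBLICKEYSTRUC
                alg_id = struct.unpack_from("<I", args[1], 4)[0]
            else:
                alg_id = args[1]
            alg, cls = ALG_ID.get(alg_id, ("ALG_ID %#x" % alg_id, "unknown"))
            handles[result] = alg
            algs.setdefault(cls, set()).add(alg)
            steps.append("%s -> %s handle %#x" % (fn, alg, result))
            if fn == "CryptDeriveKey":    # args[2] is the base-data hash handle
                steps.append("  key derived from %s" % handles.get(args[2], "?"))
        elif fn in DATA:
            steps.append("%s on %s (%d bytes)" % (fn, handles.get(args[0], "?"), args[1]))
        elif fn in OPENSSL_FUNCS:
            alg, cls = OPENSSL_FUNCS[fn]
            algs.setdefault(cls, set()).add(alg)
            steps.append("%s -> %s" % (fn, alg))
    return steps, algs, libs

def scheme(algs):
    """Name the combination: symmetric + public key is the Locky/WannaCry hybrid
    pattern; symmetric only is the recoverable case the text describes for Pyran."""
    if "symmetric" in algs and "public key" in algs:
        return "hybrid (symmetric file key wrapped with public key)"
    if "symmetric" in algs:
        return "symmetric only"
    return "none"

# Constructed PUBLICKEYBLOB header: bType=PUBLICKEYBLOB(6), bVersion=2, aiKeyAlg=CALG_RSA_KEYX
RSA_PUBLICKEYBLOB = bytes([0x06, 0x02, 0, 0]) + struct.pack("<I", 0xA400) + b"RSA1" + b"\x00" * 8

WANNACRY_STYLE_LOG = [                                   # constructed
    ("LoadLibraryW", ("advapi32.dll",), 0x76F00000),
    ("CryptAcquireContextW", (0x100,), True),
    ("CryptGenKey", (0x100, 0x660E), 0x1001),            # random AES-128 file key
    ("CryptEncrypt", (0x1001, 4096), True),              # encrypt file contents
    ("CryptImportKey", (0x100, RSA_PUBLICKEYBLOB), 0x1002),  # attacker's RSA public key
    ("CryptExportKey", (0x1001, 16), True),              # export the AES key ...
    ("CryptEncrypt", (0x1002, 16), True),                # ... and wrap it under RSA
]
SYMMETRIC_ONLY_LOG = [                                   # constructed
    ("CryptCreateHash", (0x100, 0x800C), 0x2001),
    ("CryptHashData", (0x2001, 12), True),
    ("CryptDeriveKey", (0x100, 0x6610, 0x2001), 0x2002),  # AES-256 key from SHA-256
    ("CryptEncrypt", (0x2002, 1024), True),
]
```

The handle table is what turns a flat list of API names into the "call flow" the step asks for: a CryptEncrypt call says nothing by itself, but once its hKey has been bound at CryptGenKey or CryptImportKey time the same record reads as "AES-128 over file data" or "RSA over 16 key bytes". The same binding applies to OpenSSL's EVP_CIPHER_CTX and BIO handles; only the constant tables differ.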
In one embodiment, the step of performing dynamic analysis on the virus file to obtain its dynamic data information comprises:
C3, virus file address determination step: obtain the pcap file of the virus file and determine from it the encrypted communication protocol, IP addresses and port information used by the virus file. The virus's network traffic during dynamic analysis is saved to a pcap file; from the pcap file the encrypted communication protocols such as HTTPS used by the virus can be analyzed, together with the IP addresses and port information of the communication. Regardless of its host operating system type, an infected machine may communicate with the attacker over the network, and in order to evade detection it often uses encrypted communication. By analyzing the encrypted communication traffic, the IP address of the control terminal the virus connects to, or of a proxy transit node, can be obtained. For simple encrypted communication schemes an attempt can be made to recover the traffic. For high-strength encryption, even if recovering the traffic is difficult, firewall products can still block Trojans, botnets and the like promptly and effectively on the basis of the communicating IP address, reducing the risk of user information loss and other harm.
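Step C3 over a capture file: list the destination IP and port of each TCP flow, recognize a TLS ClientHello so the flow can be labelled HTTPS/TLS rather than plaintext, and extract its SNI so the control host can be blocked by name as well as by address. This is an added example, not the patent's code; it parses classic pcap with Ethernet/IPv4/TCP framing using only the standard library, and the capture it reads is constructed inline by build_sample_pcap() with RFC 5737 documentation addresses and an invented hostname.

```python
"""Step C3 over a pcap: destination IP/port per TCP flow, TLS ClientHello
detection and SNI extraction.  Added example, not the patent's code; parses
classic libpcap 2.4 files with Ethernet/IPv4/TCP framing.  The capture is
constructed inline (RFC 5737 addresses, invented hostname)."""
import socket
import struct

def tls_client_hello_sni(payload):
    """SNI host_name if payload is a TLS ClientHello ('' if none), else None."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03:
        return None                        # not a TLS handshake record
    if payload[5] != 0x01:
        return None                        # handshake, but not a ClientHello
    p = 9 + 2 + 32                         # record hdr(5) + hs hdr(4) + version + random
    p += 1 + payload[p]                    # session id
    p += 2 + struct.unpack_from(">H", payload, p)[0]      # cipher suites
    p += 1 + payload[p]                    # compression methods
    if p + 2 > len(payload):
        return ""                          # no extensions block
    end = p + 2 + struct.unpack_from(">H", payload, p)[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from(">HH", payload, p); p += 4
        if etype == 0:                     # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack_from(">H", payload, p + 3)[0]
            return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return ""

def iter_tcp_segments(pcap):
    """Yield (src_ip, dst_ip, src_port, dst_port, payload) for IPv4/TCP frames."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    bo = "<" if magic == 0xa1b2c3d4 else ">"
    off = 24                                              # global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(bo + "IIII", pcap, off); off += 16
        frame = pcap[off:off + incl]; off += incl
        if struct.unpack_from(">H", frame, 12)[0] != 0x0800:
            continue                                      # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                      # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack_from(">H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               sport, dport, tcp[doff:])

def endpoint_report(pcap):
    """{(dst_ip, dst_port): label}; TLS flows carry their SNI so the control
    host and port can be blocked at the firewall even when the payload cannot
    be recovered."""
    out = {}
    for _, dst, _, dport, data in iter_tcp_segments(pcap):
        sni = tls_client_hello_sni(data)
        if sni is not None:
            out[(dst, dport)] = "TLS sni=" + (sni or "(none)")
        elif (dst, dport) not in out:
            out[(dst, dport)] = "plaintext"
    return out

def build_client_hello(host):
    """Minimal TLS 1.2 ClientHello carrying one cipher suite and an SNI extension."""
    sni = host.encode()
    ext_body = struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni
    ext = struct.pack(">HH", 0, len(ext_body)) + ext_body
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def build_sample_pcap():
    """Constructed capture: a ClientHello to 203.0.113.10:443 and a plain HTTP
    GET to 198.51.100.7:80, from an infected guest at 10.0.0.5."""
    def frame(src, dst, sport, dport, payload):
        tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        pkt = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return (hdr
            + frame("10.0.0.5", "203.0.113.10", 49152, 443, build_client_hello("c2.example.invalid"))
            + frame("10.0.0.5", "198.51.100.7", 49153, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

A production version needs the link-type field checked (this assumes Ethernet), VLAN tags and IP options handled, and TCP reassembly for a ClientHello split across segments; pcapng captures are a different container. The SNI is only as trustworthy as the sample's own code, so the destination address and port from the IP/TCP headers remain the blocking basis the text describes, with the hostname as a second indicator.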
A computer virus detection system, whose structural schematic diagram is shown in Fig. 5, comprises the following modules:
a packing-state judgment module, for processing a virus file and determining its packing state, the packing state being one of "known packer present", "unknown packer present" or "no packer present";
a static analysis module, for performing static analysis on the virus file to obtain its static data information;
a dynamic analysis module, for performing dynamic analysis on the virus file to obtain its dynamic data information.
In one embodiment, the packing-state judgment module includes a known-packer judgment module, for obtaining the packer signature of the virus file's packer and comparing it, by means of a particular tool, with the signatures of existing known packers; if a signature consistent with the packer signature exists, the packing state is "known packer present".
In one embodiment, the packing-state determination module includes an unknown-packer determination module. If no signature consistent with the packer signature exists, the unknown-packer determination module calculates the entropy Ei and the section size Ni of each section of data in the virus file, and obtains the entropy of the entire virus PE file by the following weighted sum:
Entropy = ∑ Ei*Ni / ∑ Ni (i = 1, 2, ... n);
where T is a preset value. If Entropy > T, the state of the virus file is that an unknown packer is present; if Entropy < T, the state of the virus file is that no packer is present.
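As an added worked example of the weighted-entropy rule above (the same formula is restated in claim 3), the following Python code is written for this page and is not the patent's implementation. It walks the section table of a PE image with a minimal parser (e_lfanew, COFF header, SizeOfRawData and PointerToRawData of each section), computes the Shannon entropy Ei of each section of size Ni, evaluates Entropy = ∑ Ei*Ni / ∑ Ni, and compares the result against the threshold T. The threshold value 7.0, the two synthetic PE images, and the SHA-256 chain used to stand in for packed code are all constructed assumptions of this example; the patent leaves T as a preset value.

```python
import math
import struct
import hashlib

# Preset threshold T. The patent does not give a value; 7.0 bits/byte is an
# assumption chosen for this example.
T = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image.

    Minimal parser: e_lfanew -> COFF header -> section table, slicing
    SizeOfRawData bytes at PointerToRawData. Malformed headers raise
    ValueError instead of producing a misleading entropy value.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        if raw_ptr + raw_size > len(image):
            raise ValueError(f"section {name} extends past end of file")
        yield name, image[raw_ptr:raw_ptr + raw_size]

def weighted_entropy(sections) -> float:
    """Entropy = sum(Ei*Ni) / sum(Ni) over (name, data) pairs: the patent's formula."""
    total = sum(len(d) for _, d in sections)
    if total == 0:
        return 0.0
    return sum(shannon_entropy(d) * len(d) for _, d in sections) / total

def packing_state(image: bytes, threshold: float = T) -> str:
    """'unknown packer' if Entropy > T, otherwise 'no packer'. The known-packer
    signature comparison is assumed to have failed before this is consulted."""
    entropy = weighted_entropy(list(pe_sections(image)))
    return "unknown packer" if entropy > threshold else "no packer"

def build_test_image(sections) -> bytes:
    """Assemble a minimal PE image from (name, data) pairs. Constructed for this
    example: the headers parse correctly but the image is not loadable."""
    e_lfanew, opt_size = 0x40, 0
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    body = bytearray()
    for name, data in sections:
        ptr = header_len + len(body)
        hdr += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", len(data), 0, len(data), ptr, 0, 0, 0, 0, 0)
        body += data
    return bytes(hdr + body)

def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed samples: low-entropy "source-like" text plus a zeroed data section,
# versus two sections of near-random bytes as a packer would leave behind.
UNPACKED = build_test_image([(".text", b"int main(){ return 0; }\n" * 200), (".data", b"\0" * 2048)])
PACKED = build_test_image([(".pak0", pseudo_random(8192)), (".pak1", pseudo_random(1024, b"x"))])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, round(weighted_entropy(list(pe_sections(img))), 3), packing_state(img))
```

Weighting by Ni matters: a large zero-filled data section pulls the file-level entropy down even when the code section is fully packed, which is why the rule reads the file as a whole rather than taking the maximum section entropy.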
In one embodiment, the static analysis module includes a first static analysis module for obtaining the static signature (static feature code) of the virus file and determining, from the cryptographic algorithm indicated by the static signature, whether the static signature belongs to a hash function, a block cipher or a public-key algorithm.
In one embodiment, the static analysis module includes a second static analysis module for disassembling the virus file to obtain the static signature of the virus file.
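As an added example of the first static analysis module (example code written for this page, not the patent's tool), the following Python script scans a binary for constants that compiled cryptographic implementations carry and sorts each hit into the three categories the text names: hash function, block cipher and public-key algorithm. The signatures are the SHA-256, SHA-1 and MD5 initial state words, the first row of the AES S-box, and the DER-encoded rsaEncryption OID; all are public standard values. The sample binary is constructed inline, the little-endian word layout is an assumption (a big-endian build would need the byte-swapped patterns), and the script handles the fact that the MD5 state is a prefix of the SHA-1 state by keeping only the longest match at a given offset.

```python
import struct

# Byte patterns a compiled implementation almost always embeds, mapped to
# (algorithm, category). Categories follow the three named in the description.
# Word constants are packed little-endian (x86 layout; an assumption).
SIGNATURES = {
    # SHA-256 initial hash values H0..H3 (FIPS 180-4)
    struct.pack("<4I", 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A): ("SHA-256", "hash function"),
    # MD5 initial state A, B, C, D (RFC 1321)
    struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476): ("MD5", "hash function"),
    # SHA-1 initial state H0..H4 (FIPS 180-4); its first 16 bytes equal the MD5 state
    struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0): ("SHA-1", "hash function"),
    # First 16 bytes of the AES forward S-box (FIPS 197)
    bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"): ("AES", "block cipher"),
    # DER encoding of OID 1.2.840.113549.1.1.1, rsaEncryption (PKCS #1)
    bytes.fromhex("06092a864886f70d010101"): ("RSA", "public-key algorithm"),
}

def scan(data: bytes):
    """Return sorted [(offset, algorithm, category)] for every signature hit.
    When two patterns match at the same offset only the longer one is kept,
    so a SHA-1 implementation is not also reported as MD5."""
    hits = {}
    for pattern, (algo, cat) in SIGNATURES.items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            if pos not in hits or len(hits[pos][0]) < len(pattern):
                hits[pos] = (pattern, algo, cat)
            start = pos + 1
    return sorted((pos, algo, cat) for pos, (_, algo, cat) in hits.items())

def classify(data: bytes):
    """Map each of the three categories to the set of algorithms found."""
    result = {"hash function": set(), "block cipher": set(), "public-key algorithm": set()}
    for _, algo, cat in scan(data):
        result[cat].add(algo)
    return result

# Constructed sample "binary": filler bytes around a SHA-1 state table, an AES
# S-box fragment and an RSA OID, at offsets 64, 116 and 148 respectively.
SAMPLE = (b"\x90" * 64
          + struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
          + b"\xcc" * 32
          + bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
          + b"\x00" * 16
          + bytes.fromhex("06092a864886f70d010101")
          + b"\xff" * 8)

if __name__ == "__main__":
    for offset, algo, cat in scan(SAMPLE):
        print(f"0x{offset:04x} {algo:8s} {cat}")
    print(classify(SAMPLE))
```

A table-driven scanner like this is what the second static analysis module's disassembly output would be fed through in practice; constants that a packer has compressed or encrypted are invisible to it, which is why the description places the packing-state check before static analysis.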
In one embodiment, the dynamic analysis module includes a data determination module for obtaining the call data, execution data and image data of the virus file by means of an analysis virtual machine. The execution data include the virus file creating new files, modifying files, deleting files, reading files, downloading files and taking screenshots. The image data include the memory image of the virus file and the complete memory image of the guest machine (client computer) on which the virus file runs.
In one embodiment, the dynamic analysis module includes a virus file cipher determination module for identifying the cryptographic-algorithm dynamic link libraries loaded during execution of the virus program. It determines the encryption functions and passed parameters of the virus file by hooking API functions, identifies the function names and passed parameters to generate a calling sequence, and thereby obtains the call flow of the cryptographic algorithms in the virus file and the combination of multiple classes of cryptographic algorithms.
In one embodiment, the dynamic analysis module includes a virus file address determination module for obtaining the pcap file of the virus file and determining, from the pcap file, the encrypted communication protocol, IP address and port information used by the virus file.
In one embodiment, the encrypting ransomware WannaCry is taken as an example. After a WannaCry ransomware sample is placed into the cryptographic algorithm analysis system of the present invention and run, a series of encryption and decryption function calls and their parameters are detected; by analyzing them, the process is restored as follows:
(1) The virus file calls the CryptAcquireContextA function to obtain a handle to the key container of the specified CSP. The parameter provider_type specifies the type of cryptographic algorithm; the value 24 represents PROV_RSA_AES, i.e. it specifies that the virus uses hybrid encryption with the asymmetric algorithm RSA and the symmetric algorithm AES, as shown in Fig. 6A and Fig. 6B.
(2) The CryptGenKey function is called to generate an RSA sub-key pair (a sub public key and a sub private key), where algorithm_identifier=0x0000a400 (CALG_RSA_KEYX) represents the RSA algorithm and flags=2048 represents an RSA key length of 2048, as shown in Fig. 7A and Fig. 7B.
(3) The CryptExportKey function is called to export the RSA public key, where blob_type=6, meaning PUBLICKEYBLOB, indicates export of the public key, as shown in Fig. 8A and Fig. 8B.
(4) The NtWriteFile function is called to write the RSA public key into the file "00000000.pky", as shown in Fig. 9A and Fig. 9B.
(5) The CryptExportKey function is called to export the RSA private key, where blob_type=7, meaning PRIVATEKEYBLOB, indicates export of the private key, as shown in Fig. 10A and Fig. 10B.
(6) The "LdrGetProcedureAddress" function of the "system" class is called, and the "CryptGetKeyParam" function in the "CRYPTSP" library is called; this function can specify additional encryption parameters, as shown in Fig. 11A and Fig. 11B.
(7) The "Encrypt" function is called, which encrypts the RSA private key with the RSA master public key, as shown in Fig. 12A and Fig. 12B.
(8) The "NtWriteFile" function is called to save the result of encrypting the RSA private key in step 7 into the file "00000000.eky", as shown in Fig. 13A and Fig. 13B.
(9) The program @WannaDecryptor@.exe creates a file "00000000.res" whose content is information such as the number and size of the encrypted files; subsequently the @WannaDecryptor@.exe sample sends the content of this file back to the attacker's darknet server, as shown in Fig. 14A and Fig. 14B.
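As an added example covering both the cipher determination module (hooking API functions, recording function names and parameters, and generating a calling sequence) and the WannaCry walkthrough above, the following Python code is written for this page and is not the patent's system. It takes a hook log in a simple constructed line format, `function(name=value, ...)`, decodes the Windows CryptoAPI constants the walkthrough reports (PROV_RSA_AES = 24, CALG_RSA_KEYX = 0xa400, PUBLICKEYBLOB = 6, PRIVATEKEYBLOB = 7; the AES and hash identifiers are added from wincrypt.h), produces the calling sequence and the set of algorithm classes in use, and applies one detection rule derived from steps 5 to 8: a private key blob exported, then encrypted, then written to disk. Two assumptions differ from the figures: the hook is assumed to record the raw CryptGenKey dwFlags value, whose upper 16 bits carry the key length (so 0x08000000 decodes to the 2048 the walkthrough reports), and the "Encrypt" function of step 7 is logged under its CryptoAPI name CryptEncrypt. The log lines themselves are constructed.

```python
import re

# Windows CryptoAPI constants (wincrypt.h). The first entry of each table is the
# value reported in the WannaCry walkthrough; the rest are added for coverage.
PROVIDER_TYPES = {24: "PROV_RSA_AES", 1: "PROV_RSA_FULL"}
ALG_IDS = {
    0xA400: ("CALG_RSA_KEYX", "RSA", "public-key"),
    0x2400: ("CALG_RSA_SIGN", "RSA", "public-key"),
    0x660E: ("CALG_AES_128", "AES", "symmetric"),
    0x660F: ("CALG_AES_192", "AES", "symmetric"),
    0x6610: ("CALG_AES_256", "AES", "symmetric"),
    0x8003: ("CALG_MD5", "MD5", "hash"),
    0x8004: ("CALG_SHA1", "SHA-1", "hash"),
    0x800C: ("CALG_SHA_256", "SHA-256", "hash"),
}
BLOB_TYPES = {6: "PUBLICKEYBLOB", 7: "PRIVATEKEYBLOB", 1: "SIMPLEBLOB", 8: "PLAINTEXTKEYBLOB"}

# Constructed hook log in the assumed format function(key=value, ...), one call per line,
# mirroring steps (1)-(8) of the walkthrough. Not real tool output.
HOOK_LOG = """\
CryptAcquireContextA(provider_type=24)
CryptGenKey(alg_id=0xa400, flags=0x08000000)
CryptExportKey(blob_type=6)
NtWriteFile(path="00000000.pky")
CryptExportKey(blob_type=7)
CryptGetKeyParam(param=9)
CryptEncrypt(key=0x1a2b, final=1)
NtWriteFile(path="00000000.eky")
"""

LINE_RE = re.compile(r"^(\w+)\((.*)\)$")

def parse_hook_log(text: str):
    """Parse log lines into [(function_name, {param: value})]; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for pair in filter(None, (p.strip() for p in m.group(2).split(","))):
            key, _, value = pair.partition("=")
            value = value.strip()
            if re.fullmatch(r"0[xX][0-9a-fA-F]+", value):
                args[key.strip()] = int(value, 16)
            elif value.isdigit():
                args[key.strip()] = int(value)
            else:
                args[key.strip()] = value.strip('"')
        events.append((m.group(1), args))
    return events

def decode(events):
    """Return (calling_sequence, algorithms_by_class, key_lengths) with constants decoded."""
    sequence = []
    algorithms = {"public-key": set(), "symmetric": set(), "hash": set()}
    key_bits = set()
    for func, a in events:
        note = ""
        if func == "CryptAcquireContextA" and "provider_type" in a:
            note = PROVIDER_TYPES.get(a["provider_type"], "?")
            if note == "PROV_RSA_AES":          # provider type read as RSA + AES, as in step (1)
                algorithms["public-key"].add("RSA")
                algorithms["symmetric"].add("AES")
        elif func == "CryptGenKey" and "alg_id" in a:
            name, algo, cat = ALG_IDS.get(a["alg_id"], ("?", "?", None))
            if cat:
                algorithms[cat].add(algo)
            bits = a.get("flags", 0) >> 16       # upper 16 bits of dwFlags = key length
            if bits:
                key_bits.add(bits)
            note = f"{name} {bits}-bit" if bits else name
        elif func == "CryptExportKey" and "blob_type" in a:
            note = BLOB_TYPES.get(a["blob_type"], "?")
        elif func == "NtWriteFile":
            note = a.get("path", "")
        sequence.append(f"{func}:{note}" if note else func)
    return sequence, algorithms, key_bits

def private_key_exported_and_encrypted(sequence) -> bool:
    """Detection rule from steps (5)-(8): private key blob exported, then encrypted,
    then written to a file, the key-escrow pattern of encrypting ransomware."""
    joined = " ".join(sequence)
    return re.search(r"CryptExportKey:PRIVATEKEYBLOB.*CryptEncrypt.*NtWriteFile", joined) is not None

if __name__ == "__main__":
    seq, algs, bits = decode(parse_hook_log(HOOK_LOG))
    print("\n".join(seq))
    print(algs, bits, "escrow pattern:", private_key_exported_and_encrypted(seq))
```

The decoded sequence reads the same way as the walkthrough, so a rule written against it keys on the order of calls rather than on file names, which a sample can change freely.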
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.
Claims (10)
1. A computer virus detection method, which comprises the following steps:
processing the virus file and determining the packing state of the virus file, the packing state being one of: a known packer is present, an unknown packer is present, or no packer is present;
performing static analysis on the virus file to obtain the static data information of the virus file;
performing dynamic analysis on the virus file to obtain the dynamic data information of the virus file.
2. The method according to claim 1, wherein
the step of processing the virus file and determining the packing state of the virus file, the packing state being one of: a known packer is present, an unknown packer is present, or no packer is present, includes:
obtaining the packer signature of the virus file's packer, and comparing the packer signature with the signatures of existing known packers using a specific tool; if a signature consistent with the packer signature exists, the packing state is that a known packer is present.
3. The method according to claim 2, characterized in that
after obtaining the packer signature of the virus file's packer and comparing the packer signature with the signatures of existing known packers using a specific tool, the method further includes:
if no signature consistent with the packer signature exists, calculating the entropy Ei and the section size Ni of each section of data in the virus file;
obtaining the entropy of the entire virus PE file by the following weighted sum:
Entropy = ∑ Ei*Ni / ∑ Ni (i = 1, 2, ... n);
where T is a preset value;
if Entropy > T, the state of the virus file is that an unknown packer is present; if Entropy < T, the state of the virus file is that no packer is present.
4. The method according to claim 1, wherein
the step of performing static analysis on the virus file to obtain the static data information of the virus file includes:
obtaining the static signature of the virus file, and determining, from the cryptographic algorithm indicated by the static signature, whether the static signature belongs to a hash function, a block cipher or a public-key algorithm.
5. The method according to claim 4, characterized in that
the step of performing static analysis on the virus file to obtain the static data information of the virus file includes:
disassembling the virus file to obtain the static signature of the virus file.
6. The method according to claim 1, wherein
the step of performing dynamic analysis on the virus file to obtain the dynamic data information of the virus file includes:
obtaining the call data, execution data and image data of the virus file by means of an analysis virtual machine;
the execution data including the virus file creating new files, modifying files, deleting files, reading files, downloading files and taking screenshots;
the image data including the memory image of the virus file and the complete memory image of the guest machine (client computer) on which the virus file runs.
7. The method according to claim 1, wherein
the step of performing dynamic analysis on the virus file to obtain the dynamic data information of the virus file includes:
identifying the cryptographic-algorithm dynamic link libraries loaded during execution of the virus program;
determining the encryption functions and passed parameters of the virus file by hooking API functions, and identifying the function names and passed parameters to generate a calling sequence, thereby obtaining the call flow of the cryptographic algorithms in the virus file and the combination of multiple classes of cryptographic algorithms.
8. The method according to claim 1, wherein
the step of performing dynamic analysis on the virus file to obtain the dynamic data information of the virus file includes:
obtaining the pcap file of the virus file, and determining, from the pcap file, the encrypted communication protocol, IP address and port information used by the virus file.
9. A computer virus detection system, characterized in that it comprises the following modules:
a packing-state determination module for processing the virus file and determining the packing state of the virus file, the packing state being one of: a known packer is present, an unknown packer is present, or no packer is present;
a static analysis module for performing static analysis on the virus file to obtain the static data information of the virus file;
a dynamic analysis module for performing dynamic analysis on the virus file to obtain the dynamic data information of the virus file.
10. The system according to claim 9, characterized in that
the packing-state determination module includes a known-packer determination module, the known-packer determination module being for obtaining the packer signature of the virus file's packer and comparing the packer signature with the signatures of existing known packers using a specific tool; if a signature consistent with the packer signature exists, the packing state is that a known packer is present.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811520117.7A CN109800574A (en) | 2018-12-12 | 2018-12-12 | Computer Virus Detection Method and system based on cryptographic algorithm analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811520117.7A CN109800574A (en) | 2018-12-12 | 2018-12-12 | Computer Virus Detection Method and system based on cryptographic algorithm analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109800574A true CN109800574A (en) | 2019-05-24 |
Family
ID=66556631
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811520117.7A Pending CN109800574A (en) | 2018-12-12 | 2018-12-12 | Computer Virus Detection Method and system based on cryptographic algorithm analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109800574A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1760620A2 (en) * | 2005-08-16 | 2007-03-07 | EEye Digital Security | Methods and Systems for Detection of Forged Computer Files |
CN101162485A (en) * | 2006-10-11 | 2008-04-16 | 飞塔信息科技(北京)有限公司 | Method and system for processing computer malicious code |
CN102024112A (en) * | 2010-12-17 | 2011-04-20 | 四川大学 | PE (portable executable) file pack detection method based on static characteristics |
CN104778413A (en) * | 2015-04-15 | 2015-07-15 | 南京大学 | Software vulnerability detection method based on simulation attack |
CN106341282A (en) * | 2016-11-10 | 2017-01-18 | 广东电网有限责任公司电力科学研究院 | Malicious code behavior analyzer |
- 2018-12-12 CN CN201811520117.7A patent/CN109800574A/en active Pending
Non-Patent Citations (4)
Title |
---|
JOCHENZOU: "Cuckoo Sandbox", https://blog.csdn.net/youkawa/article/details/46563583 * |
李志勇: "Automated detection method for malicious code behavior based on sandbox technology", China Masters' Theses Full-text Database, Information Science and Technology * |
李继中: "Research on cryptographic algorithm identification technology", Technology Research * |
秦鹏: "Research on a Cuckoo-based malicious program behavior analysis and detection system", China Masters' Theses Full-text Database, Information Science and Technology * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110210225A (en) * | 2019-05-27 | 2019-09-06 | 四川大学 | A kind of intelligentized Docker container malicious file detection method and device |
CN110190968A (en) * | 2019-06-03 | 2019-08-30 | 魏靖 | Block chain big data security processing system and method |
CN112580032A (en) * | 2019-09-30 | 2021-03-30 | 奇安信安全技术(珠海)有限公司 | File shell identification method and device, storage medium and electronic device |
CN110826064A (en) * | 2019-10-25 | 2020-02-21 | 腾讯科技(深圳)有限公司 | Malicious file processing method and device, electronic device and storage medium |
CN112825059A (en) * | 2019-11-21 | 2021-05-21 | 北京天融信网络安全技术有限公司 | Security determination method and device and electronic equipment |
CN112825059B (en) * | 2019-11-21 | 2023-11-28 | 北京天融信网络安全技术有限公司 | Security determination method and device and electronic equipment |
CN112367336A (en) * | 2020-11-26 | 2021-02-12 | 杭州安恒信息技术股份有限公司 | Webshell interception detection method, device, equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190524 |