JP2016122262A - Specification device, specification method and specification program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently acquire an attack object of malware.SOLUTION: A specification device 10 uses a tag attached to communication data to detect an occurrence of alteration of the communication data, and specifies identification information of a C&C server that commands the alteration. Then, the specification device 10 specifies a program code for determining whether identification information of a transmission source or a transmission destination of the communication data is identification information of an attack object from an execution trace in which the occurrence of alteration is detected on the basis of the identification information of the C&C server and identification information of the attack object by malware 11A during the occurrence of alteration in the case that the occurrence of the alteration is detected. After that, the specification device 10 analyzes the specified program code, and acquires data to be referred in determining whether the program code is identification information of an attack object from an execution trace as a list of identification information of attack objects.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a specific device, a specific method, and a specific program.

  In recent years, fraudulent remittance damage in online banking has increased rapidly. One of the causes is the MITB attack (Man-In-The-Browser attack) by malware, and the account that was exploited after wiretapping / falsification of communication contents between the terminal user and the Web service by the MITB attack. Information is misused for fraudulent remittance. Actually, malware such as ZBot and SpyEye has a MITB attack function, and when infected with the malware, an attack such as display of an impersonation input form is performed when the attack target site is accessed.

  In such a recent MITB attack by malware such as ZBot and SpyEye, the attack target site is described in the configuration file from the C & C server (Command & Control server), and is set when changing the attack target The contents of the file are updated.

  In addition, the Web service that is the target of the attack is generally identified by malware analysis. However, manually performing analysis to identify the attack target is expensive, and taking into account the huge amount of new malware that is generated every day, follow changes in the attack target through manual analysis. It is difficult.

  For this reason, there have been proposed techniques for automatically analyzing malware that may perform a MITB attack by dynamic analysis. For example, a technique has been proposed in which malware can be analyzed without affecting the Web service to detect falsification and identify a falsification location (for example, see Non-Patent Document 1). Further, a method has been proposed in which taint analysis is applied to detect tampering of communication data, and a C & C server that specifies the contents of tampering is specified (for example, see Non-Patent Document 2).

Tetsuya Segawa, Masanori Kamisu, Yuji Hoshizawa, Katsunari Yoshioka, Tsutomu Matsumoto “A Safe Dynamic Analysis Method for Malware Performing Man-in-the-Browser Attack” IEICE Technical Report, 2013-CSEC-61, pp. 1-8, issued in May 2013 Tomonori Ikusei, Kazufumi Aoki, Atsushi Yagi, Takeo Haruo “Proposal of C & C server identification method based on confirmation of falsification data origin” Proceedings of IEICE Communication Society Conference, no.2, pp.16, 2014 9 Monthly issue

  However, although the above-described conventional technology can specify the occurrence of falsification of the site and the C & C server, there is a problem that the attack target of malware cannot be acquired efficiently. For example, in the conventional technology, in order to acquire identification information (URL, FQDN, IP address, etc.) of malware attack targets, the attacks operated by dynamic analysis are analyzed one by one to identify attack targets. Since the information is specified, it takes a processing load and a processing time, and it is not possible to efficiently acquire the identification information of the attack target including those in which no attack occurred.

  In order to solve the above-described problems and achieve the object, the specific apparatus of the present invention gives a tag including attribute information associated with identification information of a transmission source or a transmission destination of the communication data to the communication data And a tracking unit that tracks the propagation of the communication data to which the tag is attached, and a command server that detects the occurrence of the tampering of the communication data using the tag attached by the tracking unit and instructs the tampering. Occurrence of tampering based on the identification information of the command server and the identification information of the attack target by malware at the time of tampering when the occurrence of tampering is detected by the detection unit The program code for determining whether the identification information of the transmission source or the transmission destination of the communication data is the identification information of the attack target from the execution trace in which the detection is detected Analyzing the program code specified by the determination unit and the specifying unit, and referring to data to be referred to when determining whether the program code is attack target identification information as the list of attack target identification information, the execution trace And an acquisition unit for acquiring from.

  Further, the specifying method of the present invention is a specifying method executed by a specifying device, and a tag including attribute information associated with identification information of a transmission source or a transmission destination of the communication data is assigned to the communication data. And a tracking step for tracking the propagation of communication data to which the tag is attached, and a command server that detects the occurrence of tampering of the communication data using the tag attached by the tracking step and instructs the tampering. Occurrence of falsification based on the identification information of the command server and the identification information of the attack target by malware at the time of falsification when the detection process detects the occurrence of falsification. A program code for determining whether the identification information of the transmission source or the transmission destination of the communication data is the identification information of the attack target from the execution trace where A list of identification information of the attack target and a reference process for analyzing the program code specified by the specification step and determining whether the program code is the identification information of the attack target And an acquisition step of acquiring from the execution trace.

  In addition, the specific program of the present invention provides a tag including attribute information associated with identification information of a transmission source or a transmission destination of the communication data to the communication data, and propagation of the communication data to which the tag is added A tracking step for tracking the communication data, a detection step for detecting the occurrence of falsification of the communication data using the tag given by the tracking step, and identifying the identification information of the command server that commanded the falsification, and the detection When the occurrence of tampering is detected by the step, based on the identification information of the command server and the identification information of the attack target by malware at the time of tampering, the execution trace in which the occurrence of tampering is detected, and the communication data A specific step for specifying a program code for determining whether the identification information of the transmission source or transmission destination is the identification information of the attack target And analyzing the program code specified by the specifying step, and referring to the reference data when determining whether the program code is the identification information of the attack target from the execution trace as a list of the identification information of the attack target The acquisition step of acquiring is executed by a computer.

  According to the present invention, there is an effect that a malware attack target can be efficiently acquired.

FIG. 1 is a configuration diagram illustrating an outline of a specific device according to the present embodiment. FIG. 2 is a block diagram illustrating a configuration of a virtual machine monitor and a data propagation tracking unit in the specific apparatus according to the present embodiment. FIG. 3 is a diagram illustrating a configuration example of a tag according to the present embodiment. FIG. 4 is a diagram illustrating an example of information stored in the identification information DB according to the present embodiment. FIG. 5 is a diagram illustrating a process for comprehensively acquiring identification information of a legitimate site that is an attack target by causing a browser operation unit to communicate with a communication destination that is not the target of the falsification attack. FIG. 6 is a flowchart showing a flow of processing for identifying identification information of a legitimate site to be attacked by the identifying apparatus according to the present embodiment. FIG. 7 is a diagram illustrating a computer that executes a specific program.

  Hereinafter, embodiments of a specific device, a specific method, and a specific program according to the present application will be described in detail with reference to the drawings. In addition, the specific apparatus, the specific method, and the specific program which concern on this application are not limited by this embodiment.

[Embodiment]
In the following embodiments, the configuration and processing flow of the specific device according to the embodiment will be described in order, and then the effects of the embodiment will be described last.

[Specific device configuration]
First, the configuration of the specifying device 10 will be described with reference to FIG. FIG. 1 is a configuration diagram illustrating an outline of a specific device according to the present embodiment. As illustrated in FIG. 1, the identification device 10 includes a malware execution environment unit 11, an analysis result DB (Data Base) 12, and a C & C server identification information DB 13. Hereinafter, the processing of each of these units will be described.

  The malware execution environment unit 11 includes a browser 11B, a browser operation unit 11C, a guest OS (Operating System) 11D, and a virtual machine monitor 11E. The guest OS 11D is an environment for dynamically analyzing the malware 11A. Further, in the specific device 10, the malware 11A is executed on the guest OS 11D, and various processes such as the browser 11B serving as a place where the malware 11A is tampered with are operated on the guest OS 11D. The browser operation unit 11C is for performing an operation for causing the browser 11B to communicate with a predetermined communication destination. For example, an input device such as a mouse or a keyboard, or a program for automatically operating the browser and a circulation destination It consists of a URL list.

  The virtual machine monitor 11E includes a data propagation tracking unit 110, a command monitoring unit 111, a falsification detection unit 112, an identification information DB 113, a specifying unit 114, and an acquisition unit 115.

  The data propagation tracking unit 110 attaches a tag including attribute information associated with the identification information of the transmission source or the transmission destination of the communication data to the communication data, and tracks the propagation of the communication data to which the tag is attached To do. That is, in order to monitor the operation of executing the malware 11A, the data propagation tracking unit 110 tracks the propagation of data when the malware 11A is executed by setting a tag representing attribute information for the data by taint analysis. At this time, in order to uniquely identify the transmission destination or transmission source of the communication data, the tag holds attribute information or the like corresponding to the identification information. In the following description, when a transmission destination and a transmission source are collectively referred to, “communication destination” is appropriately described. The identification information is, for example, information such as a communication destination IP address, FQDN (Fully Qualified Domain Name), and URL (Uniform Resource Locator).

  Here, a configuration example of the tag will be described with reference to FIG. FIG. 3 is a diagram illustrating a configuration example of a tag according to the present embodiment. As shown in FIG. 3, the tag includes “ID (identification)” and “attribute information”. Here, the attribute information is information corresponding to identification information of a transmission source or a transmission destination of communication data. The ID is information set to have a continuous value (serial number) for each attribute information. That is, a tag can be uniquely identified by a combination of attribute information and ID. Note that a tag is assigned to certain communication data for each predetermined data length unit, for example.

  As an example, a case will be described in which a tag is attached to 10-byte received data received from a communication destination having an IP address “192.168.0.1”. In this example, a case will be described in which a tag is assigned in 1-byte units and the attribute information corresponding to the IP address “192.168.0.1” is “0x1”. In this case, since tags are attached to the received data of 10 bytes in units of 1 byte, 10 tags are assigned to the received data. Among these, the first tag includes ID “1” and attribute information “0x1”, the second tag includes ID “2” and attribute information “0x1”, and the third tag is ID “3” and attribute information “0x1” are included. The tenth tag includes ID “10” and attribute information “0x1”.

  Thus, each tag includes an ID assigned by a serial number and attribute information corresponding to the communication destination. When data is received again from the communication destination with the IP address “192.168.0.1”, for example, a plurality of tags including serial numbers starting with ID “11” are attached to the received data. Is done. When data is received from a communication destination having an IP address different from the above, such as “192.168.0.2”, the received data includes, for example, a serial number ID starting from ID “1”. Multiple tags are assigned.

  In addition, as described above, a plurality of tags according to the present embodiment are assigned to communication data in a predetermined data length unit, and each ID of the plurality of tags is assigned by a serial number. This is because the contents of tampering with communication data can be specified. For example, if assigned by serial numbers, the ID values included in each of the plurality of tags are continuous according to the order of tags. However, if the ID values included in each of the plurality of tags are not continuous according to the order of the tags, the falsification detection unit 112 detects falsification of the communication data and the neighboring data that is not continuous is falsified. Can be identified. Furthermore, for example, if the ID number is lost or another tag is mixed, the falsification detection unit 112 can specify that the communication data has been rewritten or added. Further, if there is a deviation in the ID number, the falsification detection unit 112 can specify that the data in the vicinity has been deleted.

  That is, the data propagation tracking unit 110 sets a tag for the communication data, transfers the attribute information included in the set tag and the identification information corresponding to the attribute information to the identification information DB 113, and then transmits the virtual machine. The propagation of communication data is traced on the monitor 11E. The identification information DB 113 stores attribute information and identification information transferred from the data propagation tracking unit 110 in association with each other. Information stored in the identification information DB 113 will be described later.

  The data propagation tracking unit 110 sets a tag for uniquely identifying the transmission source and what number of received data for the communication data received by the malware 11A, and uses keyboard input or API (Application Programming Interface). When identification information is designated as an argument of, a tag indicating identification information is set.

  Here, taint analysis technology is one of the methods for automating data flow analysis, and is a technology for tracking the propagation of data in the system by setting a tag for data and propagating the tag according to a propagation rule. It is. A tag is attribute information given to data, and the origin and type of data are set. The propagation rule is a condition for propagating a tag, and generally, data copy or calculation is set as a propagation condition.

  For example, when analyzing the usage of received data, a tag that can uniquely identify the acquisition source is set for the received data, and the tag is propagated according to data copy or calculation. By confirming that a tag is set for data passed as an API argument, it is possible to analyze that the received data is data used as an API argument. The taint analysis technique is generally realized by using a virtual computer technique, and the tag is held in a dedicated recording area different from the data so as to be associated with the data.

  The instruction monitoring unit 111 monitors instructions issued in the system. Specifically, the command monitoring unit 111 monitors commands such as API calls and system calls issued by the malware 11A.

  For example, the instruction monitoring unit 111 monitors and records an API call executed by the program code of the malware 11A and a command referring to data with a specific tag, and the data propagation tracking unit 110 has a tag setting and falsification detection unit. 112 is requested to confirm whether or not tampering has occurred.

  The tampering detection unit 112 detects the occurrence of tampering of communication data using the tag given by the data propagation tracking unit 110 and identifies the identification information of the C & C server that commanded the tampering. Specifically, when an API call or a system call is detected as a command by the command monitoring unit 111, tampering is detected with respect to communication data. The tampering detection unit 112 detects tampering of communication data when the communication data includes a tag including attribute information different from attribute information corresponding to the transmission source of the communication data.

  For example, the falsification detection unit 112 confirms whether the received data has been falsified at the return address after the API call that receives the data, and confirms whether the transmission data has been falsified at the virtual NIC 119A (see FIG. 2). Here, the alteration is detected on the basis that data having different origin information is mixed in the data, and the acquisition source of the mixed data is specified as the C & C server.

  Then, when the falsification is detected, the falsification detection unit 112 identifies the data corresponding to the tag including the attribute information different from the attribute information corresponding to the transmission source of the communication data as the falsification content, and the identified falsification content is identified. Transfer to analysis result DB12. The analysis result DB 12 stores analysis results including the contents of falsification transferred from the falsification detection unit 112.

  In addition, when the falsification is detected, the falsification detection unit 112 identifies a communication destination associated with a tag including attribute information different from the attribute information corresponding to the transmission source of the communication data as a C & C server. Then, the falsification detection unit 112 transfers the identified identification information to the C & C server identification information DB 13 as C & C server identification information. The C & C server identification information DB 13 stores the identification information of the C & C server transferred from the falsification detection unit 112.

  When the falsification is detected by the falsification detection unit 112, the identification unit 114 detects the falsification based on the identification information of the C & C server and the identification information of the attack target by the malware 11A when the falsification occurs. A program code for determining whether the identification information of the transmission source or the transmission destination of the communication data is the identification information of the attack target is specified from the execution trace.

  Specifically, the specifying unit 114 acquires an execution trace at the time of performing a falsification attack, and refers to both a tag indicating identification information of an attack target candidate and a tag associated with the C & C server from the execution trace. An operation instruction and a comparison instruction are extracted, and a program code including the operation instruction and the comparison instruction is specified as a program code for selecting an attack target. Here, the identification information of the attack target candidate is identification information input from the browser operation unit 11C, and is identification information such as a URL that is a candidate for the attack target by the malware 11.

  The acquiring unit 115 analyzes the program code specified by the specifying unit 114, and uses the data to be referred to when determining whether the program code is the communication target of the attack target as a list of attack target identification information from the execution trace. get.

  Specifically, the acquisition unit 115 analyzes the program code specified by the specifying unit 114, and if the tag indicating identification information and the tag associated with the C & C server are compared, The data to which the tag to be associated is attached is recorded, and the list of legitimate sites to be attacked is acquired by extracting the character string existing at the acquisition source memory address of the recorded data.

  Next, a configuration example of the virtual machine monitor 11E will be described with reference to FIG. FIG. 2 is a block diagram illustrating a configuration of a virtual machine monitor and a data propagation tracking unit in the specific apparatus according to the present embodiment. The virtual machine monitor 11E is software that provides virtual hardware to the guest OS 11D. The virtual machine monitor 11E includes a virtual NIC (Network Interface Card) 119A, a virtual disk 119B, a virtual HW controller 116, a virtual memory 117, a virtual CPU 118, and the like.

  The data propagation tracking unit 110 sets a tag for data and performs data propagation tracking to store a tag corresponding to the data on the virtual disk 119B in the disk tag storage area 110A and the virtual memory 117. A memory tag storage area 110D for storing a tag corresponding to the data of the virtual register 118B, and a register tag storage area 110F for storing a tag corresponding to the data on the virtual register 118B.

  The tag assignment unit 110B of the data propagation tracking unit 110 sets a tag that can uniquely identify the transmission source for the communication data, transfers the tag to the identification information DB 113, and stores the tag in the memory tag storage area 110D. When the tag is set to be received data, the data is copied from the virtual NIC 119A to the virtual memory 117, or immediately after the API / system call for receiving the data is called (from the function to the caller) In the case of transmission data, it is a timing at which a legitimate application such as the browser 11B issues an API call or a system call for transmitting data. The tag set in the data is propagated by the tag propagation unit 110C (tag propagation unit A) in accordance with the data propagation.

  The tag propagation unit 110C propagates tags between the disk tag storage area 110A and the memory tag storage area 110D. Further, the tag propagation unit 110E (tag propagation unit B) propagates tags between the memory tag storage area 110D and the register tag storage area 110F and between the register tag storage areas 110F.

  The instruction monitoring unit 111 also monitors API calls executed by legitimate applications such as the browser 11B. When a legitimate application calls an API related to data reception, all the arguments of the function are recorded at the time of calling, and the alteration detection unit 112 is notified at the time of return. Further, when the API is related to data transmission, the instruction monitoring unit 111 notifies the data propagation tracking unit 110 at the time of calling. The data propagation tracking unit 110 that has received the notification sets a tag that can uniquely specify the data transmission destination for the transmission data in the tag assignment unit 110B. Note that APIs related to data reception and data transmission are set before analysis by a malware analyst or the like.

  After receiving the notification from the instruction monitoring unit 111, the falsification detection unit 112 confirms the tag corresponding to the received data, thereby detecting falsification of the received data, specifying the falsification content, and specifying the C & C server specifying the falsification content. Do. Further, the falsification detection unit 112 confirms the tag corresponding to the transmission data at the time of data transmission in the virtual NIC 119A, thereby detecting falsification of the transmission data, specifying the falsification content, and specifying the C & C server specifying the falsification content. When communication data is passed as received data / transmitted data to an API that performs encryption / decryption processing at the time of data propagation, a process for forcibly propagating a tag to the return value of the API is also performed. May be. At that time, the ID may be reassigned.

  Here, information stored in the identification information DB 113 will be described with reference to FIG. FIG. 4 is a diagram illustrating an example of information stored in the identification information DB 113 according to the present embodiment. As illustrated in FIG. 4, the identification information DB 113 stores attribute information included in a tag, transmission / reception information, and identification information in association with each other. This transmission / reception information is information indicating whether the communication with the communication destination is reception or transmission. For example, “R” indicates reception and “S” indicates transmission. FIG. 4 illustrates a case where an IP address is stored as identification information.

  In the example illustrated in FIG. 4, the identification information DB 113 stores attribute information “0x1”, transmission / reception information “R”, and identification information “192.168.0.1” in association with each other. This indicates that the attribute information given to the received data from the IP address “192.168.0.1” is “0x1”. Also, the identification information DB 113 stores attribute information “0xA”, transmission / reception information “R”, and identification information “192.168.1.10” in association with each other. This indicates that the attribute information given to the received data to the IP address “192.168.1.10” is “0xA”.

  4, the identification information DB 113 stores attribute information “0x3”, transmission / reception information “S”, and identification information “192.168.0.1” in association with each other. . This means that even if the IP address is the same as the IP address “192.168.0.1” on the first line, the transmission / reception information is different from “R (reception)” on the first line, “S (transmission)”. Indicates that different attribute information “0x3” is assigned. That is, in the identification information DB 113, attribute information is uniquely set for a combination of transmission / reception information and identification information. The identification information DB 113 does not necessarily store transmission / reception information. In this case, the attribute information is stored for each communication destination without being limited to the transmission / reception direction. The attribute information has a fixed length at the time of analysis, but the length may be changed for each analysis.

  Note that, as described above, the identification information DB 113 stores attribute information and identification information in association with each other because it is possible to detect tampering of communication data. For example, the falsification detection unit 112 refers to the identification information DB 113 and acquires attribute information corresponding to a transmission destination or a transmission source of communication data to be processed. Then, the falsification detection unit 112 refers to the attribute information included in the communication data and collates with the acquired attribute information. Here, if not tampered, all attribute information included in the communication data should match the attribute information acquired from the identification information DB 113. On the other hand, if they do not match, the tampering detection unit 112 can detect tampering. Furthermore, if a communication destination different from the original communication destination is linked, the falsification detection unit 112 can specify the communication destination as a C & C server.

  Then, the specifying unit 114 starts processing for specifying the program code for selecting the attack target due to the C & C server specification in the tampering detection unit 112. The specifying unit 114 notifies the instruction monitoring unit 111 to acquire an execution trace of the program code of the malware 11A after specifying the C & C server. In the execution trace, an execution address, a register used, a memory area in which reading and writing are performed, data held by the memory, and a set tag are recorded. Further, when acquiring an execution trace, a tag is set for the identification information when an API for designating a communication destination is called.

  For example, when an InternetConnect function is called in Internet Explorer on a Windows (registered trademark) OS, a tag indicating identification information is set for an FQDN or an IP address. The tag may be a flag value, or a unique value may be set in order to ascertain which identification information is specified as an argument of which function.

  In a state where the execution trace is valid, the browser operation unit 11C is made to access a site where the occurrence of the falsification attack is confirmed, and the execution trace when the falsification attack is performed is acquired. The reason why the execution trace is not validated before tampering detection is to reduce the analysis load. After acquiring the execution trace at the time of performing the tampering attack, the specifying unit 114 compares the operation instruction or comparison that refers to both the tag representing the identification information of the attack target candidate and the tag associated with the C & C server from the execution trace. The command is extracted and specified as a program code for selecting an attack target. For example, if a tag with a value of 0x1 is set in the identification information and a tag with a value of 0x2 is set for the data received from the C & C server, the comparison command “cmp eax, ebx” uses eax or ebx. It is identified that the tag is a program code for selecting an attack target by confirming that a tag having a value of 0x1 is set in the tag and a tag having a value of 0x2 is set in the other tag.

  After that, the acquisition unit 115 acquires an execution trace of processing for determining whether or not it is a falsification attack target by causing the browser operation unit 11C to access a site where the occurrence of the falsification attack is not confirmed. From the execution trace, obtain the data with the tag linked to the C & C server referenced by the program code for selecting the attack target, and follow the execution trace in the reverse order of execution. The memory area of the acquisition source is specified, and the character string information of the memory area is extracted. Here, the character string information is a data string composed of a predetermined number or more of ASCII codes. This obtains a list of legitimate sites that are attack targets.

  As described above, when performing the process of acquiring a list of authorized sites, first, the browser operation unit 11C is made to access a site where the occurrence of a falsification attack has not been confirmed. This is for comprehensively acquiring site identification information.

  Here, with reference to FIG. 5, a process for comprehensively acquiring identification information of a legitimate site that is an attack target by causing the browser operation unit 11 </ b> C to communicate with a communication destination that is not a falsification attack target will be described. FIG. 5 is a diagram illustrating a process for comprehensively acquiring identification information of a legitimate site that is an attack target by causing a browser operation unit to communicate with a communication destination that is not the target of the falsification attack. In the example of FIG. 5, a case where the URL “http://zzzbank.co.jp/” is input via the browser operation unit 11C as identification information that is not a falsification attack target will be described as an example. The identification information that is not the target of the tampering attack may be set in advance and automatically input, or may be input manually.

  As illustrated in FIG. 5, in the program code for determining whether the identification information of the transmission source or the transmission destination of communication data is the identification information of the attack target, first, the URL “http: //zzzbank.co.jp/ ”is compared with the URL“ http://AAAbank.com/* ”which is the identification information of the attack target. As a result, if they do not match, as shown in FIG. 5, the collation result is “×”, and the URL “http://zzzbank.co.jp/”, which is identification information that is not the target of the next tampering attack. The URL “http: //BBBbank.*/login.html”, which is the identification information of the attack target, is matched or compared, and if not matched, the matching result is “x”. The “*” in the above URL represents an arbitrary character string.

  Similar comparison processing is also performed on URLs “http://CCCbank.com/*” and “http://DDDbank.com/*” which are identification information of the attack target. In other words, as a result of the above comparison, if they match, the comparison process ends, but by communicating with a communication destination that is not the target of the tampering attack, A comparison process is performed on the identification information. In this way, by comparing with the communication destination that is not the target of the tampering attack, comparison processing is performed on the identification information of the authorized sites that are all attack targets, so by analyzing the program code, the identification information of the authorized sites Can be acquired comprehensively.

[Example of specific device processing]
Next, the flow of processing in the specifying device 10 will be described with reference to FIG. FIG. 6 is a flowchart showing a flow of processing for identifying identification information of a legitimate site to be attacked by the identifying apparatus according to the present embodiment. The following process is a process that is started after the falsification is detected by the falsification detection unit 112 and the identification information of the C & C server is specified.

  As illustrated in FIG. 6, the identification unit 114 of the identification device 10 acquires the C & C server, the tag, and the communication destination at the time of occurrence of alteration from the alteration detection unit 112 (step S <b> 101). Here, if the identification unit 114 cannot acquire the C & C server and the tag (No at Step S102), the process ends.

  If the identification unit 114 can acquire the tag with the C & C server (Yes at Step S102), the instruction monitoring unit 111 enables the execution trace acquisition (Step S103), and the browser operation unit 11C communicates when tampering occurs. First, communication is performed (step S104). That is, in a state where the execution trace is valid, the browser operation unit 11C is made to access the site where the occurrence of the falsification attack is confirmed, and the execution trace at the time of the falsification attack is acquired. The reason why the execution trace is not validated before tampering detection is to reduce the analysis load.

  Then, after acquiring the execution trace when the falsification attack is performed, the specifying unit 114 specifies the program code that refers to the tag of the C & C server and the tag of the identification information from the execution trace (step S105). Specifically, the specifying unit 114 extracts an operation instruction or a comparison instruction that refers to both a tag representing identification information of an attack target candidate and a tag associated with the C & C server from the execution trace, and the attack target It is specified as a program code for selection. Note that if the condition does not exist in step S105 (No in step S106), the process ends here.

  The processing specified as the program code will be described using a specific example. A tag with a value of 0x1 is set in the identification information, and a tag with a value of 0x2 is set for the received data from the C & C server. In this case, the identification unit 114 confirms that a tag with a value of 0x1 is set in eax or ebx in the comparison instruction “cmp eax, ebx” and a tag with a value of 0x2 is set on the other side. Specify the program code to select the attack target.

  If there is a program code that meets the conditions in step S105 (Yes in step S106), the browser operation unit 11C is made to communicate with a communication destination that is not the target of the tampering attack (step S107). In this way, the browser operation unit 11C communicates with a communication destination that is not subject to a falsification attack, for example, by accessing a site where the occurrence of a falsification attack has not been confirmed, for example, execution trace of processing for determining whether or not a falsification attack has occurred. To get.

  And the acquisition part 115 memorize | stores the data by which the tag linked | related with a C & C server was set among the data referred with the said program code (step S108). Then, the acquisition unit 115 traces back the execution trace and specifies the acquisition source address (step S109). Then, the acquisition unit 115 acquires a character string from the acquisition source address as attack target identification information (step S110).

  That is, for example, the acquisition unit 115 acquires data with a tag associated with the C & C server referred to by the program code for selecting an attack target from the execution trace, and executes the execution trace in the reverse order of execution. By tracing and confirming the data transfer relationship one by one, the memory area from which the recorded data is obtained is specified, and the character string information of the memory area (eg, normalized URL or IP address) To extract. As a result, a list of identification information of the legitimate sites that are attack targets is acquired. Note that only the information that satisfies a predetermined condition may be extracted from the acquired identification information. For example, when only the identification information related to the financial service is to be extracted, a condition for extracting the identification information related to the financial service is set in advance, and only the identification information related to the financial service is extracted from the acquired identification information. It may be.

[Effect of the embodiment]
As described above, the identification device 10 assigns a tag including attribute information associated with identification information of a transmission source or a transmission destination of the communication data to the communication data, and propagates the communication data to which the tag is attached. To track. Then, the specifying device 10 detects the occurrence of tampering of communication data using the assigned tag, and specifies the identification information of the C & C server that commanded the tampering. Subsequently, when the occurrence of falsification is detected, the specific device 10 executes the execution trace in which the occurrence of falsification is detected based on the identification information of the C & C server and the identification information of the attack target by the malware 11A when the falsification occurs. The program code for determining whether the identification information of the transmission source or the transmission destination of the communication data is the identification information of the attack target is specified. After that, the specifying device 10 analyzes the specified program code, and acquires data to be referred to when determining whether the program code is attack target identification information from the execution trace as a list of attack target identification information. . For this reason, it is possible to efficiently acquire malware attack targets.

  In addition, the identification device 10 detects not only a tampering attack performed by the malware 11A on the communication data, but also identifies a C & C server that specifies the contents of the tampering, and identifies a legitimate site that is the target of the tampering attack. Useful. Further, in the specific device 10, the identified identification information of the legitimate site to be attacked is suitable for input generation to the browser operation unit 11 </ b> C of the specific device 10, alerting, and the like. It is also possible to specify the contents of tampering that is performed when accessing each legitimate site targeted for attack.

[Other Embodiments]
In addition, although said embodiment demonstrated the case applied to the analysis in a malware execution environment, it is not limited to this. For example, each part concerning this embodiment may be introduced into a user terminal. In addition, when using this embodiment, for the purpose of determining whether or not the malware has a falsification function or notifying that a falsification attack has occurred, the C & C server identification process is not performed, and a falsification attack is detected. Only processing may be performed. When the C & C server identification process is performed, communication may be blocked on the VMM (Virtual Machine Monitor) side based on the contents of the C & C server identification information DB 13, or an external IPS (Intrusion Prevention System) A communication blocking measure may be taken in cooperation with a device or the like. The C & C server is also referred to as a “command server”.

[System configuration, etc.]
Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic. For example, the specifying unit 114 and the acquisition unit 115 may be integrated.

  In addition, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
In addition, a program described in a language that can be executed by a computer can be created for the processing executed by the specific apparatus 10 described in the above embodiment. For example, it is possible to create a specific program described in a language that can be executed by a computer for the processing executed by the specific device 10 according to the embodiment. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the specific program. Furthermore, such a specific program may be recorded on a computer-readable recording medium, and the processing similar to the above-described embodiment may be realized by recording the specific program on the recording medium and causing the computer to read and execute the specific program. An example of a computer that executes a specific program that implements the same function as that of the specific device 10 illustrated in FIG. 1 will be described below.

  FIG. 7 is a diagram illustrating a computer 1000 that executes a specific program. As illustrated in FIG. 7, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090 as illustrated in FIG. The disk drive interface 1040 is connected to the disk drive 1041 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120 as illustrated in FIG. The video adapter 1060 is connected to a display 1130, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 7, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the specific program is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described.

  In addition, various data described in the above embodiment is stored as program data in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary, and executes them.

  Note that the program module 1093 and the program data 1094 related to the specific program are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive or the like. Good. Alternatively, the program module 1093 and the program data 1094 related to the specific program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and are transmitted via the network interface 1070. May be read by the CPU 1020.

DESCRIPTION OF SYMBOLS 10 Specific apparatus 11 Malware execution environment part 11A Malware 11B Browser 11C Browser operation part 11D Guest OS
11E Virtual machine monitor 110 Data propagation tracking unit 110A Disk tag storage area 110B Tag assignment unit 110C Tag propagation unit A
110D memory tag storage area 110E tag propagation part B
110F register tag storage area 111 instruction monitoring unit 112 falsification detection unit 113 identification information DB
114 Identification Unit 115 Acquisition Unit 116 Virtual HW Controller 117 Virtual Memory 118 Virtual CPU
118B Virtual register 119A Virtual NIC
119B Virtual disk 12 Analysis result DB
13 C & C server identification information DB

Claims (7)

A tag that includes attribute information associated with identification information of the source or destination of the communication data is attached to the communication data, and a tracking unit that tracks the propagation of the communication data to which the tag is attached,
A detection unit that detects the occurrence of falsification of the communication data using the tag given by the tracking unit, and identifies the identification information of the command server that commanded the falsification,
When the detection of the alteration is detected by the detection unit, based on the identification information of the command server and the identification information of the attack target by the malware at the time of the alteration, the communication is performed from the execution trace in which the occurrence of the alteration is detected. A specifying unit for specifying a program code for determining whether the identification information of the data transmission source or the transmission destination is the identification information of the attack target;
Obtaining from the execution trace, as a list of identification information of the attack target, data to be referred to when analyzing the program code specified by the specifying unit and determining whether the program code is the identification information of the attack target And a specific device. A command monitoring unit for monitoring commands issued in the system;
The detection unit detects the occurrence of the alteration of the communication data when an API (Application Programming Interface) call or a system call is detected as the command by the command monitoring unit. Item 2. The specific device according to Item 1.   The detection unit detects the occurrence of falsification of the communication data when the communication data includes a tag including attribute information different from attribute information corresponding to a transmission source of the communication data, and the different attribute The identification device according to claim 1 or 2, wherein identification information of a transmission source associated with a tag including information is identified as identification information of a command server that commanded the falsification.   The specifying unit extracts an instruction that refers to both a tag that represents identification information of an attack target candidate and a tag associated with a command server from the execution trace, and the program code including the command is extracted from the attack code. The identification device according to any one of claims 1 to 3, wherein the identification code is identified as a program code for determining whether the target identification information is included.   The acquisition unit performs communication with a communication destination that is not the attack target, analyzes the program code, and compares a tag representing the attack target identification information with a tag associated with the command server. In this case, a list of identification information of the attack target is acquired by extracting a character string in communication data to which a tag associated with the command server is attached. The specific device according to one. A specific method performed by a specific device,
For the communication data, a tag including attribute information associated with identification information of a transmission source or a transmission destination of the communication data is provided, and a tracking process for tracking the propagation of the communication data to which the tag is assigned,
Using the tag attached by the tracking step, detecting the occurrence of tampering with the communication data, and detecting the identification information of the command server that commanded the tampering;
From the execution trace in which the occurrence of falsification is detected based on the identification information of the command server and the identification information of the attack target by malware at the time of the falsification when the occurrence of falsification is detected by the detection step, the communication A specific step of identifying a program code for determining whether the identification information of a data transmission source or transmission destination is identification information of an attack target;
Obtaining from the execution trace, as a list of identification information of the attack target, data to be referred to when analyzing the program code specified by the specifying step and determining whether the program code is the identification information of the attack target A specifying method characterized by including a process. A tracking step of giving a tag including attribute information associated with identification information of a transmission source or a transmission destination of the communication data to the communication data, and tracking the propagation of the communication data to which the tag is attached,
A detection step for detecting the occurrence of tampering of the communication data using the tag given by the tracking step and identifying the identification information of the command server that commanded the tampering;
When the occurrence of tampering is detected by the detection step, the communication is detected from the execution trace in which the occurrence of tampering is detected based on the identification information of the command server and the identification information of the attack target by malware at the time of tampering. A specific step of identifying a program code for determining whether the identification information of the data transmission source or transmission destination is the identification information of the attack target;
Obtaining from the execution trace, as a list of identification information of the attack target, data to be referred to when analyzing the program code specified by the specifying step and determining whether the program code is the identification information of the attack target A specific program that causes a computer to execute steps.

Images