JP2018010499A - Program, information processing device, and information processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a program, an information processing device, and an information processing method capable of efficiently blocking an attack from malware.SOLUTION: A prescribed process is determined to be malware when a file writing function called from a prescribed process satisfies a first condition that a file reading function has already been called from the prescribed process and a second condition that the file writing function rewrites the header of a file of a file path for the file path being the same as a file path to which data is written.SELECTED DRAWING: Figure 26

Description

  The present invention relates to a program, an information processing apparatus, and an information processing method.

  In recent years, a type of malware called ransomware has become popular worldwide.

  Ransomware, like other common malware, infects devices via the Internet and email.

  Once the ransomware is infected, it encrypts (locks) some or all of the files on the device, makes it impossible to use the file or the device, and asks to pay a ransom. . It is a threatening malware that demands money in return for restoring encrypted files.

  In the case of ransomware, file encryption starts immediately after infection. For this reason, when the ransomware is an unknown sample for a security product, it is difficult to prevent file encryption because normal detection such as detection by a pattern file is not in time. Even if you notice ransomware infection at an early stage and immediately take measures such as turning off the power of the terminal, it is inevitable that some files will be encrypted by ransomware, and it is very difficult to completely prevent damage It is difficult to.

  As a method for detecting ransomware, operation of input interfaces such as a keyboard and a mouse is performed by utilizing a characteristic operation such as suddenly displaying a window regardless of a user's operation or an input state. A method for detecting a ransomware by monitoring a state and a change state of a display device is known (see Patent Document 1).

US Patent Application Publication No. 2014/0181971

  In the conventional method, it has been difficult to effectively prevent attacks such as file encryption by malware such as ransomware.

  An object of the present invention is to provide a program, an information processing apparatus, and an information processing method that can effectively prevent an attack by malware.

  In the program according to one aspect of the present invention, the file read function is already called from the predetermined process with respect to the same file path as the file write function to which the file write function called from the predetermined process writes data. Function as a determination unit that determines that the predetermined process is ransomware when the file write function satisfies the second condition that the file write function rewrites the header of the file in the file path. It is characterized by making it.

  In the above-described program, when the determination unit satisfies the third condition that the file of the file path is a text file having no header in addition to the first condition and the second condition. May present a user with a processing option as to whether or not to process the predetermined process as ransomware.

  In the above-described program, the determination unit includes, in addition to the first condition and the second condition, a path included in the file path from the predetermined process before the file write function is called. The predetermined process may be determined as ransomware when the fourth condition that a file search function for searching for another file in the same path is called is satisfied.

  In the above-described program, the determination unit is the same as the path included in the file path after calling the file write function from the predetermined process in addition to the first condition and the second condition. When the fifth condition is satisfied that the file movement function is called with the path of the file as the movement source path and the same path as the path included in the file path being called, The process may be determined as ransomware.

  In the program according to one aspect of the present invention, the file read function is already called from the predetermined process with respect to the same file path as the file path deleted by the file deletion function called from the predetermined process. The first condition and the second condition that the first file movement function having the same file path as the file path to be deleted by the file deletion function called from the predetermined process has already been called And a third condition that the file write function is already called from the predetermined process for the same file path as the source file path of the second file move function called from the predetermined process. And a file header of the file path of the movement source of the first file movement function, When the fourth condition that a file header of the file path to be deleted is different from the file path to be deleted by the file deletion function is made to function as a determination unit that determines the predetermined process as ransomware. And

  In the program according to one aspect of the present invention, the file read function is already called from the predetermined process with respect to the same file path as the destination file path of the file move function called from the predetermined process. A second condition that a file write function has already been called from the predetermined process for a file path that is the same as the file path that is the source of the file move function, and the file The predetermined process when the third condition that the header of the file path of the file path of the movement function is different from the header of the file path of the file path of the movement destination of the file movement function is satisfied. It is made to function as a judgment part which judges that is ransomware.

  In the program according to one aspect of the present invention, the file read function is already called from the predetermined process to the computer for the same file path as the file write function to which the file write function called from the predetermined process writes data. When the file write function satisfies the second condition that the file write function rewrites the header of the file in the file path, a procedure for determining the predetermined process as ransomware is executed. It is characterized by that.

  In the program according to one aspect of the present invention, the file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process. The first condition and the second condition that the first file movement function having the same file path as the file path to be deleted by the file deletion function called from the predetermined process has already been called And a third condition that the file write function is already called from the predetermined process for the same file path as the source file path of the second file move function called from the predetermined process. And a file header of the file path of the movement source of the first file movement function, When the fourth condition that a file header of the file path to be deleted is different from the file header to be deleted by the file deletion function, a procedure for determining the predetermined process as ransomware is executed. To do.

  In the program according to one aspect of the present invention, the file read function is already called from the predetermined process for the same file path as the destination file path of the file move function called from the predetermined process. A second condition that a file write function has already been called from the predetermined process for a file path that is the same as the file path that is the source of the file move function, and the file The predetermined process when the third condition that the header of the file path of the file path of the movement function is different from the header of the file path of the file path of the movement destination of the file movement function is satisfied. Is executed as a ransomware.

  In the information processing apparatus according to one aspect of the present invention, the file read function is already called from the predetermined process with respect to the same file path as the file write function called from the predetermined process. And a determination unit that determines that the predetermined process is ransomware when the file write function satisfies a second condition of rewriting a header of a file in the file path. It is characterized by.

  In the information processing apparatus according to one aspect of the present invention, the file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process. And a second condition that a first file movement function having the same file path as the file path to be deleted by the file deletion function called from the predetermined process has already been called. A third condition that a file write function has already been called from the predetermined process for the same file path as the source file path of the second file move function called from the predetermined process; , A file header of the source file path of the first file transfer function, and the file deletion When satisfying the fourth condition that the header of the file of the file path number is deleted is different, characterized by having a determining section for determining the predetermined process and ransomware.

  In the information processing apparatus according to one aspect of the present invention, the file read function is already called from the predetermined process for the same file path as the destination file path of the file move function called from the predetermined process. A first condition; a second condition that a file write function has already been called from the predetermined process with respect to a file path that is the same as a source file path of the file move function; and the file move When the third condition that the header of the file path of the file path to which the function is moved differs from the header of the file path of the file path to which the file movement function is moved is satisfied, the predetermined process is performed. It has a judgment part which judges as ransomware.

  In the information processing method according to one aspect of the present invention, the file read function is already called from the predetermined process with respect to the same file path as the file path in which the file write function called from the predetermined process writes data. The predetermined process is determined to be ransomware when the file write function satisfies the second condition of rewriting the header of the file in the file path. .

  According to an information processing method of one aspect of the present invention, a file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process. And a second condition that a first file movement function having the same file path as the file path to be deleted by the file deletion function called from the predetermined process has already been called. A third condition that a file write function has already been called from the predetermined process for the same file path as the source file path of the second file move function called from the predetermined process; , A file header of the source file path of the first file transfer function, and the file deletion When satisfying the fourth condition that the header of the file of the file path number is deleted is different, and wherein the determining the predetermined process and ransomware.

  In the information processing method according to an aspect of the present invention, the file read function is already called from the predetermined process for the same file path as the destination file path of the file move function called from the predetermined process. A first condition; a second condition that a file write function has already been called from the predetermined process with respect to a file path that is the same as a source file path of the file move function; and the file move When the third condition that the header of the file path of the file path to which the function is moved differs from the header of the file path of the file path to which the file movement function is moved is satisfied, the predetermined process is performed. It is characterized by being determined as ransomware.

  As described above, according to the present invention, the file read function is already called from the predetermined process with respect to the same file path as the file path in which the file write function called from the predetermined process writes data. Since the predetermined process is judged as ransomware when the condition 1 and the second condition that the file write function rewrites the header of the file in the file path are satisfied, the attack by the malware is effective. Can be prevented.

It is a block diagram which shows a general information processing apparatus. It is explanatory drawing (the 1) which shows operation | movement of a computer program in relation to the hardware of a computer. It is explanatory drawing (the 2) which shows operation | movement of a computer program in relation to the hardware of a computer. It is explanatory drawing (the 1) of file encryption by ransomware CryptoLocker. It is explanatory drawing (the 2) of file encryption by ransomware CryptoLocker. It is explanatory drawing (the 3) of file encryption by ransomware CryptoLocker. It is explanatory drawing (the 4) of file encryption by ransomware CryptoLocker. It is explanatory drawing (the 1) of file encryption by ransomware CryptoWall. It is explanatory drawing (the 2) of file encryption by ransomware CryptoWall. It is explanatory drawing (the 3) of file encryption by ransomware CryptoWall. It is explanatory drawing (the 4) of file encryption by ransomware CryptoWall. It is explanatory drawing (the 5) of file encryption by ransomware CryptoWall. It is explanatory drawing (the 6) of file encryption by ransomware CryptoWall. It is explanatory drawing of file encryption by ransomware CERBER. It is explanatory drawing (the 1) of file encryption by ransomware TeslaCrypt. It is explanatory drawing (the 2) of file encryption by ransomware TeslaCrypt. It is explanatory drawing (the 1) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 2) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 3) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 4) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 5) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 6) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 7) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 8) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 9) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 10) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 11) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 12) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 13) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 14) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 15) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 16) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 17) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 18) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 19) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 20) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 21) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 22) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 23) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 24) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 25) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 26) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 27) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 1) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 2) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 3) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 4) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 5) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 6) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 7) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 8) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention.

[Information processing device]
A general information processing apparatus to which the present invention is applied and its operation will be described with reference to FIGS.

  FIG. 1 is a block diagram showing a general information processing apparatus.

  The information processing apparatus 10 in a standard stand-alone environment includes a computer (PC) 20 and an external peripheral device 30.

  The computer (PC) 20 includes a CPU 21 for executing instructions, a hard disk 22 for storing data and programs, a memory 23 for the CPU 21 to read data and programs, and input / output such as a mouse and a keyboard for receiving user operations. The apparatus 24 is configured by a display 25 and the like for displaying operation contents, processing results, and the like.

  The external peripheral device 30 includes a printer 31 for printing processing results and the like, an external storage device 32 such as a USB memory, and the like.

  Next, with reference to FIG. 2 and FIG. 3, a series of operations in the case where a computer program, that is, a processing procedure to be performed by a computer written according to a predetermined format (program language) is executed in the computer 20 will be described. Description will be made in relation to hardware such as the CPU 21, the hard disk 22, and the memory 23.

  Before the computer 20 is started, OS data including programs and data of operation software (OS), programs to be executed by the computer 20, user data such as documents and drawings, and the like are stored in the hard disk 22 as files ( FIG. 2 (a)). In the memory 23, no program or data is developed.

  When the computer 20 is activated and the CPU 21 executes an instruction to load the OS data stored in the hard disk 22 into the memory 23, the OS data is expanded as a process on the memory 23 (FIG. 2B).

  Next, the CPU 21 executes a process of OS data on the memory 23, accesses a program stored in the hard disk 22, and reads the program (FIG. 2C). The program stored in the hard disk 22 is loaded into the memory 23 and expanded as a process on the memory 23 (FIG. 3A).

  Next, the CPU 21 executes a program process on the memory 23 to access user data stored in the hard disk 22 and read / write data from / to the hard disk 22 (FIG. 3B).

  In this way, operations among the CPU 21, the hard disk 22, and the memory 23 are performed by operation software and programs.

  In this specification, “process” means “a program developed on the memory 23”, and “program” means “a program (file) stored in a hard disk or the like”. For ease of understanding, “a program developed on the memory 23”, which is a “process”, may be simply referred to as “program”.

  Further, in this specification, “W” and “Ex” given at the end of the character string of the Windows API function have the same meaning as those not given. For example, “FindFirstFileW” is synonymous with “FindFirstFile”, and “MoveFileEx” is synonymous with “MoveFile”.

[Principle of the Invention]
The principle of the present invention will be described with reference to FIGS.

(Ransomware analysis)
The inventors of the present application first analyzed the behavior related to file operations when performing file encryption on a plurality of main types of ransomware for which damage has been reported both in Japan and overseas. Specifically, we analyzed the behavior of four types of ransomware, CryptoLocker, CryptWall, CERBER, and TeslaCrypt.
(A) Analysis of Ransomware CryptoLocker The operation of ransomware CryptoLocker was analyzed using an analysis tool called API Monitor. The API monitor is a program that can monitor arguments and return values of a Windows API (Application Programming Interface) call called from an application without changing the application. Windows is a registered trademark.

  FIG. 4 shows an API log called when encrypting a file of the ransomware CryptoLocker. This is a log when files in the folder "C: \ Python27 \ Lib \ compiler" are sequentially encrypted by the ransomware CryptoLocker.

  FindNextFile on the first line is a Windows API function that searches for the next file.

  CreateFileW on the second line is a Windows API function that opens the file with the argument "C: \ Python27 \ Lib \ compiler \ consts.py".

  ReadFile on line 3-4 is a Windows API function that reads the file “C: \ Python27 \ Lib \ compiler \ consts.py” opened by CreateFileW.

  WriteFile on line 5-7 is a Windows API function that writes data to the file “C: \ Python27 \ Lib \ compiler \ consts.py” opened by CreateFileW.

  The log on the 1-7th line indicates the following.

  FindNextFile is searched with FindNextFile on the first line, and the file with the argument "C: \ Python27 \ Lib \ compiler \ consts.py" is opened with CreateFileW on the second line. ReadFile and 5-7 on lines 3-4 The file "C: \ Python27 \ Lib \ compiler \ consts.py" is encrypted by WriteFile on the line.

  FindNextFile on the 8th line is a Windows API function that searches for the next file.

  The CreateFileW on the 9th line is a Windows API function that opens the file with the argument “C: \ Python27 \ Lib \ compiler \ future.py”.

  ReadFile on line 10-11 is a Windows API function that reads the file “C: \ Python27 \ Lib \ compiler \ future.py” opened by CreateFileW.

  WriteFile on the 12th to 15th lines is a Windows API function for writing data to the file “C: \ Python27 \ Lib \ compiler \ future.py” opened by CreateFileW.

  The logs on the 8th to 15th lines indicate the following.

  Search for the next file using FindNextFile on the 8th line, and open the file with the argument "C: \ Python27 \ Lib \ compiler \ future.py" using CreateFileW on the 9th line. ReadFile and 12-15 on the 10-11th line WriteFile on the line encrypts the file "C: \ Python27 \ Lib \ compiler \ future.py".

  FindNextFile on the 16th line is a Windows API function that searches for the next file.

  CreateFileW on the 17th line is a Windows API function that opens a file with an argument “C: \ Python27 \ Lib \ compiler \ misc.py”.

  ReadFile on the 18th to 19th lines is a Windows API function that reads the file “C: \ Python27 \ Lib \ compiler \ misic.py” opened by CreateFileW.

  WriteFile on lines 20-22 is a Windows API function that writes data to the file “C: \ Python27 \ Lib \ compiler \ misic.py” opened by CreateFileW.

  The log on lines 16-22 indicates the following.

  The next file is searched by FindNextFile on the 16th line, the file of the argument “C: \ Python27 \ Lib \ compiler \ misic.py” is opened by CreateFileW on the 17th line, ReadFile and 20-22 on the 18th to 19th lines WriteFile on the line encrypts the file "C: \ Python27 \ Lib \ compiler \ misic.py".

  Similarly, the files in the folder "C: \ Python27 \ Lib \ compiler \" are sequentially encrypted.

From this log, you can see that the ransomware CryptoLocker encrypts files as follows:
(1) Search for a file using FindFirstFile and FindNextFile. FindFirstFile and FindNextFile are search Windows API functions used in the set.
(2) Open the file to be encrypted with CreateFile.
(3) For the opened file, rewrite and encrypt the file with ReadFile and WriteFile. That is, ReadFile reads the file contents of the encryption target file, the malware encrypts the read encryption target file contents, and writes the encrypted data to the original encryption target file by WriteFile.

  FIG. 5 shows a log of an API called at the time of file encryption of the ransomware CryptoLocker. This is a log when the file "Wildlife.wmv" under the folder "C: \ User \ Public \ Videos" is searched and encrypted by the ransomware CryptoLocker.

  FindFirstFile on the third line is a Windows API function that searches for the first file of the argument “C: \ Users \ Public \ Videos \ *. *”.

  FindNextFile on line 4-9 is a Windows API function that searches for the next file.

  FindFirstFile on the 10th line is a Windows API function that searches for the first file of the argument “C: \ Users \ Public \ Videos \ Sample Videos \ *. *”.

  FindNextFile on the 11th to 13th lines is a Windows API function that searches for the next file.

  The CreateFileW on the 14th line is a Windows API function that opens the file of the argument “C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv”.

  ReadFile on the 15th to 16th lines is a Windows API function that reads the file “C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv” opened by CreateFileW.

  WriteFile on the 17th to 19th lines is a Windows API function for writing data to a file “C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv” opened by CreateFileW.

  FindNextFile on the 20th line is a Windows API function that searches for the next file.

  The log on lines 3-9 indicates the following.

  A file in the folder “C: \ Users \ Public \ Videos \ *. *” Is searched by FindFirstFile on the 3rd line and FindNextFile on the 4th-9th line, but the file is not found.

  The logs on lines 10-14 indicate the following.

  With FindFirstFile on the 10th line, the folder "C: \ Users \ Public \ Videos \ *. *" Is moved to a lower folder "C: \ Users \ Public \ Videos \ Sample Videos \ *. *", And 11-13 FindNextFile on the line searched the folder "C: \ Users \ Public \ Videos \ Sample Videos \ *. *" And found the file "C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv" So, open with CreateFileW on the 14th line.

  The logs on the 15th to 20th lines indicate the following.

  The file "C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv" opened by CreateFileW is encrypted using ReadFile on the 15th to 16th lines and WriteFile on the 17th to 19th lines.

  Then, the next file in the folder “C: \ Users \ Public \ Videos \ Sample Videos \ *. *” Is searched by FindNextFile on the 20th line.

  As shown in Fig. 5, when a file under a certain folder is searched and encrypted, the file is searched using FindFirstFile, FindNextFile, CreateFile, ReadFile, and WriteFile as in Fig. 4, and the searched file is rewritten. To encrypt.

  FIG. 6 shows the state of the file “Wildlife.wmv” before and after being accessed by the ransomware CryptoLocker. FIG. 6A shows a state before being accessed by the ransomware CryptoLocker, and FIG. 6B shows a state after being accessed by the ransomware CryptoLocker.

  As shown in FIG. 6, after being accessed by the ransomware CryptoLocker, the header of the encrypted file “Wildlife.wmv” is rewritten.

  FIG. 7 shows the header of the file “Wildlife.wmv” before and after being encrypted by the ransomware CryptoLocker. FIG. 7A shows a header before being encrypted by the ransomware CryptoLocker, and FIG. 7B shows a header after being encrypted by the ransomware CryptoLocker.

  As shown in FIG. 7, all bytes from the beginning to the end of the file “Wildlife.wmv” are rewritten. At least in the case of a binary file, the part called “header” (typically several bytes to several tens of bytes from the beginning) representing the information of various types of information according to the file type, size, and file type has been rewritten. .

From the above, it was found that the behavior related to file operations during encryption of the ransomware CryptoLocker is as follows.
(1) FindFirstFile and FindNextFile, which are Windows API functions for file search, are called.
(2) CreateFile, a Windows API function that opens a file, is called.
(3) ReadFile, which is a Windows API function that reads a file, and WriteFile, which is a Windows API function that writes data to the file, are called to the target file of CreateFile.
(4) The target file header of CreateFile is different before and after the access of ransomware CryptoLocker.
(B) Analysis of ransomware CryptoWall The operation of ransomware CryptoWall was analyzed using a debugger (Debugger) which is a program that supports program debugging.

  The ransomware CryptoWall first searches for files in the terminal from the root drive using FindFirstFileW, which is a Windows API function for searching for files.

  FIG. 8 is a screen capture of the debugger showing how the ransomware CryptoWall starts searching for a file.

  The first capture in FIG. 8A shows that “C: \ *”, which is the root of the drive, is passed to FindFirstFileW as an argument.

  The next capture in FIG. 8B shows that “C: \ Users \ *”, which is a folder below the root “C: \ *” of the drive, is passed to FindFirstFileW as an argument.

  The next capture shown in Fig. 8 (c) shows that "C: \ Users \ Publice \ *", which is a folder lower than the folder "C: \ Users \ *", is passed to FindFirstFileW as an argument. ing.

  In the next capture shown in FIG. 8D, “C: \ Users \ Publice \ Videos \ *”, which is a folder below the folder “C: \ Users \ Public \ *”, is passed to FindFirstFileW as an argument. It shows that.

  As a result of further file search in the terminal from the root drive by the Windows API function FindFirstFileW, "C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv" is first searched and encrypted by the ransomware CryptoWall Is done.

  FIG. 9 is a screen capture of the debugger showing how the ransomware CryptoWall encrypts the file “C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv”.

  The first capture in FIG. 9A shows that the file “C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv” has been opened by the Windows API function CreateFileW.

  In the next capture in Fig. 9 (b), the Windows API function ReadFile and the Windows API function WriteFile are called alternately, and the file "C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv" It shows that the data is rewritten and encrypted by a predetermined size.

  The next capture shown in Fig. 9 (c) is the Windows API function MoveFile called, and the original file "C: \ Users \ Public \ Videos \ Sample Videos \ Wildlife.wmv" is encrypted. Indicates that the file name has been changed to another file name.

  FIG. 10 shows the state of the file “Wildlife.wmv” before and after being accessed by the ransomware CryptoWall. FIG. 6A is a state before being accessed by the ransomware CryptoWall, and FIG. 6B is a state after being accessed by the ransomware CryptoWall.

  As shown in FIG. 10, after being accessed by the ransomware CryptoWall, the original file name “wild animal.wmv (Wildlif.wmv in the folder“ C: \ Users \ Public \ Videos \ Sample Videos \ *. * ” ) "Has been changed to a different file name, and the file header has been rewritten.

  FIG. 11 shows the header of the file “Wildlife.wmv” before and after being encrypted by the ransomware CryptoWall. FIG. 11A shows a header before being encrypted by the ransomware CryptoLocker, and FIG. 11B shows a header after being encrypted by the ransomware CryptoLocker. The file name of the encrypted file has been changed.

  As shown in FIG. 11, all bytes from the beginning to the end of the file “Wildlife.wmv” are rewritten. At least in the case of a binary file, the part called “header” (typically several bytes to several tens of bytes from the beginning) representing the information of various types of information according to the file type, size, and file type has been rewritten. .

  Next, how to encrypt another file will be described.

  12 and 13 are screen shots of the debugger showing how the ransomware CryptoWall encrypts the file “C: \ Users \ Public \ Pictures \ Sample Pictures \ Tulips.jpg”.

  The first capture in FIG. 12A shows that the file “C: \ Users \ Public \ Pictures \ Sample Pictures \ Tulips.jpg” has been opened by the Windows API function CreateFile.

  The next capture in FIG. 12B shows that ReadFile, which is a Windows API function, and WriteFile, which is a Windows API function, are repeatedly called.

  The next capture in FIG. 13 shows that the file “C: \ Users \ Public \ Pictures \ Sample Pictures \ Tulips.jpg” is damaged by encryption and cannot be displayed as a thumbnail. Furthermore, the Windows API function MoveFileEX is called, and the original file "C: \ Users \ Public \ Pictures \ Sample Pictures \ Tulips.jpg" is another file name after encryption "C: \ Users \ Public \ Pictures \ Sample Pictures \ p3EiSzLkWhfU5pgrD5SX9PdYPyP5ICa5iXzySi34oaY = .E08A29776586FC717E27.breaking_bad ".

From the above, it was found that the behavior related to file operations during encryption of ransomware CryptoWall is as follows.
(1) FindFirstFile and FindNextFile, which are Windows API functions for file search, are called.
(2) CreateFile, a Windows API function that opens a file, is called.
(3) ReadFile, which is a Windows API function that reads a file, and WriteFile, which is a Windows API function that writes data to the file, are called to the target file of CreateFile.
(4) The target file header of CreateFile is different before and after the access of ransomware CryptoWall.
(5) MoveFileEx, which is a Windows API function for moving files, is called, and the file name is changed with the same movement destination.
(C) Analysis of ransomware CERBER The operation of ransomware CERBER was analyzed using a debugger (Debugger) which is a program that supports program debugging.

  The ransomware CERBER first searches for a file in the terminal by using FindFirstFile and FindNextFile, which are Windows API functions for searching for a file, and creates a list in advance with a file having a specific extension as an encryption target file.

  Next, after opening the listed files to be encrypted in turn with the Windows API function CreateFileW, read the file once with the Windows API function ReadFile, and then write the data to the file with the Windows API function WriteFile. Encryption. Further, when encryption is completed by writing data by WriteFile, the file is moved to the same folder, that is, the file name is changed by MoveFileW which is a Windows API function.

  FIG. 14 is a screen capture of the debugger showing how the ransomware CERBER encrypts a file.

  The first capture in FIG. 14A shows that the file “C: \ Python27 \ Lib \ unittest \ test \ test_assertions.py” is opened by the Windows API function CreateFileW.

  The next capture in FIG. 14B shows that a file opened with CreatFileW is read by ReadFile, which is a Windows API function.

  Further, the next capture in FIG. 14C shows that WriteFileW writes data to a file opened by WriteFile which is a Windows API function.

  Further, the capture shown in FIG. 14D shows that MoveFileW, which is a Windows API function, is called, and the file name of the file opened by CreatFileW is changed.

From the above, it was found that the behavior related to file operations during encryption of ransomware CERBER is as follows.
(1) CreateFile, a Windows API function for file search, is called.
(2) ReadFile, which is a Windows API function that reads a file, and WriteFile, which is a Windows API function that writes data to the file, are called to the target file of CreateFile.
(3) The header of the target file of CreateFile is different before and after the access of ransomware CERBER.
(4) MoveFileEx, which is a Windows API function for moving files, is called, and the file name is changed with the same movement destination.
(D) Analysis of ransomware TeslaCrypt The operation of ransomware TeslaCrypt was analyzed using a debugger (Debugger) which is a program that supports program debugging.

  The ransomware TeslaCrypt first searches for a file in the terminal from directly under the C drive by using FindFirstFile and FindNextFile which are Windows API functions for searching for a file. If there is a file with a specific extension that is the file to be encrypted, it is opened with the Windows API function CreateFileW, then the Windows API function ReadFile is executed multiple times to read the file on the memory, and the memory Encrypt the above file, and then execute the Windows API function WriteFile multiple times to overwrite the file to be encrypted.

  FIG. 15 is a screen shot of the debugger showing how the ransomware TeslaCrypt encrypts a file.

  The first capture in FIG. 15A shows that a file in the terminal is searched from directly under the C drive by the Windows API functions FindFirstFile and FindNextFile.

  The next capture in FIG. 15B shows that the file “C: \ Users \ test \ Desktop \ Decoy.png” has been opened by the Windows API function CreateFileW.

  Further, the next capture shown in FIG. 15C shows that the file opened by CreatFileW is read in a plurality of times by ReadFile which is a Windows API function.

  Further, the next capture shown in FIG. 15D shows that data is written in multiple times in the file opened by CreatFileW by WriteFile, which is a Windows API function.

  FIG. 16 shows the header of the file “C: \ Users \ test \ Desktop \ Decoy.png” before and after being encrypted by the ransomware TeslaCrypt. FIG. 16A is a header before being encrypted by the ransomware TeslaCrypto, and FIG. 16B is a header after being encrypted by the ransomware TeslaCrypto.

  As shown in FIG. 16, all bytes from the beginning to the end of the file “Decoy.png” are rewritten. At least in the case of a binary file, the part called “header” (typically several bytes to several tens of bytes from the beginning) representing the information of various types of information according to the file type, size, and file type has been rewritten. .

From the above, it was found that the behavior related to file operations during encryption of ransomware TeslaCrypt is as follows.
(1) FindFirstFile and FindNextFile, which are Windows API functions for file search, are called.
(2) CreateFile, a Windows API function for file search, is called.
(3) ReadFile, which is a Windows API function that reads a file, and WriteFile, which is a Windows API function that writes data to the file, are called to the target file of CreateFile.
(4) The target file header of CreateFile is different before and after the access of ransomware TeslaCrypt.

(Principle of the present invention)
The inventors of the present application have noticed from the analysis results of these four types of ransomware that the file operation behavior when encrypting a file has the following common behavior.
(1) CreateFile, a Windows API function that opens a file, is called.
(2) ReadFile and WriteFile, which are Windows API functions, are called at least once for the target file of CreateFile.
(3) The header of the target file of CreateFile has changed.

  It is difficult to imagine a general application that behaves like this, and this behavior is unique to ransomware.

  Therefore, the inventors of the present application can detect an unknown ransomware that attempts to encrypt a file by detecting such a behavior, and can effectively prevent an attack by the unknown ransomware. Have come up with the idea of the present invention.

[First Embodiment]
A program, an information processing apparatus, and an information processing method according to the first embodiment of the present invention will be described with reference to FIGS.

(Outline of this embodiment)
The outline of the present embodiment will be described with reference to FIGS. 17 and 18.

  In the present embodiment, all behaviors of a program having a behavior of accessing user data stored in the hard disk 22 are detection targets.

  The CPU 21 executes a process of OS data on the memory 23, accesses a program stored in the hard disk 22, reads the program (FIG. 2C), and stores the program stored in the hard disk 22 in the memory 23. Before being loaded and expanded as a process on the memory 23 (FIG. 3A), the process of the program of the present invention is made resident in the memory 23 (FIG. 17A).

  The program of the present invention may be executed at any time before the ransomware is in danger of being introduced and may be made resident as a process in the memory 23.

  For example, it is started as a startup program when the computer is started. The Windows OS has a mechanism that allows a “startup program” to be registered as a program that is executed when the PC is started. In the present embodiment, the program of the present invention is registered as a startup program using the mechanism. As a result, the program of the present invention is placed on the memory 23 immediately after the PC is started.

  In addition, as a method of starting a program when the PC is started, there is a method of using a registry or a service mechanism, but any method may be used.

  As a result, the computer can always be protected from ransomware immediately after the PC is started.

  As shown in FIG. 17A, the program of the present invention interrupts between an operation in which the program stored in the hard disk 22 is loaded into the memory 23 and an operation in which the CPU 21 executes the program. By hooking the operation based on the program by the CPU 21, the behavior of the program is placed under the monitoring of the program of the present invention immediately before the program is executed.

  Thereby, thereafter, all behaviors of the monitoring target program can be grasped immediately before execution of the program of the present invention. As necessary, functions can be added to or changed in the processing of the monitoring target program.

  When it is determined by the program of the present invention that the behavior of the monitoring target program is unique to the ransomware, as shown in FIG. 17B, the monitoring target program is stored in the hard disk 22 as shown in FIG. Block access just before trying to access the file. In this way, attacks by unknown ransomware are blocked to prevent file encryption.

  The program of the present invention has three functions. Three functions of the program of the present invention will be described with reference to FIG.

  The first function is a function for hooking a Windows API used by a currently running program or a monitoring target program that is a program to be activated later. As shown in FIG. 18, from the program of the present invention, a currently running process, that is, a notepad.exe, WINWORD.exe, calc.exe, Ramsomware.exe, cmd.exe,... To do.

  The second function is a function of notifying and inquiring of the program of the present invention the behavior of the monitored program by the hooked Windows API, and determining whether the monitored program is ransomware based on the result.

  The third function is a function that responds to receipt, recording, and inquiry of notification from the hooked Windows API.

  The first function and the third function are functions of the resident program of the present invention, and the second function is a function of the program of the present invention incorporated in the monitoring target program.

(Windows API function to be hooked)
The program of the present invention realizes detection and protection of ransomware by hooking a Windows API function, which is a common behavior obtained from the analysis result of ransomware, in the process to be monitored.

  As pointed out in the principle of the present invention, the Windows API function that is a common behavior of ransomware is CreateFile (file creation function (file handle acquisition function)), (file generation function), ReadFile (file read function), WriteFile (file write function).

  In this embodiment, CreateFile (file creation function) for opening a file and acquiring a file handle, which is a common Windows API function, is not a hook target, only ReadFile (file read function) and WriteFile (file write function). Is a hook target. The reason is as follows.

  First, in order to execute the common Windows API functions, such as ReadFile (file read function) and WriteFile (file write function), it is essential to obtain a file handle in advance. It is possible to detect that the handle of the file is acquired simply by setting the file reading function) and WriteFile (file writing function) as a hook target.

  In addition, since the file handle can be obtained with Windows API functions other than CreateFile (file creation function), for example, OpenFile (file open function), CreateFile (file creation function) It is not a Windows API function that is essential to obtain.

(HookReadFile)
HookReadFile is a Windows API function that hooks ReadFile (file read function).

  HookReadFile is a Windows API function to which the function of notifying the following information (a) to (c) is added to the program of the present invention in addition to the normal operation of ReadFile.

As the notification means, a high-speed method that does not cause a large delay in the operation of the process, such as inter-process communication, is desirable. Any method may be used as long as the environment can be realized at high speed, such as socket communication or file delivery.
(A) Notification source API name. ReadFile, the name of the Windows API function to hook.
(B) its own process ID; This is the process ID of the monitored process that calls the hooked ReadFile.
(C) Target file path of ReadFile. This is a file path indicating a file handle specified in a parameter of ReadFile that is a notification source API.

  Here, the “file path” includes a “path” of folders that are layered up to the “folder” in which the “file” is stored. For example, the “file path” of the file “note.doc” in the folder “Desktop” in the folder “user” in the folder “Users” on the “C drive” of the hard disk is as follows.

C: \ Users \ user \ desktop \ note.doc
Also, the file path (C: \ Users \ user \ desktop \) excluding the file name (note.doc) from the file path (C: \ Users \ user \ desktop \ note.doc) say.

  Receiving notification from HookReadFile (ReadFile hook function), the program of the present invention sequentially stores the notified contents, that is, the API name, process ID, and file path in the memory 23 as notification record data. This notification record data is used in HookWriteFile (WriteFile hook function) described later.

  Since the operating system has a function of reusing process IDs, there is a possibility that the same process ID may be accidentally assigned to different processes if the process ID continues for a long time. In order to prevent such erroneous detection of ransomware due to an accidental process ID match, it is desirable to periodically clear the notification record data.

  Although the interval for periodically clearing the conference record data is arbitrary, it is desirable to clear it at the end of the operating system or at the restart. The clear interval may be set by the user.

  FIG. 19 shows an image of the operation by the above HookReadFile. The left part of FIG. 19 shows the process of the monitoring target program, and the right part of FIG. 19 shows the process of the program of the present invention.

  The process of the monitoring target program on the left side of FIG. 19 incorporates HookReadFile which is a hook function of the program of the present invention. The incorporated HookReadFile notifies (a) the notification source API name, (b) its own process ID, and (c) the ReadFile target file path to the process of the present invention on the right side of FIG. 19 in addition to the normal ReadFile operation. .

  The process of the present invention program on the right side of FIG. 19 responds to notifications from HookReadFile. The notification from the HookReadFile on the left side of FIG. 19 is received and sequentially recorded as notification record data.

  In FIG. 19, HookReadFile includes (a) [NotFile] API name, (b) own process ID, (c) ReadFile target file path, (a) [ReadFile], (b) pid: 3421, and (c) filename. : c: \ Users \ user \ Desktop \ note.doc; (a) [ReadFile], (b) pid: 1568, and (c) filename: c: \ Users \ user \ Documents \ schedule.xls; (A) [ReadFile], (b) pid: 1568 and (c) filename: c: \ Users \ user \ Documents \ schedule.xls Are recorded as notification record data.

(HookWriteFile)
HookWriteFile is a Windows API function that hooks WriteFile (file write function).

  HookWriteFile is a Windows API function that adds the following functions to the normal WriteFile operation.

  If the parameters specified in WriteFile and the information that can be acquired from the parameters match the “criteria for file encryption operation by ransomware” described later, it is determined that the file encryption operation is by ransomware, and WriteFile A function that terminates the process without writing the data.

  The above “determination criteria for file encryption operation by ransomware” means that the following conditions (A) to (C) are satisfied.

  Condition (A): The current position of the file pointer of the file handle specified as the write target of WriteFile is acquired, and the current position is within the head or header range. The current position of the file pointer can be obtained by using the SetFilePointer function.

  Condition (B): Data changes before and after rewriting by calling WriteFile.

  Condition (C): As a result of inquiring the program of the present invention, ReadFile has already been called from its own process for the file specified when WriteFile is called.

  Based on the condition (A) and the condition (B), it is determined whether the head of the file or the information in the header range has changed.

  The reason for including the condition (C) is as follows.

  In a general file encryption procedure, as a method for implementing a program, a method of encrypting the content read by ReadFile and then directly writing to another file by WriteFile is employed. However, the ransomware analyzed this time did not take such a technique, and rewritten the file read by ReadFile with WriteFile, and then renamed it. This is considered to prevent file restoration by the forensic technique. By overwriting the file read with ReadFile with WriteFile, the data on the disk is overwritten. Therefore, there is a high possibility that the file cannot be restored even by a method using forensic technology. The author of ransomware seems to be aiming for the situation. In the program of the present invention, this behavior is one of the detection conditions, so it is very effective for such ransomware characteristics.

  With this added function, HookWriteFile (WriteFile hook function) determines whether the calling process is ransomware. If it is ransomware, it prevents file encryption, ransomware detection notification, and ransomware process. Can be forcibly terminated.

  An image of condition (A) is shown in FIG.

  The left part of FIGS. 20A and 20B shows the process of the monitoring target program on the memory 23, and the right part of FIGS. 20A and 20B shows the write target file on the hard disk 22.

  A write start position to the write target file on the hard disk 22 is designated from the HookWriteFile incorporated in the monitoring target process on the memory 23.

  In the case of FIG. 20A, the write start position “0x00000020” for the upper write target file on the hard disk 22 is not the start of the file, and the write start position “0x00000000” for the lower write target file is the start of the file. . It is determined that the writing to the lower writing target file whose writing start position is the head of the file satisfies the condition (A) and there is a possibility of writing by ransomware.

  In the case of FIG. 20B, the write start position “0x00000024” for the upper write target file on the hard disk 22 is not within the range of the file header, and the write start position “0x00000004” for the lower write target file is the file. It is not at the beginning but is within the range of the header. It is determined that writing to the lower writing target file whose writing start position is within the range of the file header satisfies the condition (A) and there is a possibility of writing by ransomware.

  In order to determine whether it is within the header range, the header size for each extension of the file needs to be known in advance. The size of the header corresponding to each extension is stored in advance in HookWriteFile (WriteFile hook function). For example, in the PDF file with the extension “pdf”, the first 5 bytes are the header.

  An image of the condition (B) is shown in FIG.

  The left part of FIG. 21 shows the process of the monitoring target program on the memory 23, and the right part of FIG. 21 shows the write target file on the hard disk 22.

  The write-scheduled data to be written by the HookWriteFile incorporated in the monitoring target process on the memory 23 is compared with the data before the writing of the write target file on the hard disk 22.

  In the case of FIG. 21, the data to be written “00 AA 00 BB 00 CC 00 DD 00 EE 00 FF 00 00 08 00” to be written by HookWriteFile and the data before writing of the write target file on the hard disk 22 “50 4B Since 03 04 14 00 06 00 08 00 00 00 21 00 A3 EF ", it is judged that the condition (B) is satisfied and there is a possibility of writing by ransomware.

  An image of the condition (C) is shown in FIG.

  22A shows the process of the monitoring target program on the memory 23 on the left side, and FIG. 22A shows the process of the program of the present invention on the memory 23 on the right side.

  The hook write file incorporated in the monitoring target process on the left side of FIG. 22 (a) is based on the process ID of itself (monitoring target process) and the target file path of WriteFile. The process is inquired of whether there is a record of ReadFile with the same process ID and the same target file path in ReadFile notification record data. The program of the present invention on the right side of FIG. 22 responds to HookWriteFile whether there is a record of ReadFile with the same process ID and the same target file path.

  In the case of FIG. 22A, ReadFile notification record data based on the process ID “pid: 1568” and the file path “C: \ Users \ user \ Documents \ schedule.xls” from the HookWriteFile embedded in the monitored process. Inquire against.

  FIG. 22B shows the notification record data of ReadFile.

  Lines 4-6, 7-9, and 13-15 of ReadFile notification record data show the HookWriteFile process ID “pid: 1568” and file path “C: \ Users \ user \ Documents \ schedule.xls”. Since there is a ReadFile record with the same process ID “pid: 1568” and file path “C: \ Users \ user \ Documents \ schedule.xls”, the condition (C) is satisfied and the ransomware writes It is determined that there is a possibility.

  As a result, the program of the present invention on the right side of FIG. 22A responds to HookWriteFile that ReadFile of the same process ID and the same target file path has been recorded.

(Exclusion list)
Hooking all ReadFile and WriteFile called from all processes running on the system and determining whether the process is ransomware adds a new load to the system. .

  Therefore, in this embodiment, an “exclusion list” in which programs that are clearly not ransomware are registered in advance is created, and the program of the present invention is not executed for the programs registered in the exclusion list.

  FIG. 23 shows a specific example of the exclusion list.

  Regular programs are registered in the exclusion list. For example, “program name”, “program file”, “full file path”, “file size”, “hash value”, “digital signature”, and the like installed in the system are registered as necessary.

  In FIG. 23, “Internet Explorer”, “MS Word”, and “MS Excel” are registered as regular programs.

  The exclusion list is updated each time a program is installed in the system and stored on the hard disk 22. The contents of the exclusion list are read when the program of the present invention is started.

  After the operation of the program of the present invention, the read exclusion list information is mapped onto the memory 23. It is preferable to always update the files on the hard disk 22 so that the contents are not lost even if the memory information is volatilized due to a sudden machine trouble.

  Also, it is desirable to encrypt the exclusion list file to avoid editing by malware or ransomware.

(User added to exclusion list)
The condition (A) of “Judgment criteria for file encryption operation by ransomware” is that the write start position from HookWriteFile to the write target file is within the head or header range. This condition (A) is a condition for determining whether the monitoring target program rewrites the header of the file. When the monitoring target program rewrites the header of the file, it is determined that the monitoring target program may be ransomware. When the program to be monitored rewrites a part other than the header of the file, it is determined that there is no possibility of ransomware because it is a normal rewriting process.

  Generally, files handled by a computer are classified into two types: “text file (text format)” and “binary file (binary format)”.

  Binary files, for example, files with extensions "doc", "ppt", "exe", "pdf", "jpg", "bmp", etc. usually have header information corresponding to the file type. . Even when the contents of a binary file are edited and changed and overwritten, the head part of the file serving as header information is normally not changed, but the data part is changed. When the binary file header is rewritten, the file cannot be opened properly, and this is not done in normal applications. Therefore, the program that rewrites the file header may be ransomware.

  There are applications that perform processing to rewrite the header at the beginning of the file. In this case, the file type is changed by changing the file extension in accordance with the rewriting of the header. Rewriting the header without changing the file name including the extension is not performed in a normal application. Therefore, a program that rewrites the header of a file without changing the file name may be ransomware.

  On the other hand, a text file, for example, a file with extensions “txt”, “csv” or the like usually does not have header information corresponding to the file type. In the case of a text file, the top part of the file is also a data part. Therefore, even if the text file is rewritten from the beginning, it is difficult to determine whether the text file is encrypted by ransomware or rewritten by a normal application.

  In the program of the present invention, when it is determined that the file is in text format based on the extension of the file, the correspondence is left to the user's determination.

  FIG. 24 shows a warning screen when rewriting of a text format file is detected.

  The warning screen asks "The following process is modifying the text file. How do you handle it?", "Process name: AAATextEditor.exe", "Applicable behavior: Modification of file contents", "Target file : C: \ Users \ test \ Desktop \ Minutes.txt "," Content to be written: "[Minutes] \ n Attendees: Sato ..." ".

  In addition, “* If there is a process or file that you are unfamiliar with the current operation, there is a possibility that the file will be encrypted by ransomware.” And the corresponding process selection buttons “End Process”, “This “Leave warning” and “Add process to exclusion”.

  If the user selects “End Process”, the process “AAATextEditor.exe” is immediately ended. This is when the user determines that the process is ransomware.

  When the user selects “Leave this warning”, the process is continued without terminating the process “AAATextEditor.exe”. This is the case when the user cannot determine whether the process is ransomware or withholds the determination.

  When the user selects “Add Process to Exclude”, the process “AAATextEditor.exe” is added to the “Exclusion List” as shown in FIG. 25 so that the warning for the same process is not performed again. . If the user determines that the process is not ransomware.

  The reference and addition of the exclusion list (white list) from the monitoring target program may be implemented so as to directly access a file on the hard disk 22 or once so as to be accessed via a resident program. Also good.

(Coping behavior)
The coping behavior when the program of the present invention determines that the monitored program is ransomware will be described.

  If the monitoring target program is determined to be ransomware, the process by the monitoring target program is forcibly terminated without writing to the file by WriteFile.

  The process is forcibly terminated in the HookWriteFile function that hooks WriteFile. Generally, this can be realized by using the ExitProcess function, the Exit function, or the like, but any instruction that can terminate the process may be used.

  By forcibly terminating the process, file encryption by ransomware can be prevented. When the process is forcibly terminated, the file is not encrypted, so it is not necessary to back up the file in advance.

  In an environment where inconvenience may be caused by terminating the process immediately, for example, the user is notified in advance that the process is scheduled to be forcibly terminated, and the user is asked to determine whether to terminate the process forcibly. Good. Further, a function of “control of detection accuracy by additional function” described later may be used.

(HookReadFile and HookWriteFile)
FIG. 26 collectively shows an image of the operation by HookReadFile and the operation by HookWriteFile according to the program of the present invention.

  The left part of FIG. 26 shows the process of the program to be monitored, and the right part of FIG. 26 shows the process of the program of the present invention.

  The process of the monitoring target program on the left side of FIG. 26 incorporates HookReadFile and HookWriteFile which are hook functions of the program of the present invention.

  The incorporated HookReadFile notifies (a) the notification source API name, (b) its own process ID, and (c) the ReadFile target file path to the process of the present invention on the right side of FIG. 19 in addition to the normal ReadFile operation. .

  The process of the present invention program on the right side of FIG. 26 receives notifications from the HookReadFile on the left side of FIG. 26 and sequentially records them as notification record data.

  The incorporated HookWriteFile is the same process in the ReadFile notification record data with respect to the process of the program of the present invention on the right side of FIG. 26 based on the process ID of itself (monitored process) and the target file path of WriteFile. Queries whether there is a record of ReadFile of ID and the same target file path. The program of the present invention on the right side of FIG. 26 responds to HookWriteFile whether there is a record of ReadFile with the same process ID and the same target file path.

  The incorporated HookWriteFile further notifies the user when the file to be rewritten is a text file, and shows the user the options of how to deal with it.

  If the user selects to add the monitored process to the exclusion list, the process is added to the exclusion list.

  When the end of the monitored process is selected by the user, the monitored process is forcibly terminated.

(Windows API hook method)
A specific method for hooking the Windows API by the program of the present invention will be described with reference to FIGS.

  All Windows programs are arranged in virtual memory called process space (memory space) when started.

  Each process space has an item called Import Address Table (IAT) as shown in FIG. 27, which is an enlarged view of the state of the malware process space, and IAT contains a list of functions (APIs) used by the program. And a memory address (address) corresponding to this. This is a general mechanism for grasping what function is loaded into which memory when the program runs.

  A method for hook control based on this premise will be described.

  First, as shown in FIG. 28, a hook WriteFile function (HookWriteFile function) is embedded in the process space of the monitoring target program. To inject code into other processes other than yourself, that is, to inject code, use the Windows API called VirtualAllocEx function in the memory space of that process, and allocate a memory area of a certain size to an area that has not been used yet. Secure. The shaded portion on the right side of FIG. 28 is the memory area.

   Next, as shown in FIG. 29, the Windows API called WriteProcessMemory is used to execute the code to be executed in the reserved memory area, here the HookWriteFile function body, and the HookWriteFile function to the IAT in the process space of the monitored program. Write function A for inclusion. This operation is indicated by a thick arrow in FIG. Note that the specific address of the secured memory area can be obtained by checking the return value of VirtualAllocEx.

  Next, as shown in FIG. 30, by calling a Windows API called CreateRemoteThread to execute the written code (function A), the arbitrary code can be executed in the malware process space. This operation is indicated by a thick arrow in FIG.

  Here, when attention is paid only to the process space of the monitoring target program, it is as shown in FIG.

  Next, as shown in FIG. 32, when the function A is executed by CreateRemoteThread, the function A is the address of the regular WriteFile function in the IAT of the process space of the monitored program (the address “0x46700000” in FIG. 32). ) Is rewritten to the address of the HookWriteFile function (the address “0x49000000” in FIG. 32). This completes the hook pre-processing.

  To know which function is expanded to which address, that is, the address corresponding to that function in IAT, pass the function name to the Windows API argument GetProcAddress, and the specified function will be in the process space. It is possible to know the specific address of which address is associated with.

  Next, as shown in FIGS. 33 and 34, it is assumed that the monitoring target program tries to rewrite the file content indicated by the file handle “0x3C0”, for example. In this case, when the WriteFile function is called, the monitored program refers to the IAT in its process space, and as a result, passes the parameter “0x3C0” to the HookWriteFile function instead of the regular WriteFile function.

  Arbitrary processing can be performed inside the HookWriteFile function. Specifically, the content of data originally written using WriteFile is checked or changed in advance. The contents of the HookWriteFile function in the program of the present invention are as described above.

(Control of detection accuracy with additional functions)
When the program of the present invention determines that the monitoring target program is ransomware, the process by the monitoring target program is forcibly terminated to prevent file encryption by the ransomware.

  However, depending on the environment, there may be a problem that the process is immediately terminated. Therefore, an additional function is provided in the program of the present invention to control the detection accuracy of ransomware.

(Control by HookFindNextFile)
HookFindNextFile is a Windows API function that hooks FindNextFile (file search function).

  In addition to HookReadFile that hooks ReadFile (file read function) and HookWriteFile that hooks WriteFile (file write function), HookFindNextFile hooks FindNextFile (file search function) to improve the detection accuracy of ransomware.

  FindFirstFile and FindNextFile are Windows API functions used to find and enumerate files and are typically used in sets.

  FIG. 35 shows operations by FindFirstFile and FindNextFile.

  First, when FindFirstFile is called by specifying the location, the information on the first file at that location is returned from the system, and the information on the first file (AAA.txt) can be obtained.

  Next, when FindNextFile is called, the information (BBB.pdf) of the next file at the location can be acquired from the file handle acquired by FindFirstFile.

  Thereafter, by calling FindNextFile, information on the next file at that location (CCC.txt, DDD.exe,...) Can be acquired sequentially.

  Therefore, if FindFirstFile or FindNextFile is always called when the above-described ransomware is detected by HookReadFile and HookWriteFile, it can be determined that the ransomware is continuously encrypting the file.

  As shown in FIG. 36, first, FindFirstFile is called to obtain information on the first file at a certain location. Subsequently, ReadFile and WriteFile are called and the files are encrypted. Next, call FindNextFile to get information about the next file in that location. Subsequently, ReadFile and WriteFile are called and the files are encrypted. Next, similarly, FindNextFile is called to obtain information about the next file at that location. Subsequently, ReadFile and WriteFile are called and the files are encrypted. Thereafter, the same processing is repeated to continuously encrypt the files at that location.

  In order to detect such continuous encryption processing of files, it is only necessary to hook and monitor FindNextFile. FindFirstFile does not have to be hooked and monitored.

  When called, HookFindNextFile that hooks FindNextFile notifies the following information (a) to (c) to the program of the present invention in addition to the normal operation of FindNextFile.

As the notification means, a high-speed method that does not cause a large delay in the operation of the process, such as inter-process communication, is desirable. Any method may be used as long as the environment can be realized at high speed, such as socket communication or file delivery.
(A) Notification source API name. FindNextFile, the name of the Windows API function to hook.
(B) its own process ID; This is the process ID of the monitored process that calls FindNextFile to hook.
(C) File name that can be acquired from the data buffer specified by the parameter of FindNextFile that is the notification source API. The data buffer stores information about the next file.

  Therefore, on the condition that ransomware is detected by HookReadFile and HookWriteFile, FindNextFile is called before the encryption process, and whether the next file name obtained matches the target file of ReadFile and WriteFile. By confirming whether or not, it is possible to determine that the encryption process is continuously performed on a plurality of files.

  In order to determine the above, for example, HookReadFile, HookWriteFile, and HookNextFile respectively notify (a) a notification source API name, (b) a process ID, and (c) a file path that are notified to the program of the present invention. The data is recorded in advance, and the determination is made based on the notification record data.

  FIG. 37 shows a specific example of the notification record data.

  The notification record data in FIG. 37 includes records of FindNextFile process ID “pid: 1568” and file path “C: \ Users \ user \ Documents \ schedule.xls” in the fourth to sixth lines. Lines 9 and 13 to 15 have a record of ReadFile process ID “pid: 1568” and file path “C: \ Users \ user \ Documents \ schedule.xls”. Lines 10 to 12 and 16 to 16 Line 118 has a record of WriteFile process ID “pid: 1568” and file path “C: \ Users \ user \ Documents \ schedule.xls”.

  The process ID and file path of FindNextFile are the same as the process ID and file path of ReadFile and WriteFile. When it is detected by WriteFile that the header of the file “schedule.xls” has been changed, it is determined that the encryption process is continuously performed on a plurality of files.

The notification record data in FIG. 37 further includes the same folder in the 22nd to 36th lines.
It is recorded that the same processing is performed on the file "description.doc" in "C: \ Users \ user \ Documents \". When it is detected by WriteFile that the header of the file “description.doc” has been changed, it is determined that the encryption process is continuously performed on a plurality of files in the same folder.

  By setting whether or not to determine whether or not the encryption process is continuously performed on a plurality of files, it is possible to control the accuracy of the detection behavior for the encryption process by the ransomware.

FIG. 38 is a setting screen for enabling the encryption processing for a plurality of files. The expression method of the setting screen in FIG. 38 is an example, and other expression methods may be used. In the setting screen, “Enter encryption processing for multiple files with detection conditions” is displayed after the check button, and “ If not, encryption processing for single files is also included in the detection target ”. The detection condition can be changed when the user checks the check button.

  For example, in a user environment where there is a possibility of performing encryption processing on a single file, if there is no such detection condition, legitimate encryption processing is erroneously detected as ransomware processing. Such erroneous detection and overdetection due to erroneous detection can be prevented from occurring.

(Control by HookMoveFile)
HookMoveFile is a Windows API function that hooks MoveFile (MoveFileA, MoveFileW, MoveFileExA, MoveFileExW) (file move function).

  In addition to HookReadFile hooking ReadFile (file read function) and HookWriteFile hooking WriteFile (file write function), HookMoveFile hooks MoveFile (file move function) to improve ransomware detection accuracy.

  MoveFile is a Windows API function for moving files and changing file names. As shown in FIG. 39, the first argument of MoveFile is the file path (file name) of the movement source, and the second argument is the file path (file name) of the movement destination.

  If the file path excluding the file name of MoveFile's first argument and the second argument is different, the process is "Move File". If the file path excluding the file name of MoveFile is the same as that of the second argument, the process is essentially “change file name”.

  Some ransomware changes the file name to be encrypted after encryption. This is to make it impossible to determine the original file name of the encrypted file, and not only the contents of the file but also the file name are simultaneously encrypted.

  As shown in FIG. 40, such ransomware also performs encryption of the file name by calling MoveFile immediately after the file encryption process is performed. By detecting the flow, the program of the present invention can grasp the encryption behavior of the file name by the ransomware.

  As shown in FIG. 40, FindNextFile is called to obtain information on the next file at that location. Subsequently, CreateFile, ReadFile, and WriteFile are called and the files are encrypted. Next, MoveFile is called to encrypt the file name. In FIG. 40, the file name of the encrypted file “ABS.pdf” is changed to “g1d4fr.vvv” by MoveFile.

  In order to detect such file name encryption processing, MoveFile is hooked and monitored. When called, HookMoveFile that hooks MoveFile notifies the program of the present invention the following information (a) to (c) in addition to the normal operation of MoveFile.

As the notification means, a high-speed method that does not cause a large delay in the operation of the process, such as inter-process communication, is desirable. Any method may be used as long as the environment can be realized at high speed, such as socket communication or file delivery.
(A) Notification source API name. MoveFile, the name of the Windows API function to hook.
(B) its own process ID; This is the process ID of the monitored process that calls MoveFile to hook.
(C) File path specified by the first argument and the second argument of MoveFile which is the notification source API.

  Therefore, on the condition that ransomware is detected by HookReadFile and HookWriteFile, MoveFile is called after the encryption process, and the path of the first argument and the second argument of MoveFile (excluding the file name from the file path) It is possible to determine that the encryption process for the file name is being performed by confirming whether the file paths are the same.

  In order to determine the above, for example, HookReadFile and HookWriteFile respectively notify (a) a notification source API name, (b) a process ID, (c) a file path, and MoveFile respectively notified to the program of the present invention. (A) Notification source API name, (b) Process ID, (c) File path of the first argument, (d) File path of the second argument are recorded in the notification record data. The determination is made based on the notification record data.

  FIG. 41 shows a specific example of the notification record data.

  In the notification record data of FIG. 41, the ReadFile process ID “pid: 1568” and the file path “C: \ Users \ user \ Documents \ schedule.xls” are recorded in the 4th to 6th lines and the 10th to 12th lines. In lines 7-9 and 13-15, there is a record of WriteFile process ID “pid: 1568” and file path “C: \ Users \ user \ Documents \ schedule.xls”. Line 19 contains MoveFile process ID "pid: 1568", first argument file path "C: \ Users \ user \ Documents \ schedule.xls", second argument file path "C: \ Users \ user \ Documents \ g1d4fr6ps There is a record of ".vvv".

  The process ID of MoveFile is the same as the process ID of ReadFile and WriteFile, the file path of the first argument of MoveFile is the same as the file path of ReadFile and WriteFile, the path of the first argument and the second argument of MoveFile The path is the same. If it is detected by WriteFile that the header of the file "schedule.xls" has been changed, "schedule.xls" is encrypted and the file name of "schedule.xls" is also "g1d4fr6ps.vvv" Is determined to be encrypted.

The notification record data in FIG. 41 further includes the same folder in the 22nd to 37th lines.
It is recorded that the same processing is performed on the file "description.doc" in "C: \ Users \ user \ Documents \". When it is detected that the header of the file “description.doc” has been changed by WriteFile, “description.doc” is encrypted, and the file name of “description.doc” is also “p6dfg7p4.vvv” It is determined that encryption processing has been performed.

  When it is detected that the file name has been changed after detecting the encryption process for the file, the program of the present invention shows the information to the user, and the accuracy of the detection behavior for the encryption process by the ransomware Can be controlled.

FIG. 42 is a setting screen for determining whether or not to warn when a change in file name is detected. The expression method of the setting screen in FIG. 42 is an example, and other expression methods may be used. On the setting screen, “Add“ Change in file name ”to the detection condition” is displayed after the check button and “Do not check” is displayed. If the check box is checked, information about the change in the file name will be displayed at the time of detection, and the action can be selected. " To do. It is possible to set whether or not to warn the user by checking the check button.

  FIG. 43 shows a warning screen when the file content is modified and the file name is modified. Careful users can select how to deal with this information and improve usability, as well as control over-detection due to false positives and false positives.

  The warning screen asks "The following process is changing the text file. How do you handle it?", "Process: AAAA.exe", "Applicable behavior: File content modification, file name modification, "I am going to change to" d1g2r.vvv "", "" Target file: C: \ Users \ test \ Document \ BBB.pdf ".

  Furthermore, the corresponding process selection buttons “end process”, “leave this warning”, and “add process to exclusion” are shown.

  If the user selects “End Process”, the process “AAAA.exe” is immediately ended. This is when the user determines that the process is ransomware.

  If the user selects “Leave this warning”, the process continues without terminating the process “AAAA.exe”. This is the case when the user cannot determine whether the process is ransomware or withholds the determination.

  When the user selects “Add Process to Exclude”, the process “AAAA.exe” is added to the “Exclusion List” described above so that the same process is not warned again. If the user determines that the process is not ransomware.

[Second Embodiment]
A program, an information processing apparatus, and an information processing method according to the second embodiment of the present invention will be described with reference to FIGS.

  The first embodiment of the present invention analyzes the behavior of main ransomware, identifies common parts, and detects and protects behaviors that can be determined to be illegal from there. However, file encryption processing is possible without using the analyzed ransomware method.

  Therefore, the inventors of the present application believe that by detecting possible behavior other than the analyzed ransomware, it is possible to reliably detect unknown ransomware and effectively prevent attacks by ransomware. I came up with an embodiment.

  An encryption method assumed by the inventors of the present application will be described. FIG. 44 shows an encryption method assumed by the inventors of the present application.

  When a certain file A is to be encrypted, in the first embodiment of the present invention, the encrypted file is directly overwritten on the original file. However, the encrypted file can be made to exist in the folder in which the original file existed without directly overwriting.

The encryption method of FIG. 44 will be described in the order of step numbers.
(Step 1): The file A is read and encrypted on the memory 23 by ReadFile.
(Step 2): The encrypted data of the file A on the memory 23 is created as a file B at an arbitrary location by WriteFile.
(Step 3-A): The file name of the encrypted file B is changed to the file C by MoveFile.
(Step 3-B): The file name of the encrypted file B is changed to File A by MoveFile, and the file A is overwritten by moving to the folder where the file A exists.
(Step 4): The file C is moved to the folder in which the file A exists by MoveFile.
(Step 5): File A is deleted by DeleteFile.

  After step 5, the state where the file name of the encrypted file A is changed to the file C in the folder in which the file A exists is changed to “state 1”.

  After step 3-B, the state where the encrypted file A exists in the folder in which the file A exists becomes “state 2”.

  FIG. 45 shows a plurality of cases of the encryption method.

  Case 1 of the encryption method is a case in which the process proceeds in the order of Step 1, Step 2, Step 3-A, Step 4, and Step 5 and becomes State 1.

  Case 1 of the encryption method is a case in which the process proceeds in the order of Step 1, Step 2, and Step 3-B and enters State 2.

  In the present embodiment, for example, by detecting Case 1 and Case 2, an assumed behavior other than the analyzed ransomware is detected.

  Note that the behavior to become “state 1” and “state 2” is not limited to case 1 and case 2, but such other cases can be detected by a method similar to the detection method described later. is there.

  Also in this embodiment, the encryption processing by HookReadFile and HookWriteFile in the first embodiment is detected. In the present embodiment, in addition to that, HookMoveFile that hooks MoveFile (MoveFileA, MoveFileW, MoveFileExA, MoveFileExW) (file move function) and HookDeleteFile that hooks DeleteFile (file delete function) are used.

  Then, HookReadFile, HookWriteFile, and HookDeleteFile respectively notify (a) the notification source API name, (b) process ID, (c) file path to the program of the present invention, and HookMoveFile notifies the program of the present invention ( a) Notification source API name, (b) Process ID, (c) File path of first argument, (d) File path of second argument are notified. These data notified to the program of the present invention are appropriately recorded in a predetermined list.

(Detection of Case 1)
FIG. 48 shows pre-processing for detection of case 1.

  For the program of the present invention, (a) the notification source API name, (b) the process ID, and (c) the file path notified from HookReadFile are recorded as a list A.

  For the program of the present invention, (a) a notification source API name, (b) a process ID, and (c) a file path notified from HookWriteFile are recorded as a list B.

  For the program of the present invention, a list C shows (a) the notification source API name, (b) the process ID, (c) the file path of the first argument, and (d) the file path of the second argument, which are notified from the HookMoveFile. Record as.

  The detection conditions for Case 1 are as follows.

  Condition 1: DeleteFile is called by a process, and an argument file path (a file to be deleted) is included in the list A. That is, the process ID notified from HookDeleteFile is the same as the process ID notified from HookReadFile, and the file path notified from HookDeleteFile is included in list A.

  A specific example of condition 1 is shown in FIG. As shown in FIG. 47, DeleteFile is called by a certain process, and the file path “C: \ DDD \ CC.doc” of the argument is included in the list A.

  This condition 1 means that a process is trying to delete a file that has been read by ReadFile in the past by DeleteFile.

  Condition 2: The folder path of the argument of DeleteFile (for the file to be deleted) is equal to the folder path of the second argument in list C. That is, the process ID notified from HookDeleteFile is the same as the process ID notified from HookMoveFile, and the path obtained by removing the file name from the file path notified from HookDeleteFile is the file name from the second argument of list C. It is the same as the path except for.

  A specific example of condition 2 is shown in FIG. As shown in FIG. 48, the folder path “C: \ DDD \” of the argument of DeleteFile is equal to the folder path “C: \ DDD \” of the second argument of list C.

  This condition 2 means that the location of a file that a certain process is trying to delete has a record in which the process has designated some file as a destination in the past.

  Condition 3: The file of the first argument of MoveFile is included in the list B. That is, the process ID notified from HookWriteFile is the same as the process ID notified from HookMoveFile, and the same file path as the first argument notified from HookMoveFile.

  A specific example of condition 3 is shown in FIG. As shown in FIG. 49, the first argument file “C: \ XXX \ VV.doc” of MoveFile is included in the list B.

  Condition 3 means that a file written by WriteFile in the past is moved by MoveFile.

  Condition 4: The header of the first argument file of MoveFile that satisfies the above condition 2 is different from the header of the file of the argument of DeleteFile that satisfies the first condition.

  A specific example of condition 4 is shown in FIG. As shown in FIG. 50, the header of the first argument file “C: \ DDD \ CC.doc” of MoveFile is the file “C: \ XXX \ VV.doc” of the argument of DeleteFile that satisfies the first condition. Different from the header.

  The condition 4 is the same as the determination condition for the difference in file header in the first embodiment.

(Detection of Case 2)
FIG. 51 shows pre-processing for detection of case 2.

  For the program of the present invention, (a) the notification source API name, (b) the process ID, and (c) the file path notified from HookReadFile are recorded as a list A.

  For the program of the present invention, (a) a notification source API name, (b) a process ID, and (c) a file path notified from HookWriteFile are recorded as a list B.

  The detection conditions for Case 2 are as follows.

  Condition 1: MoveFile is called by a process, and the file path of the second argument is included in the list A. That is, the process ID notified from HookMoveFile is the same as the process ID notified from HookReadFile, and the file path of the second argument notified from HookMoveFile is included in list A.

  This condition 1 means that this process is trying to overwrite a file that has been read by ReadFile in the past with some file.

  Condition 2: At this time, the file path of the first argument of MoveFile is included in the list B. That is, the process ID notified from HookMoveFile is the same as the process ID notified from HookWriteFile, and the file path of the first argument notified from HookMoveFile is included in list B.

  This condition 2 means that this process is going to move a file that has been written by WriteFile in the past.

  Condition 3: The header of the first argument file of MoveFile is different from the header of the file of the second argument.

  Condition 3 is the same as the condition for determining the difference in file headers in the first embodiment.

[Modified Embodiment]
The present invention is not limited to the above embodiment, and various modifications can be made.

  For example, in the above embodiment, the present invention is applied to Microsoft Windows, which is a Microsoft operating system, but Android, BSD, iOS, Linux, OS X, Windows Phone, IBM z / OS (all registered trademarks). The present invention may be applied to other operating systems. Ransomware attacks against each operating system can be reliably and effectively prevented.

10 ... Information processing device 20 ... Computer (PC)
30 ... External peripheral device 21 ... CPU
22 ... Hard disk 23 ... Memory 24 ... Input / output device 25 ... Display 31 ... Printer 32 ... External storage device

Claims (16)

Computer
A first condition that a file read function is already called from the predetermined process with respect to a file path that is the same as a file path in which a file write function called from a predetermined process writes data; and the file write A program for causing a function to function as a determination unit that determines that the predetermined process is ransomware when a function satisfies a second condition of rewriting a header of a file in the file path. The program according to claim 1,
The determination unit
In addition to the first condition and the second condition, when the third condition that the file of the file path is a text file having no header is satisfied, the predetermined process is set as ransomware. A program characterized by presenting the user with processing options for processing or not. The program according to claim 1 or 2,
The determination unit
In addition to the first condition and the second condition, another file in the same path as the path included in the file path is searched from the predetermined process before the file write function is called. A program characterized in that, when the fourth condition that a file search function is called is satisfied, the predetermined process is determined as ransomware. The program according to any one of claims 1 to 3,
The determination unit
In addition to the first condition and the second condition, after calling the file write function from the predetermined process, the same path as the path included in the file path is set as a movement source path, The predetermined process is determined to be ransomware when the fifth condition that a file movement function is called with the same path as the path included in the file path being called is satisfied. Program. Computer
The first condition that the file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process, and the file deletion function called from the predetermined process. The second condition that the first file movement function having the same file path as the file path to be deleted by the file deletion function to be deleted has already been called, and the second condition called from the predetermined process A third condition that the file write function has already been called from the predetermined process for the same file path as the file path of the file move function, and the move source of the first file move function And the file path file to be deleted by the file deletion function. In the case where the Le header satisfies the fourth condition that is different from a program for causing a predetermined process as a determining section for determining a ransomware. Computer
A first condition that a file read function is already called from the predetermined process for a file path that is the same as a destination file path of a file move function called from a predetermined process; A second condition that a file write function has already been called from the predetermined process for the same file path as the source file path, and a file header of the source file path of the file move function And the third condition that the file header of the file path to which the file movement function is moved is different from each other in order to function as a determination unit that determines the predetermined process as ransomware Program. On the computer,
A first condition that a file read function is already called from the predetermined process with respect to a file path that is the same as a file path in which a file write function called from a predetermined process writes data; and the file write A program for executing a procedure for determining that the predetermined process is ransomware when a function satisfies a second condition of rewriting a header of a file of the file path. On the computer,
The first condition that the file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process, and the file deletion function called from the predetermined process. The second condition that the first file movement function having the same file path as the file path to be deleted by the file deletion function to be deleted has already been called, and the second condition called from the predetermined process A third condition that the file write function has already been called from the predetermined process for the same file path as the file path of the file move function, and the move source of the first file move function And the file path file to be deleted by the file deletion function. In the case where the Le header satisfies the fourth condition that is different from a program for executing the steps of determining the predetermined process and ransomware. On the computer,
A first condition that a file read function is already called from the predetermined process for a file path that is the same as a destination file path of a file move function called from a predetermined process; A second condition that a file write function has already been called from the predetermined process for the same file path as the source file path, and a file header of the source file path of the file move function And a third condition that the file header of the file path to which the file movement function is moved are different from each other, the procedure for determining the predetermined process as ransomware is executed. program.   The computer-readable recording medium which recorded the program of any one of Claims 1 thru | or 9. A first condition that a file read function is already called from the predetermined process with respect to a file path that is the same as a file path in which a file write function called from a predetermined process writes data; and the file write An information processing apparatus comprising: a determination unit that determines that the predetermined process is ransomware when a function satisfies a second condition of rewriting a file header of the file path. The first condition that the file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process, and the file deletion function called from the predetermined process. The second condition that the first file movement function having the same file path as the file path to be deleted by the file deletion function to be deleted has already been called, and the second condition called from the predetermined process A third condition that the file write function has already been called from the predetermined process for the same file path as the file path of the file move function, and the move source of the first file move function And the file path file to be deleted by the file deletion function. In the case where the Le header satisfies the fourth condition that is different from the information processing apparatus characterized by having a determining section for determining the predetermined process and ransomware. A first condition that a file read function is already called from the predetermined process for a file path that is the same as a destination file path of a file move function called from a predetermined process; A second condition that a file write function has already been called from the predetermined process for the same file path as the source file path, and a file header of the source file path of the file move function And a determination unit that determines that the predetermined process is ransomware when the file transfer function satisfies a third condition that a file header of a file path of a transfer destination is different. A characteristic information processing apparatus. A first condition that a file read function is already called from the predetermined process with respect to a file path that is the same as a file path in which a file write function called from a predetermined process writes data; and the file write An information processing method comprising: determining a predetermined process as ransomware when a function satisfies a second condition of rewriting a header of a file of the file path. The first condition that the file read function is already called from the predetermined process for the same file path as the file path to be deleted by the file deletion function called from the predetermined process, and the file deletion function called from the predetermined process. The second condition that the first file movement function having the same file path as the file path to be deleted by the file deletion function to be deleted has already been called, and the second condition called from the predetermined process A third condition that the file write function has already been called from the predetermined process for the same file path as the file path of the file move function, and the move source of the first file move function And the file path file to be deleted by the file deletion function. In the case where the Le header satisfies a fourth condition that are different, the information processing method characterized by determining said predetermined process and ransomware. A first condition that a file read function is already called from the predetermined process for a file path that is the same as a destination file path of a file move function called from a predetermined process; A second condition that a file write function has already been called from the predetermined process for the same file path as the source file path, and a file header of the source file path of the file move function And the third condition that the file header of the file path of the file transfer destination of the file transfer function is different, the predetermined process is determined to be ransomware. Processing method.