JP5440973B2 - Computer inspection system and computer inspection method - Google Patents

Description

  The present invention relates to a computer inspection system that inspects a malicious program on a target computer by an inspection server device, and particularly has a feature in a method for searching for a malicious program in a target computer and an analysis method thereof.

  In recent years, with regard to malware (unauthorized programs), “obfuscation” that intentionally makes it difficult to read executable code (here, it refers to the source code of a script or program), or the execution code is dynamically changed intentionally. Development of methods such as “self-transformation” is progressing. As a result, a large number of virus variants with similar functions are generated, and each virus is difficult to analyze. There is a limit to dealing with such unknown malware only by detection and removal using existing techniques such as signatures (malware inspection patterns).

Regarding such malware, it is important to grasp the behavior such as infection behavior in order to generate a removal tool. However, there are some that take a certain amount of time to show behavior, such as pretending to be a legitimate executable code even if infected and not being aware of it, or waiting for an attack command from an external command server.
For this reason, in order to determine whether the program that is running and resident in the user's personal computer is malware, it is currently most useful to analyze the execution code of the program in detail.

However, since the majority of the various programs running and resident in the user's personal computer are legitimate executable codes, only those suspicious executable codes suspected of malware are accurately identified from such programs. It is a difficult situation to sort out.
Moreover, it is very difficult to analyze the execution code in detail on the user's personal computer from the viewpoint of safety.

  On the other hand, security vendors who provide anti-virus software have been conducting detailed analysis and updating and providing pattern files each time such new malware appears. However, the analysis has not caught up, and when the user needs it, it has not reached the point where it can provide what it needs in a timely manner.

On the other hand, various methods have been proposed as related elemental technologies.
First, there is known anti-virus software as a technique for detecting malware. Anti-virus software is the mainstream of current anti-virus measures, but as mentioned above, signature-based methods have limitations against unknown malware.
In order to deal with unknown viruses and the like, for example, Canon IT Solutions Inc. “NOD32 Antivirus” (see Non-Patent Document 1) has a function of monitoring a viral behavior called a heuristic function. This function understands the code analyzed for the file / email to be inspected, detects suspicious behavior, and determines whether to perform virus-like behavior by combining all available information. I do. When it is determined that the behavior is suspicious, a virus warning is issued to alert the user.
In addition, patent documents 1 to 3 can be cited as patent documents related to virus detection.

However, there are problems with the technology that detects these malware, such as malware that works only when new behavior or specific conditions are met, even if it can be detected if it is a typical behavior or a behavior that manifests immediately. In the case of, there was a great risk of escape from detection.
Further, in order not to miss malware, notifying the user if there is even a suspicious behavior will increase the number of erroneous notifications, reduce reliability, and also hinder the user's work.

In addition, in the field of network incident research, various traffic analysis methods using algorithms such as a spectrum analysis algorithm and a time series analysis algorithm have been proposed.
In the research disclosed in Non-Patent Document 2, analysis focusing on fluctuations in the number of packets obtained from a fixed point observation network is performed. This is a technique for detecting a threat based on a change in time-frequency components obtained by performing wavelet analysis on variation data of the number of packets for each parameter such as the IP address and port number of the transmission source and transmission destination.

  Further, in the research disclosed in Non-Patent Document 3, as in the technique of Non-Patent Document 2, analysis focusing on the variation in the number of packets is performed. Here, the time series analysis algorithm called SDAR (Sequential Discounting AR matching) is used for the sequence data (the number of packets per unit time) to realize a light process and to detect anomalies in real time.

Apart from such malware detection technology, technology for analyzing whether a program is malware has also been developed.
For example, nicter (Network Incident analysis Center for Tactical by the applicant)
Emergency Response) (Non-Patent Document 4). In nicter, "macro analysis system" for the purpose of grasping the behavior of scanning etc. by network monitoring, "micro analysis system" for the purpose of static and dynamic analysis of collected malware and other specimens, and mutual results The three main components of analysis are the “macro-micro correlation analysis system”, which aims to collate and derive relevance.

  As disclosed in Patent Documents 4 and 5, the malware analysis technology may include sensor means for detecting unauthorized packet communication, etc., or may prepare a honeypot to observe malware behavior. There is a problem that it is difficult to analyze on a computer in use by a user. In particular, the analysis itself is often hindered in the first place on infected computers.

In the technology to remove malware, in conjunction with the detection and analysis of malware, the necessary removal tool is generated based on the analysis result, and it is quickly provided to users who are affected by infection. It is important to develop a mechanism and necessary functions.
Regarding the function to create and provide malware removal tools, it is necessary to deal with a wide variety of users and a wide variety of malware, and when a user needs to be removed, a removal tool must be provided in a timely manner. Considering the importance of dealing with points, etc., it is necessary to achieve automation and speedup.

  In the conventional technology, it is common to use the functions installed in the above anti-virus software for the removal tool as well, and it is often possible to remove known viruses, but there is a problem that can hardly cope with unknown viruses. .

In addition, Patent Document 6 is cited as a technique for detecting that the terminal device is infected with malware and taking a countermeasure. In this patent document, a system for monitoring the software status of a terminal device connected to a network by a monitoring device is provided.
The monitoring device has a first database that stores software feature information defined including feature information of a file that causes a vulnerability or a file that is generated at the time of malware infection. A second database for sequentially acquiring and storing feature information; The monitoring device transmits the feature information stored in the first database to the terminal device together with the verification request via the network. The terminal device searches the second database, verifies the presence / absence of a file related to the feature information, and transmits the verification result to the monitoring device.
Based on the received verification result, the monitoring device determines the vulnerability of the terminal device or the malware infection status, performs access control, and prevents the spread of damage.

  The present technology is a method for executing the signature-based detection method by sharing between the monitoring device and the terminal device. However, in this method, it is impossible to detect at least the known malware in the monitoring device. Does not lead to a solution.

JP 2006-268687 A JP 2008-022498 A JP 2003-162423 A JP 2008-176752 A JP 2008-176753 A JP 2006-040196 A

Internet URL http://canon-its.jp/product/nd/product_5.htmlSearch February 10, 2009 Masaaki Ishiguro, Hironobu Suzuki, Ichiro Murase “Internet threat detection method based on frequency component change using wavelet analysis” IEICE (2006 Symposium on Cryptography and Information Security (SCIS2006)) January 2006 Junichi Takeuchi, Atsushi Sato, Kenji Rikitake, Koji Nakao “Construction of Incident Detection System Using Change Detection Engine” IEICE (2006 Symposium on Cryptography and Information Security (SCIS2006)) January 2006 "Nicter: An Incident Analysis System using Correlation between Network Monitoring and Malware Analysis" Proceedings of The 1st Joint Workshop on Information Security, JWIS2006, Page363-377, September 2006 Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D .: Theinternet motion sensor: a distributed blackhole monitoring system, The 12th Annual Network and Distributed System Security Symposium (NDSS05), 2005 Moore, D .: Network telescopes: tracking Denial-of-Service attacks and internet worms around the globe, 17thLarge Installation Systems Administration Conference (LISA’03), USENIX, 2003 Yegneswaran, V., Barford, P., Plonka, D .: On the design and use of Internet sinks for network abuse monitoring.Recent Advances in Intrusion Detection (RAID 2004), LNCS 3224, pp 146-165, 2004 Honeypot project, http://www.leurrecom.org/ Internet Motion Sensor, http://ims.eecs.umich.edu/ IT Security Center, Information-Technology Promotion Agency, Japan, https://www.ipa.go.jp/security/index-e.html Japan Computer Emergency ResponseTeam Coordination Center, http://jpcert.jp/isdas/index-en.html National Cyber Security Center, Korea, http://www.ncsc.go.kr/eng/ REN-ISAC: Research and Education Networking Information Sharing and Analysis Center, http://www.ren-isac.net/ SANS Internet Storm Center, http://isc.sans.org/ Telecom Information Sharing and Analysis Center, Japan, https://www.telecom-isac.jp/ @police, http://www.cyberpolice.go.jp/english/obs_e.html Bailey, M., Cooke, E., Jahanian, F., Myrick, A., Sinha, S .: Practical darknet measurement, 2006 Conference on Information Sciences and Systems (CISS '06), pp. 1496-1501, 2006 Alata, E., Nicomette, V., Kaaniche, M., Dacier, M .: Lessons learned from the deployment of a high-interaction honeypot, 6th European Dependable Computing Conference (EDCC-6), pp. 39-44, 2006 Year Leita, C., Dacier, M., Massicotte, F .: Automatic handling of protocol dependencies and reaction to 0-dayattacks with ScriptGen based honeypots, 9th International Symposium on Recent Advances in Intrusion Detection (RAID2006), pp. 185-205, 2006 Year Provos, N .: Honeyd A virtual honeypotdaemon. 10th DFN-CERT Workshop, 2003 Provos, N .: A virtual honeypot framework.13th USENIX Security Symposium, pp 1-14, 2004 Nakao, K., Matsumoto, F., Inoue, D., Baba, S., Suzuki, K., Eto, M., Yoshioka, K., Rikitake, K., Hori, Y .: Visualization technologies of nicter incident analysis system, IEICE Technical Report, vol.106, no.ISEC-176 pp.83-89, 2006 Isawa, R., Ichikawa, S., Shiraishi, Y., Mohri, M, Morii, M .: A virus analysis supporting system; forautomatic grasping virus behavior by code-analysis result, The Computer Security Symposium 2005 (CSS2005), vol. 1, pp. 169-174, 2006 Hoshizawa, Y., Morii, M., Nakao, K .: A proposal of automated malware behavior analysis system, Information and Communication System Security, IEICE, ICSS2006-07, pp. 41-46, 2006 C. Willems, T. Holz, and F. Freiling, "Toward Automated Dynamic Malware Analysis Using CWSandbox" Security & Privacy Magazine, IEEE, Volume 5, Issue 2, pp. 32-39, 2007 Nakao, K., Matsumoto, F., Inoue, D., Baba, S., Suzuki, K., Eto, M., Yoshioka, K., Rikitake, K., Hori, Y .: Visualization technologies of nicter incident analysis system, IEICE Technical Report, vol.106, no.ISEC-176 pp.83-89, 2006

  The present invention was created in view of the above-described problems of the prior art, and detects a program that exhibits suspected fraud on a computer to be inspected at high speed and with a low load, and is an unknown malicious program. Even if it exists, it aims at providing the technique which can be analyzed with high precision.

In order to solve the above problems, the present invention provides the following computer inspection system.
That is, a computer inspection system that inspects a malicious program on a target computer by an inspection server device, and the target computer and the inspection server device are connected via a communication network. The malicious program in the present invention includes a program that exhibits behavior suspected of being illegal (suspicious program) or that is determined to be illegal by a predetermined method.
The inspection server device according to the present invention receives search program recording means for storing a search program for searching for a malicious program executed on the target computer, search program transmission means for transmitting the search program to the target computer, and receiving the execution result of the search program A search result receiving unit that analyzes the search result and outputs an analysis result; and an analysis result transmission unit that transmits the analysis result to the target computer.

  Further, the target computer receives search program receiving means for receiving the search program, search program execution means for executing the search program, search result transmitting means for sending the execution result of the search program to the inspection server device, and receiving the analysis result. Each of the analysis result receiving means is provided.

  In the computer inspection system, the search program detects an illegal behavior in the target computer with respect to the search program execution means, extracts at least one of the source code and the object code that causes the behavior, and codes as an execution result May be configured to perform the process of transmitting.

  The malicious program analysis means can perform dynamic analysis in which the code received by the search result receiving means is tried and its operation is analyzed. Further, the malicious program analysis means can perform static analysis for analyzing the contents of the code received by the search result receiving means. In the present invention, any one or both of the dynamic analysis and the static analysis can be performed.

  In the computer inspection system of the present invention, the malicious program analysis means can be arranged not in the inspection server device as described above but in an external server device connected through a communication network. Alternatively, a part of the malicious program analysis means may be provided in the inspection server device, and the remaining part may be provided in the external server device.

In addition to the above-described configuration, it may include a removal program generation unit that generates a removal program that invalidates the malicious program based on an analysis result of the unauthorized program analysis unit, and a removal program transmission unit that transmits the removal program to the target computer. Good. Each of these means can be provided in the inspection server apparatus, the external server apparatus provided with the malicious program analysis means, or an external server apparatus different from both.
The target computer includes a removal program receiving unit and a removal program execution unit that executes the removal program.

The present invention can also be provided as a computer inspection method for inspecting a malicious program on a target computer by an inspection server device. The method of the present invention provided as a computer processing method includes the following steps.
(S10) A search program transmission step (S11) in which a search program that is executed on a target computer and searches for a malicious program is stored in the test server device, and the search program is transmitted from the test server device to the target computer via a communication network. Search program execution means for executing the search program (S12) Search result transmission step for transmitting the search program execution result from the target computer to the inspection server device via the communication network (S13) An analysis unit transmits an analysis result from the inspection server device to the target computer via the communication network, in which the analysis unit analyzes the search result and outputs the analysis result (S14).

  In the search program execution step (S11), the search program detects a behavior suspected of being illegal in the target computer with respect to the search program execution means, and obtains at least one of source code and object code that causes the behavior. A configuration may be adopted in which a process of extracting and transmitting a code as an execution result is performed.

  In the malicious program analysis step (S13), a configuration for performing dynamic analysis in which the code received by the search result receiving means is tried and analyzing its operation, or static analysis for analyzing the contents of the code received by the search result receiving means It is also possible to use at least one of the configurations for performing the above.

Based on the analysis result of the malicious program analysis step, the following steps may be included after the analysis result transmission step (S14).
(S20) A removal program generation step in which the removal program generation unit generates a removal program that invalidates the malicious program (S21) a removal program transmission step in which the removal program generation unit transmits the removal program to the target computer via the communication network ( S22) A removal program execution step in which the removal program execution means of the target computer executes the removal program

The present invention may provide only the inspection server device in the computer inspection system.
Further, a search program for searching for malicious programs on the target computer may be provided.

By providing the above configuration, the present invention has the following effects.
In other words, the inspection server device is always provided with the latest search program and provided to the target computer, so that it is possible to search for illegal programs efficiently corresponding to new software.
In addition, it is possible to exhaustively search for the program by searching only the program showing the suspicious behavior without sending detailed analysis on the target computer and sending it to the inspection server device, and to minimize the load on the target computer. Can be suppressed.

On the other hand, the inspection server device can perform advanced analysis processing. For example, an illegal behavior can be detected by dynamic analysis in which source code or object code is received from a target computer and is executed on a trial basis.
Also in code static analysis, the load on the target computer can be reduced and analysis processing based on a large-scale database can be performed.

By providing the removal program generation means, it is possible to provide a removal program for removing the infected malware on the target computer. In particular, by generating a removal program based on the analysis result by the malicious program analysis means, a removal program effective for unknown malware can be created at high speed.
By providing the removal program promptly in this way, it is possible to prevent the spread of malware infection in the network.

1 is an overall configuration diagram of a computer inspection system of the present invention. It is a block diagram of the inspection server which concerns on Example 1 of this invention. It is a block diagram of user PC which concerns on Example 1 of this invention. It is a flowchart of the process in Example 1 of this invention. It is a block diagram of the test | inspection server which concerns on Example 2 of this invention. It is a block diagram of user PC which concerns on Example 2 of this invention. It is a flowchart of the process in Example 2 of this invention. It is another Example of this invention system. It is explanatory drawing which shows the outline | summary of nicter.

Hereinafter, embodiments of the present invention will be described based on examples shown in the drawings. The embodiment is not limited to the following.
First, the outline of the present invention will be described with reference to the overall configuration diagram of the computer inspection system shown in FIG. As elements constituting this system, there are an inspection server (1), a user PC (2) as a computer to be inspected, a malware analysis system (4), and a removal tool generation system (5). Each system can be easily configured by a known personal computer, a workstation, or the like, and each element is connected by a communication network such as the Internet. The communication network may be a WAN (wide area network), a LAN (local area network), a mobile phone, a public line network such as a PHS.

The inspection server (1) sends (1a) a search program to the user PC (2). A search program is activated and operated (2a) on the user PC (2) to search for malware that performs illegal behavior.
As a result, when an illegal behavior is found, the execution code is detected and transmitted (2b) to the inspection server (1).

The inspection server (1) starts analysis (1b) as soon as the execution code is received. In the present invention, a malware analysis system (4) is used for this analysis. The execution code is sent to the analysis system (4), and the code is subjected to static analysis (4a) and dynamic analysis (4b). For such analysis, various techniques have been proposed as micro analysis, and these can be arbitrarily used.
Static analysis is a technique of analyzing malware code and analyzing what kind of unauthorized processing is performed. Specifically, there is a method of disassembling an execution code to acquire processing contents.
Dynamic analysis is a method of actually operating malware and grasping details of fraud processing such as sending out fraudulent packets and file operation processing.
These analysis results (1c) are returned to the inspection server (1). The analysis result (1c) may be notified to the search program (2a) of the user PC (2) and displayed from the search program.

Further, based on the analysis result (1c), the removal tool generation system (5) can perform removal tool generation (5a).
In the present invention, a removal tool can be generated according to malware. However, as a simple method, the malicious code discovered by the static analysis (4a) is deleted or detected by the dynamic analysis (4b). This includes the addition of a new process for canceling an illegal process that has been performed.
The generated removal tool (1d) is sent to the search program (2a) of the user PC (2) via the inspection server (1), and the removal (2c) is executed.

Example 1
Next, specific examples of the present invention will be described. As a first embodiment, a configuration in which the system of the present invention is configured by an inspection server (1) and a user PC (2) and the Internet (3) connecting both will be described, and a configuration that does not include generation of a removal tool will be described.
2 is a configuration diagram of the inspection server (1), FIG. 3 is a configuration diagram of the user PC (2), and FIG. 4 is a flowchart of this embodiment.

  The inspection server (1) is configured as a server device disposed on the Internet. As an essential element of the present invention, a communication adapter such as a CPU (10), an Ethernet (registered trademark) card, and a wireless LAN communication card is used. (11) A storage device (12) such as a hard disk is provided. In addition, as is well known, a memory cooperating with the CPU (10), a keyboard for receiving input from the administrator, a monitor, and the like can be provided, but they are omitted here.

The storage device (12) stores a search program (120) executed by the user PC (2), and it is desirable that this is always revised to the latest version.
The CPU (10) includes a search program transmission unit (100), a search result reception unit (101), a malicious program analysis unit (102), and an analysis result transmission unit (103).

On the other hand, the user PC (2) is configured as a terminal device arranged on the Internet, and may be a personal computer, a PDA (Personal Digital Assistants), a mobile phone, a PHS, or the like.
The user PC (2) includes a CPU (20), a monitor (21) for screen display, a storage device (22), and a communication adapter (23). Other equipment attached will be omitted.

  The CPU (20) includes a search program receiving unit (200), a search program executing unit (201), a search result transmitting unit (202), and an analysis result receiving unit (203).

With the above configuration, the processing shown in FIG. 4 is performed.
First, the search program transmission section (100), reads the search program (120) of the storage device (12), it transmits a search program to search the program receiver via the Internet (3) (200) (S10).
This step (S10) may be initially sold in a package or the like and installed on the user PC (2) from a medium such as a CD ROM, as with known anti-virus software. The inspection server (1) can be updated to the latest version. The search program (120) transmitted in the present invention includes the already installed difference in addition to the entire program.
In this embodiment, the storage unit for the search program (120) and the search program transmission unit are provided in the inspection server (1). However, these are provided in an external server device to provide the search program to the user PC (2 ) Directly.

  In the user PC (2), the search program execution unit (201) executes the received search program (S11). The search program (120) preferably resides with the activation of the user PC (2), and always monitors suspicious behavior in the user PC (2). Such an operation mode can also be configured in the same manner as known anti-virus software.

The search program (120) searches and collects a suspicious object code (execution code) suspected of malware from programs that are running and resident in the user PC (2).
In the present invention, since it can be analyzed by the inspection server (1) whether or not it is malware, it is not necessary to consider the load on the user PC (2) and the fear of erroneous notification to the user. Therefore, it is desirable to extract all the suspicious programs based on the idea that the search program (120) allows false positives (a state in which it is possible to erroneously determine an object that is not illegal).

A simple method is to extract all unknown programs. There is a method in which the search program is provided with information on a program that has been checked by the check server, and a program that is not in the program list is extracted.
In this case, the identity can be determined by combining not only the file name but also a comparison of file capacity, hash value, and the like. In file backup software or the like, a file identity determination technique and a difference extraction technique are known and may be used.

As a more advanced method, there is a method in which a search program monitors the behavior of the program. For example, monitoring whether file management processing such as sending a packet to an illegal port number, deleting or moving a file is performed, and extracting a program that performs suspicious behavior when a predetermined processing is performed .
Even in such a method, it is desirable to extract when there is even a suspicious behavior so that there is no extraction omission.

In the present invention, as an effective method for reducing the extraction amount, it is possible to provide white list information for a tested program. The white list information is stored in the search program (120), and even if it is determined that the behavior is suspicious, the program in the white list information is not extracted.
At this time, a specific behavior such as sending a packet to a specific port number can also be stored in the white list information, and a behavior having no problem can be registered for each program.

  A target to be extracted as a search result may be a source code stored in a storage device in addition to an object code specified from an active process. In UNIX (registered trademark) etc., both source code and installation packages are often distributed. When the active object code and source code are associated with each other, the subsequent analysis processing is performed by transmitting both of them. Can contribute to higher accuracy.

  The searched code is transmitted from the search result transmitting unit (202) to the search result receiving unit (101) via the Internet (3) (S12). At this time, it can be converted into a format suitable for transmission as required.

The search result is analyzed (S13) in the malicious program analysis unit (102). It is also possible to store whitelist information in the malicious program analysis unit and skip the analysis of programs with whitelist information among the programs received from the search program.
For the analysis processing, the technology of nicter (Non-Patent Document 4) by the applicant of the present application or a well-known analysis technology can be used.

Here, nicter will be explained briefly.
nicter has two sub-systems: a macro analysis system that analyzes events collected by wide-area network monitoring and detects incidents from them, and a micro analysis system that collects and analyzes malware samples and extracts their behavior. It has an analysis path via the system (see FIG. 9).

  The correlation results of the analysis results in these two subsystems are analyzed in the correlation analysis system, and the “phenomenon” and “cause” of the incident can be associated with each other. In other words, the macro analysis system can capture the phenomenon of incidents occurring on the network, while the micro analysis system can grasp the behavior of malware that is thought to be the cause of the incident, so both analysis results are collated. As a result, it is possible to identify the cause of the incident that has occurred, and to derive a countermeasure according to the identified malware. As a result, it is possible to output not only the statistical data and the like observed by network monitoring but also the cause of the incident and its countermeasures.

  The macro analysis system receives as input the traffic obtained from network monitoring at multiple observation points. nicter currently observes over 120,000 unused IP addresses in Japan. Originally, packets from outside should not arrive at unused IP addresses, but a substantial number of packets actually arrive. Many of these packets include scanning, which is the first stage of malware infection, DoS attacks, and Backscatter, which is a reply to DoS attacks in which the source IP address is spoofed.

In this way, by collecting and analyzing traffic arriving at unused IP addresses, it becomes possible to grasp the trend of attack activity in a wide area network.
The behavior analysis engine included in the macro analysis system is an engine that slices the traffic observed by nicter for each source host and automatically analyzes the behavior of each host for a short time (30 seconds). The behavior is automatically classified using the following parameters and stored in the DB sequentially.

Source / destination port number Destination IP address Protocol type Scan type (Sequential / Random)

This automatic classification makes it possible to instantaneously determine whether the behavior of a certain source host is a known attack pattern or a new attack pattern.
Furthermore, since the long-term behavior analysis engine analyzes traffic information accumulated over several years in a nicter over a long-term span, it can handle slow scans and the like.

  The change point analysis engine provided in the macro analysis system considers the number of packets per unit time to a specific port, the number of unique hosts of the transmission source, etc. as time series data, and nicter uses 2 to detect rapid changes. High-speed calculation is realized by the learning algorithm of the stage.

  The self-organizing map analysis engine provided in the macro analysis system inputs the multi-faceted attributes of the attack pattern of the source host into the self-organizing map as feature vectors and has the same behavior (that is, infected with the same kind of malware). Cluster) hosts, and detect / analyze the increase / decrease and occurrence / disappearance of clusters. As a result, it is possible to quickly grasp the operation of the botnet.

The nicter has a micro analysis system together with the macro analysis system.
The purpose of the micro-analysis system is to automatically analyze a large amount of malware specimens captured in a honeypot or the like in 5 to 10 minutes per specimen, extract their properties and behavior, and accumulate them in a malware information pool. The following outlines the main engines of the micro analysis system.

・ Static analysis engine
As a typical analysis method of malware, there is a static analysis in which malware execution code is disassembled and its characteristics are extracted. However, some malware executable code has code obfuscation that prevents disassembly, making static analysis more difficult. Therefore, nicter's static analysis engine executes code-obfuscated malware once on a computer, acquires code that is expanded (self-decoding) in memory, and disassembles it, thereby improving the obfuscation effect. A technique for enabling invalidation is used.

Dynamic Analysis Engine Another typical analysis method for malware is dynamic analysis in which malware is placed in an execution state and behaviors such as API and server access used by the malware are analyzed. However, recent malware often has a function that makes dynamic analysis difficult, such as monitoring the network environment around itself and detecting an abnormality to enter a silent state. Therefore, the dynamic analysis engine of nicter imitates the actual Internet environment by preparing a large number of dummy servers such as DNS and IRC in the miniature garden environment that executes malware, and extracts the behavior of malware including scanning.

  Furthermore, a correlation analysis system that performs a correlation analysis between the macro analysis system and the micro analysis system is provided. In the correlation analysis system, the attack patterns detected in the macro analysis system are profiled according to various attributes, matched with the malware profiles that have been analyzed in the micro analysis system, and malware candidates that are considered to be the cause of the incident Find out.

  In the present invention, the technology used in the micro analysis system of such a nicter is used as the processing of the malicious program analysis unit (102), and the details of the behavior of the malware using the analysis result of the correlation analysis system. Analysis may be performed.

In addition, various commercial projects, academic projects, or government-supported projects are being researched as malware analysis methods. (Refer nonpatent literature 4-16.).
As a previous step, many of these projects have focused on providing statistical data, such as a sudden increase in access at specific port numbers, based on network event monitoring. In the course of these activities, it is a common technique to monitor a dark address space, which is a set of unused IP addresses (see Non-Patent Documents 5, 6, and 17) that have been published worldwide.

  In these address spaces, honeypots are installed to attract various types of malware, or incoming packets including scans performed by malware to search for infection destinations and backscatter of DDoS attacks are monitored (black holes). Monitoring) A sensor is prepared (see Non-Patent Documents 18 to 21).

On the other hand, there is another problem in analyzing the actual malware executable file. When analyzing the structure of the malware, reverse engineering techniques are applied to disassemble the malware executable file (see Non-Patent Documents 22 and 23).
Moreover, the behavior of a sandbox analysis performed in an experimental environment in which malware code is actually closed (access is controlled) can observe its behavior (see Non-Patent Documents 22, 24-26).

The malicious program analysis unit (102) analyzes whether the code of the search result is malware by a known analysis process including these documents.
Then, the analysis result is transmitted from the analysis result transmitting unit (103) to the analysis result receiving unit (203) via the Internet (3) (S14).

  Here, the analysis result transmission step may be configured to transmit only when it is determined as malware, or may be transmitted even when it is not malware. In the latter case, it can be recorded as the white list information.

The search program may have a function of displaying the analysis result received by the analysis result receiving unit (203) from the monitor (21). That is, the process of outputting the analysis result (S15) is an important process for notifying the user that the malware is operating, and it is usually desirable to perform this process.
However, in the case of a special target computer such as a dedicated terminal that does not have a means for the user to operate, there is no point in outputting, so the output step (S15) does not necessarily have to be performed.

  In the first embodiment of the present invention, the search program (120) is transmitted from the inspection server (1) to the user PC (2) by the configuration as described above, and comprehensive search for malware by the search program (120) is performed. Can be realized. Since the analysis is performed by the inspection server (1), the greatest feature is that a large load is not applied to the user PC (2) and the analysis can be performed with high accuracy.

(Example 2)
As a second embodiment of the present invention, a configuration having a function of generating a removal program will be described.
FIG. 5 is a configuration diagram of the inspection server (1) according to the second embodiment, FIG. 6 is a configuration diagram of the user PC (2), and FIG. 7 is a flowchart of the processing of the second embodiment. In each figure, the same components as those in the first embodiment are denoted by the same reference numerals, and description thereof is omitted.

The CPU (10) of the inspection server (1) is newly provided with a removal program generation unit (104) and a removal program transmission unit (105). If necessary, a database of the removal pattern (121) may be stored in the storage device (12).
The CPU (20) of the user PC (2) is newly provided with a removal program receiving unit (204) and a removal program execution unit (205).

  As shown in FIG. 7, the search server (1) searches for a program that causes suspicious behavior in the user PC (2) by the search program transmission step (S10) and the search program execution step (S11). The illegal program analysis step (S13) and the analysis result transmission step (S14) are the same as described above.

  In addition, in the second embodiment, the removal program generation unit (104) generates a program for removing malware using the analysis result of the malicious program analysis unit (102) (S20). The removal program may be either an object code or a script.

  A known removal technique can also be used for the processing of the removal program generation unit (104). For example, the code before infection with malware is stored as a removal pattern (121) for each program, and a difference file for restoring the search result code to the code before infection can be generated as a removal program.

From the static analysis result of the unauthorized program analysis unit (102), a removal program for deleting the portion of the code where the unauthorized process is performed may be generated.
From the dynamic analysis result, processing for invalidating the behavior may be performed according to the behavior actually performed by the program. The invalidation process includes, for example, a process for restoring a process performed by malware and a process for canceling a process to be performed. An example of the former is a process of restoring the registry after the registry rewriting process is performed, and an example of the latter is a process of skipping the transmission operation when a packet transmission process is about to be performed.

  Since the behavior of malware is often patterned, the removal program element for each pattern can be stored in the removal pattern (121). Then, according to the behavior of the malware as a search result, a removal program can be generated by combining elements in the removal pattern (121).

The generated removal program is transmitted from the removal program transmission unit (105) to the removal program reception unit (204) via the Internet (3) (S21).
Then, an execution process (S22) is executed by the removal program execution unit (205) to remove the malware.
In the present invention, the search program (120) is automatically processed to receive (S21) and execute (S22) the removal program, so that it is consistent from search to removal without any user operation. It can be carried out.

  According to the configuration of the second embodiment described above, an optimal removal program can be generated and provided to the user according to the search result of the search program. By sharing the inspection server (1) of the present invention among a plurality of users, the malware that has been searched for by one of the user PCs (2) and the removal program has been generated is assigned to the other user PC (2). It contributes to high-speed response by using it for search and removal.

(Another embodiment)
Finally, an example in which each element of the present invention is distributed and arranged in a plurality of external server devices will be described.
FIG. 8 is a configuration diagram in the case where the malicious program analysis unit (102) and the removal program generation unit (104) are provided in the analysis system (4) and the removal tool generation system (5), respectively.
Each system (4) (5) can also be realized by a personal computer, a workstation or the like, and includes communication adapters (41) (51) connected to the Internet (3) together with CPUs (40) (50). The removal tool generation system (5) may include a storage means (52) and store a removal pattern (121).

In this embodiment, the processing is the same as that in the first and second embodiments, but differs in that information is transmitted between the processing units via a network.
That is, the search result received by the search result receiving unit (101) reaches the malicious program analysis unit (102) through the Internet (3), and the analysis result is returned to the analysis result transmission unit (103) again before the user. Sent to PC (2). The analysis result transmission unit (103) may also be provided in the analysis system (4) and transmitted directly to the user PC (2).

The analysis result of the unauthorized program analysis unit (102) is also sent to the removal program generation unit (104) through the Internet (3), and the generated removal program reaches the removal program transmission unit (105) and then the user PC ( 2).
As described above, the removal program transmission unit (105) may be provided in the removal tool generation system (5).

Thus, by distributing the analysis process and the removal program generation process to different external servers, it is possible to use an existing system or reduce the load for each apparatus.
The arrangement of this embodiment is merely an example, and the combination such as a configuration in which the malicious program analysis unit and the removal program generation unit are provided in one server can be arbitrarily changed.

DESCRIPTION OF SYMBOLS 1 Inspection server 1a Search program transmission 1b Execution code analysis start 1c Corresponding execution code basic analysis result 1d Removal tool 2 User PC
2a Search program activation / operation 2b Execution code detection / sending 2c Removal 3 Internet 4 Analysis system 4a Malware static analysis 4b Dynamic malware analysis 5 Removal tool generation system 5a Removal tool generation

Claims (14)

A computer inspection system that inspects an unauthorized or suspicious program (hereinafter referred to as an unauthorized program) on a target computer by an inspection server device, wherein the target computer and the inspection server device are connected via a communication network.
In the inspection server device,
Search program recording means for storing a search program that is executed on the target computer and searches for an unknown malicious program in the inspection server device ;
Search program transmitting means for transmitting the search program to the target computer;
Search result receiving means for receiving the execution result of the search program;
Malware analysis means for analyzing the search result and outputting the analysis result;
An analysis result transmitting means for transmitting the analysis result to the target computer,
The target computer includes
Search program receiving means for receiving the search program;
Search program execution means for executing the search program;
Search result transmitting means for transmitting at least one of source code and object code, which is an execution result of the search program, to the inspection server device;
An analysis result receiving means for receiving the analysis result. A computer inspection system comprising: The search program with respect to the search program execution means,
The computer according to claim 1, wherein an illegal behavior in the target computer is detected, at least one of source code and object code causing the behavior is extracted, and processing for transmitting the code as the execution result is performed. Inspection system. The malicious program analysis means
The computer inspection system according to claim 2, wherein the search result receiving unit performs the dynamic analysis of trying the code received and analyzing the operation thereof. The malicious program analysis means
The computer inspection system according to claim 2, wherein static analysis is performed to analyze a content of the code received by the search result receiving unit. In the computer inspection system,
The computer inspection system according to any one of claims 1 to 4, wherein the malicious program analysis means is arranged in an external server device connected to the inspection server device via a communication network. In the computer inspection system,
Based on the analysis result of the malicious program analyzing means, a removal program generating means for generating a removal program for invalidating the malicious program, and a removal program transmitting means for transmitting the removal program to the target computer, respectively, Provided in a server device or an external server device connected to the inspection server device via a communication network,
The computer inspection system according to any one of claims 1 to 5, wherein the target computer includes the removal program receiving means and a removal program execution means for executing the removal program. A computer inspection method for inspecting an unauthorized or suspicious program (hereinafter referred to as an unauthorized program) on a target computer by an inspection server device,
In a configuration in which a search program that is executed on the target computer and searches for an unknown malicious program in the inspection server device is stored in advance in the inspection server device and used.
A search program transmission step of transmitting the search program from the inspection server device to the target computer via a communication network;
A search program execution step in which the search program execution means of the target computer executes the search program;
A search result transmitting step of transmitting at least one of source code and object code, which is an execution result of the search program, from the target computer to the inspection server device via a communication network;
The malicious program analysis means of the inspection server device analyzes the search result and outputs an analysis result,
An analysis result transmission step of transmitting the analysis result from the inspection server device to the target computer via a communication network. In the search program execution step,
The search program with respect to the search program execution means,
The computer according to claim 7, wherein an illegal behavior in the target computer is detected, at least one of source code or object code causing the behavior is extracted, and processing for transmitting the code as the execution result is performed. Inspection method. In the malicious program analysis step,
The computer inspection method according to claim 8, wherein a dynamic analysis is performed in which the code received by the search result receiving unit is tried and the operation is analyzed. In the malicious program analysis step,
The computer inspection method according to claim 8 or 9, wherein static analysis is performed to analyze a content of the code received by the search result receiving unit. In the computer inspection method,
Based on the analysis result of the malicious program analysis step,
A removal program generation step in which the removal program generation means generates a removal program that invalidates the malicious program;
A removal program transmission step of transmitting the removal program from the removal program generation means to the target computer via a communication network;
The computer inspection method according to any one of claims 7 to 10, wherein the removal program execution means of the target computer includes a removal program execution step of executing the removal program. An inspection server device for inspecting an unauthorized or suspicious program (hereinafter referred to as an unauthorized program) on a target computer,
Search program recording means for storing a search program that is executed on the target computer and searches for an unknown malicious program in the inspection server device ;
Search program transmitting means for transmitting the search program to the target computer via a communication network;
Search result receiving means for receiving at least one of source code and object code as an execution result of the search program;
Malware analysis means for analyzing the search result and outputting the analysis result;
An inspection server device comprising: analysis result transmission means for transmitting the analysis result to the target computer. In the inspection server device,
Based on the analysis result of the malicious program analysis unit, a removal program generation unit that generates a removal program that invalidates the malicious program;
The inspection server apparatus according to claim 12, further comprising: a removal program transmission unit that transmits the removal program to the target computer. A search program used in the computer inspection system according to any one of claims 1 to 6 and transmitted from the inspection server device to the target computer ,
For the search program execution means of the target computer,
Detecting an illegal behavior in the target computer and extracting at least one of source code and object code causing the behavior;
For the search result transmission means of the target computer,
A search program for causing an inspection server device to transmit the code as an execution result via a communication network.

Images