JPWO2016117317A1 - Software judgment device, software judgment method, software judgment program, software analysis device, and malware diagnosis device - Google Patents

Abstract

Provided is a software determination device that can easily verify the operation of software. The software determination apparatus 101 includes setting information representing a configuration of the virtual computer 106, software information in which at least one file required to execute the target software and a procedure for setting the file in the virtual computer are associated with each other, and In the process of determining whether or not the target software is being executed, determination information in which an execution process executed outside the virtual computer 106, a timing for executing the execution process, and a determination condition representing the determination condition are associated with each other. A configuration setting unit 102 that sets a virtual computer 106 having a configuration based on setting information, and software that sets a file in the storage unit 107 that configures the virtual computer 106 according to the procedure included in the software information when given Starts the setting unit 103 and the set virtual machine 106 Based on the activation unit 104 and the determination information, the execution process is executed at the timing, it is determined whether the determination result satisfies the determination condition regarding the execution result, and the target software is executed when the determination condition is satisfied And a determination unit 105 that determines that the target software is not executed when the determination condition is not satisfied.

Description

  The present invention relates to, for example, a software determination device that determines whether or not software operates.

  The static analysis program analyzes a source program with respect to computer software (hereinafter referred to as “software”) without analyzing the object program, thereby analyzing a defect or the like included in the software. The static analysis program provides information for supporting software development by pointing out a part (flow) determined to be a defect in the source program.

  For example, Patent Document 1 discloses an analysis device that outputs a warning text based on a result of analyzing a source program using a static analysis program. The analysis apparatus creates a file representing the result of analyzing the source program for each of a plurality of versions, and creates a difference between the files. Next, the analysis apparatus outputs a warning text associated with the created difference.

  On the other hand, when a source program related to software is not disclosed, reverse engineering is known as a technique for analyzing the software. In reverse engineering, software functions are elucidated by disassembling software object programs. In addition, it is possible to take countermeasures against malware by reverse-engineering malware representing software that performs illegal operations.

  For example, Patent Document 2 discloses a technique for extracting malware from a packing program that includes malware. Patent Documents 3 and 4 disclose techniques for analyzing software by analyzing the software in a virtual computer.

  Patent Document 2 discloses an extraction device that extracts malware from a packing program based on a change in an area accessed in a memory by a process executed by software.

  Patent Document 3 discloses a verification service providing system that verifies software using a program for analyzing software and a verification tool. The providing system introduces an analysis tool for analyzing a program into the virtual computer, and analyzes the software using the introduced analysis tool in the virtual computer.

  Patent Document 4 discloses a malware analysis apparatus that determines whether or not a sample is malware based on session information or the like output in association with processing executed by a malware candidate sample in a virtual computer. When determining that the sample is malware, the malware analysis apparatus outputs a signature that can identify the malware.

JP 2004-126866 A Japanese Patent No. 5389734 Japanese Patent No. 5540160 Special table 2014-519113 gazette

  For example, it is possible to verify whether or not the software operates in a certain computer environment by analyzing a source program related to software using the analysis device disclosed in Patent Document 1. The computer environment represents a mode in which components constituting hardware, software installed in the computer, and the like are combined.

  However, even if the software is analyzed using any of the above-described apparatuses, a large amount of processing (calculation amount) is required for the processing for verifying the operation of the software. For example, in the analysis work for analyzing a source program, it is necessary to analyze each statement, so that the analysis work requires a large amount of processing. Also, when reverse engineering an object program, it takes a lot of manpower (work, processing amount) to analyze the result obtained by disassembling.

  Therefore, a main object of the present invention is to provide a software determination device or the like that reduces the amount of processing for verifying the operation of software.

In order to achieve the above object, in one aspect of the present invention, a software determination device includes:
Setting information representing the configuration of the virtual machine, software information in which at least one or more files required for executing the target software and a procedure for setting the file in the virtual machine are associated, and the target software executes Determination processing in which execution processing executed outside the virtual machine, processing timing to execute the execution processing, and determination conditions representing the determination conditions are associated with each other is determined. A configuration setting means for setting the virtual machine having the configuration based on the setting information;
In accordance with the procedure included in the software information, software setting means for setting the file in storage means constituting the virtual machine;
Starting means for starting the set virtual machine;
Based on the determination information, the execution process is executed at the timing, it is determined whether or not the determination condition is satisfied with respect to an execution result, and the target software is executed when the determination condition is satisfied. Determining means for determining that the target software is not executed when the determination condition is not satisfied.

As another aspect of the present invention, the software determination method includes:
Setting information representing the configuration of the virtual machine, software information in which at least one or more files required for executing the target software and a procedure for setting the file in the virtual machine are associated, and the target software executes Determination processing in which execution processing executed outside the virtual machine, processing timing to execute the execution processing, and determination conditions representing the determination conditions are associated with each other is determined. In this case, the virtual machine having the configuration is set based on the setting information,
According to the procedure included in the software information, the file is set in the storage means configuring the virtual machine,
Start the virtual machine that has been set,
Based on the determination information, the execution process is executed at the timing, it is determined whether or not the determination condition is satisfied with respect to the execution result, and the target software is executed when the determination condition is satisfied. If the determination condition is not satisfied, it is determined that the target software is not being executed.

As another aspect of the present invention, the software determination program is
Setting information representing the configuration of the virtual machine, software information in which at least one or more files required for executing the target software and a procedure for setting the file in the virtual machine are associated, and the target software executes Determination processing in which execution processing executed outside the virtual machine, processing timing to execute the execution processing, and determination conditions representing the determination conditions are associated with each other is determined. A configuration setting function for setting the virtual machine having the configuration based on the setting information;
In accordance with the procedure included in the software information, a software setting function for setting the file in a storage unit configuring the virtual machine;
A start function for starting the set virtual machine;
Based on the determination information, the execution process is executed at the timing, it is determined whether or not the determination condition is satisfied with respect to the execution result, and the target software is executed when the determination condition is satisfied. And a determination function for determining that the target software is not being executed when the determination condition is not satisfied.

  Further, the object is realized by a computer-readable recording medium that records the software determination program.

  According to the software determination apparatus and the like according to the present invention, the operation of software can be easily verified.

It is a block diagram which shows the structure which the software determination apparatus which concerns on the 1st Embodiment of this invention has. It is a flowchart which shows the flow of a process in the software determination apparatus which concerns on 1st Embodiment. It is a figure which represents notionally an example of the structure which setting information has. It is a figure which represents notionally an example of the structure which software information has. It is a figure which represents notionally an example of the structure which judgment information has. It is a block diagram which shows the structure which the software determination apparatus concerning the 2nd Embodiment of this invention has. It is a flowchart which shows the flow of a process in the software determination apparatus which concerns on 2nd Embodiment. It is a figure which represents notionally an example of the structure which a setting information set has. It is a figure which represents notionally an example of the setting information displayed on a display part. It is a block diagram which shows the structure which the malware-analysis apparatus concerning the 3rd Embodiment of this invention has. It is a flowchart which shows the flow of a process in the malware analyzer which concerns on 3rd Embodiment. It is a figure which represents notionally an example of the structure which a software information set has. FIG. 3 is a diagram conceptually illustrating an example of a configuration included in a determination information set. It is a figure showing an example of the user interface which concerns on 3rd Embodiment. It is a block diagram which shows the structure which the malware diagnostic apparatus which concerns on the 4th Embodiment of this invention has. It is a flowchart which shows the flow of a process in the malware diagnostic apparatus which concerns on 4th Embodiment. It is a block diagram which shows roughly the hardware structural example of the calculation processing apparatus which can implement | achieve the software determination apparatus etc. which concern on each embodiment of this invention.

  Next, embodiments for carrying out the present invention will be described in detail with reference to the drawings.

<First Embodiment>
The configuration of the software determination apparatus according to the first embodiment of the present invention and the processing performed by the software determination apparatus will be described in detail with reference to FIG. 1 and FIG. FIG. 1 is a block diagram showing the configuration of the software determination apparatus 101 according to the first embodiment of the present invention. FIG. 2 is a flowchart showing the flow of processing in the software determination apparatus 101 according to the first embodiment.

  A software determination apparatus 101 according to the first embodiment includes a configuration setting unit 102, a software setting unit 103, an activation unit 104, and a determination unit 105.

  The software determination apparatus 101 can be connected to the virtual computer 106 by communication. The virtual computer 106 includes a storage unit 107 that can store information in a nonvolatile manner. Data relating to processing executed in the virtual computer 106 is stored in a main memory (hereinafter referred to as “memory”) 108. Data related to processing is, for example, processing data (information) that is a target to be processed by software, an execution program representing the software, and the like.

  The configuration setting unit 102 receives the setting information illustrated in FIG. 3, the software information illustrated in FIG. 4, and the determination information illustrated in FIG. Based on this, the constituent elements included in the virtual machine 106 are set (step S101). That is, the configuration setting unit 102 sets configuration elements included in the virtual computer 106 based on the given information in response to the setting information, software information, and determination information. FIG. 3 is a diagram conceptually illustrating an example of a configuration included in the setting information. FIG. 4 is a diagram conceptually illustrating an example of a configuration included in software information. FIG. 5 is a diagram conceptually illustrating an example of a configuration included in the determination information. After describing the setting information, software information, and determination information with reference to FIGS. 3 to 5, the process shown in FIG. 2 will be described in detail.

  The setting information will be described with reference to FIG. The setting information is information in which a name (identifier) representing a component included in the virtual computer 106 is associated with a value set for the component. Referring to the example shown in FIG. 3, for example, the setting information includes information in which the name “number of processors” is associated with the setting value “4”. This represents setting the number of processors constituting the virtual computer 106 to four. The setting information includes information in which the name “display resolution (vertical)” and the setting value “480” are associated with each other. This represents that the vertical resolution of the display constituting the virtual computer 106 is set to 480. IP represents an Internet protocol. OS represents an operating system.

Next, software information will be described with reference to FIG. The software information is information in which a file related to software to be determined (hereinafter, referred to as “target software”) and a setting procedure for setting the file in the storage unit 107 are associated with each other. In the software information, in addition to the file and the setting procedure, the name (identifier) of the target software may be further associated. Referring to the example shown in FIG. 4, the software information includes the following three items. That is,
Name “A”,
Files "AAA.exe, BBB.dll, CCC.dll",
Setting procedure “AAA.exe” is stored in “¥ 111 ¥ 222 ¥ 333” as “AAA.exe”. BBB. “Save dll in“ ¥ 111 ””.

  However, “¥” corresponds (corresponds) to a so-called backslash in an English keyboard. “¥” represents the configuration of a directory (folder) representing a location for storing files and the like.

  The software information illustrated in FIG. 4 indicates that the software “A” (the target software in this example) includes the file “AAA.exe”, the file “BBB.dll”, and the file “CCC.dll”. Represent. The file may be, for example, an input / output file referred to by the software “A” instead of the file included in the software A. In the setting procedure, “AAA.exe” is stored in “¥ 111 ¥ 222 ¥ 333” with the name “AAA.exe” in the storage unit 107, and “BBB.dll” is stored in “¥ 111”. This indicates that the virtual machine 106 that executes the software “A” can be set.

  Next, the determination information will be described with reference to FIG. The determination information indicates an execution process representing the process executed in the virtual computer 106, a timing for executing the execution process, and a condition for determining whether the target software is being executed based on the result of the execution process. Information associated with a condition. In the determination information, in addition to the execution process, the timing, and the determination condition, a name of software may be further associated. The determination condition in the determination information represents a condition referred to when determining whether or not the target software is being executed in the virtual computer 106.

For example, in the example shown in FIG. 5, the determination information represents determination information related to software A. In this case, the process for determining whether or not the software A is being executed in the virtual computer 106 can be realized by sequentially executing the following item 1 and item 2, for example. That is,
(Item 1) After 10 minutes have passed since the virtual computer 106 was started, the response time for the virtual computer 106 is measured (column “execution process” and column “execution process execution timing” in FIG. 5).
(Item 2) When the measured response time is 3 seconds or more, it is determined that the software A is being executed. If the measured response time is less than 3 seconds, it is determined that the software A is not being executed (column “determination condition” in FIG. 5).

  In each embodiment of the present invention, it is assumed that the execution process included in the determination information is a process executed on the virtual machine 106. That is, it is assumed that the execution process is not a process executed in the virtual computer 106 but a process for monitoring the virtual computer 106 from the outside. For example, the execution process is a process such as measuring a response time related to the virtual machine 106, dumping the memory 108, or reading communication contents transmitted / received with respect to the virtual machine 106.

  The software determination apparatus 101 according to the present embodiment will be described in detail with reference to the examples illustrated in FIGS. When the configuration setting unit 102 receives the setting information illustrated in FIG. 3, the configuration setting unit 102 includes, for example, a configuration included in the virtual computer 106 by setting the number of processors to 4 according to the received setting information in step S <b> 101. Set the element.

  Next, the software setting unit 103 sets a file associated with the procedure in the storage unit 107, which is one of the components included in the virtual machine 106, according to the procedure included in the software information illustrated in FIG. (Step S102). As a result, the virtual machine 106 can execute the target software by reading the file set by the software setting unit 103 from the storage unit 107 and executing the read file.

  Next, the activation unit 104 activates the virtual computer 106 (step S103). The activation unit 104 may further activate the target software set by the software setting unit 103. When the software information is information related to malware, the activation unit 104 may be set not to activate the target software. In this case, the target software is activated as the virtual computer 106 is activated.

  Next, based on the determination information illustrated in FIG. 5, the determination unit 105 executes an execution process associated with the timing at the timing included in the determination information (step S104). For example, the execution process is a process of measuring the response time of the virtual machine 106, a process of dumping the memory 108, or a process of reading communication contents transmitted / received with respect to the virtual machine 106. For example, when the software “A” has a function of communicating with the outside, the execution process is a process of measuring a time until a response is made after sending the communication to the software A.

  Next, based on the result of executing the execution process, the determination unit 105 determines whether the target software is being executed in the virtual machine 106 based on the determination condition associated with the execution process (step S105). . When determining that the execution result of the execution process satisfies the determination condition (YES in step S105), the determination unit 105 determines that the target software is being executed (step S106). If the determination unit 105 determines that the execution result of the execution process does not satisfy the determination condition (NO in step S105), the determination unit 105 determines that the target software is not being executed (step S107).

  In the case of the determination information illustrated in FIG. 5, the determination unit 105 measures the response time of the virtual computer 106 after 10 minutes have elapsed since the virtual computer 106 was started in step S <b> 103. Next, the determination unit 105 determines whether or not the target software is being executed in the virtual computer 106 by determining whether or not the measured response time is 3 seconds or more.

  When the determination information includes a plurality of execution processes (timing and determination conditions) for one target software, the determination unit 105 executes the processes shown in steps S104 to S107 for each execution process.

  Next, effects related to the software determination apparatus 101 according to the first embodiment will be described.

  According to the software determination apparatus 101, the operation of the target software can be easily verified. This is because the software determination apparatus 101 starts the virtual computer 106 set based on the setting information without analyzing the source program, and the target software executes based on the execution result of the execution process executed after the start. This is because it is determined whether or not it has been done.

  As described in “Background Art”, the process of analyzing a source program requires many processes. On the other hand, the determination process for determining whether or not the target software is executed based on the execution result is a process executed by determining whether or not a certain determination condition is satisfied. Does not require much processing. Therefore, according to the software determination apparatus 101 according to the present embodiment, the operation of the target software can be easily verified.

  In addition, since the software determination apparatus 101 performs execution processing from outside the virtual computer 106, analysis software for analyzing whether the target software is being executed is not set in the virtual computer 106. For example, when the analysis software affects processing related to the target software that is the determination target, the target software that is the determination target cannot be accurately determined. Therefore, according to the software determination apparatus 101 according to the present embodiment, the operation of the target software is more accurately verified even when the operation of the target software varies depending on the presence or absence of the analysis software in the virtual computer 106. be able to.

<Second Embodiment>
Next, a second embodiment of the present invention based on the first embodiment described above will be described.

  In the following description, the characteristic parts according to the present embodiment will be mainly described, and the same components as those in the first embodiment described above will be denoted by the same reference numerals, and redundant description will be omitted. To do.

  The configuration of the software determination apparatus 201 according to the second embodiment and the processing performed by the software determination apparatus 201 will be described with reference to FIGS. FIG. 6 is a block diagram showing the configuration of the software determination apparatus 201 according to the second embodiment of the present invention. FIG. 7 is a flowchart showing a flow of processing in the software determination apparatus 201 according to the second embodiment.

  A software determination apparatus 201 according to the second embodiment includes a configuration setting unit 102, a software setting unit 103, an activation unit 104, a determination unit 105, an information transmission unit 202, and a display unit 203. The software determination device 201 may be connected to the setting information storage unit 204.

  In the following description, for convenience of explanation, the information transmission unit may be expressed as an “information providing unit”.

  The software determination apparatus 201 can be connected to the virtual computer 106 by communication.

  First, the information transmission unit 202 receives software information as illustrated in FIG. 4 and determination information as illustrated in FIG. Next, the information transmitting unit 202 creates setting information based on a setting information set (illustrated in FIG. 8) including a plurality of types of setting information (step S201). FIG. 8 is a diagram conceptually illustrating an example of a configuration included in the setting information set. The setting information storage unit 204 stores a setting information set.

  The setting information set illustrated in FIG. 8 includes a name of a component included in the virtual computer 106, a type of a value set in the component, an initial value and a maximum value of the value, and possible values as the value. And the step size of the value (“step” in FIG. 8) and the number of rows when setting the value in the setting information illustrated in FIG. 3 are associated with each other. The setting information set may include items other than the items described above. In addition, the setting information set does not necessarily include all the items described above.

  For example, the first line of the setting information set illustrated in FIG. 8 represents a series of values that can be set for the item “number of processors” that is one of the components of the virtual computer 106. In this case, the information transmission unit 202 reads the setting information set from the setting information storage unit 204 and relates to the item “number of processors” from one (initial value) to eight (maximum value) one by one (step). The setting information set in the first line (setting line number) in the setting information (illustrated in FIG. 3) is created. That is, in this case, the information transmission unit 202 creates eight types of setting information.

  The sixth line of the setting information set illustrated in FIG. 8 represents a series of values that can be set for the item “processor name” that is one of the components of the virtual computer 106. In this case, the information transmission unit 202 reads the setting information set from the setting information storage unit 204, and reads “AAA” and “BBB” regarding the item “processor name”, respectively, as setting information (illustrated in FIG. 3). ) In the second line (set number of lines), two types of setting information are created.

  When creating setting information regarding the two items described above, the information transmission unit 202 creates 16 (= 8 × 2) types of setting information that are combinations of the two items. That is, the information transmission unit 202 creates setting information by combining the constituent elements included in the setting information set.

  Next, the information transmission unit 202 receives the received determination information (illustrated in FIG. 5), the received software information (illustrated in FIG. 4), and one setting information of the created setting information. 102. That is, the information transmitting unit 202 (information providing unit) provides the received setting information, received software information, and one setting information of the created setting information to the configuration setting unit 102.

  Thereafter, the configuration setting unit 102, the software setting unit 103, the activation unit 104, and the determination unit 105 execute the same processing as the processing shown in steps S101 to S107 in FIG. 2 (step S202).

  Next, the information transmission unit 202 receives the determination result from the determination unit 105, and creates result information in which the received determination result is associated with the setting information transmitted to the configuration setting unit 102 (step S203).

  The information transmitting unit 202 executes the process from step S201 to step S203 with respect to the created setting information (repetitive process from step S201 to step S204).

  Next, the display unit 203 specifies setting information associated with a determination result that satisfies the determination condition from the created result information, and displays the specified setting information. For example, as illustrated in FIG. 9, the display unit 203 may display setting information that collectively includes the specified setting information. FIG. 9 is a diagram conceptually illustrating an example of setting information displayed on the display unit 203.

  In the setting information illustrated in FIG. 9, the operating system (OS) column includes two types, OS_A and OS_B. The column for the number of processors includes three types of 2, 3, and 4. This indicates that among the setting information, there are 6 (= 2 × 3) kinds of setting information satisfying the determination condition, which are combinations of the OS and the number of processors.

  Although the display unit 203 collectively displays the setting information that satisfies the determination condition, each setting information that satisfies the determination condition may be displayed according to the determination by the determination unit 105.

  Next, effects related to the software determination device 201 according to the second embodiment will be described.

  According to the software determination apparatus 201 according to the present embodiment, the operation of the target software can be easily verified. Furthermore, according to the software determination apparatus 201 according to the present embodiment, setting information on which the target software operates can be easily identified from among a plurality of setting information included in the setting information set.

The reason is Reason 1 and Reason 2. That is,
(Reason 1) The configuration of the software determination apparatus 201 according to the second embodiment includes the configuration of the software determination apparatus 101 according to the first embodiment.
(Reason 2) When the determination unit 105 determines that the determination condition is satisfied for each setting information included in the setting information set (illustrated in FIG. 8), the display unit 203 outputs the setting information. When the determination condition is satisfied, the target software operates on the virtual computer 106 configured based on the setting information. As a result, the display unit 203 outputs setting information for operating the target software.

<Third Embodiment>
Next, a third embodiment of the present invention based on the above-described second embodiment will be described.

  In the following description, the description will focus on the characteristic parts according to the present embodiment, and the same components as those in the second embodiment described above will be denoted by the same reference numerals, and redundant description will be omitted. To do.

  The configuration of the malware analysis apparatus 301 according to the third embodiment and the process performed by the malware analysis apparatus 301 will be described with reference to FIGS. 10 and 11. FIG. 10 is a block diagram showing the configuration of the malware analysis apparatus 301 according to the third embodiment of the present invention. FIG. 11 is a flowchart showing the flow of processing in the malware analysis apparatus 301 according to the third embodiment. Note that the malware analysis device 301 is a device that analyzes software, and hence may be hereinafter referred to as a software analysis device.

  The malware analysis device 301 according to the third embodiment includes a determination information setting unit 302, a software information setting unit 303, and a software determination device 201. Furthermore, the malware analysis apparatus 301 may include a determination information storage unit 304, a software information storage unit 305, and a storage unit 107.

  The software information storage unit 305 stores a software information set including a plurality of types of software information as illustrated in FIG. FIG. 12 is a diagram conceptually illustrating an example of the configuration of the software information set.

  In the example shown in FIG. 12, the software information includes, for example, a software name “F”, a file “FFFF.exe”, and a file processing procedure “save FFFF.exe in“ ¥ 12345 ””. Associate. This indicates that the virtual machine 106 capable of executing the software “F” can be set by saving “FFFF.exe” in the storage area “¥ 12345”. The software may be malware, for example.

  The determination information storage unit 304 stores a determination information set including a plurality of types of determination information as exemplified in FIG. FIG. 13 is a diagram conceptually illustrating an example of a configuration included in the determination information set.

  In the determination information set illustrated in FIG. 13, for example, software name “F”, “memory dump”, “virtual machine starts communication”, “character string“ CRYPT ENGINE ”in memory Is there? ”. This is because when the virtual machine starts communication, a software dump is created, and the software F executes depending on whether or not the character string “CRYPT ENGINE” exists in the created memory dump (ie, memory) It represents that it is determined whether or not. “CRYPT ENGINE” represents, for example, a function (program, engine) for encryption.

  First, the software information setting unit 303 receives the name of the target software, for example, via a user interface (man machine interface, graphical user interface) illustrated in FIG. FIG. 14 is a diagram illustrating an example of a user interface according to the third embodiment.

  For example, the user inputs the name of the target software in the software name column in the user interface as illustrated in FIG. 14, and then checks the check box to the left of the “Execute” column, Press the “Browse” button. As a result, the name of the software and the instruction to execute the target software are transmitted to the software information setting unit 303.

  Next, the software information setting unit 303 refers to the software information storage unit 305 to select software information including the received software name from the software information set (step S301). Next, the software information setting unit 303 transmits (gives) the selected software information to the software determination apparatus 201.

  The determination information setting unit 302 refers to the determination information storage unit 304, and selects determination information including the name received by the software information setting unit 303 from the determination information set (step S302). Next, the determination information setting unit 302 transmits the selected determination information to the software determination apparatus 201.

  Next, in response to receiving the determination information and the software information, the software determination apparatus 201 executes processing from step S201 to step S204 illustrated in FIG. 7 (step S303). The software determination device 201 may display the determination result (step S304).

  Next, effects related to the malware analysis apparatus 301 according to the third embodiment will be described.

  According to the malware analysis apparatus 301 according to the present embodiment, for example, regarding software such as malware that executes different operations according to setting information, setting information on which the software operates can be specified. As a result, according to the malware analysis apparatus 301 according to the present embodiment, for example, information for taking measures against software such as malware can be provided.

<Fourth Embodiment>
Next, a fourth embodiment of the present invention based on the first embodiment described above will be described.

  In the following description, the characteristic parts according to the present embodiment will be mainly described, and the same components as those in the first embodiment described above will be denoted by the same reference numerals, and redundant description will be omitted. To do.

  The configuration of the malware diagnostic apparatus 401 according to the fourth embodiment and the processing performed by the malware diagnostic apparatus 401 will be described with reference to FIGS. 15 and 16. FIG. 15 is a block diagram showing the configuration of the malware diagnosis apparatus 401 according to the fourth embodiment of the present invention. FIG. 16 is a flowchart showing the flow of processing in the malware diagnosis apparatus 401 according to the fourth embodiment.

  A malware diagnosis apparatus 401 according to the fourth embodiment includes a software determination apparatus 101, a transfer unit 402, and a determination unit 403.

  First, the malware diagnosis apparatus 401 receives setting information (illustrated in FIG. 3), software information (illustrated in FIG. 4), and determination information (illustrated in FIG. 5). In this case, the malware diagnosis apparatus 401 receives at least one of a plurality of types of setting information or a plurality of types of determination information.

  Next, the transfer unit 402 transmits the received setting information, the received software information, and the received determination information to the software determination apparatus 101. The transfer unit 402 executes the above-described processing for each piece of setting information included in a plurality of types of setting information and each piece of determination information included in a plurality of types of determination information.

  In response to receiving the information described above, the software determination apparatus 101 executes processing according to the processing described in the first embodiment (step S401).

  Next, the determination unit 403 receives a determination result calculated by the software determination apparatus 101 executing the process. That is, the determination unit 403 receives the determination result for each setting information transferred by the transfer unit 402 or for each determination information transferred by the transfer unit 402. The determination unit 403 determines whether the target software is executed or the target software is not executed in the received plural types of determination results (step S402).

  If there are setting information for executing the target software and setting information for not executing the target software in the plurality of types of determination results received (YES in step S402), the determination unit 403 determines the target related to the received software information. It is determined that the software is malware (step S403). The determination unit 403 determines that the target software related to the received software information is not malware (NO in step S402) when one of the determination results of the received plural types of determination results (NO in step S402).

  Next, effects related to the malware diagnosis apparatus 401 according to the fourth embodiment will be described.

  According to the malware diagnosis apparatus 401 according to the present embodiment, for example, malware whose operation changes according to the computer environment can be found.

  This is because the malware diagnosis apparatus 401 determines that the target software is malware when the determination results differ for a plurality of types of setting information.

  More specifically, when only a plurality of types of setting information are set, the software determination apparatus 101 does not set analysis software (for example, a debugger) that can analyze malware or the like in the virtual machine 106, but the virtual machine 106 Analyze the target software by analyzing the effects of. For example, the software determination apparatus 101 can examine the influence of the virtual machine by monitoring the communication executed by the virtual machine from the outside or analyzing the dump of the main memory used by the virtual machine.

The plurality of pieces of determination information may include determination information 1 and determination information 2 shown below. That is,
(Determination information 1) represents a case where the execution process starts software (for example, analysis software) different from the target software included in the software information.
(Decision information 2) This represents a case where the execution process does not execute the different software (for example, the analysis software).

  In this case, according to the malware diagnosis apparatus 401 according to the present embodiment, even malware that detects analysis software for analyzing software can be detected.

  Many malwares that stop activity in response to detecting that analysis software (e.g., a debugger) capable of analyzing the software is activated are also known. In this case, the malware stops the activity in the virtual machine 106 in which the analysis software is activated. On the other hand, the malware operates in a virtual machine on which analysis software is not activated. Therefore, since the malware diagnosis apparatus 401 determines whether or not the determination results are different for a plurality of pieces of determination information, it can determine whether or not the input target software is malware.

  Further, the analysis software described above may have a function of analyzing communication information (contents) inside the virtual computer 106. In this case, the malware diagnosis apparatus 401 can detect even malware that detects analysis software that analyzes communication information.

(Hardware configuration example)
A configuration example of hardware resources for realizing the software determination device, the software analysis device, and the malware diagnosis device in each embodiment of the present invention described above using one calculation processing device (information processing device, computer) will be described. . However, the software determination device, the software analysis device, and the malware diagnosis device may be realized using at least two calculation processing devices physically or functionally. In addition, the software determination device, the software analysis device, and the malware diagnosis device may be realized as a dedicated device.

  FIG. 17 is a diagram schematically illustrating a hardware configuration example of a calculation processing device capable of realizing a software determination device, a software analysis device, and a malware diagnosis device in each embodiment of the present invention. The computer 20 includes a central processing unit (Central_Processing_Unit, hereinafter referred to as “CPU”) 21, a memory 22, a disk 23, and a nonvolatile recording medium 24. The calculation processing device 20 further includes a communication interface (hereinafter referred to as “communication IF”) 27 and a display 28. The calculation processing device 20 may be connected to the input device 25 and the output device 26. The calculation processing device 20 can transmit / receive information to / from other calculation processing devices and communication devices via the communication IF 27.

  The nonvolatile recording medium 24 is, for example, a compact disk (Compact_Disc) or a digital versatile disk (Digital_Versatile_Disc) that can be read by a computer. The nonvolatile recording medium 24 may be a universal serial bus memory (USB memory), a solid state drive (Solid_State_Drive), or the like. The non-volatile recording medium 24 retains such a program without being supplied with power, and can be carried. The nonvolatile recording medium 24 is not limited to the above-described medium. Further, the program may be carried via the communication network via the communication IF 27 instead of the nonvolatile recording medium 24.

  That is, the CPU 21 copies a software program (computer program: hereinafter simply referred to as “program”) stored in the disk 23 to the memory 22 when executing it, and executes arithmetic processing. The CPU 21 reads data necessary for program execution from the memory 22. When the display is necessary, the CPU 21 displays the output result on the display 28. When output to the outside is necessary, the CPU 21 outputs an output result to the output device 26. When inputting a program from the outside, the CPU 21 reads the program from the input device 25. The CPU 21 is a software determination program (FIG. 2 or FIG. 7) in the memory 22 corresponding to the function (process) represented by each unit shown in FIG. 1, FIG. 6, FIG. 10, or FIG. The analysis program (FIG. 11) or the malware diagnosis program (FIG. 16) is interpreted and executed. The CPU 21 sequentially performs the processes described in the above-described embodiments of the present invention.

  That is, in such a case, it can be understood that the present invention can also be realized by such a software determination program, a malware analysis program, or a malware diagnosis program. Furthermore, it can be understood that the present invention can also be realized by a computer-readable non-volatile recording medium in which the software determination program, the malware analysis program, or the malware diagnosis program is recorded.

  The present invention has been described above using the above-described embodiment as an exemplary example. However, the present invention is not limited to the above-described embodiment. That is, the present invention can apply various modes that can be understood by those skilled in the art within the scope of the present invention.

  This application claims the priority on the basis of Japanese application Japanese Patent Application No. 2015-010119 for which it applied on January 22, 2015, and takes in those the indications of all here.

DESCRIPTION OF SYMBOLS 101 Software determination apparatus 102 Configuration setting part 103 Software setting part 104 Starting part 105 Determination part 106 Virtual machine 107 Storage part 108 Memory 201 Software determination apparatus 202 Information transmission part 203 Display part 204 Setting information storage part 301 Malware analysis apparatus 302 Determination information setting Unit 303 Software Information Setting Unit 304 Determination Information Storage Unit 305 Software Information Storage Unit 401 Malware Diagnosis Device 402 Transfer Unit 403 Determination Unit 20 Computing Processing Device 21 CPU
22 Memory 23 Disk 24 Non-volatile recording medium 25 Input device 26 Output device 27 Communication IF
28 display

Claims (11)

Setting information representing the configuration of the virtual machine, software information in which at least one or more files required for executing the target software and a procedure for setting the file in the virtual machine are associated, and the target software executes Determination processing in which execution processing executed outside the virtual machine, processing timing to execute the execution processing, and determination conditions representing the determination conditions are associated with each other is determined. A configuration setting means for setting the virtual machine having the configuration based on the setting information;
In accordance with the procedure included in the software information, software setting means for setting the file in storage means constituting the virtual machine;
Starting means for starting the set virtual machine;
Based on the determination information, the execution process is executed at the timing, it is determined whether or not the determination condition is satisfied with respect to the execution result, and the target software is executed when the determination condition is satisfied And a determination unit that determines that the target software is not executed when the determination condition is not satisfied. The software determination apparatus according to claim 1, wherein when the plurality of pieces of determination information having different execution processes are given with respect to the target software, the determination unit determines each piece of determination information included in the plurality of pieces of determination information. . When the software information, the determination information, and a setting information set including a plurality of types of setting information are given, the setting information in the setting information set, the software information, and the determination Information providing means for providing information to the configuration setting means;
The software determination apparatus according to claim 1, further comprising: a display unit configured to display the setting information determined by the determination unit to satisfy the determination condition for each provided setting information. A software determination device according to claim 3;
Software information setting means, and
In the software information, an identifier capable of identifying the target software, the file, and the procedure are associated with each other,
In the determination information, the identifier, the execution process, the timing, and the determination condition are associated,
The software information setting means includes a file associated with the specific identifier from a software information set including a plurality of types of the software information in response to the specific identifier, and the specific identifier. And the execution process associated with the specific identifier from the determination information set including a plurality of types of the determination information, and the process associated with the specific identifier. The timing and the determination condition associated with the specific identifier are obtained, the obtained file, the obtained procedure, the obtained execution process, the obtained timing, and the obtained determination condition. A software analysis device for supplying to the software determination device. A user interface capable of designating the specific identifier and a process related to the target software represented by the specific identifier;
The software analysis apparatus according to claim 4, wherein the software information setting unit obtains the file and the procedure based on the specific identifier designated via the user interface. A software determination device according to claim 3;
When the determination result determined by the determination unit in the software determination device is different for one target software, the one target software is determined to be malware, and the determination result matches, the one target A malware diagnosis device comprising: malware determination means for determining that software is not malware. A software determination device according to claim 2;
Malware judging means for judging whether or not the target software is malware,
The plurality of pieces of determination information include a case where the execution process represents a process of starting software different from the target software and a case where the execution process represents a process of not starting the different software,
The malware determination unit determines that the target software is malware when the determination results in the software determination device are different with respect to the two execution processes, and when the target software is the same with respect to the two execution processes, Malware diagnostic device that determines that software is not malware. The malware diagnosis apparatus according to claim 7, wherein the different software is software capable of analyzing an object program related to the target software. The malware diagnosis apparatus according to claim 7, wherein the different software is software capable of analyzing communication information transmitted and received in communication executed by the target software. Setting information representing the configuration of the virtual machine, software information in which at least one or more files required for executing the target software and a procedure for setting the file in the virtual machine are associated, and the target software executes Determination processing in which execution processing executed outside the virtual machine, processing timing to execute the execution processing, and determination conditions representing the determination conditions are associated with each other is determined. In this case, the virtual machine having the configuration is set based on the setting information,
According to the procedure included in the software information, the file is set in the storage means configuring the virtual machine,
Start the virtual machine that has been set,
Based on the determination information, the execution process is executed at the timing, it is determined whether or not the determination condition is satisfied with respect to the execution result, and the target software is executed when the determination condition is satisfied A software determination method that determines that the target software is not being executed when it is determined that the target software is not satisfied. Setting information representing the configuration of the virtual machine, software information in which at least one or more files required for executing the target software and a procedure for setting the file in the virtual machine are associated, and the target software executes Determination processing in which execution processing executed outside the virtual machine, processing timing to execute the execution processing, and determination conditions representing the determination conditions are associated with each other is determined. A configuration setting function for setting the virtual machine having the configuration based on the setting information;
In accordance with the procedure included in the software information, a software setting function for setting the file in a storage unit configuring the virtual machine;
A start function for starting the set virtual machine;
Based on the determination information, the execution process is executed at the timing, it is determined whether or not the determination condition is satisfied with respect to the execution result, and the target software is executed when the determination condition is satisfied. A recording medium storing a software determination program that causes a computer to realize a determination function that determines that the target software is not executed when the determination condition is not satisfied.

Images