KR101639675B1 - Polymorphic virus analysis system and method thereof - Google Patents


Info

Publication number: KR101639675B1
Authority: KR (South Korea)
Prior art keywords: virus, file, operand, decryption, stop condition
Application number: KR1020150076576A
Other languages: Korean (ko)
Inventors: 김의탁, 한관석, 김지훈, 박대성, 송재훈, 전대일, 지현준
Original assignee: 주식회사 하우리
Application filed by 주식회사 하우리
Priority to KR1020150076576A (patent/KR101639675B1/en)
Application granted
Publication of KR101639675B1 (patent/KR101639675B1/en)


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

The present invention relates to a device for diagnosing whether a file is infected with a polymorphic virus. The device comprises: a parsing and classifying unit 110 that parses the binary code of a diagnosis target file instruction by instruction and classifies each instruction by item; a first stop condition database 160 that stores a first stop condition, which is a condition for obtaining, from the virus section created by the polymorphic virus, the decryption information used to decrypt its encrypted part; a comparison unit 120 that compares the items with the first stop condition and obtains the decryption information from the first stop condition that matches the items; a decryption unit 140 that decrypts the encrypted part of the virus section with the decryption information to obtain a decrypted file; and a control unit 150 that compares the decrypted file with the virus pattern registered in advance in the polymorphic virus diagnosis apparatus and, if the decrypted file matches the virus pattern, diagnoses the diagnosis target file as infected with the polymorphic virus.

Description

POLYMORPHIC VIRUS ANALYSIS SYSTEM AND METHOD THEREOF

The present invention relates to a polymorphic virus diagnosing apparatus and method, and more particularly to a polymorphic virus diagnosing apparatus and method for diagnosing, by emulation, whether a computer program or file is infected with a polymorphic virus.

A polymorphic virus, also called a fourth-generation virus, is a kind of encrypting virus, but unlike a simple encrypting virus it has a complex form that can generate a myriad of variants. In addition, since many of them encrypt their own code in triple layers, diagnosing such a polymorphic virus requires tracing back through those various forms, so the diagnosis process is very complicated and time consuming.

Patent Document 1, an application filed and registered by the present applicant, is known as such a polymorphic virus diagnosis technology.

Patent Document 1 proposes a method of detecting a polymorphic virus infection by executing the file to be diagnosed step by step and, at each executed step, measuring whether a first execution code is present at the executed address and how many times it is repeated, and likewise whether a second execution code is present and how many times it is repeated. This operation is repeated, until the first execution code or the second execution code appears, for an expected number of steps based on empirical statistics, and the polymorphic virus infection is diagnosed from the result.

In Patent Document 1, the first execution code is an instruction that must be used when the virus decrypts itself: for example, a move or store instruction such as MOVE or STORE, an arithmetic instruction such as ADD or SUB, or a logical instruction such as XOR. The second execution code is, for example, a conditional branch instruction that branches according to the result of the immediately preceding operation.

The technique of Patent Document 1 relies on the fact that the polymorphic virus must execute the first execution code repeatedly in order to decrypt itself, that it must decrypt as much data as the size of the virus, and that the second execution code must therefore be used to repeat that execution; attention is paid to these facts in order to diagnose the polymorphic virus infection.

However, a polymorphic virus consists not only of the effective code needed for decryption but also of garbage code unrelated to decryption, which is interleaved with the effective code. As a result, it is difficult to trace a characteristic pattern or instruction code of such a polymorphic virus by the method of Patent Document 1, and the diagnosis takes a long time.

In addition, Patent Document 1 does not mention any method for treating a virus.

Patent Document 1: Registration No. 10-0367129 (published on January 9, 2003)

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a polymorphic virus diagnosing apparatus, and a method thereof, capable of diagnosing a polymorphic virus infection in a relatively short time and of treating a file infected with the polymorphic virus.

A polymorphic virus diagnosing apparatus according to the present invention diagnoses whether or not a file is infected with a polymorphic virus. The apparatus comprises: a parsing and classifying unit that parses the binary code of the diagnosis target file instruction by instruction and classifies each instruction by item; a first stop condition database storing a first stop condition, which is a condition for obtaining, from the virus section made by the polymorphic virus, the decryption information for decrypting the encrypted part of that virus section; a comparison unit that compares the items with the first stop condition and obtains the decryption information from the first stop condition that matches the items; a decryption unit that decrypts the encrypted part of the virus section using the decryption information to obtain a decrypted file; and a control unit that controls each unit. The control unit compares the decrypted file with the virus pattern registered in advance in the polymorphic virus diagnosis apparatus and, when the decrypted file matches the virus pattern, diagnoses the diagnosis target file as infected with the polymorphic virus.

Preferably, the apparatus further includes a second stop condition database storing a second stop condition, which is a condition for obtaining restoration data for restoring the original data moved into the virus section to its original position. The parsing and classifying unit parses and classifies the decrypted file instruction by instruction to obtain the instruction items of the decrypted file, the comparison unit compares the instruction items of the decrypted file with the second stop condition and obtains the restoration data from the second stop condition that matches those items, and the control unit treats the diagnosis target file with the restoration data.

According to another aspect of the present invention, there is provided a polymorphic virus diagnosis method for diagnosing whether a file is infected with a polymorphic virus, the method comprising the steps of: parsing the binary code of the diagnosis target file instruction by instruction and classifying each instruction by item; comparing the items with a first stop condition, which is a condition for obtaining, from the virus section made by the polymorphic virus, the decryption information for decrypting the encrypted part of that virus section, and obtaining the decryption information from the first stop condition that matches the items; decrypting the encrypted part of the virus section using the decryption information to obtain a decrypted file; and comparing the decrypted file with the virus pattern registered in advance in the polymorphic virus diagnosis device and diagnosing that the diagnosis target file is infected with the polymorphic virus if the decrypted file and the virus pattern match.

Preferably, the method further comprises the steps of: parsing and classifying the decrypted file instruction by instruction to obtain the instruction items of the decrypted file; comparing the instruction items of the decrypted file with a second stop condition, which is a condition for obtaining restoration data for restoring the original data moved into the virus section to its original position; obtaining the restoration data from the second stop condition that matches the instruction items of the decrypted file; and treating the diagnosis target file with the restoration data.

According to the present invention, it is possible to diagnose a polymorphic virus infection by a simple method in a relatively short period of time, and to provide a polymorphic virus diagnosing device and a diagnostic method that can repair a file infected with a polymorphic virus and restore it to a normal file.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram exemplarily showing the structure of a file;
FIG. 2 is a block diagram showing a schematic configuration of a polymorphic virus diagnosing apparatus according to a preferred embodiment of the present invention;
FIG. 3 is a flowchart showing the flow of a polymorphic virus diagnosis method according to a preferred embodiment of the present invention;
FIG. 4 is a flowchart showing the flow of a polymorphic virus treatment method according to a preferred embodiment of the present invention;
FIG. 5 is a diagram showing an example of a first stop condition;
FIG. 6 is a diagram showing an example of a file before decryption and a file after decryption;
FIG. 7 is a diagram showing, as a regular expression, an example of a decrypted file obtained by decrypting the encrypted section of a file infected with a specific polymorphic virus.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, a polymorphic virus diagnosis device and a diagnosis method according to a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.

First, the structure of a file infected with a polymorphic virus is described. Fig. 1 is a diagram exemplifying the structure of a file. Fig. 1 (a) shows the structure of a normal file not infected with a polymorphic virus, and Fig. 1 (b) shows the structure of a file infected with a polymorphic virus.

As shown in FIG. 1 (a), a normal file not infected with a polymorphic virus consists of a PE header (Portable Executable header), a code section, and other sections. In a file infected with a polymorphic virus, the virus creates a separate virus section in the normal file, moves the original code that should be located in the code section to a certain position in the newly created virus section, and embeds its malicious code in that portion, so that the infected file infects system memory or other files when it is executed.

Therefore, in the present invention, the files to be diagnosed for polymorphic virus infection are all files loaded into the computer from outside through various paths such as a file download or e-mail. Diagnosis and treatment are performed by obtaining the decryption information for decrypting the encrypted part of the virus section newly created by the polymorphic virus, decrypting the encrypted part of the file infected with the polymorphic virus using that decryption information, then restoring the original data that was moved into the virus section to its original position using the recovery data, and deleting the virus section.

Next, a polymorphic virus diagnosis apparatus according to a preferred embodiment of the present invention will be described. FIG. 2 is a block diagram showing a schematic configuration of a polymorphic virus diagnosing apparatus according to a preferred embodiment of the present invention.

The polymorphic virus diagnosing apparatus 100 of the present embodiment includes a parsing and classifying unit 110, a comparing unit 120, a calculating unit 130, a decoding unit 140, a controller 150, a first stop condition DB 160, a second stop condition DB 170, and a memory 180.

When a file to be diagnosed is input to the polymorphic virus diagnosing apparatus 100, the control unit 150 first sets a section in which the diagnosis is to be executed (hereinafter, also referred to as "emulation section"). Although not particularly limited, the emulation interval is usually set in the range from the entry point (EP) of the file to about 10,000 bytes.

The parsing and classifying unit 110 parses the binary input of the set emulation section one step at a time and classifies each parsed instruction by item.

Here, parsing the binary input into an instruction means converting one step of binary input such as "81 C3 FD 25 17 00" into "ADD EBX 0x1725fd", and classifying means dividing the converted instruction into OP Code Type and, for each Operand, Operand Type, Operand Size and Operand Value.

For example, "ADD EBX 0x1725fd" is divided into OP Code, Operand 1 and Operand 2 as "OP (operation) Code = ADD", "Operand 1 = EBX" and "Operand 2 = 0x1725fd". Operand 1 is then classified into the items "Type = Register", "Value = EBX" and "Size = 4", and Operand 2 is likewise classified into the items "Type = Immediate", "Value = 0x1725fd" and "Size = 4".
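As an added illustration of the parsing and classifying step (this is not code from the patent or from its applicant), the following Python decodes the one-step binary input quoted above, "81 C3 FD 25 17 00", into the instruction and its items. It handles only the forms needed for the example: opcode 0x81 (ADD/OR/ADC/SBB/AND/SUB/XOR/CMP with a register-direct ModRM and a 32-bit immediate) and the 0x01/0x29/0x31 register-register forms. The little-endian immediate FD 25 17 00 decodes to 0x1725fd; the item names and the "Size = 4" convention follow the description above, and the dict layout is this example's own choice.

```python
import struct

# 32-bit register names in ModRM order; the "group 1" operations selected by the
# /digit (reg) field of opcode 0x81.
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
GROUP1 = ["ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP"]
REG_REG_FORMS = {0x01: "ADD", 0x29: "SUB", 0x31: "XOR"}  # r/m32, r32


def decode_one_step(code, offset=0):
    """Decode one instruction at `offset`. Returns (mnemonic, operands, length),
    where a register operand is its name and an immediate operand is an int.
    Only register-direct ModRM (mod == 3) is handled in this example."""
    op = code[offset]
    if op == 0x81 or op in REG_REG_FORMS:
        modrm = code[offset + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:
            raise NotImplementedError("memory operand forms are not handled here")
        if op == 0x81:
            imm = struct.unpack_from("<I", code, offset + 2)[0]  # little-endian imm32
            return GROUP1[reg], [REG32[rm], imm], 6
        return REG_REG_FORMS[op], [REG32[rm], REG32[reg]], 2
    raise NotImplementedError(f"opcode {op:#04x} is not handled here")


def classify(mnemonic, operands):
    """Classify the decoded instruction by OP Code and, per operand, by
    Type / Value / Size (all operands here are 32-bit, hence Size = 4)."""
    items = {"OP Code": mnemonic}
    for i, operand in enumerate(operands, 1):
        if isinstance(operand, int):
            items[f"Operand {i}"] = {"Type": "Immediate", "Value": operand, "Size": 4}
        else:
            items[f"Operand {i}"] = {"Type": "Register", "Value": operand, "Size": 4}
    return items


def parse_and_classify(hexdump):
    """Parse one step of binary input given as a hex string and classify it."""
    code = bytes.fromhex(hexdump)
    mnemonic, operands, length = decode_one_step(code)
    if length != len(code):
        raise ValueError("input holds more than one instruction")
    return classify(mnemonic, operands)


if __name__ == "__main__":
    print(parse_and_classify("81 C3 FD 25 17 00"))
```

The output for the page's bytes is `{'OP Code': 'ADD', 'Operand 1': {'Type': 'Register', 'Value': 'EBX', 'Size': 4}, 'Operand 2': {'Type': 'Immediate', 'Value': 1516029, 'Size': 4}}`, where 1516029 is 0x1725fd. A production implementation would use a full disassembler library rather than this hand-written decoder; the point here is the item structure the comparison unit consumes.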

The parsing and classifying unit 110 parses the decrypted file obtained by decoding the encrypted portion of the virus section by the decrypting unit 140, which will be described later, in units of one step, and classifies the parsed command word by item. Here, the method of classifying the parsed commands by items is the same as the classification method for the emulation section described above.

The arithmetic operation unit 130 sequentially executes, one step at a time, the operation corresponding to each OP Code over the set emulation section. The arithmetic unit 130 likewise executes, one step at a time, the operation corresponding to each OP Code of the file decrypted by the decryption unit 140, which will be described later.

The comparison unit 120 compares the instruction of each step classified by the parsing and classifying unit 110 with the stop conditions stored in the first stop condition DB 160. That is, it checks whether each item of the one-step instruction of the file under diagnosis coincides with any one of the first stop conditions stored in the first stop condition DB 160, and if the items match, it obtains the decryption information from that first stop condition.

Here, each item of the one-step instruction of the file under diagnosis coinciding with one of the first stop conditions stored in the first stop condition DB 160 means that each item of the instruction at that particular step completely matches each item of that stored first stop condition. That is, the comparison is "true" if the OP Code Type and the Operand Type, Operand Size and Operand Value of each Operand all match, and "false" if any one of them does not match.

For example, when the first stop condition is "DWORD PTR DS:[EBX + EDI], EAX", the decryption key is the right operand "EAX", the decryption start address is the value of the base register "EBX", and the decryption size is the value of the index register "EDI". As another example, when the first stop condition is "WORD PTR DS:[EDX + 432000], 4AE9", the decryption key is the right operand "0x4AE9", the decryption start address is the displacement "0x432000" of the left operand, and the decryption size is the value of the register "EDX".

The comparison unit 120 also compares the instruction of each step, over the entire decrypted file produced by the decryption unit 140 described later, with the second stop conditions stored in the second stop condition DB 170. That is, it checks whether each item of the one-step instruction of the decrypted file completely matches any one of the second stop conditions stored in the second stop condition DB 170, and if the items are identical, the recovery data are obtained from that second stop condition.

Here, the recovery data consist of the size of the data to be recovered, the position of the data to be recovered, and the position of the recovery target. For example, if the second stop condition is "REP MOVS BYTE PTR ES:[EDI], [ESI]", the size of the data to be recovered is the value of "ECX", the position of the data to be recovered is the value of "ESI", and the position of the recovery target is the value of "EDI"; that is, the data located at ESI overwrite the data located at EDI.

The decryption unit 140 decrypts the encrypted section of the virus section (see FIG. 1) of the input file using the decryption information obtained by the comparison unit 120, and thereby obtains the decrypted file. As shown in FIGS. 6 (a) and 6 (b), the files before decryption are encrypted by the polymorphic virus in a different form each time, but it can be seen that the files after decryption are all the same. However, some portions of the files after decryption, such as the portions hatched in dark gray, may differ from one decrypted file to another.

The first stop condition DB 160 is a database storing the first stop conditions. A first stop condition is a condition obtained for each polymorphic virus by analysis by the supplier of the polymorphic virus diagnosis apparatus; it locates the virus section and yields the decryption information for decrypting the encrypted part of that virus section. Therefore, the first stop condition may differ for each polymorphic virus, and each time a new polymorphic virus appears the supplier of the polymorphic virus diagnosing apparatus analyzes it and updates the first stop condition DB 160.

An example of the first stop conditions (1 to 3) stored in the first stop condition DB 160 is shown in Fig. 5. Each first stop condition is divided, for each instruction, into at least an OP Code Type and the Operand Type, Operand Size and Operand Value of each Operand. In Fig. 5 the Register Number of Operand 2 is indicated as "Ignore", which means that this item of Operand 2 is ignored at the time of the comparison by the comparison unit 120.

The second stop condition DB 170 is a database storing the second stop conditions. A second stop condition is a condition obtained for each polymorphic virus by analysis by the supplier of the polymorphic virus diagnosis apparatus; it yields the recovery data for restoring the original data moved into the virus section to its original location. Therefore, the second stop condition may differ for each polymorphic virus, and each time a new polymorphic virus appears the supplier of the polymorphic virus diagnosing apparatus analyzes it and updates the second stop condition DB 170. The second stop condition DB 170 has the same basic structure as the first stop condition DB 160, for which reference is made to Fig. 5.

Fig. 7 is a diagram showing a virus pattern, which is an example, expressed as a regular expression, of the decrypted file obtained by decrypting the encrypted section of a file infected with a specific polymorphic virus. As with the first stop condition and the second stop condition described above, the virus pattern differs for each polymorphic virus, and each time a new polymorphic virus appears the provider of the polymorphic virus diagnosis apparatus analyzes it, obtains its virus pattern, and updates the polymorphic virus diagnosis apparatus 100.

The portion indicated by "??" in Fig. 7 marks the part of the decrypted file that may differ from one decrypted file to another, as described above with reference to Fig. 6, and this portion is excluded from the comparison. In FIG. 7 the portion indicated by "??" in the virus pattern, that is, the portion that differs between decrypted files, is assumed to be 4 bytes, but it may be more or less than 4 bytes, and there may also be a perfect match without any differing portion at all. In addition,

The memory 180 stores a result of data or arithmetic operations required by the arithmetic operation unit 130 and includes a register area 180a and a stack area 180b.

Although not shown in FIG. 2, a virus pattern as shown in FIG. 7 is also stored in a certain area of the memory 180 of the polymorphic virus diagnosing apparatus 100.

The control unit 150 controls the operations of the respective units and also compares the decrypted file obtained by the decrypting unit 140 with the virus pattern (see FIG. 7) stored in the memory 180, If a match is found, the diagnosis target file is determined to be a file infected with the polymorphic virus, and the file infected with the polymorphic virus is treated by the recovery data obtained by the comparison unit 120. Details of the file treatment will be described later.

Next, a method of diagnosing a polymorphic virus infection of a file by the polymorphic virus diagnosing apparatus 100 of the present embodiment and treating the infected file will be described. FIG. 3 is a flowchart showing a flow of a polymorphic virus diagnosis method according to a preferred embodiment of the present invention, and FIG. 4 is a flowchart showing a flow of a polymorphic virus treatment method according to a preferred embodiment of the present invention.

First, a polymorphic virus diagnosis method according to a preferred embodiment of the present invention will be described with reference to FIG. 3. FIG. 3 is a flowchart showing the flow of a polymorphic virus diagnosis method according to a preferred embodiment of the present invention.

In step S11, the control unit 150 receives, as input to the polymorphic virus diagnosis apparatus 100, the diagnosis target file to be checked for polymorphic virus infection, and in step S12 it sets the emulation section, that is, the range of the input file over which the emulation is to be executed. As described above, the emulation section is usually set to about 10,000 bytes from the entry point (EP), but the present invention is not limited to this.

Subsequently, the processing proceeds to step S13, where the parsing and classifying unit 110 parses the binary code of the diagnosis target file one step at a time, starting from the entry point of the emulation section set in step S12, and classifies each parsed instruction by item. Here, classifying the instruction by item means dividing the converted instruction into OP Code Type and, for each Operand, Operand Type, Operand Size and Operand Value; the details of the parsing and classification method are as described above.

Subsequently, in step S14, the arithmetic unit 130 executes one step according to the instruction parsed by the parsing and classifying unit 110, and the process proceeds to step S15, where the comparison unit 120 compares the instruction executed in step S14 with the first stop conditions stored in the first stop condition DB 160 and determines whether or not they coincide.

The determination in step S15 of whether the instruction and a first stop condition coincide is a judgment of whether the OP Code Type of the instruction and the Operand Type, Operand Size and Operand Value of each of its Operands are completely equal to the OP Code Type and the Operand Type, Operand Size and Operand Value of each Operand of one of the plurality of first stop conditions stored in the first stop condition DB 160. If any item differs, they are judged not to match.

If it is determined in step S15 that the one-step instruction does not match any of the plurality of first stop conditions stored in the first stop condition DB 160 (step S15 = NO), the process proceeds to step S19, where it is determined whether the emulation of the entire emulation section has finished. If it has (step S19 = YES), it is determined that the file is not infected with the polymorphic virus, and the emulation is terminated. If it is determined in step S19 that the emulation of the entire emulation section has not finished (step S19 = NO), the process returns to step S13, and steps S13 onward are repeated until the whole emulation section has been processed.

If, as a result of the determination in step S15, the one-step instruction corresponds to any of the plurality of first stop conditions stored in the first stop condition DB 160 (step S15 = YES), the process proceeds to step S16, where the decryption information is obtained from the matching first stop condition. The method of obtaining the decryption information, and the decryption information itself, are the same as described above for the configuration of the polymorphic virus diagnosis apparatus 100, so their detailed description is omitted here.

Subsequently, the process proceeds to step S17, where the decryption unit 140 decrypts the encrypted part of the virus section (see FIG. 1) generated by the polymorphic virus, using the decryption information obtained in step S16. An example of the file before decryption and the decrypted file after decryption is shown in Fig. 6A or 6B, respectively. In step S18, the control unit 150 compares the decrypted file with the virus pattern (see FIG. 7) stored in a predetermined area of the memory 180 and judges whether or not the decrypted file matches the virus pattern. If the decrypted file does not coincide with the virus pattern (step S18 = NO), it is judged that the file is not infected with the polymorphic virus, or that the diagnosis of the infection has failed, and the diagnosis is terminated.

If it is determined in step S18 that the decrypted file matches the virus pattern (step S18 = YES), it is determined that the file to be diagnosed is infected with the polymorphic virus, and the process proceeds to the treatment step. If necessary, a message indicating that "this file is infected with the polymorphic virus" may be displayed on the display device (not shown) of the computer at the same time as the transition to the treatment step.
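The diagnosis flow of steps S13 to S18 above, together with the "Ignore" item of the first stop condition (Fig. 5) and the "??" wildcard of the virus pattern (Fig. 7), can be put into working form as follows. This is an added example, not the patent's or the applicant's code. The stop condition is modelled on the page's "DWORD PTR DS:[EBX+EDI], EAX" example; the XOR mnemonic is an assumption, since the page does not give the opcode. The trace of classified instructions and register states, the key, the plaintext bytes and the virus pattern are all constructed for the example, and the item layout matches the decoder example earlier on the page.

```python
import re
import struct

IGNORE = "Ignore"  # wildcard item, as in the page's description of Fig. 5


def items_match(condition, instruction):
    """True when every item of the stop condition equals the corresponding item of the
    classified instruction; an item whose expected value is "Ignore" is skipped.
    Operand sub-items are compared recursively."""
    for name, expected in condition.items():
        if expected == IGNORE:
            continue
        actual = instruction.get(name)
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not items_match(expected, actual):
                return False
        elif expected != actual:
            return False
    return True


# Constructed first stop condition (assumed XOR decryption loop). The "Ignore" on the
# right operand's register means any register may carry the key.
FIRST_STOP_CONDITION = {
    "items": {
        "OP Code": "XOR",
        "Operand 1": {"Type": "Memory", "Size": 4, "Base": "EBX", "Index": "EDI"},
        "Operand 2": {"Type": "Register", "Size": 4, "Value": IGNORE},
    },
    "start": "EBX",  # base register holds the decryption start address
    "size": "EDI",   # index register holds the decryption size
}


def decryption_info(cond, insn, regs):
    """Decryption information read from the register state at the stop point: the key is
    the value of the right-operand register, start and size come from the named registers."""
    key_reg = insn["Operand 2"]["Value"]
    return {"key": regs[key_reg], "start": regs[cond["start"]], "size": regs[cond["size"]]}


def xor_decrypt(data, info):
    """The decryption unit's pass: XOR each dword of the encrypted range with the key.
    XOR is symmetric, so the same routine builds the encrypted sample below."""
    buf = bytearray(data)
    for off in range(info["start"], info["start"] + info["size"], 4):
        (dword,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, dword ^ info["key"])
    return bytes(buf)


def compile_virus_pattern(pattern):
    """Turn a byte pattern such as "B8 ?? ?? ?? ?? 33 C9" into a bytes regex;
    each "??" stands for one byte that may differ between decrypted files."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def diagnose(trace, target, pattern):
    """Steps S13-S18 in miniature. `trace` holds the classified instruction and the register
    state after each emulated step. Returns (infected, decrypted file or None)."""
    for insn, regs in trace:
        if items_match(FIRST_STOP_CONDITION["items"], insn):           # S15 = YES
            info = decryption_info(FIRST_STOP_CONDITION, insn, regs)   # S16
            decrypted = xor_decrypt(target, info)                      # S17
            return (pattern.search(decrypted) is not None, decrypted)  # S18
    return (False, None)  # emulation section exhausted without a stop point (S19 = YES)


# --- constructed sample data, not taken from the page ---
KEY = 0xDEADBEEF
PLAINTEXT = bytes.fromhex("B8 11 22 33 44 33 C9 8B F0 C3 90 90 90 90 90 90")
VIRUS_PATTERN = compile_virus_pattern("B8 ?? ?? ?? ?? 33 C9 8B F0 C3")  # 4 varying bytes


def build_infected_file(plain=PLAINTEXT, key=KEY, start=0x20):
    """A 32-byte stand-in header followed by the encrypted virus section."""
    return bytes(start) + xor_decrypt(plain, {"key": key, "start": 0, "size": len(plain)})


def sample_trace(key=KEY, start=0x20, size=16):
    """Three emulated steps; only the last is the decryption loop's stop point."""
    regs = {"EAX": key, "EBX": start, "EDI": size}
    reg = lambda name: {"Type": "Register", "Size": 4, "Value": name}
    imm = lambda value: {"Type": "Immediate", "Size": 4, "Value": value}
    return [
        ({"OP Code": "MOV", "Operand 1": reg("EAX"), "Operand 2": imm(key)}, dict(regs)),
        ({"OP Code": "ADD", "Operand 1": reg("EBX"), "Operand 2": imm(0)}, dict(regs)),
        ({"OP Code": "XOR", "Operand 1": {"Type": "Memory", "Size": 4, "Base": "EBX", "Index": "EDI"},
          "Operand 2": reg("EAX")}, dict(regs)),
    ]


if __name__ == "__main__":
    infected, decrypted = diagnose(sample_trace(), build_infected_file(), VIRUS_PATTERN)
    print("infected:", infected)
```

Two points worth noting in the design: the decryption information is taken from the register state at the moment the stop condition matches, not from the instruction text, which is why the trace carries a register snapshot per step; and the "??" bytes of the pattern let a second decrypted file that differs only in those four bytes still match, as Fig. 6 and Fig. 7 describe.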

Next, a polymorphic virus treatment method according to a preferred embodiment of the present invention will be described with reference to FIG. 4. FIG. 4 is a flowchart showing the flow of a polymorphic virus treatment method according to a preferred embodiment of the present invention.

First, in step S31, the parsing and classifying unit 110 of the polymorphic virus diagnosing apparatus 100 parses, instruction by instruction, the decrypted file (see FIG. 6) that the decryption unit 140 produced in step S17 of the polymorphic virus infection diagnosis process described with reference to FIG. 3, and classifies each parsed instruction by item.

The method of parsing the binary code of the decoded file by command and classifying the binary code by item is the same as that described in the description of the polymorphic virus diagnosing apparatus 100, so that detailed description is omitted here.

Subsequently, the operation unit 130 executes one step of the operation according to the instruction of the decrypted file (step S32). In step S33, the comparison unit 120 compares the instruction executed in step S32 with the plurality of second stop conditions stored in the second stop condition DB 170 and determines whether or not it coincides with any of them.

If the instruction matches none of the second stop conditions (step S33 = NO), the control unit 150 proceeds to step S36 to determine whether the emulation of the entire decrypted file has been completed. If the emulation is completed (step S36 = YES), it is determined that recovery of the infected file has failed, and the process ends. If necessary, a message such as "treatment of the polymorphic virus has failed" may be displayed on a display device (not shown) of the computer, so that a user who sees the message can take a measure such as permanently deleting the file whose treatment failed from the computer.

If it is determined in step S36 that the emulation for the entire decryption file has not been completed (step S36 = NO), the process returns to step S31 and the emulation for the decryption file is repeated.

If it is determined in step S33 that the instruction matches any of the plurality of second stop conditions stored in the second stop condition DB 170 (step S33 = YES), the process proceeds to step S34, where the recovery data are obtained from that second stop condition, and then to step S35, where the file infected with the polymorphic virus is treated. The method of obtaining the recovery data and the method of treating the infected file with the restoration data are the same as described for the polymorphic virus diagnosis apparatus 100, so their detailed description is omitted here.

The treatment of the file is the process of restoring the original data transferred to the virus section by the polymorphic virus to the original position and deleting the virus section, as described above. If necessary, a message indicating that the treatment of the polymorphic virus has been completed, for example, may be displayed on a display device (not shown) of the computer.
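The treatment flow of steps S31 to S36, applied to the REP MOVS example of the second stop condition given earlier, can be shown as follows. This is an added example and not code from the patent or its applicant. The file layout (header, code section, other section, appended virus section), the register values and the instruction trace are all constructed; the register values are used directly as file offsets, which is a simplification (a real implementation would map virtual addresses to file offsets through the PE section table). The treatment also checks that the recovery source lies inside the virus section and that the target does not, so that malformed recovery data cannot write outside the original file.

```python
# Second stop condition modelled on the page's "REP MOVS BYTE PTR ES:[EDI], [ESI]"
# example; the item layout is this example's own.
SECOND_STOP_CONDITION = {
    "OP Code": "REP MOVS",
    "Operand 1": {"Type": "Memory", "Size": 1, "Segment": "ES", "Base": "EDI"},
    "Operand 2": {"Type": "Memory", "Size": 1, "Segment": "DS", "Base": "ESI"},
}
# Recovery data, per the page: size in ECX, source (data to recover) in ESI, target in EDI.
RECOVERY_SPEC = {"size": "ECX", "source": "ESI", "target": "EDI"}


def recovery_data(regs):
    """Read the recovery data from the register state at the stop point."""
    return {name: regs[reg] for name, reg in RECOVERY_SPEC.items()}


def treat(decrypted, recovery, virus_section_start):
    """Copy the moved original data back over its original position and delete the
    virus section. Offsets are file offsets here (simplifying assumption)."""
    buf = bytearray(decrypted)
    src, dst, n = recovery["source"], recovery["target"], recovery["size"]
    if not (virus_section_start <= src and src + n <= len(buf)):
        raise ValueError("recovery source is not inside the virus section")
    if dst + n > virus_section_start:
        raise ValueError("recovery target overlaps the virus section")
    buf[dst:dst + n] = buf[src:src + n]      # data at ESI overwrite data at EDI
    return bytes(buf[:virus_section_start])  # delete the virus section


def treat_file(decrypted, trace, virus_section_start):
    """Steps S31-S36 in miniature: walk the decrypted file's emulation trace; at the
    second stop condition obtain the recovery data (S34) and treat the file (S35).
    Returns the repaired file, or None when the trace ends without a stop point."""
    for insn, regs in trace:
        if insn == SECOND_STOP_CONDITION:  # exact item match (S33 = YES)
            return treat(decrypted, recovery_data(regs), virus_section_start)
    return None  # S36 = YES without a match: treatment failed


# --- constructed sample, not taken from the page ---
def sample_layout():
    """Return (clean file, infected file, virus section start) for the example."""
    header = b"PEHDR".ljust(16, b"\0")
    original_code = b"ORIGINAL_CODE!!!"  # 16 bytes that belong in the code section
    other = b"OTHERSEC"
    clean = header + original_code + other
    virus_start = len(clean)
    # In the infected file the code section holds placeholder bytes (not a real
    # relocated jump) and the original code sits 8 bytes into the virus section.
    stub = b"\xE9" + virus_start.to_bytes(4, "little")
    infected = (header + stub.ljust(16, b"\x90") + other
                + b"\x90" * 8 + original_code + b"VIRUSBODY")
    return clean, infected, virus_start


def sample_trace(virus_start):
    """Two emulated steps of the decrypted file; the second is the stop point."""
    regs = {"ECX": 16, "ESI": virus_start + 8, "EDI": 16}
    return [
        ({"OP Code": "MOV", "Operand 1": {"Type": "Register", "Size": 4, "Value": "ECX"},
          "Operand 2": {"Type": "Immediate", "Size": 4, "Value": 16}}, dict(regs)),
        (dict(SECOND_STOP_CONDITION), dict(regs)),
    ]


if __name__ == "__main__":
    clean, infected, vs = sample_layout()
    print("repaired == clean:", treat_file(infected, sample_trace(vs), vs) == clean)
```

The exact-equality match is enough here because the page's second stop condition example carries no "Ignore" item; a condition with wildcards would use the same item-by-item comparison as the first stop condition.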

As described above, the present invention provides a polymorphic virus diagnosing apparatus and method capable of diagnosing a polymorphic virus infection in a relatively short time, treating a file infected with the polymorphic virus, and restoring it to a normal file.

Although the preferred embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and various modifications and variations are possible within the scope of the present invention.

Although the above embodiments have been described with respect to a personal computer, a desktop computer or another general-purpose computer, the present invention is not limited to general-purpose computers and can also be used for diagnosis and treatment on any device having an input/output device and a logical operation device.

100 Polymorphic virus diagnostic device
110 Parsing and classification unit
120 Comparison unit
130 Operation unit
140 Decryption unit
150 Control unit
160 First stop condition DB
170 Second stop condition DB

Claims (7)

1. A polymorphic virus diagnostic device that diagnoses whether a file is infected with a polymorphic virus, comprising:
a parsing and classifying unit for parsing the binary code of the file to be diagnosed into instructions and classifying the binary code into items;
a first stop condition database storing a first stop condition, which is a condition for obtaining decryption information for decrypting an encrypted part of the virus section by searching for information on the virus section made by the polymorphic virus;
a comparison unit for comparing the item with the first stop condition and obtaining the decryption information from the first stop condition corresponding to the item;
a decryption unit for decrypting the encrypted part of the virus section using the decryption information to obtain a decrypted file; and
a control unit for controlling each unit,
wherein the control unit compares the decrypted file with a virus pattern registered in advance in the polymorphic virus diagnostic device and diagnoses that the file to be diagnosed is infected with the polymorphic virus when the decrypted file matches the virus pattern.
2. The device according to claim 1, further comprising a second stop condition database storing a second stop condition, which is a condition for obtaining restoration data for restoring the original data transferred to the virus section to its original position,
wherein the parsing and classifying unit parses and classifies the decrypted file into instructions to obtain a command item of the decrypted file,
wherein the comparison unit compares the command item of the decrypted file with the second stop condition to obtain the restoration data from the second stop condition that matches the command item of the decrypted file, and
wherein the control unit treats the file to be diagnosed using the restoration data.
3. The device according to claim 1, wherein the item comprises the OP code type of the instruction, the type of the first operand, the size of the first operand, the value of the first operand, the type of the second operand, the size of the second operand, and the value of the second operand.
4. The device according to claim 3, wherein the item is determined to match the first stop condition only when the OP code type of the instruction, the type of the first operand, the size of the first operand, the value of the first operand, the type of the second operand, the size of the second operand, and the value of the second operand all match exactly.
5. The device according to claim 2, wherein the command item of the decrypted file comprises the OP code type of the instruction, the type of the first operand, the size of the first operand, the value of the first operand, the type of the second operand, the size of the second operand, and the value of the second operand.
6. A polymorphic virus diagnostic method for diagnosing whether a file is infected with a polymorphic virus, comprising:
parsing the binary code of the file to be diagnosed into instructions and classifying the binary code into items;
comparing the item with a first stop condition, which is a condition for obtaining decryption information for decrypting an encrypted part of the virus section by searching for information on the virus section made by the polymorphic virus, and obtaining the decryption information from the first stop condition corresponding to the item;
decrypting the encrypted part of the virus section using the decryption information to obtain a decrypted file; and
comparing the decrypted file with a virus pattern registered in advance in the polymorphic virus diagnostic device and diagnosing that the file to be diagnosed is infected with the polymorphic virus when the decrypted file matches the virus pattern.
7. The method according to claim 6, wherein a second stop condition database stores a second stop condition, which is a condition for obtaining restoration data for restoring the original data transferred to the virus section to its original position, the method further comprising:
parsing and classifying the decrypted file into instructions to obtain a command item of the decrypted file;
comparing the command item of the decrypted file with the second stop condition and obtaining the restoration data from the second stop condition that matches the command item of the decrypted file; and
treating the file to be diagnosed using the restoration data.
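As an added example (not the patent's own code) of how the claimed flow fits together, here is a toy Python model: instruction items carry the seven fields the claims name, the two stop-condition databases map an item to the decryption information or restoration data it yields, and a match requires all seven fields to agree as claim 4 states. The file bytes, key, virus pattern and items are all constructed, and the items are written as already-parsed tuples because the toy has no disassembler.

```python
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

PATTERN = b"VIRUS-BODY"          # constructed virus pattern "registered in advance"
KEY = 0x5A                        # constructed XOR key of the toy decryptor
CLEAN = b"\x4d\x5a\x90\x00" + b"\x00" * 4   # constructed 8-byte original file
VIRUS_START = len(CLEAN)
# Infection (constructed): entry bytes replaced, displaced bytes carried encrypted in the appended virus section.
INFECTED = b"JUMP" + CLEAN[4:] + xor_bytes(PATTERN + CLEAN[:4], KEY)

# Items: (opcode type, op1 type, op1 size, op1 value, op2 type, op2 size, op2 value)
DECRYPTOR_ITEMS = [
    ("mov", "reg", 4, 0, "imm", 4, VIRUS_START),
    ("xor", "mem", 1, 0, "imm", 1, KEY),               # the decryption instruction
    ("loop", "imm", 4, 0x10, "none", 0, 0),
]
DECRYPTED_ITEMS = [                                     # items parsed from the decrypted body
    ("mov", "mem", 4, 0, "mem", 4, VIRUS_START + len(PATTERN)),
    ("jmp", "imm", 4, 0, "none", 0, 0),
]
# First stop condition DB: item -> (start of the encrypted part, key)
FIRST_STOP_DB = {("xor", "mem", 1, 0, "imm", 1, KEY): (VIRUS_START, KEY)}
# Second stop condition DB: item -> (source of displaced bytes, original position, length)
SECOND_STOP_DB = {("mov", "mem", 4, 0, "mem", 4, VIRUS_START + len(PATTERN)):
                  (VIRUS_START + len(PATTERN), 0, 4)}

def diagnose(file_bytes, items, first_db=FIRST_STOP_DB, pattern=PATTERN):
    """Return the decrypted file if the virus pattern appears in it, else None."""
    for item in items:
        info = first_db.get(item)            # all seven fields must match (claim 4)
        if info:
            start, key = info
            decrypted = file_bytes[:start] + xor_bytes(file_bytes[start:], key)
            if pattern in decrypted:
                return decrypted
    return None

def treat(decrypted, items, second_db=SECOND_STOP_DB, virus_start=VIRUS_START):
    """Put the displaced bytes back at their original position and drop the virus section."""
    for item in items:
        rec = second_db.get(item)
        if rec:
            src, dst, length = rec
            head = decrypted[:virus_start]   # everything before the virus section
            return head[:dst] + decrypted[src:src + length] + head[dst + length:]
    return None
```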

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150076576A KR101639675B1 (en) 2015-05-29 2015-05-29 Polymorphic virus analysis system and method therof


Publications (1)

Publication Number Publication Date
KR101639675B1 true KR101639675B1 (en) 2016-07-14

Family

ID=56499351


Country Status (1)

Country Link
KR (1) KR101639675B1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20000000410A (en) * 1999-10-20 2000-01-15 남궁종 System and method for security management on distributed PC
KR100367129B1 (en) 2000-03-21 2003-01-09 주식회사 하우리 A polymorphic virus analysis system and a method thereof
JP2003186687A (en) * 2001-12-17 2003-07-04 Kanazawa Inst Of Technology Method and apparatus for virus detection
KR20070118589A (en) * 2005-02-11 2007-12-17 유니버셜 데이터 프로텍션 코퍼레이션 Method and system for microprocessor data security


Similar Documents

Publication Publication Date Title
Luo et al. Semantics-based obfuscation-resilient binary code similarity comparison with applications to software and algorithm plagiarism detection
Calvet et al. Aligot: Cryptographic function identification in obfuscated binary programs
CN103761475B (en) Method and device for detecting malicious code in intelligent terminal
CN100594509C (en) Software protection method
US20160012225A1 (en) System and method for the detection of malware
US20120317421A1 (en) Fingerprinting Executable Code
US7409718B1 (en) Method of decrypting and analyzing encrypted malicious scripts
WO2015101096A1 (en) Method and device for detecting malicious code in smart terminal
JP2009116847A (en) Device and method for inspecting software for vulnerabilities
US20200380125A1 (en) Method for Detecting Libraries in Program Binaries
US9607160B2 (en) Method and apparatus for providing string encryption and decryption in program files
US11475133B2 (en) Method for machine learning of malicious code detecting model and method for detecting malicious code using the same
WO2015101043A1 (en) Method and device for detecting malicious code in smart terminal
JP2022009556A (en) Method for securing software codes
CN110825363A (en) Intelligent contract obtaining method and device, electronic equipment and storage medium
CN107291485B (en) Dynamic link library reinforcing method, operation method, reinforcing device and safety system
EP4211581A1 (en) Scalable source code vulnerability remediation
US8539598B2 (en) Detection of customizations of application elements
KR101639675B1 (en) Polymorphic virus analysis system and method therof
US20200012581A1 (en) Method for Semantic Preserving Transform Mutation Discovery and Vetting
KR102167767B1 (en) Automatic build apparatus and method of application for generating training data set of machine learning
CN110147238B (en) Program compiling method, device and system
CN115408675B (en) Method, device, equipment and storage medium for generating eFuse Key
Ahn et al. Data Embedding Scheme for Efficient Program Behavior Modeling With Neural Networks
KR101711092B1 (en) Apparatus and method for restoring execution file

Legal Events

Date Code Title Description
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190708

Year of fee payment: 4