KR102673878B1 - Method, device and system for malware extraction and managing from phising website - Google Patents

Abstract

A computer program stored in a computer-readable recording medium for extracting target software from resources accessible using the Web is disclosed. A computer program stored on a computer-readable recording medium, the computer program comprising one or more steps for extracting target software, the steps comprising: generating a final resource identifier using an input resource identifier; and extracting target software based on the final resource identifier, wherein the extracting the target software may include a resource vulnerability attack step.

Description

Method, device, and system for extracting and managing malicious software from phishing sites {METHOD, DEVICE AND SYSTEM FOR MALWARE EXTRACTION AND MANAGING FROM PHISING WEBSITE}

The present invention relates to a method for extracting malicious software from phishing sites and safely managing it.

Phishing is a type of social engineering that attempts to fraudulently obtain confidential information, such as passwords and credit card information, by using e-mail or messenger to pretend to be a message from a trustworthy person or company. In many cases, these phishing techniques have users download malicious software through emails or websites included in the message, and then use the downloaded malicious software to extract the user's personal information.

In order to protect users from phishing techniques and malicious software, there has been a technique that extracts malicious software in advance from conventional phishing sites, analyzes the extracted malicious software, and allows users to be protected from such malicious software. Accordingly, phishing techniques have also evolved to help phishing sites protect against malicious software. In particular, when a phishing victim is tentatively selected, a technique was recently discovered that allows only the victim to download malicious software by obtaining the victim's personal information in advance and allowing the phishing software to be downloaded only if the personal information matches. It is becoming a trend. When using these techniques, there is a problem that malicious software cannot be secured, so it is difficult to prepare a defense plan using existing techniques.

Therefore, there is a demand in the industry for a method to extract and safely manage malicious software by bypassing personal information-based malicious software protection techniques.

The present invention seeks to build a method to extract malicious software associated with a phishing site by using the vulnerability of the phishing site and learned phishing patterns.

A computer program stored on a computer-readable recording medium according to an aspect of the disclosed invention, the computer program comprising one or more steps for extracting target software, the steps comprising: generating a final resource identifier using an input resource identifier; steps; and extracting target software based on the final resource identifier, wherein the extracting the target software may include a resource vulnerability attack step.

Additionally, the resource vulnerability attack step includes extracting one or more input forms included in the final resource corresponding to the final resource identifier; A random value attack step of extracting the target software by inputting a random value into the extracted input form; and a security vulnerability attack step of extracting the target software by performing a security vulnerability attack when the target software is not extracted in the random value attack step.

Additionally, the security vulnerability attack may be characterized by using at least one of SQL injection, cross-site scripting, CSRF cross-site request forgery, or authentication session-related vulnerabilities.

Additionally, the step of extracting the target software may include a path pattern attack step of extracting the target software using a path pattern.

Additionally, the path pattern may include one or more path layers, and the path pattern attack step may be characterized by sequentially accessing the one or more path layers.

Additionally, the path pattern may include one or more pre-stored software extraction paths.

The method may further include storing the target software in a management area, wherein the management area is a pre-designated area for storing the target software.

Additionally, the management area may be isolated from the non-management area and not have any influence on the non-management area.

In addition, the step of extracting the target software may include performing analysis on at least one of one or more submit links, scripts, or hyperlinks included in the final resource corresponding to the final resource identifier. You can.

Additionally, the step of processing the input resource identifier to generate a final resource identifier may include an identifier normalization step of performing normalization on the input resource identifier.

Additionally, the identifier normalization step may include a character normalization step of converting modified characters included in the input resource identifier into regular characters.

Additionally, the step of processing the input resource identifier to generate a final resource identifier may include a resource identifier expansion step of extracting one or more final resource identifiers connected from the input resource identifier.

According to one aspect of the disclosed invention, it is possible to provide a technique for extracting malicious software protected from existing malicious software extraction techniques, safely downloading it, analyzing and managing it.

1 is a schematic diagram showing an example of a target software management system in which the disclosed invention is implemented.
Figure 2 is a block diagram showing the configuration of a target software extraction and management device according to one aspect of the disclosed invention.
Figure 3 is a flowchart showing a method for extracting and managing target software according to one aspect of the disclosed invention.
Figure 4 is a flowchart showing a resource identifier processing method according to one aspect of the disclosed invention.
Figure 5 is a flowchart showing a method for extracting target software according to one aspect of the disclosed invention.
Figure 6 is a conceptual diagram showing resource path data according to one aspect of the disclosed invention.

Like reference numerals refer to like elements throughout the specification. This specification does not describe all elements of the embodiments, and general content or overlapping content between the embodiments in the technical field to which the disclosed invention pertains is omitted.

Additionally, when a part is said to “include” a certain component, this does not mean excluding other components, but may include other components, unless specifically stated to the contrary.

As used herein, '~unit' refers to a unit that processes at least one function or operation, and may mean, for example, software, FPGA, or hardware components. The functions provided in '~ part' may be performed separately by multiple components, or may be integrated with other additional components. The '~ part' in this specification is not necessarily limited to software or hardware, and may be configured to reside in an addressable storage medium, or may be configured to reproduce one or more processors. Depending on the embodiment, it is possible for a plurality of '~units' to be implemented as one component, or for one '~unit' to include a plurality of components.

Terms such as first and second are used to distinguish one component from another component, and the components are not limited by the above-mentioned terms.

Singular expressions include plural expressions unless the context clearly makes an exception.

The identification code for each step is used for convenience of explanation. The identification code does not explain the order of each step, and each step may be performed differently from the specified order unless a specific order is clearly stated in the context. there is.

Hereinafter, the operating principle and embodiments of the disclosed invention will be described with reference to the attached drawings.

The target software extraction and management method according to the present disclosure extracts protected malicious software by executing various vulnerability attacks, including random value attacks and SQL injection, on one or more input forms included in a phishing site. , safely download and manage it to enable analysis and response to malicious software.

Additionally, the target software extraction and management method according to the present disclosure can effectively extract target software based on the fact that phishing sites used in phishing techniques repeatedly use similar patterns without significant modification. For example, according to one aspect of the target software extraction and management method according to the present disclosure, the target software is protected against input form attacks and security vulnerability attacks by using a target software path pattern that has already successfully been extracted and downloaded. It can be extracted.

The target software extraction and management method will be described in detail with reference to the drawings below.

1 is a schematic diagram showing an example of a target software management system in which the disclosed invention is implemented.

Referring to FIG. 1, a target software management system according to some embodiments of the present disclosure may include a target software extraction and management device 10, a client 20, and a target software distribution device 30.

The target software extraction and management device 10 according to some embodiments of the present disclosure may be a computing device that extracts target software from an external source and stores and manages the target software distribution device 30 . In some embodiments, managing target software may include analyzing the target software. In one embodiment, target software extracted and managed by the target software extraction and management device 10 may include malicious software. For convenience of explanation, target software and malicious software may be used interchangeably, but malicious software is only an example of target software, and target software should not be interpreted as limited to malicious software.

Target software extraction and management device 10 may be a computing device that includes one or more processors and memory. In some embodiments, the target software extraction and management device 10 may be a general-purpose computing device, including a desktop, a mobile device including a smart phone or tablet, a server device, and the like. Alternatively, in some embodiments, the target software extraction and management device 10 may be a computing device built using an FPGA, ASIC, etc. to execute the target software extraction and management method according to the present disclosure.

In some embodiments, the target software extraction and management device 10 may have a network interface and be connected to an external device through a network. In this case, the target software extraction and management device 10 receives various information related to resources that can extract target software from the client 20, and approaches the target software distribution device 30 based on the received information. , target software can be extracted, stored and managed.

Referring again to FIG. 1, a target software management system according to some embodiments of the present disclosure may include a client 20. In some embodiments, the client 20 receives a phishing message, such as an email or text message, uses the received phishing message to access a resource containing malicious software, and downloads target software from the accessed resource. It may be a device that can be received. Additionally, the client 20 may transmit a verification request for the received phishing message to the target software extraction and management device 10 and receive the verification result from the target software extraction and management device 10 . Alternatively, in some embodiments, the client 20 may be the entity that executes the target software extraction and management method according to the present disclosure.

The client 20 according to some embodiments of the present disclosure may be a mobile device, including a smart phone and tablet, or a general-purpose computing device such as a laptop or desktop. Additionally, the client 20 may access a network, including a network interface, and be connected to the target software extraction and management device 10 or the target software distribution device 30 through this.

Referring again to FIG. 1, a target software management system according to some embodiments of the present disclosure may include a target software distribution device 30. In some embodiments, the target software distribution device 30 may store malicious software and transmit it to the target software extraction and management device 10 or the client 20 through a network.

In some embodiments, malicious software managed by the target software distribution device 30, when installed on the client 20, can extract various personal information, including financial information of users associated with the client 20, from the operation of the client 20. It may be software that extracts information and transmits it back to the target software distribution device 30 or another device linked thereto. In some embodiments, target software distribution device 30 may include mechanisms to limit access to malicious software.

For example, the target software distribution device 30 may include a mechanism that allows access to the target software only when specific personal information is entered. For example, the target software distribution device 30 allows the accessing subject to enter the mobile phone number through resources such as web pages distributed on the web, and only if the entered mobile phone number matches the preset mobile phone number, the target software distribution device 30 It can make it difficult to analyze and respond to target software such as malicious software by enabling access to and downloading.

In some embodiments, target software distribution device 30 may include one or more computing devices that include a database. In this case, the target software distribution device 30 may store and maintain the target software and information for allowing access to the target software using various database software. For example, database software such as SQL may be used to manage target software and access information.

Figure 2 is a block diagram showing the configuration of a target software extraction and management device according to one aspect of the disclosed invention.

Referring to FIG. 2, the target software extraction and management device according to the present disclosure may include a control unit 100, an input/output unit 200, and a memory unit 300. The components shown in FIG. 2 are not essential for implementing the target software extraction and management device according to the present disclosure, so the data described herein may have more or fewer components than the components listed above. You can.

The communication unit 210 according to some embodiments of the present disclosure may include one or more components that enable communication with an external device, and may include, for example, at least one of a wireless communication module and a short-range communication module. .

In addition to Wi-Fi modules and WiBro (Wireless broadband) modules, wireless communication modules include GSM (global System for Mobile Communication), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), and UMTS (universal mobile telecommunications system). ), TDMA (Time Division Multiple Access), LTE (Long Term Evolution), 4G, 5G, 6G, etc. may include a wireless communication module that supports various wireless communication methods.

The wireless communication module may include a wireless communication interface including an antenna and a transmitter that transmits signals. Additionally, the wireless communication module may further include a signal conversion module that modulates a digital control signal output from the control unit through a wireless communication interface into an analog wireless signal under the control of the control unit.

The wireless communication module may include a wireless communication interface including an antenna and a receiver for receiving signals. Additionally, the wireless communication module may further include a signal conversion module for demodulating an analog wireless signal received through a wireless communication interface into a digital control signal.

The short-range communication module is for short-range communication, including Bluetooth®, RFID (Radio Frequency Identification), Infrared Data Association (IrDA), UWB (Ultra Wideband), ZigBee, and NFC (Near). Short-distance communication can be supported using at least one of (Field Communication), Wi-Fi (Wireless-Fidelity), Wi-Fi Direct, and Wireless USB (Wireless Universal Serial Bus) technologies.

The input unit 220 is for receiving information and data including audio information (or signals), text, etc. from a network or a user, and may include at least one of at least one microphone and a user input unit. Voice data, text data, commands, or requests collected from the input unit can be analyzed and processed as a user's control command.

The camera processes image frames, such as still images or moving images, obtained by the image sensor in shooting mode. Processed image frames can be stored in memory. In some embodiments, the camera may identify codes, including barcodes, QR codes, etc., or URLs included within an image frame.

On the other hand, when there are a plurality of cameras, they can be arranged to form a matrix structure. In this way, a plurality of image information with various angles or focuses can be input through the cameras forming the matrix structure, and the cameras can provide three-dimensional It may be arranged in a stereo structure to obtain left and right images to implement a three-dimensional image.

The microphone processes external acoustic signals into electrical voice data. Processed voice data can be used in a variety of ways depending on the function being performed (or the application being executed) on the device. Meanwhile, various noise removal algorithms can be implemented in the microphone to remove noise generated in the process of receiving an external acoustic signal.

The user input unit is for receiving information from the user. When information is input through the user input unit, the control unit can control the operation of the device to correspond to the input information. This user input unit uses hardware-type physical keys (e.g., buttons, dome switches, jog wheels, jog switches, etc. located on at least one of the front, back, and sides of the device) and software-type touch keys. It can be included. As an example, the touch key consists of a virtual key, soft key, or visual key displayed on a touch screen-type display unit through software processing, or is displayed on the touch screen. It may be composed of touch keys placed in other parts. Meanwhile, the virtual key or visual key can be displayed on the touch screen in various forms, for example, graphics, text, icons, videos, or these. It can be made up of a combination of .

The memory unit 300 can store data supporting various functions of the device and a program for the operation of the control unit, and can store input/output data (e.g., voice files, text, etc.). A number of application programs (application programs or applications) running on the device, middleware, system software, operating system, data for operation of the device, and instructions can be stored. At least some of these applications may be downloaded from an external server via wireless communication.

The memory unit 300 includes a flash memory type, a hard disk type, a solid state disk type, an SDD type (Silicon Disk Drive type), and a multimedia card micro type. card micro type), card type memory (e.g. SD or XD memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), EEPROM (electrically It may include at least one type of storage medium among erasable programmable read-only memory (PROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, and optical disk. Additionally, the memory may be a database that is separate from the device, but is connected wired or wirelessly.

Here, the program may include program instructions, data files, and data structures, etc., singly or in combination. Programs may be designed and produced using machine code or high-level language code. The program may be specially designed to implement the above-described target software extraction device, or may be implemented using various functions or definitions known and available to those skilled in the art in the computer software field. A program for implementing the above-described target software extraction device may be recorded on a recording medium readable by a processor.

The memory can store programs that perform the operations described above and the operations described later, and the processor can execute the programs stored in the memory. In the case where there are multiple processors and memories, it is possible for them to be integrated into one chip or to be provided in physically separate locations. The memory may include volatile memory such as SRAM (Static Random Access Memory, S-RAM) and D-Lab (Dynamic Random Access Memory) for temporarily storing data. In addition, memory is non-volatile memory such as Read Only Memory (ROM), Erasable Programmable Read Only Memory (EPROM), and Electrically Erasable Programmable Read Only Memory (EEPROM) for long-term storage of control programs and control data. may include.

Referring again to FIG. 2 , the memory unit 300 according to some embodiments of the present disclosure may include a target software management unit 310, a target software download unit 320, and a resource identifier processing unit 330.

The target software management unit 310 according to some embodiments of the present disclosure may be a module for storing and analyzing target software. In some embodiments, the target software management unit 310 stores the target software extracted and downloaded through the target software download unit 320 in the management area, and uses a technique such as hashing the target software stored in the management area. It may be a module that extracts information about the target software and generates analysis results by analyzing it. In some embodiments, the target software management unit 310 may use a virtual machine, a sandbox, a container, etc. to protect the target software extraction and management device from target software that may be malicious software. It can be implemented using an emulator or the like. In one embodiment, the management area managed by the target software management unit 310 may be implemented as a virtual machine, sandbox, container, emulator, etc., and in this case, the management area and the non-management area outside the management area are isolated, It is possible to prevent adverse effects caused by target software from spreading to the entire target software extraction and management device.

Referring again to FIG. 2, the memory unit 300 according to some embodiments of the present disclosure may include a target software download unit 320. In some embodiments, the target software download unit 320 may be a module that extracts target software from external resources distributed by the target software distribution device 30 and downloads it to the memory unit 300 of the target software device. . In one embodiment, the target software download unit 320 may include a plurality of software or hardware modules to perform a function for extracting and downloading target software from external resources. In this case, the target software download unit 320 can utilize various analysis and attack techniques to extract target software protected by external resources, which will be described in detail later with reference to FIGS. 5 and 6.

Referring again to FIG. 2, the memory unit 300 according to some embodiments of the present disclosure may include a resource identifier processing unit 330. In some embodiments, the resource identifier processing unit 330 may be a module that generates a final resource identifier from which target software can be extracted from an input resource identifier input through a client or target software extraction and management device. In some embodiments, the resource identifier processing unit 330 may include one or more software and/or hardware modules, and the final resource identifier generated by the resource identifier processing unit 330 is the target software management unit 310 or the target. It may be delivered to the software download unit 320.

In some embodiments, the input resource identifier may include various character variants that are not used in normal resource identifiers. These modified characters can be used to bypass commonly used spam filters. These modified characters may include circular characters, special characters, etc., and in this case, the resource identifier processing unit 330 selects an alphabet or punctuation mark corresponding to the circular character or special character that can be used in the resource identifier. By replacing the corresponding modified character with , the resource identifier can be processed to generate the final resource identifier.

In another embodiment, the input resource identifier may be a resource identifier that is not directly connected to the target software, but moves the access subject to the final resource identifier associated with the target software using redirection or forwarding. Alternatively, the input resource identifier is a short URL, which may be a modification of the final resource identifier associated with the target software. The resource identifier processing unit 330 according to some embodiments of the present disclosure may be a module that generates a final resource identifier directly linked to target software from the input resource identifier.

The processor may include various logic circuits and operation circuits, process data according to a program provided from memory, and generate control signals according to the processing results.

The control unit 100 includes a memory that stores data for an algorithm for controlling the operation of components in the device or a program that reproduces the algorithm, and at least one processor that performs the above-described operations using the data stored in the memory ( (not shown) may be implemented. At this time, the memory and processor may each be implemented as separate chips. Alternatively, the memory and processor may be implemented as a single chip.

The control unit 100 according to some embodiments of the present disclosure may include one or more processors. Referring to FIG. 2 , the control unit 100 may include a first processor 110 and a second processor 120 . In this case, the first processor 110 and the second processor 120 may be the same type or different types of processors. In one embodiment, the first processor 110 may be a central processing unit (CPU), and the second processor 120 may be a graphics processing unit (GPU), a neural network processing unit (NPU), or a tensor processing unit (TPU). In another embodiment, both the first processor 110 and the second processor 120 may be graphics processing devices. The control unit 100 may include additional processors necessary for operating the target software extraction and management device 10 in addition to the first processor 110 and the second processor 120. For convenience of description below, the first processor 110 or the second processor 120 may be expressed as a 'processor'. The configuration of the control unit 100 described above is merely an example, and the configuration of the control unit 100 is not limited thereto.

In addition, the control unit may control any one or a combination of the above-described components in order to implement various embodiments according to the present disclosure described in FIGS. 2 to 6 below on the device.

At least one component may be added or deleted in response to the performance of the components shown in FIG. 2. Additionally, it will be easily understood by those skilled in the art that the mutual positions of the components may be changed in response to the performance or structure of the system.

Meanwhile, each component shown in FIG. 2 refers to software and/or hardware components such as Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC).

It may be executed by one or more processors included in the software management device. In some embodiments, the target software extraction and management method disclosed in FIGS. 3 to 6 is independently executed by one or more processors included in the client, or is independently executed by one or more processors included in the target software extraction and management device, or Alternatively, it may be executed by having one or more processors included in the client perform some steps and one or more processors included in the target software extraction and management device performing the remaining steps.

Figure 3 is a flowchart showing a method for extracting and managing target software according to one aspect of the disclosed invention.

Referring to FIG. 3, a processor according to some embodiments of the present disclosure may perform a resource identifier processing step (S100). In some embodiments, the resource identifier processing step (S100) may include generating a final resource identifier using an input resource identifier.

In some embodiments of the present disclosure, a resource may be an identifiable object that may be digital, physical, or abstract. These resources can be identified through URLs, URNs, or URIs. In some embodiments, a resource may include an identifiable resource provided by a requestor, such as a server, when accessing a website or executing an API call. In some embodiments, resources may include static resources, such as static files in a web server file system, or dynamic resources. In some embodiments, resources may include text, images, videos, HTML files, or software program files.

In some embodiments of the present disclosure, the resource identifier is an identifier that can identify a specific resource in a software module or system for storing, managing, and distributing data, such as the Internet, web, or database system, or a hardware system such as memory, disk, etc. It can mean. In a specific embodiment, the resource identifier is a Universal Resource Indicator (URI), Universal Resource Locator (URL), Universal Resource Name (URN), or an IP address, MAC address, port number, etc. corresponding thereto for identifying a web resource on the web. may include. In some embodiments, a resource identifier may be intended to point to a unique resource residing on a data system maintained for storing, managing, and distributing data. For example, a resource identifier may be an index operated on a database system. As another example, the resource identifier may include a memory address where data is stored.

The input resource identifier according to some embodiments of the present disclosure may include one or more resource identifiers included in a phishing message or phishing email. The input resource identifier according to some embodiments may include one or more modified characters that are not used in normal resource identifiers. In one embodiment, when the resource identifier is a URL, the normal resource identifier may include an alphabet, a colon, a slash, a period, and a question mark. On the other hand, the input resource identifier according to some embodiments of the present disclosure may include circular characters, spaces, tab characters, and various special characters. This input resource identifier may be used to deliver a phishing message or phishing email to the user by bypassing the spam filter built into the client the user uses.

A processor according to some embodiments of the present disclosure may identify one or more modified characters included in an input resource identifier and normalize the identified modified characters to corresponding normal characters. In the present disclosure, a regular character refers to one or more characters that can be used in a normal resource identifier, and normalization for a resource identifier may mean converting a modified character included in an input resource identifier into a corresponding regular character. In one embodiment, if the modified character is a space, the processor may remove the space. In another embodiment, if the modified character is a C prototype, the processor may convert the C prototype to C.

Resource identifier processing will be described in detail later in FIG. 4.

Referring again to FIG. 3, one or more processors according to some embodiments of the present disclosure may include a step (S200) of downloading target software based on the final resource identifier generated through processing in step (S100). In some embodiments, the step of downloading the target software (S200) may include extracting the target software from a resource accessed through a resource identifier and downloading it.

In some embodiments, the step of downloading the target software (S200) may include extracting the target software by attacking a resource vulnerability existing in a resource accessed through a resource identifier.

In the present disclosure, a vulnerability is a defect or weakness in the design, implementation, operation, and management of a system, and may refer to an element that can be used to violate the security policy of the system. In some embodiments of the present disclosure, resource vulnerability may mean a component that can be used to extract target software from among components in a resource accessed through a resource identifier. In some embodiments, a resource vulnerability may be a component within a resource that can enter information to access a data system that performs storage, management, and distribution of the target software through a client or target software extraction and management device. In one embodiment, a resource vulnerability according to some embodiments of the present disclosure may include an input form. In some embodiments, the resource vulnerability may be an input box for phishing targets to enter personal information such as social security number, date of birth, or mobile phone number. In this case, the processor can perform a vulnerability attack using the input form by entering a random value in the input box or entering a query using the SQL injection technique.

This will be described in detail later in Figure 5.

In some other embodiments, the processor may perform a path pattern attack to download target software. In some embodiments, when the target software is successfully extracted, the path pattern may mean hierarchical information of the resource identifier from which the target software was extracted. In one embodiment, the path pattern may be generated from information on a resource identifier associated with the downloaded software prior to the target software being attempted to be downloaded. For example, when the download for the first target software has already been successfully performed, the processor may generate a path pattern using the resource identifier information on which the download for the first target software was performed, and You can attempt to download the second target software using the path pattern generated in relation to .

This will be described in detail later in Figures 5 and 6.

The processor according to some embodiments of the present disclosure may download the target software in step S200 and then perform the step S300 of storing the downloaded target software in the management area.

In some embodiments, the management area may be a recording space used to store and monitor target software that may be malicious software, analyze the target software through techniques such as hashing, and generate analysis results. . This management area can be configured using a recording device such as memory or disk.

In one embodiment, the management area may be a dedicated space configured to store and monitor target software. For example, the processor may operate by isolating the management area from the non-management area. In this case, the processor can prevent the management area and non-management area from influencing each other. In some embodiments, the processor may establish a management area using technologies such as virtualization, sandbox, containers, and emulation to isolate the management area and the non-management area from each other. there is.

As described above, by isolating the management area from the non-management area, it is possible to prevent a situation where the client or the entire target software extraction and management device is unintentionally affected during the analysis of target software that may be malicious software. . Accordingly, the entire client or target software extraction and management device, including the unmanaged area, can be protected from the influence of malicious software.

Figure 4 is a flowchart showing a resource identifier processing method according to one aspect of the disclosed invention.

Referring to FIG. 4, a processor according to some embodiments of the present disclosure may perform a step (S110) of receiving a modified resource identifier to perform resource identifier processing. In some embodiments, the modified resource identifier may be an input resource identifier or a resource identifier for which normalization of the input resource identifier has not been completely performed, and some or all of the resource identifier may include modified characters. That is, the modified resource identifier may be an input resource identifier, or may be a resource identifier that has an intermediate form between the input resource identifier and the final resource identifier.

The modified resource identifier according to some embodiments of the present disclosure may be received from the outside using a text message, a message received using messenger software, or an email. In one example, such a message or email may be provided to entice the recipient to download malicious software, and a modified resource identifier included in the message or email may identify resources that allow the user to access the malicious software, e.g. You can access web pages, etc.

A processor according to some embodiments of the present disclosure may perform preprocessing (S120) on the modified resource identifier received through step (S110). In some embodiments, preprocessing the variant resource identifier may include performing an identifier normalization step, which is a step of performing normalization on the variant resource identifier.

In some embodiments, the preprocessing of the modified resource identifier performed by the processor converts the modified characters, including special characters such as newlines, tab characters, and circular characters, and parentheses characters, within the modified resource identifier, into corresponding regular characters. It may include performing a character normalization step. In one embodiment, preprocessing performed by the processor may include removing newline characters, space characters, or tab characters. In another embodiment, preprocessing performed by the processor may include converting prototypical characters to corresponding regular characters. For example, it may include converting the original C character to the regular character alphabet C. In another example, preprocessing performed by the processor may include converting special characters to similar regular characters. For example, if the special character parenthesis character ( is included in the modified resource identifier, the processor can convert the parentheses character ( to C and perform preprocessing.

In some other embodiments, preprocessing performed by the processor may include converting the case of the resource identifier. In one embodiment, the preprocessing performed by the processor may include extracting part or all of the modified resource identifier and then converting the extracted part or all to uppercase or lowercase letters. For example, when the type of modified resource identifier is URL, the processor extracts the host name, domain name, and path portions of the URL as part of the preprocessing process for the modified resource identifier, and converts all extracted portions to lowercase. can be performed.

The processor according to some embodiments of the present disclosure may perform preprocessing on the modified resource identifier in step S120 and then extract the final resource identifier in step S130. In some embodiments, the final resource identifier may refer to a resource that can perform extraction and download of the target software. In some embodiments, the input resource identifier or modified resource identifier may relate to a resource that moves the accessing subject to another resource. In a specific example, when a processor accesses a resource corresponding to an input resource identifier, it may be transferred to another resource. For example, accessing an input URL may automatically move to another URL. In a specific example, resources associated with the input resource identifier may include forwarding and redirection. In this case, the input resource identifier may be a short URL.

In order to extract the final resource identifier, the processor according to some embodiments of the present disclosure may perform a resource identifier expansion step to extract one or more final resource identifiers connected from the input resource identifier. In one embodiment, the processor may generate the final resource identifier by attempting to access all resources connected from the input resource identifier. In another embodiment, the processor may obtain type information of the resource identifier and perform a resource identifier expansion step based on the obtained type information. In one embodiment, when the resource identifier is a URL, the processor requests head information for the URL, and when the status code in the response to the request is 200, the processor can perform resource identifier expansion by obtaining a redirection address. In one embodiment, the redirection address is obtained by searching Response.headers['Location'] information included in the response message, or, if redirection is performed with script code, document.location.href, location.replace and variables in the script. URLs consisting of can be obtained through JavaScript analysis.

Phishing messages or emails generally contain various modified characters to evade spam filters. Therefore, if you simply use a resource identifier such as a URL included in the message, it may be difficult to access the resource to extract the target software. Additionally, if the resource moves the user to another resource, including redirection or forwarding, a method is needed to safely obtain the access address to the final resource. According to the above-described method, it is possible to safely obtain the final resource identifier using the type characteristics of the resource identifier, so the target software can be extracted more safely.

Figure 5 is a flowchart showing a method for extracting target software according to one aspect of the disclosed invention.

In some embodiments of the present disclosure, extracting target software may mean reaching a state in which the target software can be downloaded and performing an operation to reach that state. Additionally, in FIG. 5 , extraction and downloading of target software are described separately, but in some embodiments, extracting target software may include downloading the target software. For example, extracting target software may include connecting or accessing a resource for downloading the target software, identifying the target software to be downloaded from the accessed resource, and further, in some embodiments, the identified target software. This may include downloading software. Accordingly, the description of FIG. 5 below is only intended to aid understanding of the present invention, and should not be construed as extracting and downloading target software as necessarily being performed as separate operations.

Referring to FIG. 5, a processor according to some embodiments of the present disclosure may attempt to extract target software through a Submit link within a resource (S210). In one embodiment, the Submit link may be a link that transmits a file or input information over a network. For example, a Submit link can be implemented using a graphical interface, such as a button, within the resource. In some embodiments, if the resource is a web page, specific information may be provided through a Submit link and the target software may be extracted accordingly. If the target software is successfully extracted through the Submit link in the resource (S210, Yes), the processor can download the target software (S260).

If extraction of the target software fails through the Submit link (S210, No), the processor may attempt to extract the target software through a script in the resource (S220). In some embodiments of the present disclosure, a script may be a set of one or more actions or commands executed within a resource. A processor according to some embodiments of the present disclosure may extract a script existing in a resource, analyze one or more operations included in the script, and then use the extract to attempt to extract target software. If the processor succeeds in extracting the target software through the script in the resource (S220, Yes), the processor can download the target software (S260).

If the processor fails to extract the target software through the script in the resource (S220, No), the processor can extract the target software through the hyperlink in the resource (S230). In some embodiments, the processor may extract hyperlinks included in the resource and extract target software using the extracted hyperlink. In one embodiment, the processor may access the extracted hyperlink to extract the target software. In another embodiment, the processor may extract target software using header information about the extracted hyperlink. If the processor according to the present disclosure extracts the target software through a hyperlink in the resource (S230, Yes), the processor can download the target software (S260).

If the processor fails to extract the target software through the hyperlink in the resource (S230, No), the processor can extract the target software through a resource vulnerability attack (S240).

In the present disclosure, resource vulnerability may mean an element that can be used to extract target software from a resource accessed through a resource identifier. As a specific example, a resource vulnerability may be a component within a resource that can enter information to access a data system that performs storage, management, and distribution of the target software through a client or target software extraction and management device. Alternatively, a resource vulnerability may refer to an element within a resource that can extract target software through queries, scripts, or commands.

In one embodiment, a resource vulnerability according to some embodiments of the present disclosure may include an input form. In some embodiments, the resource vulnerability may be an input box for phishing targets to enter personal information such as social security number, date of birth, or mobile phone number.

Extracting target software through a resource vulnerability attack by a processor according to some embodiments of the present disclosure is a random value attack step in which all input forms are extracted from resources and target software is extracted by inputting random values into the extracted input forms. It may include performing. In this case, the processor can extract all input forms contained within the resource. The processor can extract target software by entering a random value for each input form and submitting it through the accessed resource. In one embodiment, the random value entered into the input form may be generated based on the type of input form. In one example, the processor may perform analysis on each extracted input form to analyze the type of data that should be entered into the individual input form. For example, the first input form included in the resource may be for entering the date of birth, the second input form may be for entering the resident registration number, and the third input form may be for entering the mobile phone number. In this case, the processor may generate a random date of birth for the first input form, a random resident registration number for the second input form, and a random mobile phone number for the third input form. In another embodiment, the processor may include previously stored success random value information to generate the random value. For example, if the first target software is successfully extracted from the first resource using the first date of birth value, the first resident registration number value, and the first mobile phone number value, the processor may extract the first date of birth value, the first resident registration number value, and the first mobile phone number value. The mobile phone number value may be stored. When attempting to extract target software from a second resource, the processor determines the previously stored first date of birth value, first resident registration number value, and first mobile phone number value as random values for performing a vulnerability attack, and performs a vulnerability attack. You can.

A processor according to some other embodiments of the present disclosure may perform a security vulnerability attack as a resource vulnerability attack. In the present disclosure, a security vulnerability is an example of a resource vulnerability, and may refer to a defect or weakness in the design, implementation, operation, and management of the system, and may mean an element that can be used to violate the security policy of the system. In some embodiments, the processor enters a specific code, command, query, or script into a component within the resource to execute a security vulnerability attack, or inserts a specific code, command, query, or script into the resource through a resource vulnerability, or If an authentication element is included within the resource, security vulnerabilities contained within the authentication element can be exploited. As a specific example, the processor may perform SQL injection, cross-site scripting vulnerability attack, CSRF cross-site request forgery, authentication session vulnerability attack, etc. to perform security vulnerability attacks. In one embodiment, the processor generates SQL processing code associated with a vulnerability in a resource (e.g., an input form) to perform a SQL injection technique, and generates a SQL injection query according to the generated processing code and preset rules. can do. In some embodiments, there may be multiple SQL processing codes and resulting SQL injection queries generated by the processor. In other words, the processor can generate a plurality of SQL processing codes corresponding to the vulnerability and generate a plurality of SQL injection queries appropriate for the vulnerability. If the processor can extract the target software through a resource vulnerability attack (S240, Yes), it can download the target software (S260).

If the processor according to some embodiments of the present disclosure cannot extract the target software through an intra-resource vulnerability attack (S240, No), it may attempt to extract the target software through a path pattern attack (S250).

If the target software is successfully extracted, the path pattern according to some embodiments of the present disclosure may mean hierarchical information of the resource identifier from which the target software was extracted. In one embodiment, the path pattern may be generated from information on a resource identifier associated with the downloaded software prior to the target software being attempted to be downloaded. For example, when the download for the first target software has already been successfully performed, the processor generates a path pattern using the resource identifier information on which the download for the first target software was performed, and extracts and manages the target software using the resource identifier information. It can be stored in a recording medium such as internal or external memory of the device. If a vulnerability attack on the second target software fails, the processor may attempt to extract and download the second target software using an already created path pattern. If the processor succeeds in extracting the target software using the path pattern (S250, Yes), the processor can download the target software (S260). This will be described in detail later in Figure 6.

Recently, techniques to analyze malicious software linked to phishing messages and sites have been developed to prevent damage from phishing. However, this analysis technique has a problem in that it is premised on securing malicious software, so there is a problem that the analysis technique cannot be used if the malicious software is hidden from an entity attempting to perform the analysis technique using the victim's personal information. The target software extraction technique according to the present disclosure described above in FIG. 5 targets all components that can be found in the resource, such as submit links, scripts, hyperlinks, vulnerabilities, and path patterns included in the resource, and extracts the target software. By doing so, attempts by malicious software distributors to hide software can be blocked and malicious software can be secured in advance. Web resources related to phishing techniques are likely to contain many security vulnerabilities due to the nature of their rapid creation and destruction, and the resource identifier paths and cookie formation patterns for distributing malicious software are also likely to be very similar, so this disclosure Target software extraction techniques using components, vulnerabilities, and path patterns within resources are likely to be successful. Accordingly, it can become easier to secure malicious software that was previously impossible to secure.

Figure 6 is a conceptual diagram showing resource path data according to one aspect of the disclosed invention.

Referring to FIG. 6, resource path data 400 according to some embodiments of the present disclosure may include target software 410, input resource identifier 420, final resource identifier 430, and path pattern 440. there is.

The target software 410 may be software or an identifier of software to be extracted, downloaded, and managed by the target software extraction and management method according to the present disclosure. In one embodiment, the target software may be malicious software associated with a phishing message or email. Target software can be various types of files. In some embodiments, the target software is an executable file for installing an application, and may be a file that executes a specific code or script within the computing device through the application to steal personal information.

The input resource identifier 420 according to some embodiments of the present disclosure may be a resource identifier associated with target software received through a phishing message or email. As described above with reference to FIGS. 3 and 4 , the input resource identifier 420 may include one or more modified characters. Alternatively, the input resource identifier 420 may be a shortened URL or a resource identifier that leads to forwarding or redirection.

The final resource identifier 430 according to some embodiments of the present disclosure is a resource identifier generated through processing an input resource identifier and may include an identifier for a resource directly connected to the target software.

Referring again to FIG. 6 , resource path data 400 according to some embodiments of the present disclosure may include a path pattern 440. In some embodiments, path pattern 440 may include a path hierarchy of one or more resource identifiers. In the present disclosure, the path layer of the resource identifier may be data representing the level or order of the access layer for the resource according to the upper and lower hierarchical relationships of the components constituting the resource identifier. In one embodiment, when the resource identifier represents the location of the resource in the file system, the resource identifier may be expressed in the following order: namespace, drive, folder name, and file name. In this case, the path hierarchy of the resource identifier may include [namespace], [namespace/drive], [namespace/drive/folder name], and [namespace/drive/folder name/file name]. In another embodiment, when the resource identifier is a URL, the resource identifier may include a domain name, port number, file path, parameter, anchor, etc. In this case, the path hierarchy of the resource identifier is [domain name], [domain name/port number], [domain name/port number/file path], [domain name/port number/file path/parameter], [domain name/ Port number/file path/parameter/anchor] may be included. In one embodiment, the path layer of the resource identifier may be ordered according to the level of the path it contains. In one embodiment, the [domain name] path hierarchy may be higher in order than the [domain name/port number] path hierarchy. In this case, if there are multiple path layers, the processor can perform a path pattern attack by accessing the resource identifier in order from the upper-order path layer to the lower-order path layer, and attempt to extract the target software accordingly. there is.

A processor according to some other embodiments of the present disclosure may generate one or more cookies in the process of performing a path pattern attack. In one embodiment, the processor may create a cookie corresponding to one or more resource identifiers accessed during a path pattern attack, or may generate information about one or more resource identifiers accessed within the cookie. In a specific embodiment, when performing a path pattern attack, the processor may record access information about the accessed resource identifier in a cookie file while performing sequential access to the resource identifier from the upper path layer to the lower path layer. there is. If access information on the previous path layer is required to extract the target software in the path pattern attack stage, the processor can extract the target software using the generated cookie.

In the case of malicious software distribution, the characteristic is that phishing sites are created and destroyed within a short period of time. The creation and destruction time of a typical phishing site is within 24 hours, and therefore, phishing sites that distribute malicious software often show similar patterns in their distribution mechanisms and distribution routes. Therefore, by using the target software extraction technique according to the present disclosure, malicious software can be extracted, managed, and analyzed by bypassing a malicious software distribution mechanism that uses a similar path pattern.

Additionally, various techniques have recently been developed to protect malicious software from malicious software analysis techniques. One of these techniques is to check whether the subject downloading the malicious software downloaded the malicious software through a sequential approach according to the design arranged by the malicious software distributor. In this case, if a person trying to analyze malicious software directly accesses the final resource identifier for downloading malicious software, the distribution is rejected because it is recognized that the access was not made according to the path designed by the distributor. The target software extraction technique according to the present disclosure utilizes cookies for the access path to bypass this protection mechanism, thereby enabling extraction, download, and analysis of malicious software.

As described above, the disclosed embodiments have been described with reference to the attached drawings. A person skilled in the art to which the present invention pertains will understand that the present invention can be practiced in forms different from the disclosed embodiments without changing the technical idea or essential features of the present invention. The disclosed embodiments are illustrative and should not be construed as limiting.

Claims (15)

A computer program stored on a computer-readable recording medium, the computer program comprising one or more steps for extracting target software, the steps comprising:
generating a final resource identifier using an input resource identifier; and
Comprising: extracting target software from the final resource corresponding to the final resource identifier,
The step of generating a final resource identifier using the input resource identifier is,
Includes an identifier normalization step of performing normalization on the input resource identifier,
The step of extracting the target software is,
Characterized in that it includes a security vulnerability attack step of extracting target software by performing a security vulnerability attack on the final resource.
A computer program stored on a computer-readable recording medium.
According to claim 1,
The security vulnerability attack step is,
extracting one or more input forms included in a final resource corresponding to the final resource identifier; and
Including a random value attack step of extracting the target software by inputting a random value into the extracted input form.
A computer program stored on a computer-readable recording medium.
delete According to claim 1,
The security vulnerability attack is,
Characterized by exploiting at least one of the following vulnerabilities: SQL injection, cross-site scripting, CSRF cross-site request forgery, or authentication session-related vulnerabilities,
A computer program stored on a computer-readable recording medium.
According to claim 1,
The step of extracting the target software is,
Including a path pattern attack step of extracting the target software using a path pattern,
A computer program stored on a computer-readable recording medium.
According to clause 5,
The path pattern is,
Contains one or more path hierarchies,
The path pattern attack step is,
Characterized in sequentially accessing the one or more path layers,
A computer program stored on a computer-readable recording medium.
According to clause 5,
The path pattern is,
Contains at least one resource identifier associated with the first target software,
The first target software is,
Characterized in that it is already extracted software,
A computer program stored on a computer-readable recording medium.
According to claim 1,
Further comprising: storing the target software in a management area,
The management area is,
Characterized in that it is a pre-designated area to store the target software,
A computer program stored on a computer-readable recording medium.
According to clause 8,
The management area is,
Characterized in that it is isolated from the unmanaged area and does not affect the unmanaged area,
A computer program stored on a computer-readable recording medium.
According to claim 1,
The step of extracting the target software is,
Comprising: performing analysis on at least one of one or more submit links, scripts, or hyperlinks included in the final resource corresponding to the final resource identifier.
A computer program stored on a computer-readable recording medium.
delete According to claim 1,
The identifier normalization step is,
Including a character normalization step of converting modified characters included in the input resource identifier into regular characters,
A computer program stored on a computer-readable recording medium.
According to claim 1,
The step of processing the input resource identifier to generate a final resource identifier is,
A resource identifier expansion step of extracting one or more final resource identifiers connected from the input resource identifier; including,
A computer program stored on a computer-readable recording medium.
A target software extraction device, comprising:
processor; and
Contains memory;
When the memory is executed by the processor,
Create a final resource identifier using the input resource identifier,
Extract target software from the final resource corresponding to the final resource identifier,
Generating a final resource identifier using the input resource identifier includes performing normalization on the input resource identifier,
When the processor extracts the target software,
Containing a program characterized in that it performs a security vulnerability attack to extract target software by performing a security vulnerability attack on the final resource,
Targeted software extraction device.
1. A target software extraction method performed by one or more processors, comprising:
generating a final resource identifier using an input resource identifier; and
Comprising: extracting target software from the final resource corresponding to the final resource identifier,
The step of generating a final resource identifier from the input resource identifier is,
Includes an identifier normalization step of performing normalization on the input resource identifier,
The step of the processor extracting the target software includes:
Characterized in that it includes a security vulnerability attack step of extracting target software by performing a security vulnerability attack on the final resource.
Target software extraction method.

Images