KR20170090645A - System and method for preventing from ransome virus - Google Patents


Info

Publication number: KR20170090645A
Authority: KR (South Korea)
Prior art keywords: file, program, user, virus, blocking module
Application number: KR1020160011248A
Other languages: Korean (ko)
Inventors: 조성욱, 주보문
Original assignee: 조성욱
Priority date: 2016-01-29 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2016-01-29
Publication date: 2017-08-08
Application filed by: 조성욱
Priority to: KR1020160011248A
Publication of: KR20170090645A

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                  • G06F21/562 Static detection
                  • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The present invention relates to a system and a method for preventing ransomware virus infection. The system comprises: a list management module that manages a black list and a white list of programs accessing a user's files; a first blocking module that, when an application program of the computer system or an unknown program calls the CreateFile function to request a file handle for a user file, decides on the basis of the black list and the white list whether to return a handle to the target file; and a second blocking module that scans the executable file of a program found in neither list for viruses and then asks the user whether encryption of the target file is to be allowed. Ransomware infection can thereby be blocked effectively and the large losses it causes prevented.

Description

TECHNICAL FIELD

[0001] The present invention relates to a system and method for preventing infection by a ransomware virus, and more particularly to a system and method that prevent ransomware infection by detecting the specific function call (CreateFile) that a process, such as an executable file, makes when it accesses a user file.

Computers are a necessity of modern life: most companies, as well as individuals and public institutions, depend on them. If such a computer is infected with ransomware, the damage is enormous.

Ransomware combines 'ransom' and 'ware' (as in software). It is a type of malicious code that is installed without the user's consent and encrypts the user's documents with strong algorithms in order to hold the files 'hostage'. Ransomware arrives by e-mail, web sites, instant messages and similar channels; once a machine is infected, it encrypts files such as .xls, .doc, .pdf, .jpg, .cd, .rar, .zip, .mp4, .png, .psd and .hwp. Because of this behaviour there is no remedy other than backups, and unless the attacker hands over the decryption key the computer can only be returned to full use by formatting it.

Ransomware has caused not only personal loss of property but also damage and large financial losses to companies and public institutions, which cannot recover their encrypted documents. There is therefore a need for an anti-ransomware program that prevents such infections effectively.

Prior art documents: Korean Patent Publication No. 10-2004-0089386 (October 21, 2004); Korean Patent Publication No. 10-2005-0107651 (November 15, 2005).

SUMMARY OF THE INVENTION

Accordingly, the present invention has been made to solve the above problems of the prior art. Its object is to provide a system and method for preventing ransomware infection that exploit a characteristic of the Windows operating system, namely that a program must first call the CreateFile function to obtain a file handle before it can modify a file: when an executable or other program not designated by the user requests a CreateFile call, the request is blocked or the user is notified.

According to one aspect of the present invention, a ransomware virus infection prevention system comprises: a list management module that manages a black list and a white list of programs accessing user files; a first blocking module that, when an application program of the computer system or an unknown program calls the CreateFile function to request a file handle for a user file, decides on the basis of the black list and the white list whether to return the file handle for the target file; and a second blocking module that scans the executable file of a program present in neither the white list nor the black list for viruses and decides, by querying the user, whether encryption of the target file is allowed.

Preferably, the black list holds programs in which the second blocking module has detected a virus, or whose execution the user has refused, and which are therefore denied access to user files; the white list holds programs in which the second blocking module has detected no virus and whose execution the user has allowed, and which are therefore permitted to access user files. The first blocking module allows the CreateFile request if the calling program is in the white list, blocks it if the program is in the black list, and, if the program is in neither list, allows the CreateFile request and lets the second blocking module decide whether encryption of the target file is allowed. The second blocking module blocks execution of the ReadFile or WriteFile function against the target file if a virus is detected in the program's executable file, or if the user does not allow the program, whether or not a virus was detected; it allows execution of ReadFile or WriteFile only if no virus is detected and the user allows the program.

The ransomware virus infection prevention method of the present invention comprises the steps of: creating, by the list management module, a black list and a white list of programs accessing user files; determining, by the first blocking module, whether to return a file handle for the target file on the basis of the black list and the white list when an application program of the computer system or an unknown program calls the CreateFile function to request a file handle for a user file; and scanning, by the second blocking module, the executable file of a program present in neither list for viruses and determining, by querying the user, whether encryption of the target file is allowed.

Preferably, the step of determining whether to return the file handle comprises: checking whether the program making the CreateFile request is in the white list; if it is, allowing the CreateFile request for the target file, and otherwise checking whether the program is in the black list; if it is, blocking the CreateFile request, and otherwise allowing the CreateFile request and then determining whether encryption of the target file is allowed. The step of determining whether encryption of the target file is allowed comprises: scanning the program's executable file to check whether it contains a ransomware virus; if it does, blocking execution of the ReadFile or WriteFile function against the target file and adding the program to the black list, and otherwise asking the user whether to allow the program's process; and, if the user allows the process, permitting execution of ReadFile or WriteFile and adding the program to the white list, or otherwise blocking execution of ReadFile or WriteFile and adding the program to the black list.

As described above, the system and method for preventing infection by a ransomware virus according to the present invention provide the following effect.

The invention uses a characteristic of the Windows operating system: before an executable or other program, including one run from a portable software program, can change a user file, it must first call CreateFile to obtain a file handle. When a program not designated by the user makes such a CreateFile call, the call is blocked or reported to the user, which effectively blocks ransomware infection and prevents the large losses it causes.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram schematically illustrating the position of the ransomware virus infection prevention system of the present invention within a general computer system.
FIG. 2 is a block diagram schematically illustrating the ransomware virus infection prevention system of the present invention.
FIG. 3 is a flowchart illustrating the operation of the ransomware virus infection prevention method of the present invention.

The advantages and features of the present invention, and how to achieve them, will become apparent from the embodiments described in detail below with reference to the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art. The invention is defined only by the scope of the claims.

The program implementing the virus infection prevention method and system according to the present invention, described below, resides in the file system layer of the computer operating system (O/S) and runs from the moment the O/S starts. Whenever a process's file access triggers the pre-create callback during operation of the computer system, the process is examined by the infection prevention method according to the present invention, and infection by a ransomware virus is thereby prevented.

Hereinafter, the Ransomware virus infection prevention system of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a block diagram schematically illustrating the position of the ransomware virus infection prevention system of the present invention within a general computer system.

In general, a computer system includes a system program 100 that operates the computer system, various application programs 200, an application program interface 300 connecting them, a file system 400, a storage device 500, and so on. The program implementing the virus infection prevention method and system 600 according to the present invention may be located in the file system 400, while a virus program impersonating an application program enters through the application program interface 300.

FIG. 2 shows a schematic configuration of a Ransomware virus infection prevention system 600 of the present invention.

Referring to FIG. 2, the ransomware virus infection prevention system 600 comprises a list management module 610 that manages a black list and a white list of programs accessing the user's files; a first blocking module 620 that, when an application program or an unknown program calls the CreateFile function to access a user file, decides on the basis of the black list and the white list whether to return a file handle for the target file; a second blocking module 630 that scans the executable of a program present in neither list for viruses and decides, by querying the user, whether to allow encryption of the target file; and a database 640 that stores the black list, the white list and the virus signatures.

The list management module 610 creates the black list and the white list of programs, including one or more parameters useful for identifying whether a program accessing the user's files is allowed to access them, and stores the lists in the database 640. The black list is filled with processes in which the second blocking module 630 has detected a virus, or whose execution the user has refused, and which are denied access to user files; the white list is filled with processes in which the second blocking module 630 has detected no virus and whose execution the user has allowed, and which are permitted to access user files.

The first blocking module 620 registers a pre-create function in the callback routine of the computer operating system so that the registered function is invoked whenever any program accesses any file on the operating system. When an executable or other program calls the CreateFile function to request a handle for a user file, the module decides, on the basis of the white list and the black list, whether to return a handle for the target file (that is, whether to allow the target file to be opened). More specifically, the first blocking module 620 waits until a pre-create call is triggered by an application program or other unknown program of the computer system and, when it is, checks whether the calling program is in the white list; the list management module 610 looks the calling program up in the lists stored in the database 640. If the program is in the white list, the CreateFile request for the program's target file is allowed; if it is in the black list, the CreateFile request is blocked. If the program is in neither the white list nor the black list, the CreateFile request is allowed first, and the second blocking module 630 then decides whether to allow encryption of the target file.

The second blocking module 630 scans the executable file of a program present in neither the white list nor the black list for viruses and asks the user whether encryption of the target file (that is, modification of the target file) is to be allowed. More specifically, the second blocking module 630 checks whether any byte sequence in the executable file matches a virus signature (a bit string or pattern unique to the virus) registered in the database 640. If a match is found, the executable file is judged to contain a virus such as ransomware, execution of the ReadFile or WriteFile function against the program's target file is blocked, and the program is added to the black list. Otherwise the user is asked whether to allow the program's process. If the user's instruction allows the change request against the target file, the second blocking module 630 permits execution of ReadFile or WriteFile against the target file and adds the program to the white list; if the user denies it, execution of ReadFile or WriteFile is blocked and the program is added to the black list.

Finally, the database 640 holds the black list, that is, the list of processes in which the second blocking module 630 has detected a virus or whose execution the user has refused and which are denied access to user files; the white list, that is, the list of processes in which the second blocking module 630 has detected no virus and whose execution the user has allowed and which are permitted to access user files; and the virus signatures known to date.

Hereinafter, a method for preventing a Ransomware virus infection according to the present invention using the system configured as described above will be described.

FIG. 3 is a flowchart illustrating an operation procedure of the Ransomware virus infection prevention method of the present invention. This will be described in detail as follows.

The ransomware virus infection prevention system of the present invention starts operating when the O/S is activated by booting the computer; that is, the system runs for as long as the computer is running. At start-up the list management module 610 creates the black list and the white list, including one or more parameters useful for identifying whether a program accessing the user's files is allowed to access them, and stores them in the database 640.

The first blocking module 620 then waits until an application program of the computer system or another unknown program calls the CreateFile function to access a user file (S610). When the CreateFile call is requested, it checks whether the calling program is in the white list (S620).

If step S620 finds the program in the white list, the CreateFile request for the program's target file is allowed (S622). Otherwise the program is checked against the black list (S630).

If step S630 finds the program in the black list, the CreateFile request is blocked (S632). Otherwise the CreateFile request is allowed (S634) and control passes to the second blocking module 630 (S640), which checks whether a virus is present in the program's executable file. That is, when the program is in neither the white list nor the black list, the executable file is checked for byte sequences matching a registered virus signature in order to determine whether the program is safe (S650).

If step S650 finds that a virus signature (a bit string or pattern unique to the virus) registered in the database 640 matches a byte sequence in the executable file, the executable is judged to contain a virus such as ransomware, execution of the ReadFile or WriteFile function against the program's target file is blocked, and the program is added to the black list (S652). Otherwise the user is asked whether to allow the program's process (S660).

In step S660 the user's instruction allows or denies the process's access request. If the answer is 'allow', execution of ReadFile or WriteFile against the target file is allowed and the program is added to the white list (S662); otherwise execution of ReadFile or WriteFile is blocked and the program is added to the black list (S664).
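The two gates just described (the first blocking module 620 at CreateFile, steps S610 to S634, and the second blocking module 630 before ReadFile/WriteFile, steps S640 to S664, both in the module description above and in this flowchart) can be exercised end to end in a user-mode simulation. The following Python is an added example written for this page, not code from the patent or its applicant. The names Gate, Database, Decision, pre_create, pre_read_write and run_demo are hypothetical; keying the lists by the program's image path is an assumption the patent leaves open; and the executable images, the signature and the user's answers are constructed so that the script runs offline.

```python
# Added example for this page, not the patent's own code.  All names are hypothetical.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class Database:
    """Database 640: both lists and the registered virus signatures.
    Assumption: programs are keyed by image path (the patent leaves the key open)."""
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    signatures: List[bytes] = field(default_factory=list)


class Gate:
    """Both blocking modules.  In a real deployment these would be pre-operation
    callbacks of a file system filter driver; here they are plain methods."""

    def __init__(self, db: Database,
                 ask_user: Callable[[str, str], bool],
                 read_image: Callable[[str], bytes]) -> None:
        self.db = db
        self.ask_user = ask_user        # the S660 prompt, injected so the demo runs offline
        self.read_image = read_image    # returns the bytes of the program's executable
        self.trace: List[str] = []      # which flowchart step fired, for inspection

    # First blocking module 620: invoked on every CreateFile (S610).
    def pre_create(self, program: str, target: str) -> Decision:
        if program in self.db.whitelist:                 # S620 -> S622
            self.trace.append(f"S622 allow CreateFile {program} -> {target}")
            return Decision.ALLOW
        if program in self.db.blacklist:                 # S630 -> S632
            self.trace.append(f"S632 block CreateFile {program} -> {target}")
            return Decision.BLOCK
        # Unknown program: hand back the handle (S634) and let module 630
        # decide before any ReadFile/WriteFile is carried out (S640).
        self.trace.append(f"S634 allow CreateFile {program} -> {target}, deferred")
        return Decision.ALLOW

    # Second blocking module 630: invoked before ReadFile/WriteFile on the handle.
    def pre_read_write(self, program: str, target: str) -> Decision:
        if program in self.db.whitelist:
            return Decision.ALLOW
        if program in self.db.blacklist:
            return Decision.BLOCK
        if self.matches_signature(self.read_image(program)):      # S650
            self.db.blacklist.add(program)                         # S652
            self.trace.append(f"S652 block I/O {program} -> {target}, blacklisted")
            return Decision.BLOCK
        if self.ask_user(program, target):                         # S660
            self.db.whitelist.add(program)                         # S662
            self.trace.append(f"S662 allow I/O {program} -> {target}, whitelisted")
            return Decision.ALLOW
        self.db.blacklist.add(program)                             # S664
        self.trace.append(f"S664 block I/O {program} -> {target}, blacklisted")
        return Decision.BLOCK

    def matches_signature(self, image: bytes) -> bool:
        """The static check of S650: does any registered byte pattern occur in the image?"""
        return any(sig in image for sig in self.db.signatures)


def run_demo() -> Tuple[Dict[str, Decision], Gate]:
    """Drive four constructed programs through both gates and return the outcomes."""
    # Constructed sample images; the signature string is made up for this example.
    images = {
        "C:\\Program Files\\Office\\winword.exe": b"MZ\x90\x00 constructed editor image",
        "C:\\Users\\alice\\Downloads\\locker.exe": b"MZ\x90\x00 ... CONSTRUCTED-SIG-1 ...",
        "C:\\Tools\\newtool.exe": b"MZ\x90\x00 constructed tool the user trusts",
        "C:\\Temp\\shady.exe": b"MZ\x90\x00 constructed tool the user refuses",
    }
    db = Database(whitelist={"C:\\Program Files\\Office\\winword.exe"},
                  signatures=[b"CONSTRUCTED-SIG-1"])
    # Stand-in for the S660 dialog: the user approves newtool.exe only.
    gate = Gate(db,
                ask_user=lambda prog, _target: prog.endswith("newtool.exe"),
                read_image=images.__getitem__)
    target = "C:\\Users\\alice\\Documents\\report.docx"
    results: Dict[str, Decision] = {}
    for prog in images:
        decision = gate.pre_create(prog, target)
        if decision is Decision.ALLOW:            # handle returned: module 630 now decides
            decision = gate.pre_read_write(prog, target)
        results[prog] = decision
    # A second attempt by a program listed on the first pass takes the fast path
    # in pre_create and never reaches the scan or the prompt again.
    results["C:\\Temp\\shady.exe (second attempt)"] = gate.pre_create("C:\\Temp\\shady.exe", target)
    return results, gate


if __name__ == "__main__":
    outcomes, g = run_demo()
    for prog, d in outcomes.items():
        print(f"{d.value:5s} {prog}")
    print("\n".join(g.trace))
```

The simulation makes visible the three points a practitioner would check before relying on this design. First, the lists are keyed by program identity and the patent does not say what that identity is; if it is a name or path, any code that can write to that path or inject into a white-listed process (an office application that is allowed to touch every document is the obvious host) inherits the allow decision, so an implementation should key on the image hash or code-signing identity and still watch white-listed processes. Second, the S650 check is a static substring match that packed or freshly compiled samples will not trigger, so most unknown ransomware reaches the S660 prompt, and a single 'allow' there white-lists the program for every later file. Third, the hooks must sit below user mode: a program that calls NtCreateFile directly bypasses a user-mode hook on CreateFile, whereas the pre-operation callbacks a file system minifilter registers for IRP_MJ_CREATE, IRP_MJ_READ and IRP_MJ_WRITE see both paths, which is the natural reading of the "pre-create function registered in the callback routine of the operating system" above.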

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the present invention is not limited to the disclosed exemplary embodiments, but various changes and modifications may be made without departing from the scope of the present invention.

100: system program
200: application program
300: application program interface
400: file system
500: storage device
600: virus infection prevention system
610: list management module
620: first blocking module
630: second blocking module
640: database

Claims (4)

1. A ransomware virus infection prevention system comprising:
a list management module that manages a black list and a white list of programs accessing user files;
a first blocking module that, when an application program of the computer system or an unknown program calls the CreateFile function to access a user file and requests a file handle, determines on the basis of the black list and the white list whether to return the file handle for the target file; and
a second blocking module that scans the executable file of a program present in neither the white list nor the black list to determine whether a virus is present, and determines, by querying the user, whether encryption of the target file is allowed.

2. The system of claim 1,
wherein the black list indicates programs in which a virus has been detected by the second blocking module, or whose execution the user has not allowed, and which are not permitted to access user files, and the white list indicates programs in which no virus has been detected by the second blocking module, whose execution the user has allowed, and which are permitted to access user files;
wherein the first blocking module allows the CreateFile call request if the program calling the CreateFile function is in the white list, blocks the CreateFile call request if the program is in the black list, and otherwise allows the CreateFile call request and lets the second blocking module determine whether encryption of the target file is permitted; and
wherein the second blocking module blocks execution of the ReadFile or WriteFile function against the target file of the program if a virus is detected in the executable file or if the user does not allow the program, whether or not a virus is detected, and allows execution of the ReadFile or WriteFile function of the program if no virus is detected and the user allows the program.

3. A ransomware virus infection prevention method using the system of claim 1, comprising:
creating, by the list management module, a black list and a white list of programs accessing user files;
determining, by the first blocking module, whether to return the file handle for the target file on the basis of the black list and the white list when an application program of the computer system or an unknown program calls the CreateFile function to access a user file and requests a file handle; and
scanning, by the second blocking module, the executable file of a program present in neither the white list nor the black list to determine whether a virus is present, and determining, by querying the user, whether to allow encryption of the target file.

4. The method of claim 3,
wherein the step of determining whether to return the file handle comprises:
checking whether the program making the CreateFile call request is in the white list;
if the program is in the white list, accepting the CreateFile request for the target file of the program, and otherwise checking whether the program is in the black list; and
blocking the CreateFile request if the program is in the black list, and otherwise allowing the CreateFile request and then determining whether to allow encryption of the target file; and
wherein the step of determining whether to allow encryption of the target file comprises:
scanning the executable file of the program to check whether it contains a ransomware virus;
if the executable file contains a ransomware virus, blocking execution of the ReadFile or WriteFile function against the target file and adding the program to the black list, and otherwise asking the user whether to allow the process of the program; and
if the user allows the process, allowing execution of the ReadFile or WriteFile function and adding the program to the white list, and otherwise prohibiting execution of the ReadFile or WriteFile function and adding the program to the black list.

Priority Applications (1)

Application Number: KR1020160011248A
Priority Date: 2016-01-29
Filing Date: 2016-01-29
Title: System and method for preventing from ransome virus

Publications (1)

KR20170090645A (en), published 2017-08-08

Family ID: 59653135

Country Status (1)

KR: KR20170090645A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101889841B1 (en) 2018-02-20 2018-08-21 (주)지란지교시큐리티 Content firewall for security of multimedia file, security system of content and recording medium
KR101956725B1 (en) * 2018-12-06 2019-03-11 주식회사 아신아이 A system for server access control using permitted execution files and dynamic library files
KR20210027730A (en) 2019-09-03 2021-03-11 (주)지란지교시큐리티 System and method for security of multimedia file and computer-readable recording medium
KR102262688B1 (en) 2020-10-29 2021-06-09 (주)지란지교시큐리티 Recording medium
KR102262680B1 (en) 2020-10-29 2021-06-09 (주)지란지교시큐리티 Multimedia file security method and recording medium
KR102303930B1 (en) 2020-11-26 2021-09-24 (주)지란지교시큐리티 System for multimedia file security, multimedia file security method and recording medium
KR102320387B1 (en) 2020-11-16 2021-11-03 (주)지란지교시큐리티 Computing apparatus for multimedia file security, multimedia file security method and recording medium
KR102412298B1 (en) 2021-12-28 2022-06-23 (주)지란지교시큐리티 System for multimedia file security, operating method thereof and recording medium
US11809550B2 (en) 2018-11-19 2023-11-07 Samsung Electronics Co., Ltd. Electronic device and control method therefor


Legal Events

Code  Title
A201  Request for examination
N231  Notification of change of applicant
E902  Notification of reason for refusal
E601  Decision to refuse application