RU2523114C2 - Method of analysing malicious activity on internet, detecting malicious network nodes and neighbouring intermediate nodes - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: present invention relates to antiviruses and specifically to methods of detecting malicious infrastructure. A method of detecting intermediate nodes in a computer network through which malware is distributed, wherein the intermediate nodes are connected to the Internet, to which malicious nodes are also connected. The present method employs a system of computer tools, services for detecting a traffic route in a network, a WHOIS service for accessing login information about an owner of a domain or IP address, followed by constructing flow chart of distribution of malware from a malicious site over data link channels, evaluating the usage rate of the link channel for distributing malware, detecting and blocking an intermediate node used illegally; the method further allows the unblocking of the intermediate node if the intensity of distribution of malware considerably drops over time or ceases to pose a threat to the site which directly contained the malware.

EFFECT: detecting malicious infrastructure by analysing links between network nodes, constructing a flow chart of communication between network nodes and automatic analysis of the strength of the link between nodes.

17 cl, 9 dwg, 3 tbl

Description

Technical field

The present invention relates to the antivirus field, and in particular to methods for detecting malicious nodes in the network and intermediary nodes through which the distribution of suspicious programs occurs.

State of the art

The modern antivirus industry is constantly confronted by cybercriminals at the technical level. Any methods, methods and systems for detecting malicious objects are analyzed by cybercriminals in order to make it difficult to detect or block protection systems. Thus, the distribution paths of malware (software) are constantly changing, and new vulnerabilities are used to secure them in a compromised system.

There are examples of unlawful use of a useful network resource, for example, a popular media site (mass media) in order to spread malware. Let’s say the account information (login, password) of the media site editor fell into the hands of an attacker. An attacker periodically makes malicious changes to the site materials. At the same time, the visitor to the media site is redirected to another resource from which the malware is downloaded to the visitor’s computer and the computer is infected. After a couple of hours, the attacker restores the original state of the materials of the media site. After which it becomes impossible to reproduce the attack vector on site visitors. In addition, the situation is aggravated by the fact that the antivirus tools of the computers of visitors during the location of the malicious link on the media site automatically categorize the media site as a phishing resource and add the corresponding address to the list of prohibited ones. However, there are no automatic means for excluding a site address from the list of prohibited resources. Therefore, the manually excluded resource from the prohibited list the next day will again be placed in the list as a phishing resource due to changes in the site’s materials by the attacker.

In the published application US 20080244744 A1 describes a method of collecting additional information about the nodes of the computer network, followed by the detection of malicious network nodes. The method involves checking network traffic from network nodes to a website. Scanning traffic reveals a malicious node connected to the network. Perform additional research on a malicious host by collecting additional information, such as hardware information from a malicious host. The collected information is stored in a database. Subsequently, they block another host that has a different IP address and accesses a different website if such another host has the same hardware settings as the malicious host from the database.

The proposed option is an effective tool in the fight against botnets, according to the authors on the description pages. However, the disadvantage of the system for combating botnets is that they should resist attempts to build a botnet. Therefore, it is preferable to resist the source of malware infection.

The application materials disclose a method that is not subject to the disadvantages of previously known solutions.

Disclosure of invention

The present invention implements a method for identifying intermediary nodes in a computer network through which malware is distributed. The technical result, which consists in identifying computer systems controlled by an attacker, is achieved by examining the connections between network nodes, constructing a communication graph between network nodes and automatically analyzing the number of uses of a communication channel between nodes to transmit information.

Computer systems controlled by an attacker - a system of computer networks, computers, subsystems, objects and tools controlled by an attacker, ensuring the functioning and development of the information space controlled by an attacker. In the context of the invention, this concept primarily includes the set of servers and nodes that have a network interface with a network address, participate in solving illegal tasks and other illegal actions carried out by an attacker using these objects and tools. Identification of the infrastructure of the attacker involves determining the address of the network interface of the object of the infrastructure of the attacker. After that, the specified address, which is used to access the network and perform the tasks of the attacker, is blocked for access, which makes it impossible to spread malware.

For the method to work, it is necessary to collect the initial data for the analysis of network nodes. The objectivity of the study is achieved through the use of various sources of information having an access point to the network through various providers in different countries, physically or logically isolated parts of the computer network. Since the routing information in the network is dynamic, i.e. constantly changing, you need to strive to have sources of information in all networks connected to the Internet. Such sources of initial information for analysis can be virtual machines, specialized agents on users' computers (performing preliminary verification of network nodes at the user's request), firewalls (devices protecting networks from illegal actions, unwanted traffic, etc.). These tools represent a controlled execution environment and are able to detect malware, have access to the addresses of the sender and recipient of network packets, which allows you to collect additional information about the source of the distribution of unwanted or malicious software, for example, record the route of traffic to a malicious node or find out information in the domain registry host address of the host. The controlled execution environment receives a URL for analysis, which consists in requesting an information object by URL through a network interface, followed by downloading an information object from a network node at a URL address. Actions to load an information object from the network are recorded in the event log. In addition, they examine the URL by obtaining information from services available on the network. The received answers to service requests are stored in the table of URL address research results, and the URL address research results table is filled in using the event log. If necessary, repeat the analysis of the information object by the URL and the study of the same URL or the next in the queue URL.

Mentioned data is collected for analysis in a central server in the form of a table containing at least the domain name of the node; IP addresses corresponding to the domain name; e-mail addresses to which the domain is registered according to the domain registry; route traffic. If, after examining the site at the specified URL, in a controlled environment, no malicious files and registry changes were found, then the site is considered safe. Otherwise, the site distributes malware at the specified URL and is a malicious network node. Build a graph of the spread of malicious data from the malicious node to a controlled execution environment. The graphs are analyzed using heuristic algorithms and the used communication channels between network nodes are identified. Detection of an intermediary node consists in automatically blocking those of the nodes that are associated with malicious network nodes, i.e. are intermediary nodes. If necessary, the discovery of the next intermediary node in the chain is repeated recursively, so if the intermediary node detected at the previous iteration were malicious and distributed unwanted malware. If over time, a blocked intermediary node is no longer used to distribute unwanted or malicious software, then the node that is no longer associated with the malicious node is automatically unblocked.

Brief Description of the Drawings

Figure 1 depicts an exemplary user computer system.

FIG. 2 is a block diagram of a general purpose computing system that implements basic functional modules in accordance with a preferred embodiment of the invention.

Figure 3 shows an example of constructing data routes from two different Internet access points (Figure 3a - Australia: telstra.net; Figure 3b - Italy: sysnet.it) to the site www.kaspersky.com.

Figure 4 shows an example of combining routes into graphs to analyze the number of detected facts of malware distribution.

Figure 5 shows the sequence of the method when checking the ownership of a network node by an attacker using registration information, i.e. Email used by an attacker to manage a domain record.

FIG. 6 is a block diagram of an implementation of an analysis module, which is summarized in FIG. 2.

Fig. 7 shows an example of a graph constructed from routes where arcs represent communication channels having weight in accordance with the number of detected malware distribution facts.

Fig. 8 shows an exemplary graph of a survey of clickthroughs and automatic redirects from www.kaspersky.com.

FIG. 9 depicts a recursive blocking algorithm for proxy nodes.

The implementation of the invention

The system is implemented on the basis of client computers and a server system, interconnected by a computer network. At the same time, the server system ensures the functioning of the cloud.

The preferred implementation of the invention is the organization of controlled means of program execution. A controlled execution environment is a virtual machine with an installed operating system (OS), a sandbox (sandbox), an emulator or any other execution environment that collects information about the actions performed by the application on a computer.

Let's look at an example of how the system works with a controlled execution environment in the form of virtual machines, while critical security updates are not installed in the OS and software (software) of the virtual machine. In one implementation variant, those critical updates are installed on virtual machines that are known to complicate penetration into the system, but leave the possibility of penetration into the computer system to similar or other attack vectors. In one embodiment, all available security updates are installed on virtual machines. A list of URLs for research is sent to the input of the virtual machine. The list of research URLs is obtained from the most frequently visited Internet pages according to the statistics of any working web search system. An alternative way to get lists of URLs for research is to receive from the main registrars (reg.ru, verisigninc.com, etc.) differential updates to the changes in the lists of registered domain addresses or to receive data about suspicious visited pages from the anti-virus protection component »(Web Tool Bar) antivirus product. Using a web browser in a virtual machine, all the sites that are in the list of URLs for research are downloaded sequentially. In addition, it is possible to recursively download links specified on a loaded web page at a given URL with a given nesting depth, for example, up to 5 click links. All actions taken to download data from the network are recorded in the event log for each individual virtual machine. In this mode, the virtual machine works for some time, 5-10 minutes, after which they take a snapshot of the status of the virtual system disk, system registry and RAM. The virtual machine is restored to its initial state and restarted with the following resource URL on the network submitted for input for research. The taken snapshots of the state of the virtual system disk, the system registry, and RAM are compared with their initial state. If the studied site at the specified URL contains malware, then on the virtual machine without the critical security updates installed, you can detect new executable files, program modules, or a change in the registry branches. A site is considered safe if, after examining the site at the specified URL, no malicious files or system registry changes were found in the virtual machine.

Based on the results of researching the list of URLs, a table of results of researching the URL is compiled, which contains, in addition to the studied URLs, URLs from the links in the materials of the source site (see table No. 1). Each entry contains at least: the domain name of a node on the network; an indication of the content of the malware (i.e., the detected fact that unwanted files or changes in the system registry appear in the virtual machine); IP addresses corresponding to the specified domain name obtained using the search on the name server; information about the e-mail of the domain owner according to the registration record in the domain registry; and IP addresses of intermediate nodes along the route of data on the network to the site at the specified URL. The specified information is collected either directly by the virtual machine, or by individual research modules using public services. Name server information is accessed using the nslookup utility (name server lookup search on the name server is a utility that provides the user with a command line interface for accessing the DNS system). The domain owner’s e-mail is obtained by using the WHOIS service, an application-level network protocol based on the TCP protocol (port 43), which is used to obtain registration information about the owners of domain names, IP addresses and autonomous systems. The IP addresses of intermediate nodes along the route of data on the network to the site at the specified URL are obtained using the tracert or traceroute utilities.

Table number 1 URL Research Results No. Domain name IP addresses Email address
the owner Route
traceroute one Kaspersky.com 91.103.64.139, ripencc@kaspersky.com 212.102.36.3, 91.103.64.90, 151.11.91.1, 91.103.64.138, 151.5.150.5, 91.103.64.6, 151.6.65.194, 91.103.64.140 151.6.7.233, 151.6.1.118, 151.6.1.210, 149.6.152.205, 130.117.3.17, 130.117.0.193, 130.117.2.41, 154.54.37.82, 154.54.28.93, 154.54.7.213, 38.104.159.226, 38.117.98.208 2 ... ... ... ...

Traceroute is a utility computer utility designed to determine data paths on TCP / IP networks. Traceroute is based on the ICMP protocol. The traceroute program sends data to the specified network node, while displaying information about all intermediate routers through which data passed on the way to the target node. In the event of problems in delivering data to any node, the program allows you to determine which particular section of the network there are problems (see Tables No. 2, 3, Fig. 1a, b). Table 2 shows the result of determining the route from Australia (Telstra.net website) to www.kaspersky.com [91.103.64.6].

Table number 2 The result of determining the route from Australia (Telstra.net website) to www.kaspersky.com [91.103.64.6] No. http7 / http: //www.telstra net / cqi-bin / trace? 91.103 64.6 Tracing route to kaspersky.com [91.103.64.6] over a maximum of 30 hops: one http://TenGigabitEthernetO-12-0-2.exi-corel.Melbourne.telstra.net (203.50.80.1) 4 msec 0 msec 4 msec 2 Bundle-Pos3.chw-core2.Sydney.telstra.net (203.50.11.14) 16 msec 16 msec 16 msec 3 Bundle-Ether1.oxf-gw2.Sydney.telstra.net (203.50.6.90) 16 msec 16 msec 16 msec four 203.50.13.130 16 msec 16 msec 16 msec 5 i-0-3-2-0.tlot-core01.bx.reach.com (202.84.140.225) [AS 4637] 244 msec 248 msec 248 msec 6 i-1-1.eqla01.bi.reach.com (202.84.251.194) [AS 4637] 308 msec 312 msec 308 msec 7 cogent-peer.eqla01.pr.reach.com (134.159.63.198) [AS 4637] 204 msec 204 msec 216 msec 8 te0-3-0-5.mpd22.lax01.atlas.cogentco.com (154.54.44.141) 248 msec 9 te0-1-0-6.mpd21.iah01.atlas.cogentco.com (154.54.5.101) 240 msec 10 te9-3.mpd01.dfw01.atlas.cogentco.com (154.54.25.97) 344 msec eleven te0-3-0-0.mpd21.mci01.atlas.cogentco.com (154.54.3.18) 256 msec 12 te0-0-0-3.mpd21.ord01.atlas.cogentco.com (154.54.2.234) 376 msec 13 te0-2-0-2.mpd21.yyz02.atlas.cogentco.com (154.54.27.250) 376 msec fourteen 38.104.159.226 396 msec 392 msec 384 msec fifteen 91.103.64.6 128 msec 133 msec 130 msec

According to Table 3, all intermediate nodes from sysnet.it to www.kaspersky.com successfully answered the request. At the 16th iteration, a response was received from the host with the IP address 38.117.98.208, which ensures the operation of the site for the European direction.

Table number 3 The result of determining the route from sysnet.it to kaspersky.com [38.117.98.208] http://www.svsnet.it/cqi-bin/traceroute. cgi? dominio = kaspersky.com Traceroute per http://kaspersky.com: trcsys to http://kasperskv.com (38.117.98.208), 30 hops max; 40 byte packets one bgp2 (212.102.36.3) 0.207 ms 0.176 ms 0.238 ms 2 151.11.91.1 (151.11.91.1) 0.904 ms 0.933 ms 0.917 ms 3 151.5.150.5 (151.5.150.5) 9.177 ms 9.161 ms 9.172 ms four FICI-B01-Ge2-0.71.wind.it (151.6.65.194) 10.429 ms 9.262 ms 13.041 ms 5 151.6.7.233 (151.6.7.233) 18.927 ms 18.922 ms 20.231 ms 6 151.6.1.118 (151.6.1.118) 32.155 ms 24.905 ms 28.050 ms 7 151.6.1.210 (151.6.1.210) 45.889 ms 28.482 ms 43.160 ms 8 gi9-6.ccr01.mil01.atlas.cogentco.com (149.6.152.205) 40.991 ms 42.597 ms 45.717 ms 9 te2-2.ccr01.str01.atlas.cogentco.com (130.117.3.17) 33.623 ms 34.743 ms 31.874 ms 10 te0-0-0-2.mpd21.fra03.atlas.cogentco.com (130.117.0.193) 36.494 ms 36.307 ms 36.742 ms eleven te0-3-0-2.mpd21.ams03.atlas.cogentco.com (130.117.2.41) 47.372 ms 69.952 ms 83.358 ms 12 te0-1-0-7.ccr21.lpl01.atlas.cogentco.com (154.54.37.82) 141.664 ms 56.299 ms 56.711 ms 13 te0-0-0-4.ccr21.ymq02.atlas.cogentco.com (154.54.28.93) 124.991 ms 123.853 ms 123.844 ms fourteen te0-2-0-7.mpd21.yyz02.atlas.cogentco.com (154.54.7.213) 132.376 ms 129.581 ms 131.348 ms fifteen 38.104.159.226 (38.104.159.226) 148.488 ms 147.103 ms 147.491 ms 16 38.117.98.208 (38.117.98.208) 132.555 ms 130.087 ms 130.849 ms

Figure 2 shows a block diagram of the functional modules of the network analysis system 200, which protects the distribution of malicious content through a computer network. The information collection system uses a controlled execution environment of 202 programs to collect information about the network topology and the sources of malware distribution.

Runtime environment 202 is a device consisting of components or a series of components implemented in real devices. An example of such devices may be special purpose integrated circuits or programmable logic integrated circuits in combination with software. Thus, each module can be implemented in several versions, for example, using different processor architectures. The given examples of implementation are not limiting, and the functionality conceived for execution by the system can be executed on various elemental bases.

It should be understood that the controlled execution environments 202 are installed in various computing systems and it is possible to install in different computing networks and subnets of different geographical locations. Each controlled execution environment 202 is able to operate autonomously. At the same time, the controlled execution environment 202 receives a list of 206 URLs for research. The list of 206 research URLs consists of addresses suspected of spreading malware.

In a controlled environment 202, the download module 204 sequentially downloads or browses data from hosts that are listed in the list 206 of URLs for research. In addition, it is possible to recursively download all the links indicated on the loaded web page to the specified URL with the specified nesting depth, for example, up to 5 click links. All actions taken to download data from the network are recorded in a table 212 of the results of the study for each individual controlled execution environment.

In one embodiment, the security configuration module 218 uses the data of the anti-phishing database 216 to configure the security system 220. An example of the implementation of protective measures is security systems 220 such as: filters for the path to network objects (which block access to resources specified in the anti-phishing database data mask) and address filters of network resources (which block access to the network node when the formalized address of the network resource matches the entry in the anti-phishing database 216).

In an alternative embodiment of generating a table of URL research results, specialized agents on user computers are used as a controlled execution environment, which carry out preliminary checks of network nodes at the user's request. At the same time, data on malicious pages, domain name and host IP address containing malware are sent to the URL research results table, which is stored on the central server. The missing information needed to populate the URL exploration result table 212 is collected by a central server or cloud 200 in the same manner as described above.

Information about traffic routes from one of the network nodes to different users is combined, and a graph with weighted arcs is formed. Arc weight means the number of times that a given communication channel between network nodes was used to transfer malware or to access a known malicious resource (see Figure 4).

A variant is possible in which data on detected malicious pages is collected using a firewall. At the same time, data on malicious pages, domain name and host IP address containing malware are sent to the URL research results table, which is stored on the central server. The missing information needed to populate the URL exploration result table 212 is collected by a central server or cloud 200 in the same manner as described above. If necessary, the system administrator of the network can increase the degree of protection if he turns on the firewall mode of the node 210, i.e. collecting all information, including the use of WHOIS services, nslookup, traceroute. The information gathered in this way for the URL exploration results table will more closely match the actual network architecture.

Below is an example form of registration information of the domain name owner www.kaspersky.com according to the WHOIS database

http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91,103.64.6&do_search=Search

The example shows the registration information of the owner of the domain name www.kaspersky.com. The corresponding field contains the e-mail: ripencc@kaspersky.com. Initially, the goal of the advent of the WHOIS system was to enable system administrators to search for contact information of other administrators of IP addresses or domain names. Databases with a WHOIS interface are centralized and distributed.

The resulting table 212 of the results of the study URL is used by the analysis module 214 to generate graphs of communication nodes in the network. The circuit of the analysis module is shown in Fig.6. At the next stage, according to the information from the URL research table 212, the graph module 602 builds a graph according to one of the following principles for determining the strength of communication between nodes.

The first version of the graph construction reflects the actual structure of information channels between network nodes and is constructed in accordance with the routes of data routes in the network. In the nodes of the graph, IP addresses of intermediate nodes are placed along the route of data on the network to the site at the specified URL, obtained by using the tracert or traceroute utilities. Arcs between nodes indicate the presence of a communication channel between the respective nodes, and the weight of the arc indicates the frequency of use of this communication channel to transmit information. The frequency of use of the communication channel reflects how often this communication channel is used to access a malicious site. The weight of the arc can be represented by a relative value in percentage terms, or by the absolute value of the number of uses of this communication channel to access a malicious site. An example of such a graph is shown in Fig. 7 (the weight of the arc corresponds to the number of recorded facts of using this communication channel to access the malicious node of Fig. 7).

6, a node communication evaluation module 604 analyzes the connection between the nodes, and the communication reflects the degree of use of the communication channel between the nodes for transmitting malware. The graphing module 602 accumulates information on the actual communication channels between the nodes of the Internet. If, according to the history of 606 access to the intermediary node, it turns out that access to a known malicious site is regularly carried out through the same intermediary node, then such an intermediary node is blocked. When blocking, the address of the intermediary node is placed in the anti-phishing database 608, therefore, all users of computer protection solutions receive information about such a node. All traffic sent to host addresses from the anti-phishing database is blocked by all working protection subsystems: an intrusion prevention system, a filter for the path to network objects (blocks access to resources by the mask specified in the anti-phishing database) and a filter for network resource addresses (blocks access to the host network when the formalized address of the network resource matches the entry in the anti-phishing database 216).

At this stage, graph construction does not stop; statistics on the intensity of use of intermediary nodes continues to be collected. If according to the results of the collected statistics it is clear that the level of intensity of the use of the communication channel for the distribution of malware falls below a predetermined threshold, or the site ceases to pose a threat, then the blocking is removed from the intermediary node through which the malware was distributed. The statistics that are taken into account to assess the intensity of use of the communication channel are selected according to the principle of a sliding window, limiting the time interval when the communication channel was used to distribute malware or access a malicious site.

In an alternative embodiment, it is possible to evaluate the entire history of statistics on observations of a communication channel using a relative criterion for assessing intensity (the number of malware transfers or accesses to a malicious node, divided by the total number of all attempts to establish a connection through this communication channel). Thus, the entry in the anti-phishing database corresponding to the intermediary node is deleted, and the security subsystems open access to the corresponding network node.

Similarly, several intermediate intermediary nodes are unblocked if the intensity of malware distribution through blocked intermediary nodes has dropped below a predetermined threshold or the website from which the malware was distributed is no longer a threat.

The next principle for creating graphs of communication between nodes is to use links and redirections that are found on websites. It often happens that a loaded page of a site on the Internet contains many links. Some of these links lead to the same resource on the same server. Another part of the links may lead to partner sites or sites of other organizations, for example, through a banner exchange network. It was previously mentioned that when examining a list of URL addresses using virtual machines, the nesting depth of clicks from links from the starting URL can be limited, for example, not exceed 5 (see Fig. 8).

According to Fig. 8, around each site from the list of URL addresses, a graph of clicks on links and automatic redirects between nodes is formed. A graph node is a site, and the transition from one site to another is reflected on the graph by an arc between the nodes of the graph corresponding to these sites. As can be seen in Fig. 8, the number of nodes for research on a modern site can grow quite quickly. Even more cross-references to other sites can be observed if the resource participates in the banner exchange network.

If crawling a certain amount from the list of URLs has led to malware infection from the same malicious website on one or more virtual machines, then all the link graphs and automatic redirects that contain the malicious node are examined together . One graph is superimposed on another by applying grafted union of graphs of the corresponding section of the theory of graphs of discrete mathematics and revealing the coincidence of nodes and relationships (see Figure 4). If redirection from the same intermediary site is regularly redirected to the malicious website, then the intermediary node is blocked by adding the address of the intermediary node to the anti-phishing database 608. An additional necessary condition for blocking the node is a detailed study of the intermediary node, for example, visiting it for at least ten times and in 90% of cases, an attempted infection or successful infection with malware from a virtual machine. Further, the intermediary node is blocked by all working protection subsystems for users of anti-virus products: an intrusion prevention system, a filter for the path to network objects and a filter for addresses of network resources.

At this stage, the graph construction does not stop, statistics on the intensity of use of intermediary nodes continues to collect the module 604 evaluation of the connection nodes. If, based on the results of the statistics collected, it is clear that the use of the communication channel for the distribution of malware falls below a predetermined threshold, or the site ceases to pose a threat, then the lock is removed from the intermediary node through which the malware was distributed. Thus, the entry in the anti-phishing database 608 corresponding to the intermediary node is deleted, and the security subsystems open access to the corresponding network node.

In addition, it should be noted that intermediary nodes can be arranged in a chain sequentially, transferring malware one to another. In this case, the intermediary node closest to the malicious node will be blocked first (see Fig. 9, positions 901, 903). Next, the next intermediary node will be blocked (see Fig. 9, position 905), provided that the next intermediary node is also regularly used to access an already blocked intermediary node (see Fig. 9, position 907). Thus, all intermediate intermediary nodes are blocked recursively, through which malware is intensively distributed (see Figure 9).

All addresses in the anti-phishing database are blocked using the path filter. The path filter checks the addresses of the nodes to which the request is sent via the network or from which the response came from the network, i.e. compares the host address with the data in the anti-phishing database. If the addresses match, the information exchange with each of the addresses specified in the anti-phishing database is blocked.

One of the options for adding host addresses to the anti-phishing database with subsequent blocking of access to the host by the path filter is the analysis of registration information about all hosts (see Figure 5, position 501). Registration information that was obtained using the WHOIS service and stored in the URL research results table contains an e-mail address of the domain owner (see Figure 5, position 503). Since the e-mail address is used by the owner to correspond with the provider and manage a node in the network or a complex of nodes in the network, such an e-mail address can serve as a sign of an attacker and can be used to identify domains controlled by an attacker. It is advisable at the initial stage of the study after compiling a graph of referrals and automatic redirects to check the owner’s e-mail address for presence in the anti-phishing database (see Figure 5, position 505) and, if the e-mail addresses match, add the address to the anti-phishing database host, which also belongs to the attacker (see Figure 5, position 507).

Figure 1 represents an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22 and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented like any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating system using ROM 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which, in turn, is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 1. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

The present description sets forth the main inventive concept of the author, which cannot be limited to those hardware devices that were mentioned earlier. It should be noted that hardware devices are primarily designed to solve a narrow problem. Over time and with the development of technological progress, such a task becomes more complicated or evolves. New tools are emerging that are able to fulfill new requirements. In this sense, these hardware devices should be considered from the point of view of the class of technical problems they solve, and not purely technical implementation on a certain elemental base.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (17)

1. A method for detecting intermediary nodes in a computer network through which malware is distributed, while the intermediary nodes are connected to the Internet, to which malicious nodes are also connected, the method consists of the steps:
a) in a controlled execution environment receive a URL for analysis;
b) in a controlled execution environment, analyze the URL by querying the information object at the URL address through the network interface, followed by downloading the information object from the network node to the received URL;
c) actions for loading an information object from the network are recorded in the event log;
d) examine the URL address by obtaining information from services available on the network, the received responses to service requests are stored in the table of URL address research results, fill in the table of URL address research results using the event log;
e) repeat steps a) to d) at least once;
f) if in a controlled environment after examining the site at the specified URL no malicious files and registry changes were found, then the site is considered safe;
g) otherwise, the site distributes malware at the specified URL and is a malicious network node, build a malicious data distribution graph from the malicious node to the controlled execution environment, according to the information from the URL research results table, while the nodes of the graph are addresses of intermediate network nodes, and arcs - a communication channel between nodes having a weight corresponding to the frequency of using the channel to transmit malicious traffic from a network node that is known as malicious;
h) detect the intermediary node through which the malware is distributed, if the frequency of using the communication channel from a known malicious network node to the intermediary node exceeds the corresponding frequency of using the communication channel to transmit malicious traffic, enter the address of the detected intermediary node connected to the anti-phishing database with a communication channel used to transmit malicious traffic from a network node that is known as malicious;
i) recursively repeat step h) of detecting intermediary nodes in the network and enter into the anti-phishing database the address of the intermediary node associated with the communication channel used to transmit malicious traffic from the previously detected intermediary node. 2. The method according to claim 1 of the formula in which the controlled execution environment is implemented in a virtual machine, or in a sandbox on a user's computer, or a gateway device — a router or a firewall. 3. The method according to claim 1 of the formula, in which at step d) use at least one of the services traceroute, WHOIS, nslookup. 4. The method according to claim 1, in which, at step d), the entry in the results table of the research URL contains the fields "Domain Name", "IP Address", "E-mail Address of the Owner", "Route traceroute". 5. The method according to claim 1 of the formula in which the controlled execution environment is a virtual machine. 6. The method according to claim 5 of the formula, in which, after step g), the steps are additionally performed:
take a snapshot of the resulting state of the virtual machine and identify differences from the initial state of the virtual machine;
if the malware-specific differences in the resulting state of the virtual machine are detected, the host is marked as malicious. 7. The method according to claim 1 of the formula, in which steps h), i) additionally use a criterion for estimating the frequency of use of the channel for transmitting malicious traffic, which consists of a minimum of ten times visiting the studied URL address and fixing at least 90% of cases of transmission through the communication channel malicious traffic. 8. The method according to claim 1 of the formula, in which a snapshot of the state of the virtual machine reflects all changes to the system disk, system registry and RAM at that time when the snapshot of the state of the virtual machine was taken. 9. The method according to claim 1 of the formula, in which if in the virtual machine after examining the site at the specified URL no malicious files and registry changes were found, then the site is considered safe. 10. The method according to claim 4 of the formula, in which after the step of loading the page from the host in the virtual machine, they wait some time for the malware to manifest itself by writing new files, or changing the registry keys, or changing the RAM. 11. The method according to claim 3 of the formula, wherein, in step g), a malicious data distribution graph from a malicious site to a controlled execution environment is constructed by connecting routes from the “Traceroute route” field of the URL research results table to the same malicious site. 12. The method according to claim 1 of the formula, in which, after downloading an object from a network node, download all the links specified in the loaded object. 13. The method according to p. 12 of the formula in which all the links indicated in the loaded object are loaded recursively with a nesting depth of 5 clicks on the links. 14. The method according to claim 12, in which, in step g), a malicious data distribution graph from a malicious network node to a controlled execution environment is constructed by connecting transition routes and redirects leading to a visit to a network node known as malicious. 15. The method according to claim 3 of the formula, in which, additionally, after step i), from the results table of the URL study, E-mail addresses of the owners of the addresses of all identified intermediary nodes are entered into the anti-phishing database, after which they are additionally equated with intermediary nodes all other nodes that have the same E-mail address of the owner enter the address of the intermediary node into the anti-phishing database. 16. The method according to any one of claims 1 to 15 of the formula, wherein the additional clients of the anti-phishing database block all network traffic directed to any of the addresses of intermediary nodes. 17. The method according to clause 16 of the formula, which further provides for unlocking the addresses of intermediary nodes and deleting the corresponding entry in the anti-phishing database, if the frequency of use of the communication channel for the distribution of malware has decreased, falls below a predetermined threshold, or the site ceases to pose a threat, which spread malware.

Images