簡易檢索 / 詳目顯示
| 研究生: |
謝銘晏 Hsieh, Ming-Yen |
|---|---|
| 論文名稱: |
以靜態分析實現惡意程式行為分析器 Improved Malware Behavior Detection Using Static Analysis |
| 指導教授: |
林輝堂
Lin, Hui-Tang |
| 共同指導教授: |
賴溪松
Laih, Chi-Sung |
| 學位類別: |
碩士 Master |
| 系所名稱: |
電機資訊學院 - 電腦與通信工程研究所 Institute of Computer & Communication Engineering |
| 論文出版年: | 2010 |
| 畢業學年度: | 98 |
| 語文別: | 英文 |
| 論文頁數: | 78 |
| 中文關鍵詞: | 資訊安全 、惡意程式 、惡意程式分析 |
| 外文關鍵詞: | Security, Malware, Malware Analysis |
| 相關次數: | 點閱:80 下載:2 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
近年來由於惡意程式成為有利可圖之地下產業,越來越多的惡意程式被開發出來,也出現客製化的惡意程式自動產生器。為了應付越來越多的惡意程式種類與變形,自動化的分析技術已成為不可或缺。
為了防止研究者對惡意程式進行分析,惡意程式也發展出兩類防止研究者分析的方法:代碼混淆與限制執行環境。對於使用除錯工具進行的分析,代碼混淆可讓研究者無法有效解讀程式的內容。為瞭解決代碼混淆問題,研究者可以使用動態分析作為替代方案。動態分析將惡意程式於分析環境中執行後,觀察該程式的行為並加以分析。但動態分析同樣會遇到惡意程式限制執行環境的問題,若惡意程式發現自己處在分析環境中,便可以使用不同的行為模式(如:不做任何行為),進而逃避研究者的分析。
為瞭解決代碼混淆與限制執行環境問題,我們設計了一個基於Testbed@TWISC平台,並滿足自動化、仿真性與安全性的分析環境。此環境將能自動化的對惡意程式進行分析並且產出報告。由於安全性的因素,我們將實驗環境與真實網路環境進行隔離,再以仿真的主機與網路環境使惡意程式無法發現自己處於檢測環境中而正常動作。並且我們提出利用靜態分析得到惡意程式的相關資訊,並利用其設計出適合該惡意程式的環境與驅動條件,藉以增加報告的精確度與豐富度的方法。以四個案例證明我們設計的系統可以用以分析具有反虛擬機能力的惡意程式、提出的方法也能有效增加報告的精確度與詳細度。
Malware is the main current threat of computer security. To deal with increasing amount of malware, researchers use methodologies to analyze malware. In this thesis, we focus on building a dynamic analysis system on Testbed@TWISC based on the Emulab system.
Because the Testbed@TWISC system is built on real machines, the anti-VM malware can still function properly in our dynamic analysis system. A mimetic network is provided in the analysis environment to allow malware samples the illusion of Internet accessibility
We also propose an approach which improves dynamic malware analysis by first using static analysis to create a custom malware environment to retrieve trigger conditions. Using this approach, we generate a more accurate and in-depth report for various malware, including details such as IRC bot commands and responses, clues to determine the propagation model of worms and processes termination ability of the malware.
We evaluate our approach using four case studies and prove that our approach can analyze real world malware and produce a precise and detailed report.
[1] Anubis, http://anubis.iseclab.org/
[2] U. Bayer, C. Kruegel, and E. Kirda. TTAnalyze: A Tool for Analyzing Malware. In 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference, April 2006.
[3] U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In Symposium on Network and Distributed System Security (NDSS), 2009.
[4] BitBlaze, http://bitblaze.cs.berkeley.edu/
[5] CWSandbox, http://www.sunbeltsoftware.com/Malware-Research-Analysis-Tools/Sunbelt-CWSandbox/
[6] Dependency walker, http://www.dependencywalker.com/
[7] Deter, http://www.isi.deterlab.net/
[8] Inoue, D., Eto, M., Yoshioka, K., Baba, S., Suzuki, K., Nakazato, J., Ohtaka, K., Nakao, K.: nicter: An Incident Analysis System Toward Binding Network Monitoring with Malware Analysis. In: WOMBAT Workshop on Information Security Threats Data Collection and Sharing, pp. 58–66 (2008)
[9] Emulab network testbed, http://www.emulab.net/
[10] GENI (Global Environment for Network Innovations), http://www.geni.net/
[11] Hack Forums / Marketplace / Sellers Section Retrieved Jun 29, 2010, from the World Wide Web: http://www.hackforums.net/forumdisplay.php?fid=107
[12] http://en.wikipedia.org/wiki/Executable_compression#List_of_packers
[13] IDA Pro, http://www.hex-rays.com/idapro/
[14] Min Gyung Kang, Pongsin Poosankam, and Heng Yin, "Renovo: A Hidden Code Extractor for Packed Executables".In Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), October 2007.
[15] Mao-Jie Lin and Chi-Sung Laih, "Detecting Virtualization Resistant Behavior in Modern Malware", Thesis for Master of Science, July 2009
[16] S. Miwa, T. Miyachi, M. Eto, M. Yoshizumi, and Y. Shinoda, "Design Issues of an Isolated Sandbox Used to Analyze Malwares," in Lecture Notes in Computer Science: Advances in Information and Computer Security, Heidelberg, 2007.
[17] Norman Sandbox, http://www.norman.com/technology/norman_sandbox/
[18] Objdump, http://www.gnu.org/software/binutils/
[19] OWASP, http://www.owasp.org/
[20] OWASP O2 Platform, http://www.owasp.org/index.php/OWASP_O2_Platform
[21] PEview, http://sourceforge.net/projects/peview/
[22] QEMU, http://wiki.qemu.org
[23] RDG Tejon crypter, http://rdgsoft.8k.com/Tejon.html
[24] Rudder: The BitBlaze Mixed Execution Component, http://bitblaze.cs.berkeley.edu/rudder.html
[25] SEER (Security Experimentation EnviRonment), http://seer.isi.deterlab.net/trac
[26] Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. "BitBlaze: A New Approach to Computer Security via Binary Analysis", Keynote Invited Paper, In Proceedings of the 4th International Conference on Information Systems Security, December 2008
[27] StarBED, http://www.starbed.org/
[28] Stephen Schwab, Brett Wilson, Calvin Ko, and Alefiya Hussain, SPARTA, "SEER: A Security Experimentation EnviRonment for DETER", in DETER Community Workshop on Cyber Security Experimentation and Test, August, 2007
[29] Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010
[30] TEMU, http://bitblaze.cs.berkeley.edu/temu.html
[31] Testbed@TWISC, http://testbed.ncku.edu.tw/
[32] TWISC@NCKU, http://www.twisc.ncku.edu.tw/
[33] VirusTotal, http://www.virustotal.com/
[34] VirtualBox, http://www.virtualbox.org/
[35] Vine: The BitBlaze Static Analysis Component, http://bitblaze.cs.berkeley.edu/vine.html
[36] VMWare, http://www.vmware.com/
[37] Wikipedia: Malware, http://en.wikipedia.org/wiki/Malware
[38] Xen, http://www.xen.org/
[39] Yasca, http://sourceforge.net/projects/yasca/
校內:2011-07-30公開校外:2011-07-30公開