Research on Anti-Polymorphic Virus Techniques and Strategy Analysis
Abstract
As the demands placed on computer security keep rising, computer viruses, the principal threat to computer security, are receiving wide attention. At the same time, present-day computer virus techniques differ greatly from those of ten-odd years ago; one of the main differences is the appearance of virus polymorphism (code mutation) techniques. More seriously, over the past few years these techniques have matured steadily: new polymorphic viruses appear almost daily, and their complexity grows day by day. This thesis addresses that situation by analysing the characteristics of polymorphic viruses in full, establishing an anti-virus strategy, and developing corresponding virus detection software.
     The thesis first studies the concept of the polymorphic virus in depth and, after comparison with other classification schemes, proposes a classification based on code evolution. It then dissects the typical polymorphic virus Win98.BlackBat in detail, in particular the self-protection techniques of its virus body, and summarises the basic characteristics of the virus. Since traditional anti-virus methods have largely ceased to work against polymorphic viruses, the thesis settles on a dynamic anti-virus strategy that detects viruses through behaviour detection using the header information of PE-format files, and summarises ten virus characteristics related to PE file header information. To improve detection accuracy it proposes an accuracy-correction scheme for the scanning engine and designs an algorithm that combines global correction with local correction. On the basis of the chosen anti-virus strategy and the designed algorithm, a virus detection program was implemented, and it has performed well in practical use.
     The main difficulties addressed by this thesis are: analysing the self-protection mechanisms of polymorphic viruses and how they are implemented; summarising detection rules usable for virus detection and proposing a dynamic, behaviour-based detection technique aimed at polymorphic viruses; resolving the system security problems that arise while the detection software is scanning for viruses; and proposing a dynamic correction scheme for the scanning engine.
Nowadays, the security of computer systems is becoming more and more significant in people's daily lives. As a result, people pay more attention to computer viruses because of the threat they pose to the computer system. In particular, polymorphism is now almost pervasive in every corner of PE file virus technology. By analysing some typical virus samples, this dissertation mainly deals with the analysis of polymorphic virus technology and the design of an anti-virus strategy. As a main difference between today's computer viruses and those of ten or more years ago, polymorphism is becoming not only more popular and more serious but also more advanced. Polymorphic viruses change their code every minute, so new viruses are discovered every day. The purpose of this dissertation is to tackle this problem by designing a strategy and developing a scanner to detect polymorphic viruses.
    In the first place, this dissertation takes an overall look at polymorphic virus technology and gives a complete concept of the polymorphic virus based on the evolution of code. In the second place, it analyses the Win98.BlackBat computer virus, a most typical polymorphic virus, especially the virus's self-protection mechanism, and tries to open a way to tackling the problem of polymorphic viruses. In the third place, even though polymorphic viruses are extremely hard to detect, this dissertation tries its best to find a way to deal with them: by drawing ten virus detection rules from the analysis of viruses and of PE file information, it designs a virus detection strategy. In the fourth place, it develops an algorithm combining overall correction and partial correction that can amend the virus detection engine; most importantly, every rule has its own revision scheme that helps the scanner become more and more accurate. Last but not least, based on the above strategy and algorithm, this dissertation develops a virus detection scanner that is usable and effective.
    This dissertation tackles the following problems. Firstly, analysing the virus's self-protection mechanism and its methods. Secondly, devising a virus detection strategy based on ten detection rules, which is called heuristic analysis. Thirdly, tackling the security problem that arises while detecting the virus. Fourthly, developing an algorithm for correcting the detection scanner engine.
