恶意代码自动分析系统的研究

doi:10.3969/j.issn.1000-436x.2014.z1.011

Abstract

Abstract:

The analysis of malicious code’s network behavior is an important research field of network security.This function of existed systems is incomplete and not deep.The functions of malicious code are summarized and a comprehensive content is presented.Moreover the network behavior analysis function of existed analysis systems is introduced and CUCKOO which is able to satisfy the requirements of involved study is found.Finally the advantage and points of this application platform were summarized,and an expansion of the system was proposed.

Key words: network security, malware, automated analysis

Yi ZHAO,Jian GONG,Wang YANG. Study on modern malware analysis system[J]. Journal on Communications, 2014, 35(Z1): 52-57.

Figures/Tables 13

References 23

[1]	BAYER U , MOSER A , KRUEGEL C ,et al. Dynamic analysis of malicious code[J]. Journal in Computer Virology, 2006,2(1): 66-77.
[2]	BAYER U , HABIBI I , BALZAROTTI D ,et al. A view on current malware behaviors[A]. Proceedings of the 2nd Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET'09)[C]. Boston,MA, 2009.
[3]	诸葛建伟, 韩心慧, 叶志远 ,等. 僵尸网络的发现与跟踪[A]. 全国网络与信息安全技术研讨会[C]. 2005. 183-189. ZHUGE J W , HAN X H , YE Z Y ,et al. Discover and track Botnets[A]. NetSec2004[C]. 2005. 183-189.
[4]	NIVARGI V , BHAOWAL M , LEE T . Machine learning based botnet detection[EB/OL]. .
[5]	KONDO S , SATO N . Botnet traffic detection techniques by C&C session classification using SVM[A]. Proc of the 2nd International Workshop on Security[C]. Berlin: Springer, 2007. 91-104.
[6]	KUGISAKI Y , KASAHARA Y , HORI Y . Bot detection based on traffic analysis[A]. Proc of 2007 International Conference on Intelligent Pervasive Computing (IPC2007)[C]. Washington,DC, 2007. 303-306.
[7]	LEE J S , JEONG H C , PARK J H ,et al. The activity analysis of malicious http-based botnets using degree of periodic repeatability[A]. Proc of 2008 International Conference on Security Technology (SecTech2008)[C]. Washington,DC, 2008. 83-86.
[8]	王威, 方滨兴, 崔翔 . 基于终端行为特征的IRC僵尸网络检测[J]. 计算机学报, 2009,32(10): 1980-1988. WANG W , FANG B X , CUI X . IRC Botnet detection based on host behavior[J]. Chinese Journal of Computers, 2009,32(10): 1980-1988.
[9]	GU G , PORRAS P , YEGNESWARAN V . BotHunter:detecting malware infection through ida-driven dialog correlation[A]. Proc of the 16th USENIX Security Symp(Security 2007)[C]. 2007.
[10]	GU G , ZHANG J , LEE W . BotSniffer:detecting Bomet command and control channels in network traffic[A]. Proc of the 15th Annual Network and Distribut System Security Symp(NDSS’08)[C]. SanDiego,CA, 2008. 209-221.
[11]	RAMACHANDRAN A , FEAMSTER N , DAGON D . Revealing Botnet membership using DNSBL counter-intelligence[A]. Proc of the Conference on Botnet Detection:Countering the Largest Security Threat[C]. Berlin: Springer, 2008. 131-142.
[12]	TU H , LI Z T , LIU B . Detecting botnets by analyzing DNS traffic[A]. Proc of the Pacific Asia Workshop on Intelligence and Security Informatics[C]. Berlin: Springer, 2007. 323-324.
[13]	VILLAMARIN-SALOMON R , BRUSTOLONI J C . Identifying botnets using anomaly detection techniques applied to DNS traffic[A]. Proc of the 5th IEEE Consumer Communications and Networking Conference[C]. Washington,DC, 2008. 476-481.
[14]	CHOI H , LEE H . Botnet detection by monitoring group activities in DNS traffic[A]. Proc of the 7th IEEE International Conference on Computer and Information Technology[C]. Washington,DC, 2007. 715-720.
[15]	[EB/OL].
[16]	HUANG H D , LEE C S , KAO H Y ,et al. Malware behavioral analysis system:TWMAN[A]. Intelligent Agent (IA),2011 IEEE Symposium on[C]. 2011. 11-15.
[17]	SONG D , BRUMLEY D , YIN H ,et al. Bitblaze:a new approach to computer security via binary analysis[A]. Proceedings of the 4th International Conference on Information Systems Security (ICISS'08,keynote invited paper)[C]. Hyderabad,India, 2008.
[18]	BELLARD F . A fast and portable dynamic translator[A]. Proceedings of USENIX Annual Technical Conference[C]. USA, 2005. 41-46.
[19]	QEMU:the open source processor emulator[EB/OL]. .
[20]	YIN H , SONG D , EGELE M ,et al. Panorama:capturing systemwide information flow for malware detection and analysis[A]. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07)[C]. New York,NY,USA, 2007. 116-127.
[21]	AMIT V . Wildcat:an Integrated Stealth Environment for Dynamic Malware Analysis[D]. University of Texas, 2007.
[22]	DINABURG A , ROYAL P , SHARIF M ,et al. Ether:malware analysis via hardware virtualization extensions[A]. Proceedings of the ACM Conference on Computer and Communications Security (CCS'08)[C]. Alexandria,Virginia,USA, 2008. 27-31.
[23]	WILLEM S, , CARSTEN H , THORSTE N ,et al. Toward automated dynamic malware analysis using cwsandbox[A]. Proceedings of the IEEE Symposium on Security and Privacy (SSP'07)[C]. 2007.

Metrics

Recommended 0

No Suggested Reading articles found!

功能模块		模块分类
		注册	●
	僵尸主机管理模块	管理	●
		删除	●
		DDoS攻击	●
主体功能模块		架设服务
	僵尸主机控制模块	PC控制
		发送垃圾邮件	●
		代理	●
		命令执行
		漏洞攻击	●
	网络传播模块	现有后门	●
		蠕虫木马	●
		下载	●
	下载与更新模块	更新	●
		访问	●
		变形多态
辅助功能模块	躲避检测与分析模块	代码混淆反虚拟
		防杀毒
		反调试
		系统信息	●
		网络环境	●
	息窃取模块	邮件列表	●
		密码	●
		软件密钥	●

协议	内容
IP	IP地址
IP	URL
ICMP	TYPE
ICMP	CODE
IGMP	TYPE
	源端口
TCP	目的端口
	报文长度(length)
	源端口
UDP	目的端口
	报文长度(length)
	域名(name)
	请求类型(query type)
DNS	请求结果(query result)
	是否成功
	传输层协议(protocol)
	昵称
IRC	频道
	IRC命令
	url
	目的IP+被叫端口
	状态（status）
HTTP	实体类型（content-type）
	shellcode
	additonal-malware
	超链接url
	控制命令
	邮件账户
SMTP	邮件模板

/Gallery/IMAG0081,GIF	/kartos/kartos,bin
/btn001/config,bin	/ribbn,tar
/bugzy/i,cfg	/test/config,bin
/cnf/trl,jpg	/sell,jpg
/dzen/misc,inc,php	/ukk/cfg,bin
/film/video,bin	/z_bot/what,bin
/ftr/vosmoipont,bin	/zeus/config,bin
/ii1IGh,aeL8uf	/inmake/lds/cfg,bin
/index_files/4jpg,bin	/zs/cfg,bin

/40,exe	/load,exe
/fshit/d,exe	/money-s2,exe
/good/tlz/server32,exe	/money,exe
/gus/windir,exe	/rhueirh4furh74,exe
/inmake/lds/server32,exe	/ser,exe
/kartos/krt,exe	/t,exe
/ldr/ldr,exe	/trhr7y4urjhe83,exe

源端口	发送字节	接收字节
1028	840	2 127
1029	697	446
1030	697	446
1031	697	150

Study on modern malware analysis system

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 23

Related Articles 15

Metrics

Recommended 0

系统名称	研发单位	分析平台	是否开源	版本	更新情况
TWMAN	台湾高速网路与计算中心	物理主机	是	版本2,0	2013,6
CUCKOO	谷歌编程夏令营	Vbox/vmware	是	版本1,1	2014,4
BitBlaze	加州大学伯克利分校	QEMU	是	版本1,0	2010,6

基本信息	签名信息	截屏信息	静态分析	文件信息	网络分析	系统行为
文件名、大小、MD5、PEiD、Yara、VirusTotal	本文件未匹配	系统截屏	Sections、Imports、Strings	文件名、大小及其他详细信息	相关主机信息、DNS信息	Files、Registry Keys、Mutexes

VirusShare_0b680e7bd5c0501d5dd73164122a7faf	www.rbaparts.com	205.178.189.129
VirusShare_0b680e7bd5c0501d5dd73164122a7faf	www.rbaparts.com	205.178.189.131
VirusShare_0c5e9f564115bfcbee66377a829de55f	Johnford985.com	74.125.137.141
VirusShare_0c5e9f564115bfcbee66377a829de55f	Johnford985.com	74.125.136.141
VirusShare_0ca6e2ad69826c8e3287fc8576112814	www.fbrshop.com	216.65.11.111
VirusShare_0ca6e2ad69826c8e3287fc8576112814	www.fbrshop.com	173.254.62.161

[1]	Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism [J]. Journal on Communications, 2023, 44(6): 47-56.
[2]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[3]	Hongbin ZHANG, Yan YIN, Dongmei ZHAO, Bin LIU. Network security situational awareness model based on threat intelligence [J]. Journal on Communications, 2021, 42(6): 182-194.
[4]	Tengfei ZHANG, Shunzheng YU. Research prospects of user information detection from encrypted traffic of mobile devices [J]. Journal on Communications, 2021, 42(2): 154-167.
[5]	Xu CHENG, Yingying WANG, Nianjie ZHANG, Zhangjie FU, Beijing CHEN, Guoying ZHAO. Multi-level loss object tracking adversarial attack method based on spatial perception [J]. Journal on Communications, 2021, 42(11): 242-254.
[6]	Tao HUANG, Jiang LIU, Shuo WANG, Chen ZHANG, Yunjie LIU. Survey of the future network technology and trend [J]. Journal on Communications, 2021, 42(1): 130-150.
[7]	Zhiyong LUO,Xu YANG,Jiahui LIU,Rui XU. Network intrusion intention analysis model based on Bayesian attack graph [J]. Journal on Communications, 2020, 41(9): 160-169.
[8]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[9]	JIANG Lyu,ZHANG Hengwei,WANG Jindong. Optimal strategy selection method for moving target defense based on signaling game [J]. Journal on Communications, 2019, 40(6): 128-137.
[10]	HU Jianwei,CHE Xin,ZHOU Man,CUI Yanpeng. Incremental clustering method based on Gaussian mixture model to identify malware family [J]. Journal on Communications, 2019, 40(6): 148-159.
[11]	Yuan XU,Chao YANG,Li YANG. Single password authentication method for remote user based on mobile terminal assistance [J]. Journal on Communications, 2019, 40(2): 174-187.
[12]	Zhiyong LUO, Xu YANG, Guanglu SUN, Zhiqiang XIE, Jiahui LIU. Finite automaton intrusion tolerance system model based on Markov [J]. Journal on Communications, 2019, 40(10): 79-89.
[13]	Shirui HUANG,Hengwei ZHANG,Jindong WANG,Ruiyu DOU. Network security threat warning method based on qualitative differential game [J]. Journal on Communications, 2018, 39(8): 29-36.
[14]	Xiaodong ZANG,Jian GONG,Xiaoyan HU. Detecting malicious domain names based on AGD [J]. Journal on Communications, 2018, 39(7): 15-25.
[15]	Yashu LIU,Zhihai WANG,Hanbing YAN,Yueran HOU,Yukun LAI. Method of anti-confusion texture feature descriptor for malware images [J]. Journal on Communications, 2018, 39(11): 44-53.

Windows下可执行文件
DLL文件
PDF文件
OFFICE文件
URL和HTML文件
PHP脚本文件
CPL文件
VB脚本文件
ZIP文件
JAR文件
其他文件