Journal on Communications (通信学报)
JOURNAL OF CHINA INSTITUTE OF COMMUNICATIONS
2014, Issue 1, pp. 156-166 (11 pages)
Authors: Wang Zhi (王志), Cai Yayun (蔡亚运), Liu Lu (刘露), Jia Chunfu (贾春福)
Keywords (Chinese): malware analysis; botnet; command-and-control protocol; basic block; coverage rate
Keywords (English): malware analysis; Botnet; command-and-control protocol; code block; code coverage
Abstract (Chinese): Starting from the regularities with which a bot program's execution traces cover binary code blocks, this paper proposes a method for discovering botnet control commands. By analysing the code-block coverage-rate characteristics of execution traces, the method discovers the botnet's control-command space, and it verifies the completeness of the discovered command space by checking whether the code space is fully covered. Code-block coverage analysis was performed on the execution traces of the botnets Zeus, SdBot and AgoBot; the results show that the method can quickly and accurately discover a botnet's set of control commands with low time and space overhead, and that the execution traces corresponding to this command set cover more than 95% of the bot program's code space.
Abstract (English): There are inherent patterns in how a bot's execution traces cover its basic blocks. Using these patterns, an approach is proposed to infer the botnet command-and-control (C&C) protocol. Because it requires neither an intermediate representation of the binary code nor constraint solving, the approach has low time and space overhead. The coverage analysis approach was evaluated on 3 well-known botnets: Zeus, SdBot and AgoBot. The results show that it can accurately and efficiently extract the botnet control commands, and that the completeness of the extracted command set can be verified by checking whether all available basic blocks in the bot are covered by the traces triggered by those commands.