Journal: Netinfo Security (信息网络安全)
2015, Issue 10, pp. 1-7 (7 pages)
Authors: 杜春来, 孙汇中, 王景中, 王宝成
Keywords: Webpage trojan; content analysis; shellcode location; anti-obfuscation; encryption
Abstract: A Webpage trojan is a malicious program that uses a Webpage to carry out an attack. When a user visits a Website containing a Webpage trojan, the trojan program is silently downloaded through a link embedded in the Webpage. Once downloaded and activated, the trojan uses certain system resources to cause damage. Current Webpage trojan detection comprises static detection based on signatures (feature codes) and dynamic detection based on client honeypots, but neither scheme adequately addresses the growing number of Webpage trojans or their obfuscation and detection-evasion techniques. This paper combines the advantages of the two schemes and proposes an anti-obfuscation technique based on Webpage content analysis and shellcode location and recognition, which addresses the missed detections that arise when an embedded link is verified dynamically but the interaction conditions needed to trigger it are absent. On this basis, static and dynamic detection mechanisms are added to establish a Webpage trojan detection model. Experimental results show that the model accurately detects packed, encrypted, mutated and other Webpage trojans and improves trojan detection efficiency.