CAJ | 학술논문

网页木马是利用网页来进行破坏的恶意程序。当用户访问某些含有网页木马的网站时，木马程序就会通过网页中的内嵌链接被悄无声息地下载。这些木马程序一旦被下载、激活，就会利用系统中的某些资源进行破坏。目前针对网页木马的检测有基于特征码的静态检测方案和基于蜜罐客户端的动态检测方案，但这两种检测方案都无法很好地解决网页木马日益增多、混淆和躲避检测手段的问题。文章结合这两种网页木马检测方案的优点，提出一种基于网页内容分析和Shel code定位识别的反混淆技术，该技术能够解决内嵌链接在动态验证时由于交互条件不存在而造成的漏报。在此基础上，加入动态和静态检测机制，建立了一种网页木马检测模型。实验数据表明，该模型能够准确地检测各种加壳、加密、变形等网页木马，提高了木马检测效率。
망혈목마시이용망혈래진행파배적악의정서。당용호방문모사함유망혈목마적망참시，목마정서취회통과망혈중적내감련접피초무성식지하재。저사목마정서일단피하재、격활，취회이용계통중적모사자원진행파배。목전침대망혈목마적검측유기우특정마적정태검측방안화기우밀관객호단적동태검측방안，단저량충검측방안도무법흔호지해결망혈목마일익증다、혼효화타피검측수단적문제。문장결합저량충망혈목마검측방안적우점，제출일충기우망혈내용분석화Shel code정위식별적반혼효기술，해기술능구해결내감련접재동태험증시유우교호조건불존재이조성적루보。재차기출상，가입동태화정태검측궤제，건립료일충망혈목마검측모형。실험수거표명，해모형능구준학지검측각충가각、가밀、변형등망혈목마，제고료목마검측효솔。
Webpage trojan is a malicious program that uses the Webpage to carry out the destruction. When the user visits the Website that contains some Webpage trojans, the trojan program will be silently downloaded through the link embedded in the Webpage. Once the trojans are downloaded and activated, they will use resources in the system to destroy the computer system. Currently, Webpage trojan detection includes static detection based on feature codes and dynamic detection based on honeypot client, but the two detection schemes can’t well solved the problems of growing number of Webpage trojans, confusion and avoiding detection means. This paper combines the advantages of the two detection schemes, putting forward an anti-obfuscation technology based on Webpage content analysis and shellcode location and recognition, which can solve the omission problem caused by interaction conditions not existing while verifying dynamically embedded links. On this basis, combined with the static and dynamic detection mechanisms, the paper establishes a Webpage trojan detection model. The experimental results show that the model can accurately detect various types of shell, encryption, deformation Webpage trojans, improving the detection efifciency of trojans.