
Research on Detection Methods for Anti-Analysis Behavior in Malware (Chinese title)

Research on the Detection of Anti-Analysis Behavior in Malware

[Author] 杨兆 (Yang Zhao)

[Supervisor] 曾庆凯 (Zeng Qingkai)

[Author information] Nanjing University, Computer Software and Theory, 2012, Master's thesis

[Abstract (translated from Chinese)] Malware is a major threat to information security. To extract and analyze the runtime behavior of malware, security vendors and analysts have developed automated analysis tools. However, malicious programs can detect the presence of such tools and evade analysis: once a virtual or emulated analysis environment is detected, the program behaves differently than it would in a real environment, for example by reducing its attack behavior or terminating immediately. Existing methods for defeating this anti-analysis capability fall into two categories. The first builds transparent analysis tools, but their performance overhead is too high for today's large-scale malware sample analysis. The second compares the behavior of a malicious program across different analysis environments and detects anti-analysis behavior from the differences, but it suffers from low accuracy and the need for manual intervention. This thesis adopts the second approach and, building on existing work, proposes an improved method for detecting anti-analysis behavior in malicious programs that effectively raises detection accuracy. The main work of this thesis is as follows:
1) The different types of anti-analysis techniques used by malicious programs are summarized, together with the strengths and weaknesses of existing detection methods for anti-analysis behavior.
2) The application of binary code analysis techniques to malware analysis is studied, with emphasis on the dynamic binary slicing technique used by the method in this thesis.
3) Existing detection methods are improved. The method in this thesis eliminates the influence of irrelevant factors in the external environment and detects the real anti-analysis behavior of a malicious program. A flexible comparison algorithm compares the behavior of the program when executed in different analysis environments; if the behavior differs, an efficient algorithm compares the instruction sequences executed by the program and automatically determines whether the behavioral difference is caused by anti-analysis.
4) Based on the above method, a prototype system for detecting anti-analysis behavior in malicious programs is implemented. Experimental results show that the method can detect different types of anti-analysis techniques, such as discovering a virtual environment through hardware characteristics, installed applications, or timing overhead and then evading analysis. For malicious programs without anti-analysis capability, the method is also robust.

[Abstract] Malware is the root cause of many information security threats. Security companies and researchers develop automated tools to extract and analyze the runtime behaviors of malware samples. Unfortunately, malware is aware of these tools and looks for evidence of emulated or virtualized analysis environments. If such evidence is found, malware samples reduce their malicious behaviors or simply crash, showing a different "personality" than when executed on a real system. To solve the problem of anti-analysis malware, two kinds of approaches have been proposed. One approach tries to build transparent analysis platforms that are more difficult for malware to detect, but due to their performance overhead these platforms are not suitable for the analysis of current high-volume malware feeds. The other approach runs malware samples in multiple analysis environments and detects deviations in behavior that may indicate anti-analysis. This approach also has drawbacks, such as low accuracy and the need for manual intervention. The method used in this thesis falls into the second class; in addition, we modify existing approaches to improve the accuracy of detection. The main work in this thesis is as follows:
1) We summarize a variety of evasion techniques used by malicious programs, and discuss the advantages and disadvantages of recent approaches to detecting anti-analysis malware.
2) We study in depth the applications of binary program analysis in the field of malware analysis, in particular the dynamic binary slicing technique used in this thesis.
3) We modify recent approaches to detecting anti-analysis behavior in malware. The approach proposed in this thesis can identify real anti-analysis behavior in malware by eliminating unrelated differences between multiple analysis environments. A flexible algorithm is employed to compare the traces of system calls executed by the malware across different analysis platforms. If a deviation exists, the instruction traces are further compared using an efficient algorithm to determine whether the root cause of the behavioral deviation is anti-analysis or not.
4) Based on the improved detection method, we designed and implemented a prototype system to detect anti-analysis behavior in malware. Experimental results demonstrate that the approach can detect a variety of evasion techniques, including the detection of hardware characteristics, installed applications, and timing overhead. For malware without anti-analysis capability, our approach also shows better robustness.

  • [Online publication contributor] Nanjing University
  • [Online publication issue] 2012, Issue 10