由於近年來網際網路的盛行，網路上除了有提供給一般使用者瀏覽資訊內容的網站之外，還有像是電子郵件、電子商務，以及目前當紅的社交網路，都是網路服務的例子。但這些方便的線上服務除了被一般用戶使用外，同時也可能遭到駭客去濫用這些服務，透過網路來散播惡意軟體。
由於惡意軟體數量正以相當快的速度在不斷地增加，為了能更了解惡意軟體的行為，本研究自行建立一個惡意軟體分析環境，在執行惡意軟體樣本之後能完整紀錄下惡意軟體的行為，並將惡意軟體行為的原始記錄進行整理，以提供使用者一份摘要式的分析結果。當中會列出和惡意軟體相關的重要行為，若使用者需要查閱更詳細的內容，再進一步點選查看。本研究利用現有分析工具加入記憶體鑑識的技術進行分析，藉由記憶體鑑識的技術，可找出部分惡意軟體試圖隱藏的行為，以提昇惡意軟體行為的可偵測性。除了能夠紀錄下惡意軟體的行為之外，本研究並將原本複雜的記錄檔加以整合及簡化，最後產生一份摘要式的分析報告。摘要報告當中列出該惡意軟體有那些主要的行為，使用者能先對該惡意軟體的影響程度及範圍有初步的掌握，若有需要也可再進一步查看較完整的記錄。期望能更容易且有效率地掌握惡意軟體的行為。

In recent years the popularity of the internet, the network not only providing information to the general users to browse the contents of the site, but also has some network service like e-mail, e-commerce, and social networks. Although these online services are convenient for general users, also provide the possible hackers to abuse these services through the internet to spread malware.
As the number of malware is increasing very fast, in order to understand the behavior of malware better, in the research we create a malware analysis environment, after the execute of malware samples to record the behavior of malware, and the behavior of malware to aggregation the original records to provide users with a summary analysis of the behavior. Which lists the important and malware-related behavior, if users need access to more detailed content and then further click to view.
In the research, use existing analysis tools and memory forensics technology for analysis. By memory forensics technology that can identify some malware that attempts to hide the behavior in order to detectability. In addition to record the behavior of malware, the present research get the original complex to integrate and simplify log file. The last of analysis generates a summary report, which lists the malware’s main behavior. So that the user can grasp malware to the extent and scope of the impact, if necessary can further see a more complete record. Look forward to control the behavior of malware more easily and efficiently.

論文審定書 i
誌謝 ii
摘要 iii
Abstract iv
第一章 緒論 1
第一節 研究背景 1
第二節 研究動機 2
第三節 問題描述 3
第四節 研究目的 5
第二章 文獻探討 6
第一節 惡意軟體分析技術 6
第二節 惡意軟體分析環境 10
第三章 系統設計 12
第一節 系統架構 12
第二節 系統行為監控 13
第三節 網路連線監控 17
第四節 記憶體鑑識 21
第四章 實驗結果與分析 23
第一節 實驗一 23
第二節 實驗二 31
第五章 結論 35
參考文獻 36

1. Malware. Available from: http://en.wikipedia.org/wiki/Malware.
2. G Data Malware Report - Half-yearly report, 2011.
3. 2011 年網路犯罪損失研究報告. 2011; Available from: http://www8.hp.com/tw/zh/m/article.do?id=1059942&title=2011+年網路犯罪損失研究報告.
4. CWSandbox. Available from: http://www.gfi.com/malware-analysis-tool.
5. Zeus. Available from: http://en.wikipedia.org/wiki/Zeus_(trojan_horse).
6. Binsalleeh, H., et al., On the Analysis of the Zeus Botnet Crimeware Toolkit, in Privacy Security and Trust2010.
7. Christodorescu, M. and S. Jha, Static Analysis of Executables to Detect Malicious Patterns, 2003.
8. Moser, A., C. Kruegel, and E. Kirda, Limits of Static Analysis for Malware Detection, in ACSAC 20072007.
9. Capture-BAT. Available from: https://honeynet.org/node/315.
10. Seiferta, C., et al., Capture – A behavioral analysis tool for applications and documents. Digital Investigation, 2007. 4.
11. Wireshark. Available from: http://www.wireshark.org.
12. Bayer, U., et al., Dynamic analysis of malicious code. COMPUTER VIROLOGY, 2006. 2.
13. QEMU. Available from: http://wiki.qemu.org/Main_Page.
14. Sober.Y. Available from: http://www.f-secure.com/v-descs/sober_y.shtml.
15. Miwa, S., et al., Design Issues of an Isolated Sandbox Used to Analyze Malwares. 2007.
16. StarBED. Available from: http://www.starbed.org/.
17. Tshark. Available from: http://www.wireshark.org/docs/man-pages/tshark.html.
18. Volatility. Available from: https://www.volatilesystems.com/default/volatility.
19. Rootkit. Available from: http://en.wikipedia.org/wiki/Rootkit.
20. Robust Process Scanner. Available from: http://moyix.blogspot.com/2010/07/plugin-post-robust-process-scanner.html.
21. Hooking. Available from: http://en.wikipedia.org/wiki/Hooking.
22. IAT Function Hooking. Available from: http://sandsprite.com/CodeStuff/IAT_Hooking.html.
23. Inline Hooking in Windows. Available from: http://www.exploit-db.com/download_pdf/17802/.
24. Malware Domain List. Available from: http://www.malwaredomainlist.com.
25. Honeypot. Available from: http://en.wikipedia.org/wiki/Honeypot_(computing).
26. TWISC@NCKU. Available from: http://www.twisc.ncku.edu.tw.
27. SpyEye Bot versus Zeus Bot. Available from: http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot.
28. Stover, S., et al., analysis of the Stormand Nugache trojans: P2P is here, in;login:2007.
29. Koobface. Available from: http://en.wikipedia.org/wiki/Koobface.
30. Malbed. Available from: http://malbed.twisc.ncku.edu.tw.
31. VirusTotal. Available from: http://www.virustotal.com.
32. Eads, J., EtherAnnotate: a transparent malware analysis tool for integrating dynamic and static examination, in Computer Science2010, Missouri University.
33. W32/Koobface-AZ. Available from: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Koobface-AZ/detailed-analysis.aspx.