Master's and doctoral theses: details for etd-0110112-183939
Title: Concise Analysis of Malware Behavior (簡潔化惡意軟體行為分析)
Department:
Year, semester:
Language:
Degree:
Number of pages: 45
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2011-12-28
Date of Submission: 2012-01-10
Keywords: Virtual Machine, Memory Forensics, Malware Behavior, Dynamic Analysis, Malware
Statistics: this thesis has been viewed 5836 times and downloaded 651 times.
Abstract
With the spread of the Internet in recent years, network services now go well beyond websites that let ordinary users browse information: e-mail, e-commerce and the currently popular social networks are all examples. These convenient online services are not used only by ordinary users; attackers can also abuse them to spread malware across the network.
Because the number of malware samples is growing rapidly, and in order to understand malware behavior better, this research builds its own malware analysis environment. After a malware sample is executed, the environment records its behavior completely, then organizes the raw behavior records into a summary of the analysis results for the user. The summary lists the important behaviors associated with the malware; a user who needs more detail can click through to the fuller records. The research extends existing analysis tools with memory forensics techniques. Memory forensics can uncover some of the behaviors that malware attempts to hide, which improves the detectability of malware behavior. Beyond recording malware behavior, the research integrates and simplifies the originally complex log files and finally produces a summary analysis report. The report lists the malware's main behaviors so that the user first gains a preliminary grasp of the extent and scope of its impact and, if necessary, can go on to examine the more complete records. The aim is to make malware behavior easier and more efficient to understand.
Table of Contents
Thesis approval form i
Acknowledgements ii
Abstract (Chinese) iii
Abstract iv
Chapter 1 Introduction 1
1.1 Research background 1
1.2 Research motivation 2
1.3 Problem description 3
1.4 Research objectives 5
Chapter 2 Literature review 6
2.1 Malware analysis techniques 6
2.2 Malware analysis environments 10
Chapter 3 System design 12
3.1 System architecture 12
3.2 System behavior monitoring 13
3.3 Network connection monitoring 17
3.4 Memory forensics 21
Chapter 4 Experimental results and analysis 23
4.1 Experiment 1 23
4.2 Experiment 2 31
Chapter 5 Conclusion 35
References 36
Fulltext
The electronic full text is licensed only for users' personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as to avoid violating the law.
Thesis access permission: user-defined release date
Available:
Campus: available
Off-campus: available
Printed copies
Public-access information for printed theses is relatively complete from academic year 102 onward. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services Office. We apologize for any inconvenience.
Availability: available