CN107016285A - Method and system for identifying malicious-code behaviour that propagates via removable media - Google Patents

Method and system for identifying malicious-code behaviour that propagates via removable media

Info

Publication number
CN107016285A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610906367.9A
Other languages
Chinese (zh)
Other versions
CN107016285B (en)
Inventor
康学斌
徐艺航
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Antan Network Security Technology Co.,Ltd.
Original Assignee
Shenzhen Anzhitian Information Technology Co Ltd
Priority date
2016-10-17
Filing date
2016-10-17
Publication date
2017-08-04
Application filed by Shenzhen Anzhitian Information Technology Co Ltd
Priority to CN201610906367.9A
Publication of CN107016285A
Application granted
Publication of CN107016285B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and system for identifying malicious code that propagates via removable media. The method includes: creating no fewer than three simulated disks; modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether executable files are newly created under the drive letters of the simulated disks; and, if no fewer than two simulated disks exhibit this behaviour within a preset time, determining that the behaviour is malicious. The technical scheme of the present invention solves the problem in the prior art that a malicious virus's operations on removable media cannot be distinguished from a user's manual operations on removable media, which easily produces false alarms and identifies the behaviour inaccurately.

Description

Method and system for identifying malicious code propagated via removable media
Technical field
The present invention relates to the field of computer security technology, and more specifically to a method and system for identifying malicious code that propagates via removable media.
Background technology
With the development of Internet technology and the growing demand for resource sharing, propagating shared resources via removable media has become a common way for the public to transfer data because of its convenience and ease of use. While enjoying this convenience, users of removable media are also exposed to certain security risks: during data transfer using removable media such as USB flash drives or mobile hard disks they may be infected by malicious code. The infection runs from a removable medium to a host that is not yet infected, and from an infected host to a removable medium, and then continues to spread. Malicious code that spreads in this way is referred to as malicious code propagated via removable media.
There are many kinds of malicious code propagated via removable media, and they spread quickly. The behaviour-identification method that antivirus software usually applies to such malicious code is monitoring of real removable media: it recognises the operating system's genuine removable-media drive letters, then judges the executable files or scripts written to those drive letters, and thereby identifies the malicious behaviour propagated via removable media so that it can be removed. This identification method has limitations: it cannot distinguish a malicious virus's operations on removable media from a user's manual operations on removable media, so it easily produces false alarms and identifies behaviour inaccurately, which in turn raises the false-alarm rate of the antivirus software.
The content of the invention
In order to solve the above technical problem, the present invention provides a method and system for identifying malicious code that propagates via removable media.
According to a first aspect of the invention, a method for identifying malicious code propagated via removable media is provided. The method includes: creating no fewer than three simulated disks; modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether executable files are newly created under the drive letters of the simulated disks; and, if no fewer than two simulated disks are found to exhibit this behaviour within a preset time, determining that the behaviour is malicious.
In some embodiments, the method includes: if the behaviour is not found, destroying the simulated disks that were created.
In some embodiments, no fewer than one simulated disk is left unmodified and retains its disk drive type.
In some embodiments, the newly created files include newly created scripts, newly created hidden-type files, and newly created file shortcuts.
According to a second aspect of the invention, a system for identifying malicious code propagated via removable media is provided. The system includes: a creation module for creating no fewer than three simulated disks; a modification module for modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; a monitoring module for monitoring whether executable files are newly created under the drive letters of the simulated disks; and a determination module for determining that the behaviour is malicious if no fewer than two simulated disks are found to exhibit the behaviour within a preset time.
In some embodiments, the system includes: a removal module for destroying the simulated disks that were created if the behaviour is not found.
In some embodiments, no fewer than one simulated disk is left unmodified and retains its disk drive type.
In some embodiments, the newly created files include newly created scripts, newly created hidden-type files, and newly created file shortcuts.
With the method and system of the present invention, simulated disks are created, their drive types are modified by hooking, and the drive letters of the simulated disks are monitored for newly created executable files in order to discover malicious code being propagated across multiple removable media. Removable-media malicious propagation behaviour can be recognised effectively, and through this behaviour removable-media Trojans and malicious behaviours such as disk-traversing Trojans can be monitored. The method improves the detection accuracy for removable-media malicious behaviour and reduces false alarms.
Brief description of the drawings
In order to explain the technical scheme more clearly, the drawings required by the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some of the embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for identifying malicious code propagated via removable media according to an embodiment of the present invention;
Fig. 2 is a block diagram of a system for identifying malicious code propagated via removable media according to an embodiment of the present invention.
Embodiment
Preferred embodiments of the present invention are described in detail below with reference to the drawings; details and functions that are unnecessary to the invention are omitted so as not to obscure its understanding. Although exemplary embodiments are shown in the drawings, it should be understood that the present invention may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a method for identifying malicious code propagated via removable media according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
S110: create no fewer than three simulated disks.
Here, the Subst command maps the contents of a folder as a local hard disk, so the Subst command can turn any directory into a virtual disk drive; three simulated drives are created with the Subst command. The command format is very simple: Subst Drive1 Drive2Path, where "Drive1" specifies the new virtual drive letter that stands in for the disk path and "Drive2Path" specifies the files to be substituted and their path. If the user needs to delete a virtual drive, the command Subst Drive1 /D can be executed.
S120: modify the drive type of no fewer than two of the simulated disks to the removable-disk type.
Here, if three simulated disks are created, the drive type of any two of them is changed by hooking to "DRIVE_REMOVABLE" to simulate USB flash drives, and the remaining one keeps the disk drive type "DRIVE_FIXED" to simulate a mobile hard disk.
If more than three simulated disks are created, the drive types of no fewer than two of them are modified to the removable-disk type, and no fewer than one is left unmodified and keeps its disk drive type.
S130: monitor whether executable files are newly created under the drive letters of the simulated disks.
Here, newly created files also include newly created scripts, newly created hidden-type files and newly created file shortcuts.
S140: if no fewer than two simulated disks are found to exhibit this behaviour within a preset time, the behaviour can be determined to be malicious.
If two or more drives are found to exhibit the above behaviour within a short preset time t (for example 5 minutes; this time can be configured), it can be determined to be removable-media malicious propagation. The preset time is specified to rule out manual user operations and so avoid possible false alarms.
In some embodiments, the method further includes:
S150: if the behaviour is not found, destroy the simulated disks that were created.
Specifically, if no malicious-code propagation behaviour is found, the simulated disks that were created are destroyed; the method can be repeated after an interval in order to detect and identify further removable-media malicious propagation behaviour.
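The cross-decoy correlation of steps S130 to S150 as an added Python example (not code from the patent): the decoy roots are plain directories the example creates itself as stand-ins for the Subst drive letters, the drive-type hook of S120 is outside the example, and the names DecoyMonitor, make_decoy_roots, drop_file, is_propagation_artifact and the EXEC_SUFFIXES list are assumptions. A verdict of malicious needs new executable, script, shortcut or hidden files on at least MIN_DRIVES decoys within the window t; a hit on a single decoy is left alone as a possible manual copy, which is the false-alarm control the description relies on.

```python
"""Decoy-drive correlation for steps S130 to S150 (added example)."""
import os
import stat
import tempfile
import time
from pathlib import Path

# Suffixes treated as executable/script/shortcut artifacts (assumed list).
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
WINDOW_SECONDS = 300   # preset time t from the description: 5 minutes
MIN_DRIVES = 2         # decoys that must be hit for a malicious verdict


def make_decoy_roots(count=3):
    """Constructed stand-ins for the Subst drives: `count` empty directories."""
    base = Path(tempfile.mkdtemp(prefix="decoy_"))
    roots = [base / f"drive{i}" for i in range(count)]
    for root in roots:
        root.mkdir()
    return roots


def drop_file(root, name, data=b""):
    """Write a file onto a decoy root; used only to simulate a drop."""
    path = Path(root) / name
    path.write_bytes(data)
    return path


def is_propagation_artifact(path):
    """New executable, script, shortcut or hidden file on a decoy root."""
    path = Path(path)
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    except OSError:
        return False
    # POSIX has no hidden attribute, so a dot prefix is treated as hidden.
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


class DecoyMonitor:
    """Baseline each decoy root, then poll for new artifacts and correlate."""

    def __init__(self, roots, window=WINDOW_SECONDS, min_drives=MIN_DRIVES):
        self.roots = [Path(r) for r in roots]
        self.window = window
        self.min_drives = min_drives
        self.seen = {r: set(os.listdir(r)) for r in self.roots}
        self.hits = {}  # root -> time of the latest artifact seen on it

    def poll(self, now=None):
        """Scan every root (S130); return True when the verdict is malicious."""
        now = time.time() if now is None else now
        for root in self.roots:
            current = set(os.listdir(root))
            new = current - self.seen[root]
            if any(is_propagation_artifact(root / n) for n in new):
                self.hits[root] = now
            self.seen[root] = current
        return self.verdict(now)

    def verdict(self, now):
        """S140: malicious only if >= min_drives roots were hit inside the window."""
        recent = [r for r, t in self.hits.items() if now - t <= self.window]
        return len(recent) >= self.min_drives

    def teardown(self):
        """S150: nothing found, so discard state before the next round
        (the Subst drives themselves are removed with `Subst Drive1 /D`)."""
        self.hits.clear()
        self.seen = {r: set(os.listdir(r)) for r in self.roots}
```

Calling `poll()` periodically from a scheduler gives the repeated rounds the description mentions; the hidden-attribute check only fires on Windows, where `st_file_attributes` exists.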
Fig. 2 is a block diagram of a system for identifying malicious code propagated via removable media according to an embodiment of the present invention. As shown in Fig. 2, the system may include: a creation module 210, a modification module 220, a monitoring module 230 and a determination module 240.
The creation module 210 creates no fewer than three simulated disks.
The modification module 220 modifies the drive type of no fewer than two of the simulated disks to the removable-disk type.
No fewer than one simulated disk is left unmodified and retains its disk drive type.
The monitoring module 230 monitors whether executable files are newly created under the drive letters of the simulated disks.
Newly created files include newly created scripts, newly created hidden-type files and newly created file shortcuts. The determination module 240 determines that the behaviour is malicious if no fewer than two simulated disks are found to exhibit the behaviour within a preset time.
In some embodiments, the system further includes:
A removal module 250, which destroys the simulated disks that were created if the behaviour is not found.
Simulated disks are created, their drive types are modified by hooking, and the drive letters of the simulated disks are monitored for newly created executable files in order to discover malicious code being propagated across multiple removable media. Removable-media malicious propagation behaviour can be recognised effectively, and through this behaviour removable-media Trojans and malicious behaviours such as disk-traversing Trojans can be monitored. The method improves the detection accuracy for removable-media malicious behaviour and reduces false alarms.
The invention has been described above in conjunction with preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the invention. Therefore, the scope of the invention is not limited to the specific embodiments above and should be defined by the appended claims.

Claims (8)

1. A method for identifying malicious code propagated via removable media, characterised in that it includes:
creating no fewer than three simulated disks;
modifying the drive type of no fewer than two of the simulated disks to the removable-disk type;
monitoring whether executable files are newly created under the drive letters of the simulated disks; and
if no fewer than two simulated disks are found to exhibit this behaviour within a preset time, determining that the behaviour is malicious.
2. The method according to claim 1, characterised in that the method includes: if the behaviour is not found, destroying the simulated disks that were created.
3. The method according to claim 1, characterised in that no fewer than one simulated disk is left unmodified and retains its disk drive type.
4. The method according to claim 1, characterised in that the newly created files include newly created scripts, newly created hidden-type files and newly created file shortcuts.
5. A system for identifying malicious code propagated via removable media, characterised in that it includes:
a creation module for creating no fewer than three simulated disks;
a modification module for modifying the drive type of no fewer than two of the simulated disks to the removable-disk type;
a monitoring module for monitoring whether executable files are newly created under the drive letters of the simulated disks; and
a determination module for determining that the behaviour is malicious if no fewer than two simulated disks are found to exhibit the behaviour within a preset time.
6. The system according to claim 5, characterised in that the system includes:
a removal module for destroying the simulated disks that were created if the behaviour is not found.
7. The system according to claim 5, characterised in that no fewer than one simulated disk is left unmodified and retains its disk drive type.
8. The system according to claim 5, characterised in that the newly created files include newly created scripts, newly created hidden-type files and newly created file shortcuts.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610906367.9A CN107016285B (en) 2016-10-17 2016-10-17 Method and system for identifying malicious code propagated via removable media


Publications (2)

Publication Number Publication Date
CN107016285A true CN107016285A (en) 2017-08-04
CN107016285B CN107016285B (en) 2019-11-05

Family

ID=59438749


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101178762A (en) * 2007-12-18 2008-05-14 唐璐峤 Method for inhibiting virus spreading through movable memory apparatus and movable memory apparatus thereof
CN101944169A (en) * 2010-07-22 2011-01-12 北京安天电子设备有限公司 Immune method for self-starting viruses of USB removable storage devices
CN102110214A (en) * 2011-04-12 2011-06-29 姚志浩 Method and device for preventing viruses in mobile memory from infecting computer
CN102799801A (en) * 2011-05-27 2012-11-28 网秦无限(北京)科技有限公司 Method and system for killing viruses of mobile equipment by utilizing mobile memory
CN103150506A (en) * 2013-02-17 2013-06-12 北京奇虎科技有限公司 Method and device for detecting rogue program


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
贺惠萍 et al.: "autorun.inf病毒的原理及防范" (Principles and prevention of the autorun.inf virus), 《电脑知识与技术》 (Computer Knowledge and Technology) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.
Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd.
Address before: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.
Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd.