Chapter 14 Technical Principles of Malicious Code Prevention
Malicious code overview

Malicious code concept and classification
- Definition:
  - Malicious code is program code that violates the security policy of the target system; it causes information leakage and resource abuse on the target system and damages the system's integrity and availability
  - It can spread through storage media or networks from one computer system to another, and it accesses or damages the computer system without authorization
- Classification:
Malicious code attack model
- Six steps: invade the system, maintain or escalate the privileges already obtained, conceal, hide, destroy, and repeat the first five steps
Malicious code survival technology
- Anti-tracking technology: improves the code's own camouflage and its resistance to being deciphered
  - Anti-dynamic-tracking technology
    - Disabling the trace interrupt
    - Detecting the tracking method
    - Other anti-tracking technologies
  - Anti-static-analysis technology
    - Block-wise encrypted execution of program code: the aim is that the analyst can never obtain the complete code from memory at any single moment
    - Pseudo-instruction method: similar to code obfuscation
      - Example: Apparition
- Encryption technology
  - Information encryption, data encryption, program code encryption
  - Examples: "China Bomb", "Ghost Virus", "Cascade"
- Fuzzy transformation technology
  - Instruction replacement technology
  - Instruction compression technology: synonymous compression of compressible instructions
  - Instruction extension technology
  - Pseudo-instruction technology
  - Recompilation technology: examples are macro viruses and script malicious code
- Automatic production technology
  - Uses a "polymorphism generator" to compile a virus with polymorphism
  - Example: Bulgaria's "Dark Avenger"
- Transformation technology: technology that transforms the signature of malicious code
  - Reassembly technique: example, Regswap
  - Compression technology
  - Expansion technique: the inverse transformation of compression
  - Pseudo-instruction technology
  - Recompilation technology
- Three-thread technology
  - Principle: a malicious code process starts three threads simultaneously; the main thread is responsible for the remote control work, and the other two check whether the malicious code is still running normally
  - Example: "Chinese hacker"
- Process injection technology
  - Malicious code embeds itself in the processes started at operating system boot and in service processes
  - Example: most key service programs under Windows can be injected by "WinEggDropShell"
- Communication concealment technology
  - Port customization
  - Port reuse technology: reuses ports already opened by the system, such as 25 and 139
  - Communication encryption technology
  - Covert channel technology
- Kernel-level hiding technology
  - LKM hiding
  - Memory map hiding
Malicious code attack technology
- Process injection technology
- Super management technology
  - Malicious code conducts denial-of-service attacks on anti-malware systems
  - Example: "Guangwai Girl", which launched a denial-of-service attack on "Jinshan Drug Tyrant" (Kingsoft AntiVirus)
- Port reverse connection technology: reverse shell
  - Principle of the reverse shell
  - Examples: "Internet Thief", "Gray Pigeon"
- Buffer overflow attack technology
  - Example: "Code Red"
Malicious code analysis technology

Malicious code prevention strategy

Computer virus analysis and protection

Computer virus concept and characteristics
- A set of program code with self-replication and propagation capabilities
- Characteristics:
  - Concealment
  - Infectiousness
  - Latency
  - Destructiveness
Computer virus composition and operating mechanism
- Replication and infection component: controls the transmission of the virus to other files
- Hiding component: prevents the virus from being detected
- Destructive component: performs the destructive operation once the virus's activation conditions are met
- Operating mechanism
  - First stage: replication and spread of the computer virus
  - Second stage: activation of the computer virus
Common types and techniques of computer viruses
- Boot-sector virus: infects the boot area of the computer system
- Macro virus: implements the computer virus in a macro language
- Polymorphic virus: after infecting a new object, changes its form of existence by changing the encryption algorithm
- Stealth virus
  - Hides changes to file date and time
  - Hides changes to file size
  - Virus encryption
Computer virus prevention strategy and technology
- Find the source of computer viruses
  - Comparison method: compare the original backup with the file under inspection
  - Search method: search for a specific byte string
  - Feature-word recognition method
  - Analysis method: dedicated to anti-virus technicians
- Block computer virus transmission
  - Users have computer-virus prevention security awareness and safe operating habits
  - Eliminate computer virus vectors
  - Security zone isolation
- Actively check for and kill computer viruses
  - Regularly check the computer system for viruses
  - Install computer anti-virus software
- Computer virus emergency response and disaster preparedness
  - Backup
  - Data repair technology
  - Network filtering technology
  - Computer virus emergency response plan
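The comparison, search and feature-word methods listed under "find the source of computer viruses" are easy to confuse on paper, so here is an added example (written for these notes, not code from the textbook or from any product) that implements all three over an in-memory set of files. The file contents, the hash baseline and the "Hypothetical.Appender" signature are constructed; the only real value is the standard EICAR anti-virus test string, which genuine scanners deliberately detect.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample "file systems" (path -> bytes), not taken from the textbook:
# the baseline is a clean backup, the current set has one modified and one new file.
BASELINE_FILES = {
    "bin/editor.exe": b"MZ\x90\x00editor-v1",
    "bin/viewer.exe": b"MZ\x90\x00viewer-v1",
    "docs/readme.txt": b"hello",
}
CURRENT_FILES = {
    "bin/editor.exe": b"MZ\x90\x00editor-v1",
    "bin/viewer.exe": b"MZ\x90\x00viewer-v1" + b"\x00" * 8 + b"APPENDED_STUB_XYZ",  # tampered
    "docs/readme.txt": b"hello",
    # the standard EICAR anti-virus test string, which real scanners treat as a detection
    "tmp/dropper.com": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    offset: Optional[int] = None  # None: search anywhere; int: feature word must sit at this offset

# Signature database (constructed; "Hypothetical.Appender" is an invented name and pattern).
SIGNATURES = [
    Signature("EICAR-Test-File",
              rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", offset=0),
    Signature("Hypothetical.Appender", b"APPENDED_STUB_XYZ"),
]

def fingerprint(files: dict) -> dict:
    """Comparison method, step 1: SHA-256 of every file, stored as the backup baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare_with_baseline(baseline: dict, current: dict) -> dict:
    """Comparison method, step 2: report files that changed, appeared or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def match_signatures(data: bytes, signatures) -> list:
    """Search method (pattern anywhere) and feature-word method (pattern at a fixed offset)."""
    hits = []
    for sig in signatures:
        if sig.offset is None:
            found = sig.pattern in data
        else:
            found = data.startswith(sig.pattern, sig.offset)
        if found:
            hits.append(sig.name)
    return hits

def scan(current_files: dict, baseline_hashes: dict, signatures) -> dict:
    """Run both checks; signature hits are keyed by path, clean files are omitted."""
    integrity = compare_with_baseline(baseline_hashes, fingerprint(current_files))
    sig_hits = {}
    for path, data in current_files.items():
        hits = match_signatures(data, signatures)
        if hits:
            sig_hits[path] = hits
    return {"integrity": integrity, "signature_hits": sig_hits}

if __name__ == "__main__":
    report = scan(CURRENT_FILES, fingerprint(BASELINE_FILES), SIGNATURES)
    for kind, paths in report["integrity"].items():
        print(f"{kind:9s}: {paths}")
    for path, names in report["signature_hits"].items():
        print(f"{path}: {', '.join(names)}")
```

The integrity check catches the appended code in `bin/viewer.exe` even without any signature for it, which is why the comparison method is listed first: it needs no knowledge of the virus, only a trusted backup. The signature search then names what was found, and the offset-bound feature word shows why a byte string alone is a weak identifier when it can occur anywhere in a file.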
Computer virus protection mode

Stand-alone computer virus protection

Network-based computer virus protection

Virus protection based on network hierarchy
- Three-level management mode: stand-alone terminal anti-virus, local area network centralized monitoring, WAN headquarters management

Mail-gateway-based virus protection

Gateway-based protection

Trojan horse analysis and protection

Trojan horse concept and characteristics
- Concept:
  - A Trojan horse is a malicious program that has the ability to disguise itself and to perform illegal functions in secret, while what the victim user sees on the surface is the execution of legitimate functions
  - It does not have the ability to self-propagate; it spreads through other propagation mechanisms
- Classification: local Trojan horses and network Trojan horses (the main type)

Trojan horse operating mechanism

Trojan horse technology

Trojan horse implantation technology
- Passive implantation: relies on manual operation by the victim, mainly implanted through social engineering methods
  - File binding
  - Mail attachment
  - Web page
- Active implantation: the Trojan horse program is installed into the target system automatically by a program, without any operation by the victim

Trojan horse hiding technology

Local activity behaviour hiding technology
- File hiding
- Process hiding
- Communication connection hiding

Remote communication process hiding technology
- Communication content encryption technology
- Communication port multiplexing technology
- Network covert channel

Trojan horse survival technology
- Uses anti-detection technology when invading the target system to interrupt the operation of anti-Trojan software

Trojan horse prevention technology
- Trojan horse detection technology based on viewing open ports
- Trojan horse detection technology based on important system files
- Trojan horse detection technology based on the system registry
- Detection of Trojan horses with hiding capabilities
  - Rootkit detection:
    - Detect known rootkits
    - Analysis and detection method based on execution paths
    - Analysis and detection method based on directly reading kernel data
- Network-based Trojan horse detection technology: intrusion detection systems
- Network-based Trojan horse blocking technology: use firewalls, routers and security gateways to block communications
- Trojan removal technology: two methods, manual removal and software removal
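"Detection based on viewing open ports" is only useful against a known-good baseline, and the port reuse technique described earlier (a Trojan sitting on a port the system already opens, such as 25) means the owning process has to be checked as well as the port number. The following added example, written for these notes rather than taken from the textbook, parses lines in the shape of `ss -ltnp` output on Linux and flags both unexpected ports and expected ports owned by an unexpected process. The sample output, the baseline table and the process names in it are constructed.

```python
import re
import sys
from typing import NamedTuple

# Constructed sample in the shape of `ss -ltnp` output on Linux (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("relay_d",pid=4410,fd=7))
LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("update_helper",pid=5120,fd=4))
"""

# Baseline of expected listeners: port -> set of process names allowed to own it.
# Constructed for this example; a real baseline is recorded from a known-clean state.
BASELINE = {22: {"sshd"}, 25: {"master"}, 80: {"nginx"}}

class Listener(NamedTuple):
    port: int
    addr: str
    proc: str
    pid: int

class Finding(NamedTuple):
    kind: str   # "unexpected_port" or "unexpected_process"
    port: int
    proc: str
    pid: int

# Matches a LISTEN row: local address, peer address, then the first owning process.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_ss_output(text: str) -> list:
    """Turn `ss -ltnp` style text into Listener records; header and other rows are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # handles "0.0.0.0:22" and "[::]:80"
        listeners.append(Listener(int(port), addr, m.group("proc"), int(m.group("pid"))))
    return listeners

def check_listeners(listeners, baseline) -> list:
    """Flag ports absent from the baseline, and baseline ports owned by the wrong process."""
    findings = []
    for lsn in listeners:
        allowed = baseline.get(lsn.port)
        if allowed is None:
            findings.append(Finding("unexpected_port", lsn.port, lsn.proc, lsn.pid))
        elif lsn.proc not in allowed:
            findings.append(Finding("unexpected_process", lsn.port, lsn.proc, lsn.pid))
    return findings

if __name__ == "__main__":
    # Read real `ss -ltnp` output from a pipe when one is given, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for f in check_listeners(parse_ss_output(text), BASELINE):
        print(f"{f.kind}: port {f.port} owned by {f.proc} (pid {f.pid})")
```

Run as `ss -ltnp | python3 check_ports.py` on a Linux host (root is needed for `ss` to show process names for other users' sockets). The second finding in the sample, port 25 owned by something other than the mail daemon, is the case a plain "list open ports" check misses; this is also why the notes pair port inspection with checks of important system files, since a rootkit that hides its process or socket from `ss` defeats this check entirely and must be found by the kernel-data methods listed above.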
Network worm analysis and protection

Concepts and characteristics of network worms
- Concept:
  - A malicious program that has self-replication and propagation capabilities and can run independently and automatically
- Characteristics:
  - By exploiting vulnerable node hosts in the system, the worm propagates itself from one node to another

Network worm components and operating mechanism

Component modules

Operating mechanism

Network worm technology

Network worm scanning technology
- Random scanning
- Sequential scanning
- Selective scanning

Network worm exploitation technology
- Vulnerabilities in the trust relationships between hosts
- Program vulnerabilities on the target host
- Default user accounts and passwords on the target host
- Weak security awareness of the target host's users
- Vulnerabilities in the client program configuration of the target host

Network worm prevention technology
- Network worm detection and early-warning technology: use detectors to collect worm-related information
- Network worm propagation suppression technology: construct an environment that inhibits the spread of worms
- Network system vulnerability detection and system hardening technology: improve system security
- Network worm immunization technology: deceive the worm
- Network worm blocking and isolation technology: blocking by security equipment
- Network worm removal technology: manual removal and special-tool removal
Botnet analysis and protection

Botnet concepts and characteristics
- Concept:
  - The attacker uses intrusion methods to plant a bot (zombie program) on the target computer, and then manipulates the victim machine to perform malicious activities on the network
- Characteristics:

Botnet operating mechanism and common technologies
- Operating mechanism
  - Spread of the bot program
  - Remote command operation and control of the bot, combining the victim machines into a network
  - The attacker sends attack instructions to the bot program through the botnet's control server to carry out the attack activity

Botnet prevention technology
- Botnet threat monitoring: honeypot technology
- Botnet detection: detect abnormal network traffic
- Active containment of botnets: routing and DNS blacklist blocking
- Bot killing: special tools
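Both the worm "detection and early-warning" item above and the botnet "detect abnormal network traffic" item come down to the same raw material, a connection log, read for two different patterns: a worm's scanner fans out to many hosts on one port in a short time, while a bot checks in with its control server at regular intervals, and several internal hosts checking in with the same server mark it as a controller. The following added example (written for these notes, not from the textbook or any IDS product) implements both detectors over a constructed flow log; the hosts, addresses, timings and the thresholds `min_targets`, `window`, `min_conns`, `max_cv` and `min_hosts` are all assumptions chosen for the sample.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import NamedTuple

class Flow(NamedTuple):
    ts: float     # seconds since the start of the log
    src: str
    dst: str
    dport: int

def constructed_flows() -> list:
    """Constructed connection log (not real traffic): one scanning host, three beaconing
    hosts that share a controller, and one host with irregular, benign-looking traffic."""
    flows = []
    for i in range(40):                      # sequential sweep of 10.0.1.0/24 on 445, one host per second
        flows.append(Flow(100 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    jitter = [0, 1, -1, 2, -2, 1, 0, -1, 2, 0]
    for host in ("10.0.0.7", "10.0.0.8", "10.0.0.9"):
        t = 0.0
        for j in jitter:                     # check-in every ~60 s with a little jitter
            t += 60 + j
            flows.append(Flow(t, host, "203.0.113.10", 443))
    for t in (5, 12, 36, 38, 95, 145, 160, 400, 401, 530):
        flows.append(Flow(t, "10.0.0.11", "198.51.100.20", 443))
    return flows

def detect_scanners(flows, min_targets=20, window=60.0) -> list:
    """Worm-style scanning: one source reaching `min_targets` distinct hosts on one port within `window` s."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append((f.ts, f.dst))
    alerts = []
    for (src, dport), events in by_key.items():
        events.sort()
        in_window = Counter()
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                alerts.append((src, dport, len(in_window)))
                break
    return alerts

def detect_beacons(flows, min_conns=8, max_cv=0.2) -> list:
    """Bot check-ins: a src->dst:port pair contacted repeatedly at near-constant intervals
    (coefficient of variation of the gaps at or below `max_cv`)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = []
    for (src, dst, dport), ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            beacons.append((src, dst, dport, round(mu, 1), round(cv, 3)))
    return beacons

def detect_c2_candidates(beacons, min_hosts=3) -> list:
    """A destination that several internal hosts beacon to is a likely control server."""
    hosts = defaultdict(set)
    for src, dst, dport, _, _ in beacons:
        hosts[(dst, dport)].add(src)
    return sorted((dst, dport, len(s)) for (dst, dport), s in hosts.items() if len(s) >= min_hosts)

if __name__ == "__main__":
    flows = constructed_flows()
    print("scanners:", detect_scanners(flows))
    beacons = detect_beacons(flows)
    print("beacons :", beacons)
    print("C2      :", detect_c2_candidates(beacons))
```

The irregular host 10.0.0.11 has as many connections to its destination as each bot does, so a count threshold alone would flag it; it is the low variance of the intervals that separates a check-in from browsing, and the three-host agreement on one destination is what turns three separate beacon alerts into a botnet finding that a DNS or routing blacklist entry can act on. Real deployments feed this from NetFlow, firewall or proxy logs and tune the thresholds per network, since a backup agent or a monitoring probe also beacons regularly and belongs on an allowlist.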
Other malicious code analysis and protection

Logic bomb
- A piece of program code attached to other software that has the ability to trigger its own execution and cause destruction

Trapdoor
- A piece of code in a software system that allows users to bypass the system's security mechanisms to access the system
- Does not have automatic transmission or self-replication functions

Bacterium
- An independent program with a self-replication function

Spyware
Main technical indicators and products of malicious code protection
- Main technical indicators of malicious code protection
  - Malicious code detection capability
  - Malicious code detection accuracy
  - Malicious code blocking capability
- Main products of malicious code protection
  - Terminal protection products: deployed on the protected terminals
  - Security gateway products: intercept the spread of malicious code and prevent the damage from expanding
  - Malicious code detection products: IDS
  - Malicious code protection products: patch management systems
  - Malicious code emergency response: tools such as Kingsoft Trojan Killer, Trojan Marker, Trojan Cleaner
Malicious code protection technology application

Terminal malicious code protection

Electronic document and email malicious code protection