Information security: Principles of malicious code prevention technology.
Malicious code (English: Malicious Code) is program code that violates the security policy of the target system. It can cause information leakage and resource abuse, and damage the integrity and availability of the target system.
Table of contents:
(1) Malicious code classification:
(2) Malicious code attack model:
(3) Malicious code survival technology:
(4) Malicious code attack technology:
(5) Malicious code analysis technology:
(6) Malicious code prevention strategy:
Computer virus analysis and protection:
(1) Concept and characteristics of computer viruses:
(2) Composition and operating mechanism of computer viruses:
(3) Common types and technologies of computer viruses:
(4) Computer virus prevention strategies and technologies:
(5) Computer virus protection plan:
Trojan horse analysis and protection:
(1) Concept and characteristics of Trojan horse:
(2) Trojan horse classification:
(3) Trojan horse operating mechanism:
(4) Trojan horse implantation technology:
(5) Trojan horse hiding technology:
(6) Trojan horse survival technology:
(7) Trojan horse prevention technology:
Network worm analysis and protection:
(1) Concept and characteristics of network worms:
(2) Network worm composition and operating mechanism:
(3) Commonly used techniques for network worms:
(4) Network worm prevention technology:
Botnet analysis and protection:
(1) Botnet concepts and characteristics:
(2) Botnet operating mechanism and technology:
(3) Botnet prevention technology:
Other malicious code analysis and protection:
Main products and technical indicators of malicious code protection:
(1) Main products for malicious code protection:
(2) Main technical indicators of malicious code protection:
Malicious code protection technology applications:
Malicious code overview:
(1) Malicious code classification:
(2) Malicious code attack model:
(3) Malicious code survival technology:
1. Anti-tracking technology:
Malicious code uses anti-tracking technology to improve its camouflage and resistance to decryption, which makes detecting and removing it considerably harder.
Anti-tracking technology can be roughly divided into two categories: anti-dynamic tracking technology and anti-static analysis technology.
3. Fuzzy transformation technology:
4. Automatic production technology:
5. Deformation technology:
6. Three-thread technology:
7. Process injection technology:
8. Communication hiding technology:
9. Kernel-level hiding technology:
LKM hiding: an LKM (loadable kernel module) is used to extend Linux kernel functionality. An LKM can be loaded dynamically into memory without recompiling the kernel, so malicious code packaged as an LKM runs with kernel privileges and can conceal itself from user-space tools.
Memory mapping hiding: memory mapping is the mapping of a file onto a block of memory. It maps the contents of the disk into memory so that a program can read and write the file through ordinary memory instructions. Using memory mapping avoids repeated I/O system calls and reduces unnecessary resource consumption, and the mapped code leaves fewer of the traces that conventional file I/O would.
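One defender-side check for the LKM hiding described above, written as an added example (it is not code from the original notes). A kernel-level rootkit commonly unlinks its module from the list that `lsmod` reads (`/proc/modules`), while the module's directory under `/sys/module` usually remains; a name that appears in sysfs but not in `/proc/modules` therefore deserves investigation. The sample `/proc/modules` text and sysfs listing below are constructed, and the module name `suspicious_mod` is a placeholder. The live check assumes that a loadable module's sysfs directory contains an `initstate` file, which built-in modules lack.

```python
"""Heuristic detection of kernel modules hidden from /proc/modules.
Added example; the sample data is constructed, not from a real host."""
import os

# Constructed /proc/modules content: "name size refcount deps state addr"
PROC_MODULES_SAMPLE = """\
ext4 778240 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
"""

# Constructed /sys/module listing: one extra name that /proc/modules lacks
SYSFS_SAMPLE = ["ext4", "mbcache", "suspicious_mod"]


def parse_proc_modules(text: str) -> set:
    """Module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def find_hidden_modules(proc_modules_text: str, sysfs_entries) -> list:
    """Names present in the sysfs listing but absent from /proc/modules.
    The caller must pass only loadable-module names: built-in modules also
    have /sys/module entries and would otherwise be false positives."""
    listed = parse_proc_modules(proc_modules_text)
    return sorted(set(sysfs_entries) - listed)


def live_check(proc_path="/proc/modules", sysfs_path="/sys/module") -> list:
    """Run the comparison against a real Linux host. Assumption: only
    loadable modules carry an 'initstate' attribute in sysfs, so that file
    is used to skip built-in modules."""
    with open(proc_path) as f:
        text = f.read()
    loadable = [
        name for name in os.listdir(sysfs_path)
        if os.path.exists(os.path.join(sysfs_path, name, "initstate"))
    ]
    return find_hidden_modules(text, loadable)


if __name__ == "__main__":
    print("constructed sample:", find_hidden_modules(PROC_MODULES_SAMPLE, SYSFS_SAMPLE))
    if os.path.isdir("/sys/module"):
        print("this host:", live_check())
```

A module being unloaded at the moment of the check can also show up in the difference, so treat a hit as a lead to confirm (for example with a trusted offline memory image), not as a verdict on its own.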
(4) Malicious code attack technology:
1. Process injection technology:
2. Super management technology:
Some malicious code attacks anti-malware software directly. Using super management technology, the malicious code mounts a denial-of-service attack against the anti-malware system so that the anti-malware software can no longer operate normally. For example, "Guangwai Girl" is a domestic Trojan horse that uses super management technology to carry out denial-of-service attacks against "Kingsoft Drug Tyrant" and "Skynet Firewall", and is therefore very harmful to both.
3. Port reverse connection technology:
4. Buffer overflow attack technology:
Malicious code exploits security vulnerabilities in systems and network services to implant and execute attack code. The attack code triggers the buffer overflow in a program that runs with certain privileges and thereby gains control of the attacked host. Example: Code Red.
(5) Malicious code analysis technology:
Malicious code analysis methods consist of static analysis and dynamic analysis.
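The following is an added example of a small static-analysis triage step, covering the anti-tracking discussion above as well: it takes the bytes of a suspect file, computes the hashes used to look the sample up in signature databases, extracts printable strings the way `strings` does, and flags API names that are commonly associated with debugger or analysis-environment checks. This is not code from the original notes; the sample bytes are constructed (not a real sample), and the indicator list is an illustrative selection, not a complete one.

```python
"""Static triage of a suspect file: hashes, strings, anti-analysis hints.
Added example; SAMPLE is constructed and does not come from real malware."""
import hashlib
import re

# API names often seen in code that checks for a debugger or analysis
# environment. A hit is a reason to escalate to dynamic analysis, not a
# proof of malice: debuggers, packers and legitimate tools use them too.
ANTI_ANALYSIS_INDICATORS = (
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
    "OutputDebugString",
    "ptrace",
)

# Constructed sample: a few header bytes, embedded import names, binary
# padding and a placeholder URL (the .invalid TLD is reserved, never live).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + b"\x01\x02" * 8
    + b"http://c2.example.invalid/beacon\x00"
)


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the content, the usual lookup keys."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_indicators(strings) -> list:
    """Strings that contain any known anti-analysis API name."""
    return sorted({s for s in strings
                   for ind in ANTI_ANALYSIS_INDICATORS if ind in s})


def triage(data: bytes) -> dict:
    """Combine the static checks into one report."""
    strs = extract_strings(data)
    indicators = find_indicators(strs)
    return {
        "hashes": hashes(data),
        "strings": strs,
        "urls": [s for s in strs if s.startswith(("http://", "https://"))],
        "anti_analysis": indicators,
        # Code that checks for debuggers will often behave differently under
        # a debugger, so it must be run in an instrumented sandbox instead.
        "needs_dynamic_analysis": bool(indicators),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

The `needs_dynamic_analysis` flag is the practical link between the two methods: static analysis decides cheaply what to look at, and anti-tracking indicators are exactly the case where static findings alone cannot be trusted.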
(6) Malicious code prevention strategy:
Computer virus analysis and protection:
(1) Concept and characteristics of computer viruses:
The name "computer virus" borrows the concept of a virus from biology. A computer virus is a set of program code with the ability to replicate itself and spread.
Computer viruses have the following four basic characteristics: concealment, contagiousness, latency and destructiveness.
(2) Composition and operating mechanism of computer viruses:
(3) Common types and technologies of computer viruses:
1. Boot virus: a boot virus takes control of the system by infecting the boot area of the computer. The virus modifies or replaces the real boot area content so that the virus program is executed first and only then starts the operating system. Boot viruses are usually memory-resident. Typical boot viruses include the Disk Killer virus and the AntiExe virus.
2. Macro virus: can infect any computer running Office;
3. Polymorphic virus: each time a polymorphic virus infects a new object, it changes its stored form by changing the encryption algorithm.
4. Covert (stealth) virus: a covert virus tries to hide its existence so that the operating system and anti-virus software cannot detect it.
(4) Computer virus prevention strategies and technologies:
1. Find the source of computer viruses;
2. Block the spread of computer viruses;
3. Actively detect and kill computer viruses;
4. Computer virus emergency response and disaster recovery;
(5) Computer virus protection plan:
1. Stand-alone (single-computer) virus protection;
2. Network-based virus protection;
3. Network-based hierarchical virus protection;
4. Email-gateway-based virus protection;
5. Gateway-based protection;
Trojan horse analysis and protection:
(1) Concept and characteristics of Trojan horse:
A Trojan horse (Trojan for short) takes its name from the wooden horse of the Trojan War in ancient Greek mythology. It is a malicious program that can disguise itself and covertly perform illegal functions, while what the victim user sees on the surface is the execution of legitimate functions.
It disguises itself as a legitimate program or file and is implanted into the system, posing a serious threat to the security of the network system.
(2) Trojan horse classification:
Based on how Trojans are controlled, they can be divided into local Trojans and network Trojans.
The local Trojan is the earliest type of Trojan. Its characteristic is that it runs only on a single local host and has no remote communication function. Its attack environment is the multi-user UNIX system; a typical example is a password-stealing Trojan.
(3) Trojan horse operating mechanism:
(4) Trojan horse implantation technology:
Trojan horse implantation methods can be divided into two categories, namely passive implantation and active implantation;
Passive implantation means that the Trojan program is installed into the target system through human intervention: the implantation process depends on a manual operation by the victim user;
① File bundling method: the Trojan is bundled into some commonly used application software package. When the user installs the package, the Trojan is implanted into the system without the user being aware of it.
(5) Trojan horse hiding technology:
1. Local activity hiding technology: file hiding; process hiding; communication connection hiding;
2. Remote communication process hiding technology: communication content encryption; communication port reuse; network covert channels;
(6) Trojan horse survival technology:
A Trojan's ability to survive depends on its ability to evade security monitoring. Some network Trojans use anti-detection techniques when intruding into the target system, and may even interrupt the operation of anti-Trojan programs.
Some advanced Trojans have a port reverse connection function, for example the "Boinet", "网络神偷" (Network Thief) and "灰鸽子" (Gray Pigeon) Trojans. Port reverse connection technology means that the Trojan agent on the target system actively connects out to the remote Trojan control end on the external network, in order to evade the restrictions of the firewall.
(7) Trojan horse prevention technology:
1. Detecting Trojans by examining open ports;
2. Detecting Trojans based on important system files;
3. Detecting Trojans based on the system registry;
4. Detecting Trojans that have hiding capabilities;
5. Network-based Trojan detection;
6. Network-based Trojan blocking;
7. Trojan removal;
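Technique 2 above (detection based on important system files) is in practice a baseline-and-compare integrity check: record a cryptographic hash, size and mode for each protected file while the system is known-good, then re-scan and report anything modified, added or removed. The following is an added example of that check and is not code from the original notes; it builds a throwaway directory with constructed file names (`bin/login`, `bin/ls`, `etc/passwd`) so that it runs offline, and the baseline would in real use be stored off-host or on read-only media so a Trojan cannot rewrite it along with the files.

```python
"""Baseline-and-compare integrity check for important system files.
Added example; the directory contents in demo() are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> (sha256, size, mode) for every regular file.
    Symlinks are skipped so a link cannot redirect the check elsewhere.
    Paths use '/' regardless of platform so baselines are portable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_of(full), st.st_size, st.st_mode)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Report content changes, new files, missing files and mode changes."""
    common = [p for p in old if p in new]
    return {
        "modified": sorted(p for p in common if old[p][0] != new[p][0]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "perm_changed": sorted(p for p in common if old[p][2] != new[p][2]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, then replace one file, drop a
    new hidden file and delete another, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        originals = (
            ("bin/login", b"legitimate login"),
            ("bin/ls", b"legitimate ls"),
            ("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
        )
        for rel, body in originals:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"replaced login")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped file")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A hash-only baseline misses a file whose permissions were changed to setuid, which is why mode is recorded alongside the digest; conversely, legitimate patching produces "modified" hits, so the baseline must be re-taken after every trusted update.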
Network worm analysis and protection:
(1) Concept and characteristics of network worms:
A network worm is a malicious program that has the ability to replicate and propagate itself and can run independently and automatically.
(2) Network worm composition and operating mechanism:
A network worm consists of four functional modules: the probe module, the propagation module, the worm engine module and the payload module;
Probe module: performs vulnerability detection on a specific host and decides which attack and penetration method to use.
(3) Commonly used techniques for network worms:
1. Network worm scanning technology: the propagation methods of network worms fall into three categories, namely random scanning, sequential scanning and selective scanning.
2. Network worm vulnerability exploitation technology: trust-relationship vulnerabilities between hosts; program vulnerabilities on the target host; default user and password vulnerabilities on the target host; weak user security awareness on the target host; client program configuration vulnerabilities on the target host;
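From the defender's side, the scanning behaviour described in technique 1 is what makes a spreading worm visible in network flow records: one source contacting many distinct destinations on the same port within a short window. The following added example (not code from the original notes) runs that check over a constructed flow log and, for a flagged source, tells sequential scanning (consecutive addresses) from random scanning by the order of the targets. Selective scanning of a prepared hit list cannot be told apart from random scanning by address order alone, so it falls under "random" here. The addresses, thresholds and the log format are all constructed for the example.

```python
"""Scan detection over flow records: flag sources that reach many distinct
destinations in a short window and classify the scan order.
Added example; FLOW_LOG is constructed, not captured traffic."""
import ipaddress
from collections import defaultdict

# Constructed flow log, one record per line: "timestamp src dst dport".
# 10.0.0.5 walks 10.0.1.1..10.0.1.6 in order, 10.0.0.7 hops around,
# and 10.0.0.9 makes two ordinary connections.
FLOW_LOG = """\
0 10.0.0.5 10.0.1.1 445
1 10.0.0.5 10.0.1.2 445
2 10.0.0.5 10.0.1.3 445
3 10.0.0.5 10.0.1.4 445
4 10.0.0.5 10.0.1.5 445
5 10.0.0.5 10.0.1.6 445
0 10.0.0.7 172.16.9.3 445
1 10.0.0.7 10.0.44.200 445
2 10.0.0.7 192.168.3.17 445
3 10.0.0.7 10.0.2.9 445
4 10.0.0.7 172.16.100.1 445
5 10.0.0.7 10.0.200.13 445
0 10.0.0.9 10.0.0.1 53
30 10.0.0.9 10.0.0.2 443
"""


def parse_flows(text: str) -> list:
    """Parse the constructed format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((float(ts), src, dst, int(port)))
    return flows


def classify_order(dsts) -> str:
    """'sequential' if every target is the previous one plus one, else 'random'."""
    ints = [int(ipaddress.ip_address(d)) for d in dsts]
    if len(ints) >= 2 and all(b - a == 1 for a, b in zip(ints, ints[1:])):
        return "sequential"
    return "random"


def detect_scanners(flows, window: float = 10.0, threshold: int = 5) -> dict:
    """Map src -> scan order for every source that contacts at least
    `threshold` distinct destinations within any `window` seconds.
    A sliding window over each source's time-sorted events keeps the
    check linear in the number of records."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> occurrences inside the window
        ordered = []                   # dsts inside the window, in time order
        left = 0
        for ts, dst in events:
            ordered.append(dst)
            in_window[dst] += 1
            # Evict records older than the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                ordered.pop(0)
                left += 1
            if len(in_window) >= threshold:
                verdicts[src] = classify_order(ordered)
                break
    return verdicts


if __name__ == "__main__":
    for src, order in detect_scanners(parse_flows(FLOW_LOG)).items():
        print(f"{src}: {order} scan")
```

The threshold and window must be tuned per network: a monitoring server or a vulnerability scanner legitimately touches many hosts, so those sources belong on an allowlist rather than in the alert queue.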
(4) Network worm prevention technology:
Botnet analysis and protection:
(1) Botnet concepts and characteristics:
(2) Botnet operating mechanism and technology:
(3) Botnet prevention technology:
1. Botnet threat monitoring;
2. Botnet detection;
3. Active botnet containment;
4. Bot program detection and removal;
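One concrete form of the botnet detection listed above is spotting the regular check-in traffic a bot produces when it polls its controller: the gaps between successive connections from one host to one destination are far more uniform than human-driven traffic. The following added example (not code from the original notes) computes, per source/destination pair, the coefficient of variation of those gaps over a constructed connection log and reports pairs whose timing is regular enough to be a beaconing candidate. The addresses, intervals and thresholds are constructed for the example.

```python
"""Beaconing detection: flag (src, dst) pairs whose connection gaps are
unusually regular. Added example; CONN_LOG is constructed, not captured."""
import statistics
from collections import defaultdict

# Constructed connection log: "timestamp src dst". Host 10.0.0.12 checks
# in roughly every 60 s (with a little jitter); host 10.0.0.20 browses
# irregularly.
CONN_LOG = """\
# timestamp src dst
100 10.0.0.12 203.0.113.5
160 10.0.0.12 203.0.113.5
221 10.0.0.12 203.0.113.5
280 10.0.0.12 203.0.113.5
341 10.0.0.12 203.0.113.5
400 10.0.0.12 203.0.113.5
461 10.0.0.12 203.0.113.5
100 10.0.0.20 198.51.100.9
103 10.0.0.20 198.51.100.9
140 10.0.0.20 198.51.100.9
900 10.0.0.20 198.51.100.9
905 10.0.0.20 198.51.100.9
1300 10.0.0.20 198.51.100.9
1301 10.0.0.20 198.51.100.9
"""


def parse_conn_log(text: str) -> list:
    """Parse the constructed format into (timestamp, src, dst) tuples."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        conns.append((float(ts), src, dst))
    return conns


def beacon_scores(conns, min_gaps: int = 5) -> dict:
    """Per (src, dst): mean gap, coefficient of variation (stdev / mean)
    and connection count. Pairs with fewer than min_gaps gaps are skipped
    because regularity means nothing on a handful of samples."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    scores = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections at the same instant: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        scores[pair] = {"interval": round(mean, 1),
                        "cv": round(cv, 3),
                        "count": len(times)}
    return scores


def find_beacons(conns, max_cv: float = 0.2, min_gaps: int = 5) -> dict:
    """Pairs whose gap regularity is at or below max_cv."""
    return {pair: s for pair, s in beacon_scores(conns, min_gaps).items()
            if s["cv"] <= max_cv}


if __name__ == "__main__":
    for (src, dst), s in find_beacons(parse_conn_log(CONN_LOG)).items():
        print(f"{src} -> {dst}: every ~{s['interval']}s, cv={s['cv']}, n={s['count']}")
```

Software update checks and monitoring agents also beacon regularly, so the output is a candidate list to be joined against known-good destinations; bots that add deliberate jitter raise the coefficient of variation and call for a looser `max_cv` or a longer observation period.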
Other malicious code analysis and protection:
(1) Logic bombs:
A logic bomb is a piece of program code attached to other software that has the ability to trigger destructive execution. Logic bomb trigger conditions take many forms, including counter-triggered, time-triggered, file-triggered and specific-user-access-triggered. A logic bomb only begins to execute its destructive function after the trigger condition is met;
(2) Trapdoors:
(3) Bacteria:
(4) Spyware:
Main products and technical indicators of malicious code protection:
(1) Main products for malicious code protection:
1. Endpoint protection products;
2. Security gateway products;
3. Malicious code monitoring products;
4. Malicious code protection products: patch management systems;
5. Malicious code emergency response;
(2) Main technical indicators of malicious code protection:
1. Malicious code detection capability;
2. Malicious code detection accuracy;
3. Malicious code blocking capability;
Malicious code protection technology applications:
(1) Endpoint protection:
Endpoint protection usually installs a malicious code protection agent on the endpoint; the agent enforces security controls according to the security policy issued by the endpoint management center.