Information security: Principles of malicious code prevention technology.

Malicious code (malware) is program code that violates the security policy of the target system. It can cause information leakage and resource abuse, and it can damage the integrity and availability of the target system.


Table of contents:

Malicious code overview:

(1) Malicious code classification:

(2) Malicious code attack model:

(3) Malicious code survival technology:

(4) Malicious code attack technology:

(5) Malicious code analysis technology:

(6) Malicious code prevention strategy:

Computer virus analysis and protection:

(1) Concept and characteristics of computer viruses:

(2) Composition and operating mechanism of computer viruses:

(3) Common types and technologies of computer viruses:

(4) Computer virus prevention strategies and technologies:

(5) Computer virus protection plan:

Trojan horse analysis and protection:

(1) Concept and characteristics of Trojan horse:

(2) Trojan horse classification:

(3) Trojan horse operating mechanism:

(4) Trojan horse implantation technology:

(5) Trojan horse hiding technology:

(6) Trojan horse survival technology:

(7) Trojan horse prevention technology:

Network worm analysis and protection:

(1) Concept and characteristics of network worms:

(2) Network worm composition and operating mechanism:

(3) Commonly used techniques for network worms:

(4) Network worm prevention technology:

Botnet analysis and protection:

(1) Botnet concepts and characteristics:

(2) Botnet operating mechanism and technology:

(3) Botnet prevention technology:

Other malicious code analysis and protection:

(1) Logic bomb:

(2) Trapdoor:

(3) Bacteria:

(4) Spyware:

Main products and technical indicators of malicious code protection:

(1) Main products for malicious code protection:

(2) Main technical indicators of malicious code protection:

Malicious code protection technology applications:

(1) Endpoint protection:

(2) APT protection:


Malicious code overview:

(1) Malicious code classification:

The main types of malicious code include computer viruses, worms, Trojan horses, logic bombs, bacteria, malicious scripts, malicious ActiveX controls, spyware, etc.

According to their propagation characteristics, malicious code can be divided into two categories: code that can replicate and propagate by itself (computer viruses, network worms and bacteria, as described in the sections below) and code that cannot (Trojan horses, logic bombs, trapdoors and spyware), which instead depends on a user or an attacker to place it on the target.

(2) Malicious code attack model:

Step 1: Invade the system. The first step for malicious code to achieve its purpose is to get into the system. There are many ways in: a program downloaded from the Internet may itself contain malicious code; a maliciously infected email may be received; software installed from removable media such as CDs or floppy disks may carry it; or an attacker may deliberately implant malicious code into the system.

Step 2: Maintain or escalate privileges. The spread and destructive activity of malicious code depend on stealing the legitimate privileges of users or processes.

Step 3: Concealment. To hide the malicious code that has invaded the system, methods such as renaming the malicious code, deleting its source files, or modifying the system's security policy may be used.

Step 4: Lurking. After invading the system, the malicious code waits; once it has sufficient privileges and its trigger conditions are met, it launches its attack and carries out its destructive activity.

Step 5: Destruction. Malicious code is destructive by nature; its aim is to cause information loss or leakage and damage to system integrity.

Step 6: Repeat the previous five steps against a new target.

(3) Malicious code survival technology:

1. Anti-tracking technology:

Malicious code uses anti-tracking techniques to improve its camouflage and its resistance to decryption, which makes it far harder to detect and remove.

Anti-tracking technology can be roughly divided into two categories: anti-dynamic tracking and anti-static analysis.

① Anti-dynamic tracking: disabling the tracing (single-step and breakpoint) interrupts that a debugger relies on; detecting whether a tracer or debugger is attached; other anti-tracking techniques;

② Anti-static analysis: encrypting the program code in blocks that are decrypted only as they execute, so the plaintext code is never fully present on disk; the pseudo-instruction method (inserting junk instructions that mislead the disassembler);
2. Encryption technology:
    
In terms of what is encrypted, there are three encryption methods: information encryption, data encryption, and program code encryption.

3. Fuzzy transformation technology:

Each time the malicious code infects a new object, it applies a fuzzy (obfuscating) transformation so that the code inserted into the host program differs from the previous copy.

Fuzzy transformation techniques are mainly of the following kinds: instruction replacement; instruction compression; instruction expansion; pseudo-instructions; recompilation;

4. Automatic production technology:

Ordinary viruses can be turned into polymorphic viruses with a "polymorphism generator". A polymorphic transformation engine changes the program code itself while preserving its original functionality. For example, the transformation engine of Bulgaria's "Dark Avenger" changes every time a new copy of the malicious code is generated, so its program body is different each time. Anti-malware software that relies only on signature-based scanning cannot detect and remove this kind of malicious code.

5. Deformation technology:

Metamorphic (deformation) technology produces malicious code that has the same function but a different signature in each copy;

Malicious code deformation technology includes the following: reassembly; compression; expansion; recompilation;
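The encryption, fuzzy-transformation, polymorphism and deformation techniques above all have the same effect on a defender: the bytes on disk change from copy to copy while the behaviour does not. The following Python script is an added toy illustration written for this page (it is not code from the original article or from any real malware). It builds several "generations" of a harmless placeholder payload with a randomly chosen decoder operation, a random key and random junk padding, and shows that a plain byte-signature scan misses every copy, while a scan that first runs the decoder (the emulation step of dynamic analysis) catches all of them. The payload text, the signature string and the three decoder transforms are constructed for this example.

```python
import random

# Constructed stand-in for a malicious body; it is only text, not real malware.
PAYLOAD = b"TOY-PAYLOAD: connect back to controller and wait for commands"
# The fixed byte pattern a signature scanner would carry for this "family".
SIGNATURE = b"connect back to controller"

# Three functionally equivalent (encode, decode) byte transforms. Picking one at
# random per generation is the toy analogue of instruction replacement: the
# decryptor "instruction" differs between copies but its effect is identical.
TRANSFORMS = {
    0: (lambda b, k: b ^ k,           lambda c, k: c ^ k),           # XOR / XOR
    1: (lambda b, k: (b + k) & 0xFF,  lambda c, k: (c - k) & 0xFF),  # ADD / SUB
    2: (lambda b, k: (b - k) & 0xFF,  lambda c, k: (c + k) & 0xFF),  # SUB / ADD
}


def generate_variant(payload: bytes, rng: random.Random) -> bytes:
    """Produce one generation: random transform, random key, random junk padding.

    Layout: [transform id][key length][key][junk length][junk][encoded body]
    The junk bytes play the role of pseudo-instructions (do-nothing padding).
    """
    op = rng.choice(sorted(TRANSFORMS))
    key = bytes(rng.randrange(256) for _ in range(rng.randint(4, 16)))
    junk = bytes(rng.randrange(256) for _ in range(rng.randint(0, 32)))
    encode, _ = TRANSFORMS[op]
    body = bytes(encode(b, key[i % len(key)]) for i, b in enumerate(payload))
    return bytes([op, len(key)]) + key + bytes([len(junk)]) + junk + body


def decode_variant(blob: bytes) -> bytes:
    """What the decryptor stub does at run time, and what an emulator reproduces."""
    op, klen = blob[0], blob[1]
    key = blob[2:2 + klen]
    jlen = blob[2 + klen]
    body = blob[3 + klen + jlen:]
    _, decode = TRANSFORMS[op]
    return bytes(decode(c, key[i % len(key)]) for i, c in enumerate(body))


def static_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Pure signature match on the bytes as stored on disk."""
    return signature in blob


def emulated_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Run the decryptor first, then match: the dynamic-analysis counterpart."""
    return signature in decode_variant(blob)


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte string two variants share (simple DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def demo(seed: int = 2024, generations: int = 5) -> dict:
    """Generate several copies and compare static vs. emulated detection."""
    rng = random.Random(seed)  # fixed seed so the demonstration is reproducible
    variants = [generate_variant(PAYLOAD, rng) for _ in range(generations)]
    return {
        "all_decode_correctly": all(decode_variant(v) == PAYLOAD for v in variants),
        "distinct_on_disk": len(set(variants)) == generations,
        "static_hits": sum(static_scan(v) for v in variants),
        "emulated_hits": sum(emulated_scan(v) for v in variants),
        "max_shared_run": max(longest_common_run(variants[i], variants[j])
                              for i in range(generations)
                              for j in range(i + 1, generations)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `max_shared_run` figure is the practical point: once the key, the decoder operation and the padding all vary, the longest byte string common to two copies is only a few bytes, which is too short to serve as a signature. Real polymorphic engines also mutate the decryptor stub itself, which is why scanners moved to emulating the stub and matching the decoded body.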

6. Three-thread technology:

Thread technology is used in malicious code to prevent it from being stopped by external action. A malicious code process opens three threads at the same time: a main thread responsible for remote control, and two monitoring threads that check whether the malicious code program has been deleted or its auto-start entry removed. A daemon thread is injected into another executable file and synchronizes with the malicious code process; as soon as that process is stopped, the daemon restarts it and supplies the main thread with the data it needs, so the malicious code keeps running. "Chinese Hacker" (中国黑客) is malicious code that uses this technique.

7. Process injection technology:

System services and network services of the operating system can generally be loaded automatically during system startup. In order to achieve hiding and activation, the malicious code program embeds itself into processes related to these services. This type of malicious code only needs to be installed once before it can be loaded into the system by the service and can remain active all the time.

8. Communication hiding technology:

There are generally four types of communication hiding technologies to implement malicious code:Port customization technology, port reuse technology, communication encryption technology, and covert channel technology.

9. Kernel-level hiding technology:

LKM hiding: an LKM (Loadable Kernel Module) is a module used to extend Linux kernel functionality; it can be loaded dynamically into memory without recompiling the kernel. Malicious code packaged as an LKM runs inside the kernel and can intercept system calls to hide its own files, processes and connections from user-space tools.

Memory mapping hiding: memory mapping maps a file to a block of memory, so the contents of a file on disk can be read and written with ordinary memory instructions. Memory mapping avoids repeated I/O system calls and reduces unnecessary resource consumption; malicious code exploits it to load and run code without the ordinary file read and write operations that are easy to monitor.


(4) Malicious code attack technology:

1. Process injection technology:

System services and network services are loaded automatically when the operating system starts. Malicious code that has embedded itself into one of these service processes (see process injection under survival technology above) is loaded and activated together with the service.

2. Super management technology:

Some malicious code attacks the anti-malware software directly. Using "super management" techniques, it launches denial-of-service attacks against the anti-malware system and hinders its normal operation. For example, "Guangwai Girl" (广外女生), a domestic Trojan, used super management techniques to conduct denial-of-service attacks against "Kingsoft AntiVirus" (金山毒霸) and "Skynet Firewall" (天网防火墙).


3. Port reverse connection technology:

The malicious code uses port reverse connection so that the attacked server (the controlled end) actively connects out to the attacker's client (the controlling end) port. Because most firewalls restrict inbound connections but allow outbound ones, the connection passes through the firewall.

"Network Thief" (网络神偷) was the earliest malicious code in China to implement port reverse connection.

"Gray Pigeon" (灰鸽子) is the master of this technique: it has built-in server-side online notification via FTP and via domain name, and its server side actively connects to the controller.

4. Buffer overflow attack technology:

Malicious code exploits security vulnerabilities in systems and network services to implant and execute attack code. The attack code overflows a buffer in a program that runs with certain privileges, so that the program ends up executing the attacker's code with those privileges, which gives the attacker control of the attacked host. Example: Code Red, which exploited a buffer overflow in Microsoft IIS.


(5) Malicious code analysis technology:

Malicious code analysis methods consist of static analysis and dynamic analysis. Static analysis examines the sample without executing it (file format and header inspection, strings, disassembly, signature matching); dynamic analysis executes the sample in a controlled environment (sandbox, debugger, virtual machine) and observes its behaviour (file, registry, process and network activity). Obfuscated or encrypted samples defeat static signatures but reveal their decoded form under dynamic analysis.


(6) Malicious code prevention strategy:

Malicious code prevention must be reinforced from both the management side and the technical side.

Computer virus analysis and protection:

(1) Concept and characteristics of computer viruses:

The term "computer virus" borrows from the concept of a virus in biology. A computer virus is a set of program code with the ability to self-replicate and spread.

Computer viruses have the following four basic characteristics: concealment; infectiousness; latency; destructiveness;


(2) Composition and operating mechanism of computer viruses:

A computer virus is composed of three parts: a replication/infection component, a hiding component, and a destruction component. The replication/infection component controls how the virus infects other files; the hiding component keeps the virus from being detected; the destruction component carries out the destructive operation when the virus's activation conditions are met. The virus writer combines these three components, infects a system with a virus that current anti-virus software cannot detect, and the virus then gradually begins to spread.

The life cycle of a computer virus has two main stages: the first is the replication and propagation stage; the second is the activation stage.

(3) Common types and technologies of computer viruses:

1. Boot virus: A boot virus takes control of the system by infecting the boot sector of the computer system. The virus modifies or replaces the actual boot-sector content so that the virus code runs first when the machine starts, and only then is the operating system started. Boot viruses are usually memory-resident. Typical boot viruses include Disk Killer and AntiExe.


2. Macro virus: A macro virus is written in an application's macro language and spreads through documents; it can infect any computer running Office.


3. Polymorphic virus: Each time a polymorphic virus infects a new object, it changes its form by changing the encryption algorithm or key, so the body is different in every copy.


4. Stealth viruses: A stealth virus tries to hide its own presence so that neither the operating system nor anti-virus software can detect it.


(4) Computer virus prevention strategies and technologies:

1. Find the source of computer viruses;

2. Block the spread of computer viruses;

3. Actively detect and kill computer viruses;

4. Computer virus emergency response and disaster recovery;


(5) Computer virus protection plan:

1. Stand-alone computer virus protection;

2. Network-based computer virus protection;

3. Network-based hierarchical virus protection;

4. Email-gateway-based virus protection;

5. Gateway-based protection;


Trojan horse analysis and protection:

(1) Concept and characteristics of Trojan horse:

A Trojan horse (Trojan for short) takes its name from the Trojan Horse of the Trojan War in ancient Greek mythology. It is a malicious program that disguises itself and covertly performs illicit functions, while what the victim user sees on the surface is the execution of a legitimate function.

It disguises itself as a legitimate program or file, is implanted into the system, and poses a serious threat to the security of the network system.

Compared with computer viruses and network worms, Trojan horses cannot propagate themselves; they rely on other propagation mechanisms. Once a computer is compromised by a Trojan horse, the attacker can remotely control the victim computer to varying degrees, for example by accessing it, executing commands on it, or using it to conduct DDoS attacks.

(2) Trojan horse classification:

Based on how Trojans are managed, they can be divided into local Trojans and network Trojans.

Local Trojans are the earliest type. A local Trojan runs only on a single local host and has no remote communication function. Its attack environment is a multi-user system; a typical example is a password-stealing Trojan on a multi-user UNIX system.

Network Trojan horse refers to a type of Trojan horse that has network communication connection and service functions, referred to as network Trojan horse.

(3) Trojan horse operating mechanism:

The entire Trojan attack process is mainly divided into five parts: ① Finding the attack target; ② Collecting information about the target system; ③ Implanting the Trojan into the target system; ④ Hiding the Trojan; ⑤ Realizing the attack intention;

(4) Trojan horse implantation technology:

Trojan horse implantation methods can be divided into two categories: passive implantation and active implantation;

Passive implantation means that the Trojan program is installed into the target system through human intervention: the implantation process depends on a manual action by the victim user;

① File bundling method: Bundle the Trojan horse into some commonly used application software packages. When the user installs the software package, the Trojan horse is implanted into the system without the user being aware of it.

② Email attachment: The Trojan designer disguises the Trojan program as an email attachment and sends it to the target user. If the user executes the attachment, the Trojan horse is implanted into the system.

③ Web page: The Trojan program is hidden in an HTML file; when the victim opens the web page, the Trojan is implanted into the target system.
   
Active implantation refers to the active attack method. The Trojan program is automatically installed into the target system through the program. The implantation process does not require the victim's operation.

(5) Trojan horse hiding technology:

1. Local activity behavior hiding technology:File hiding; process hiding; communication connection hiding;

2. Remote communication process hiding technology: Communication content encryption technology; Communication port reuse technology; Network covert channel;


(6) Trojan horse survival technology:

The survival of a Trojan horse depends on its ability to evade security monitoring. Some network Trojans use anti-monitoring techniques when invading the target system, and may even terminate anti-Trojan programs.

Some advanced Trojans have port reverse connection capability, for example "Boinet", "Network Thief" (网络神偷) and "Gray Pigeon" (灰鸽子). Port reverse connection means that the Trojan agent on the target system actively connects outward to the remote Trojan controller, which evades the restrictions of firewalls that block inbound connections but allow outbound ones.


(7) Trojan horse prevention technology:

1. Detecting Trojans by inspecting open ports;

2. Detecting Trojans by checking important system files;

3. Detecting Trojans by checking the system registry;

4. Detecting Trojans that have hiding capabilities;

5. Network-based Trojan detection;

6. Network-based Trojan blocking;

7. Trojan removal;
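Techniques 1, 2, 3 and 5 above, together with the reverse-connection behaviour described under survival technology, can be turned into concrete host checks. The following Python audit is an added example written for this page; it is not part of the original article or of any product. It runs over a constructed connection table (in the spirit of `netstat -ano` output), a constructed set of system-file digests and a constructed Run-key listing, so it executes offline. The listener allowlist, the "common outbound ports", the client process names and the "user-writable path" pattern are assumptions standing in for a real site policy.

```python
import hashlib
import re

# ---- 1. Open ports and connections (techniques 1 and 5; reverse connection) ----
EXPECTED_LISTENERS = {135, 139, 445, 3389}      # assumed host policy: ports allowed to listen
COMMON_OUTBOUND = {53, 80, 443, 25, 587, 993}    # remote ports ordinary client software uses
NETWORK_CLIENTS = {"chrome.exe", "firefox.exe", "outlook.exe", "svchost.exe"}

# Constructed snapshot of a host's connection table; not taken from a real machine.
CONNECTIONS = [
    {"pid": 412,  "proc": "svchost.exe",  "laddr": "10.0.0.5:49712", "raddr": "13.107.4.50:443",   "state": "ESTABLISHED"},
    {"pid": 3320, "proc": "chrome.exe",   "laddr": "10.0.0.5:49801", "raddr": "142.250.74.14:443", "state": "ESTABLISHED"},
    {"pid": 5180, "proc": "rundll32.exe", "laddr": "10.0.0.5:49903", "raddr": "203.0.113.7:8080",  "state": "ESTABLISHED"},
    {"pid": 5180, "proc": "rundll32.exe", "laddr": "0.0.0.0:31337",  "raddr": "",                  "state": "LISTENING"},
    {"pid": 4,    "proc": "System",       "laddr": "0.0.0.0:445",    "raddr": "",                  "state": "LISTENING"},
]


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def audit_connections(table):
    findings = []
    for c in table:
        if c["state"] == "LISTENING" and port_of(c["laddr"]) not in EXPECTED_LISTENERS:
            findings.append(f"unexpected listener: pid={c['pid']} {c['proc']} port={port_of(c['laddr'])}")
        elif c["state"] == "ESTABLISHED":
            # A reverse-connecting Trojan dials out, so look at who talks out and to where.
            if port_of(c["raddr"]) not in COMMON_OUTBOUND or c["proc"] not in NETWORK_CLIENTS:
                findings.append(f"possible reverse connection: pid={c['pid']} {c['proc']} -> {c['raddr']}")
    return findings


# ---- 2. Important system files (technique 2) ----
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed files: digests recorded on a known-good system, and the current contents.
BASELINE = {
    r"C:\Windows\System32\drivers\etc\hosts": sha256_hex(b"127.0.0.1 localhost\r\n"),
    r"C:\Windows\System32\userinit.exe":      sha256_hex(b"MZ...userinit-original..."),
}
CURRENT_FILES = {
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\r\n0.0.0.0 av-update.example\r\n",
    r"C:\Windows\System32\userinit.exe":      b"MZ...userinit-original...",
}


def audit_files(baseline, current):
    """baseline: {path: sha256 hex}; current: {path: bytes}. Reports missing and modified files."""
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append(f"missing system file: {path}")
        elif sha256_hex(current[path]) != digest:
            findings.append(f"modified system file: {path}")
    return findings


# ---- 3. Registry autorun entries (technique 3) ----
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|ProgramData|Public)\\", re.IGNORECASE)

# Constructed HKCU\...\Run values, plus the entries the administrator has approved.
RUN_KEY = {
    "OneDrive":       r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater":        r"C:\Users\alice\AppData\Local\Temp\svch0st.exe",
}
APPROVED_RUN = {
    "OneDrive":       RUN_KEY["OneDrive"],
    "SecurityHealth": RUN_KEY["SecurityHealth"],
}


def audit_autoruns(entries, approved):
    findings = []
    for name, cmd in entries.items():
        if approved.get(name, "").lower() == cmd.lower():
            continue  # exact match against the approved baseline
        where = "user-writable path" if USER_WRITABLE.search(cmd) else "not in approved baseline"
        findings.append(f"unapproved autorun ({where}): {name} = {cmd}")
    return findings


def run_audit():
    return (audit_connections(CONNECTIONS)
            + audit_files(BASELINE, CURRENT_FILES)
            + audit_autoruns(RUN_KEY, APPROVED_RUN))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

One caveat ties this to technique 4: a Trojan with kernel-level hiding subverts the very APIs that the connection table, the registry view and the file listing come from, so a clean result from these checks is only trustworthy when it is cross-checked from outside the host, for example against a network sensor's view of the same connections or against an offline disk image.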


Network worm analysis and protection:

(1) Concept and characteristics of network worms:

A network worm is a malicious program that can replicate and propagate itself and runs independently and automatically, without needing a host program.


(2) Network worm composition and operating mechanism:

A network worm consists of four functional modules: the probe module, the propagation module, the worm engine module, and the payload module.

Probe module: performs vulnerability detection against a specific host and decides which attack and penetration method to use.

Propagation module: generates worm copies in various forms and delivers them from one host to another.

Worm engine module: decides which search algorithm to use to gather information about the local machine or the target network, including local system information, user information, mailing lists, hosts trusted by or authorized for the local machine, the topology of the local network, border routing information, etc. This information may be used by the worm alone or shared with other worm instances.

Payload module: the code the worm carries to perform its actual function once it has spread.

(3) Commonly used techniques for network worms:

1. Network worm scanning technology: worm propagation methods are divided into three categories: random scanning (addresses are picked at random from the whole address space), sequential scanning (the address space is walked in order), and selective scanning (targets are chosen from information the worm already has, such as the local subnet, hosts the victim trusts, or a prepared hit list).

2. Network worm vulnerability exploitation technology: trust-relationship vulnerabilities between hosts; program vulnerabilities on the target host; default users and passwords on the target host; weak security awareness of target host users; client program configuration vulnerabilities on the target host;


(4) Network worm prevention technology:

Network worms have become a major threat to network systems. Defending against them requires the combined application of multiple techniques; the main worm detection and defense techniques of recent years include worm monitoring and early warning, worm propagation suppression, automatic repair of the vulnerabilities worms exploit, and worm blocking.
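Random, sequential and selective scanning leave different footprints in flow records, and worm monitoring and early warning largely comes down to noticing that fan-out quickly. The Python script below is an added example, not part of the original article. It builds a constructed set of flow records for four internal hosts (one scanning sequentially, one scanning random Internet addresses, one scanning picked hosts in its own /24, and one browsing normally), raises an alert when a source reaches 10 distinct targets on one port within 60 seconds, labels the scan pattern with a simple heuristic, and maps each alert to a containment action. The thresholds, the sample addresses and the containment wording are assumptions.

```python
import ipaddress
import random
from collections import defaultdict

FANOUT_THRESHOLD = 10   # distinct targets on one port from one source within the window
WINDOW_SECONDS = 60


def build_sample_flows():
    """Constructed flow records (timestamp seconds, src, dst, dst port); not real traffic."""
    flows = []
    # Host A: sequential scan of 10.0.1.1 .. 10.0.1.20 on tcp/445 within 10 seconds
    for i in range(1, 21):
        flows.append((100 + i * 0.5, "10.0.0.5", f"10.0.1.{i}", 445))
    # Host B: random scan of Internet addresses on tcp/445 (seeded, so reproducible)
    rng = random.Random(7)
    for i in range(15):
        dst = f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        flows.append((200 + i, "10.0.0.9", dst, 445))
    # Host C: selective scan of 12 chosen hosts in its own /24, in shuffled order
    targets = [f"10.0.0.{n}" for n in (3, 7, 11, 15, 19, 23, 27, 31, 35, 39, 43, 47)]
    rng.shuffle(targets)
    for i, dst in enumerate(targets):
        flows.append((300 + i, "10.0.0.12", dst, 445))
    # Host D: ordinary browsing, a handful of destinations on tcp/443
    for i, dst in enumerate(["142.250.74.14", "13.107.4.50", "151.101.1.69"]):
        flows.append((400 + i * 5, "10.0.0.20", dst, 443))
    return flows


def classify_targets(src: str, dsts) -> str:
    """Heuristic: consecutive addresses => sequential; all inside the source's /24 => selective; else random."""
    nums = sorted(int(ipaddress.ip_address(d)) for d in dsts)
    if all(b - a == 1 for a, b in zip(nums, nums[1:])):
        return "sequential"
    local = ipaddress.ip_network(f"{src}/24", strict=False)
    if all(ipaddress.ip_address(d) in local for d in dsts):
        return "selective (local subnet)"
    return "random"


def detect_scanners(flows):
    """Alert per source once it touches FANOUT_THRESHOLD distinct hosts on one port inside WINDOW_SECONDS."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for (src, dport), recs in by_key.items():
        recs.sort()
        for i, (ts, _) in enumerate(recs):
            window = {d for t, d in recs[i:] if t - ts <= WINDOW_SECONDS}
            if len(window) >= FANOUT_THRESHOLD:
                alerts[src] = {"port": dport, "targets": len(window),
                               "pattern": classify_targets(src, window)}
                break
    return alerts


def containment_actions(alerts):
    """Propagation suppression: the ACL a border router or switch would apply per alert (assumed policy)."""
    return [f"isolate {src} and block outbound tcp/{a['port']} from it" for src, a in alerts.items()]


if __name__ == "__main__":
    found = detect_scanners(build_sample_flows())
    for src, info in found.items():
        print(src, info)
    for action in containment_actions(found):
        print(action)
```

Sequential and selective scanners show up first in internal flow data because their probes land on neighbouring addresses; random scanners are often caught earlier by a darknet or unused-address sensor, since most of the address space they probe is empty. Either way, the alert should feed the blocking step directly, because a worm's propagation rate is set by how many new hosts it reaches before the first block is in place.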

Botnet analysis and protection:

(1) Botnet concepts and characteristics:

A botnet is a network in which an attacker uses intrusion techniques to implant bot programs on target computers and then controls the victim machines to carry out malicious activities.

Botnets are mainly built through remote vulnerability exploitation, weak-password scanning and intrusion, email attachments, malicious documents, file sharing, etc.

(2) Botnet operating mechanism and technology:

The operating mechanism of a botnet consists of three basic steps.

Step 1: Propagation of the bot program. The bot is spread to computers in the target network by exploiting vulnerabilities in computer network systems, by social engineering, through crimeware kits, and by similar means.

Step 2: Remote command and control of the bot programs, organizing the victim machines into a network. Botnets may be centralized or distributed, and the communication protocols between the bots and the controller include IRC and HTTP.

Step 3: The attacker sends attack commands to the bots through the botnet's control server, and the bots carry out the attack, such as sending spam or launching DDoS attacks.

To protect itself, a botnet encrypts the communication between its control server and its bots and embeds that traffic in normal HTTP traffic, to keep the server covert and anonymous. The control server and the bots also use authentication mechanisms to guard against forged or tampered control messages.
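Because the bot-to-controller traffic is encrypted and wrapped in ordinary HTTP, content inspection has little to work with; what remains observable is the regularity with which a bot checks in. The following Python script is an added example, not part of the original article. It parses constructed proxy log lines, groups requests by client and destination host, and flags a pair as beaconing when it has at least six requests whose inter-arrival times have a coefficient of variation below 0.15; a constant response size is reported as a secondary signal. The log format, the thresholds and the host names are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

MIN_BEACONS = 6        # enough requests to judge regularity
MAX_JITTER_CV = 0.15   # stdev/mean of the intervals below this looks machine-driven

# Constructed proxy log lines: "<time> <client> <method> <url> <status> <bytes>". Not real traffic.
# 10.0.0.5 polls one host about every 60 s with an identical-size reply; 10.0.0.8 is a person browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:00:07Z 10.0.0.8 GET https://news.example.com/ 200 48211
2024-03-01T10:01:00Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:01:30Z 10.0.0.8 GET https://news.example.com/sports 200 39120
2024-03-01T10:02:01Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:02:59Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:03:00Z 10.0.0.8 GET https://mail.example.com/inbox 200 20010
2024-03-01T10:04:00Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:05:02Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:06:00Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:06:58Z 10.0.0.5 GET http://cdn-stat.example.net/update.php 200 512
2024-03-01T10:09:45Z 10.0.0.8 GET https://news.example.com/ 200 48300
2024-03-01T10:15:10Z 10.0.0.8 GET https://mail.example.com/inbox 200 20100
2024-03-01T10:15:12Z 10.0.0.8 GET https://mail.example.com/msg/42 200 9000
2024-03-01T10:15:13Z 10.0.0.8 GET https://mail.example.com/msg/43 200 9100
2024-03-01T10:20:00Z 10.0.0.8 GET https://news.example.com/tech 200 40000
"""


def parse_line(line: str):
    """Return (timestamp, client, destination host, response bytes) for one log line."""
    ts, client, _method, url, _status, nbytes = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, urlsplit(url).hostname, int(nbytes))


def find_beacons(log_text: str):
    """Return {(client, host): stats} for client/host pairs whose request timing is suspiciously regular."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            t, client, host, nbytes = parse_line(line)
            series[(client, host)].append((t, nbytes))
    beacons = {}
    for key, recs in series.items():
        if len(recs) < MIN_BEACONS:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= MAX_JITTER_CV:
            beacons[key] = {
                "count": len(recs),
                "period_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
                "constant_size": len({n for _, n in recs}) == 1,   # encrypted heartbeats tend to be fixed-size
            }
    return beacons


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats}")
```

Legitimate software updaters and monitoring agents also poll on a fixed period, so a beacon alert is a lead for the botnet detection step rather than proof; the usual follow-up is to check the destination against known-good updaters and against threat intelligence, and to look at the same client for the other botnet signs listed above (spam output, participation in a DDoS). Bots that randomize their sleep interval raise the jitter deliberately, which is why the threshold here is a site parameter rather than a constant.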

(3) Botnet prevention technology:

1. Botnet threat monitoring;

2. Botnet detection;

3. Active botnet containment;

4. Bot program detection and removal;


Other malicious code analysis and protection:

(1) Logic bomb:

A logic bomb is a piece of program code embedded in other software that has the ability to trigger destructive execution. Its trigger conditions take many forms, including counter-based, time-based, file-based, and access-by-a-specific-user triggers. The logic bomb executes its destructive function only after the trigger condition is satisfied.

Once triggered, a logic bomb may delete files, stop services, or interrupt running software. A logic bomb cannot replicate itself and cannot infect other programs.


(2) Trapdoor:

A trapdoor is a piece of code in a software system that allows a user to bypass the system's security mechanisms and access the system. A trapdoor is activated by a special command and is generally hard to discover. Trapdoors are usually functions set up by the software vendor for debugging programs and maintaining systems. A trapdoor has no automatic propagation or self-replication capability.

(3) Bacteria:

Bacteria are independent programs that can replicate themselves. Although bacteria do not directly attack any software, they consume system resources by replicating themselves.

(4) Spyware:

Spyware generally refers to software installed on a computer without the user's knowledge that performs functions the user does not expect. Such software can generate pop-up advertisements and redirect the user's browser to unfamiliar websites.

Spyware also has information-collecting capabilities: it can record the user's keystrokes and browsing habits, and even steal personal information (such as account names and passwords, or credit card numbers) and send it to the attacker over the Internet. In general, spyware does not self-replicate.

Main products and technical indicators of malicious code protection:

(1) Main products for malicious code protection:

1. Endpoint protection products;

2. Security gateway products;

3. Malicious code monitoring products;

4. Malicious code protection products: patch management systems;

5. Malicious code emergency response;


(2) Main technical indicators of malicious code protection:

1. Malicious code detection capability;

2. Malicious code detection accuracy;

3. Malicious code blocking capability;


Malicious code protection technology applications:

(1) Endpoint protection:

Endpoint protection usually installs a malicious code protection agent on each endpoint; the agent enforces security controls according to the security policy distributed by the endpoint management center.


(2) APT protection:

An advanced persistent threat (APT) usually uses email as the way into the target system. The attacker embeds malicious code in an email and sends it to the target group, luring recipients to open a malicious document or click a link that points to a malicious site. Once a recipient takes the bait, the malicious code is installed on their computer, giving the attacker remote control of it, from which the attacker gradually penetrates the recipient's network to achieve the attack objective.
Reference book: Information Security Engineer Tutorial (信息安全工程师教程).

Origin blog.csdn.net/weixin_54977781/article/details/133337660