Research and Implementation of a Virtualization-Based Malware Analysis Tool (基于虚拟化的恶意软件分析工具的研究与实现)
Abstract
Malware analysis, the rapid and accurate identification of what a sample does so that it can be removed and the system and other applications protected, is an important security measure. As anti-analysis techniques have matured, malware has come to rely heavily on packing, encryption and obfuscation, which makes analysis increasingly difficult; the analysis of malicious code has become a research focus in information security.
     Current malware analysis tools suffer from insecure analysis environments, limited extensibility, and static and dynamic analysis that are carried out independently of each other, so they cannot meet the demand for analysing malicious code at scale. This thesis therefore sets out to build a malware analysis tool that is secure and reliable, highly extensible, and combines static with dynamic analysis.
     The main work of the thesis is as follows:
     1) Malware analysis and detection methods are studied from both the dynamic and the static side, and their strengths and weaknesses are compared. The anti-analysis techniques used by malware are surveyed, and the goals and requirements of the system are set out.
     2) Common approaches to malware analysis based on system virtualization, their characteristics and the related research are summarised, and the Intel VT hardware virtualization technology used by the implementation is described in detail.
     3) A design for a virtualization-based malware analysis tool is proposed: hardware virtualization is used to build a secure and reliable dynamic analysis environment, and static analysis is combined with it to generate analysis strategies for the dynamic run. A prototype is implemented as a secondary development of the open-source system Ether. The dynamic analysis environment intercepts the state of the running sample at two granularities, system calls and individual instructions, provides debugging control over that state, and performs decryption and unpacking of the sample.
     4) On top of the prototype, program slicing is applied in the static analysis to extract the key information about control-flow transfers, from which multi-path dynamic analysis and debugging strategies for the malicious code are generated, raising code coverage.
     Experiments show that the analysis tool has good adaptability and extensibility, and that the combination of static and dynamic analysis effectively counters anti-analysis techniques such as packing and encryption, completing the analysis and debugging of malicious code.
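The unpacking support described in item 3 rests on a heuristic that instruction- and memory-level tracing makes possible: code a sample writes at run time and then executes is, by definition, a newly revealed layer, and the first instruction executed from the last such layer is the original entry point candidate. The following Python is an added illustration of that write-then-execute logic in the style of the Ether unpacker; it is not code from the thesis or from Ether. The `Step` trace format, the `UnpackMonitor` class and the two-stage packer trace are constructed for this example. The `granularity` parameter shows the caveat a page-table based monitor faces: at 4 KiB page granularity a stub that writes a key into its own code page is misreported as a layer transition, while byte granularity is not fooled.

```python
"""Write-then-execute detection of unpacking layers over an instruction trace.

Added illustration in the style of the Ether unpacker; not code from the thesis.
The trace format (Step) and the sample trace are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Step:
    """One traced instruction: its address and an optional (address, size) memory write."""
    pc: int
    write: Optional[Tuple[int, int]] = None


@dataclass
class Layer:
    """A code layer revealed when control enters memory the sample wrote itself."""
    number: int
    entry: int        # first pc executed from freshly written memory
    dirty: Set[int]   # units (bytes or pages) written since the previous layer


class UnpackMonitor:
    """Records what the sample writes and flags execution from that memory.

    granularity is a shift applied to addresses: 0 tracks single bytes, 12 tracks
    4 KiB pages, which is the unit a shadow-page-table based monitor observes.
    """

    def __init__(self, granularity: int = 0) -> None:
        self.shift = granularity
        self.dirty: Set[int] = set()
        self.layers: List[Layer] = []

    def _unit(self, addr: int) -> int:
        return addr >> self.shift

    def step(self, s: Step) -> Optional[Layer]:
        layer = None
        if self._unit(s.pc) in self.dirty:
            # Control reached memory the sample produced at run time: a layer boundary.
            # A real tool would dump the process image here before continuing.
            layer = Layer(len(self.layers) + 1, s.pc, set(self.dirty))
            self.layers.append(layer)
            self.dirty.clear()
        if s.write is not None:
            addr, size = s.write
            self.dirty.update(self._unit(a) for a in range(addr, addr + size))
        return layer

    def oep_candidate(self) -> Optional[int]:
        """Entry of the last layer: the original entry point once unpacking has finished."""
        return self.layers[-1].entry if self.layers else None


def run(trace: Sequence[Step], granularity: int = 0) -> UnpackMonitor:
    mon = UnpackMonitor(granularity)
    for s in trace:
        mon.step(s)
    return mon


# Constructed trace of a two-stage packer (addresses are illustrative, not from a real sample).
STUB, STAGE2, PAYLOAD, DATA = 0x401000, 0x402000, 0x403000, 0x405000


def sample_trace() -> List[Step]:
    t: List[Step] = [
        Step(STUB + 0x00, write=(STUB + 0xF00, 4)),   # stub stores its key inside its own page
        Step(STUB + 0x08),                            # and keeps executing from that page
    ]
    t += [Step(STUB + 0x10, write=(STAGE2 + i, 4)) for i in range(0, 0x40, 4)]    # decrypt stage 2
    t += [Step(STUB + 0x20), Step(STAGE2)]                                         # jmp STAGE2
    t += [Step(STAGE2 + 0x10, write=(PAYLOAD + i, 4)) for i in range(0, 0x40, 4)]  # decrypt payload
    t += [
        Step(STAGE2 + 0x14, write=(DATA, 8)),   # ordinary data write, never executed
        Step(STAGE2 + 0x20),                    # jmp PAYLOAD
        Step(PAYLOAD),                          # original entry point
        Step(PAYLOAD + 0x08),
    ]
    return t


if __name__ == "__main__":
    for shift in (0, 12):
        mon = run(sample_trace(), shift)
        print(f"granularity shift {shift}: layers at", [hex(l.entry) for l in mon.layers],
              "OEP candidate", hex(mon.oep_candidate()))
```

At byte granularity the monitor reports exactly the two real layers (entries at STAGE2 and PAYLOAD); at page granularity it additionally reports a spurious layer at the stub's second instruction, because the key write landed in the stub's own page. A tool that dumps on every reported transition therefore either tracks writes at finer granularity or filters transitions whose "new" code is the page already executing.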
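Item 4 combines program slicing with multi-path analysis: the slice of a conditional branch tells the analyst which values its outcome depends on, and branches that depend on the environment (the return value of an API such as a tick counter or a debugger check) are the ones worth forcing down the other path on a subsequent run. The Python below is an added illustration of that idea and not the thesis's implementation; it performs a dynamic backward slice over a recorded instruction trace rather than the static slice the thesis describes. The `Insn` register-transfer form, the `ForcePoint` output and the trace (a timing check and an IsDebuggerPresent check guarding a payload) are all constructed for the example.

```python
"""Dynamic backward slicing of branch conditions to plan multi-path exploration.

Added illustration, not the thesis's implementation: it slices a recorded trace and
emits, for each conditional branch whose condition depends on an external input (an
API return value), a request to force the other outcome on the next run.  The Insn
format and the trace below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Insn:
    """One traced instruction in a small register-transfer form."""
    pc: int
    op: str
    dst: Optional[str] = None          # register (or "flags") written; None for branches
    srcs: Tuple[str, ...] = ()         # registers read; immediates are omitted
    extern: Optional[str] = None       # name of the external input when op == "call"
    taken: Optional[bool] = None       # observed outcome for conditional branches


@dataclass
class ForcePoint:
    pc: int
    observed: bool
    force: bool              # outcome to impose on the next run
    inputs: List[str]        # external inputs the condition depends on


def is_cond_branch(ins: Insn) -> bool:
    return ins.op.startswith("j") and ins.op != "jmp"


def backward_slice(trace: List[Insn], idx: int) -> List[int]:
    """Trace positions whose results flow into the operands of trace[idx]."""
    live = set(trace[idx].srcs)
    members: List[int] = []
    for j in range(idx - 1, -1, -1):
        ins = trace[j]
        if ins.dst is not None and ins.dst in live:
            members.append(j)
            live.discard(ins.dst)      # this definition satisfies the use...
            live.update(ins.srcs)      # ...and its own operands become live
    return sorted(members)


def plan_paths(trace: List[Insn]) -> List[ForcePoint]:
    """One ForcePoint per conditional branch that depends on an external input."""
    plan: List[ForcePoint] = []
    for i, ins in enumerate(trace):
        if not is_cond_branch(ins):
            continue
        inputs = [trace[j].extern for j in backward_slice(trace, i) if trace[j].extern]
        if inputs:
            plan.append(ForcePoint(ins.pc, ins.taken, not ins.taken, list(dict.fromkeys(inputs))))
    return plan


# Constructed trace: a timing check (GetTickCount) and a debugger check
# (IsDebuggerPresent) guard the payload; the branch at 0x1014 tests a constant.
TRACE: List[Insn] = [
    Insn(0x1000, "call", dst="eax", extern="GetTickCount"),
    Insn(0x1005, "mov",  dst="ebx", srcs=("eax",)),
    Insn(0x1007, "call", dst="ecx", extern="IsDebuggerPresent"),
    Insn(0x100C, "mov",  dst="edx"),                         # mov edx, imm
    Insn(0x1011, "cmp",  dst="flags", srcs=("edx",)),        # cmp edx, imm
    Insn(0x1014, "jne",  srcs=("flags",), taken=False),      # constant test: no input dependency
    Insn(0x1016, "test", dst="flags", srcs=("ecx",)),
    Insn(0x1018, "jnz",  srcs=("flags",), taken=False),      # IsDebuggerPresent != 0 ?
    Insn(0x101A, "call", dst="eax", extern="GetTickCount"),
    Insn(0x101F, "sub",  dst="eax", srcs=("eax", "ebx")),    # elapsed ticks
    Insn(0x1021, "cmp",  dst="flags", srcs=("eax",)),        # cmp eax, threshold
    Insn(0x1024, "ja",   srcs=("flags",), taken=True),       # too slow: bail out
]


if __name__ == "__main__":
    for fp in plan_paths(TRACE):
        print(f"{fp.pc:#x}: observed taken={fp.observed}, force taken={fp.force}, "
              f"depends on {fp.inputs}")
```

The constant comparison at 0x1014 is correctly left alone, while the debugger check at 0x1018 and the timing check at 0x1024 each yield one force point; a debugger built on instruction-level interception can then re-run the sample and, at those addresses, invert the flag-dependent outcome, which is how a coverage-oriented strategy reaches code hidden behind environment checks without having to emulate the environment itself.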
