近半個世紀以來,資訊安全人員與駭客之間的攻防戰從來沒停歇過,攻擊者不斷嘗試找出更多可利用的安全漏洞,而資安人員則致力於保護使用者的資訊安全。一般最常見也最基本的保護措施即安裝防毒軟體。若是每位防毒軟體使用者都具有基本的資訊安全知識並定期更新病毒碼,攻擊者在撰寫惡意程式時就必須花很多心力避免被防毒軟體偵測到以利於惡意軟體的運作。 因此,惡意軟體自我保護機制也逐漸的發展成形。其中一種常見的惡意軟體自我保護機制為一旦惡意軟體被執行,首要的工作就是將運作環境中的防毒軟體關閉,當防毒軟體被關閉,使用者的電腦保護傘如同虛設,攻擊者便如入無人之境能夠為所欲為,這對使用者的資訊安全將會造成很大的危害。 這篇論文主要針對惡意軟體強制關閉防毒軟體的行為提出防護的方法。我們分析了數隻病毒樣本得到攻擊者常見的攻擊手法,並根據這些攻擊手法設計了一套以SSDT hook為基礎的防護方案。我們提供了一個對系統運作效率影響極低且有效的防禦機制。 In the near several decades, the arms race between malware writers and system security watchmen has become more and more severe. The simplest way for a user to secure her/his computer while using it is to install antivirus software on her/his computer. As antivirus software becomes more sophisticated and powerful, evading the detection of antivirus software becomes an important part of malware. Without a good approach to bypass the detection of antivirus software, before doing any vicious activity, malware may have already been removed by antivirus software. As a result, malware writers have developed various approaches to increase the survivability and stealth of their malware. And many malware self-defense technologies have been implemented. One of these technologies is to disrupt the functionality of security solutions, especially antivirus software. For example, lot of malware terminates antivirus software right after their execution. Without the protection of the terminated security tool, an attacker can do anything on the intruded host. In this paper, we propose a mechanism, called ANtivirus Software Shield (ANSS), to prevent antivirus software from being terminated without the consciousness of the antivirus software users. ANSS uses SSDT hook to intercept specific Windows APIs and analyzes them to filter out hazardous API calls that will viciously terminate antivirus software. Experimental results show that ANSS can protect antivirus software from being terminated by malware used in our experiments with at most 3.5% performance overhead.
