With the spread of computers and networks, users' awareness of basic computer security has also risen; most users install antivirus software or a firewall so that their computers have some protection. However, antivirus software and firewalls are installed on top of the operating system. Even if a computer has antivirus software and a firewall installed, and its user has good computer habits, an attacker may still exploit a system vulnerability to bypass the firewall and antivirus defenses, seize control of the user's computer, or obtain the user's private information. Operating system updates therefore play a pivotal role in the overall information security of a computer. The operating system usually performs updates automatically, or notifies the user to update the system. However, we found that some malware disables the system's automatic update service, so that the user's operating system cannot be kept up to date. After a patch is released, the system cannot be protected by installing the update, leaving the user's computer exposed to danger.

This thesis takes the Windows XP operating system as its platform, studies how its automatic update service works, and, based on that knowledge, proposes several methods of disabling the update service. It also analyzes several malware samples to understand how they disable the automatic update service, and finally proposes a solution based on System Service Dispatch Table (SSDT) hooking that effectively defends against these attacks.

Nowadays, people rely on personal computers to do many things. They install applications such as antivirus software or a firewall to make their computers safer from attacks. Because antivirus software and firewalls are installed on top of the operating system, if there are bugs in the operating system, attackers can bypass the antivirus software and firewall through those bugs and launch an attack to obtain private user data and control the user's computer. As a consequence, updating the operating system becomes an important part of the overall information security of a computer.

The update is usually performed automatically by the operating system. Users can also update their system when they receive the update notification. But we found that some malware disables the automatic update service of the operating system, so users cannot download the newest patch to protect their own computers in time, which means that both their computers and their data are in danger.

In this paper, we study how the automatic update service runs on a Windows XP system and show approaches to disabling the automatic update service. We also analyze some malware to find out what methods they use to disable the automatic update service. Finally, we propose a solution based on SSDT hooking, named Windows AutoUpdate Service Guardian (WASG), to protect the Windows automatic update service efficiently.