Master's/Doctoral Thesis 985202072: Detailed Record
Author: 陳介文 (Chieh-wen Chen)
Department: Computer Science and Information Engineering
Thesis title: (Antivirus Software Shield against Antivirus Terminators)
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ SRA: A System for Defending Routers Against Hijacking by ARP Spoofing
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-time Serum System: An Automated Worm-Curing System with an Aggressive Firewall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
★ PrivacyGuard: A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing
Files: full text is marked as never to be released.
Abstract (Chinese) For nearly half a century, the battle between information security personnel and hackers has never ceased: attackers keep trying to find more exploitable security vulnerabilities, while security personnel devote themselves to protecting users' information security. The most common and most basic protective measure is to install antivirus software. If every antivirus user had basic security knowledge and updated virus signatures regularly, attackers writing malware would have to spend a great deal of effort avoiding detection by antivirus software in order for the malware to operate.
Consequently, malware self-protection mechanisms have gradually taken shape. One common self-protection mechanism is that, once the malware is executed, its first task is to shut down the antivirus software in the running environment. When the antivirus software is shut down, the user's protective umbrella becomes useless, and the attacker can roam freely and do as they please, which seriously endangers the user's information security.
This thesis proposes a protection method against the behaviour of malware that forcibly terminates antivirus software. We analysed several virus samples to obtain the attack techniques commonly used by attackers and, based on these techniques, designed a protection scheme built on SSDT hooking. We provide an effective defence mechanism with very low impact on system performance.
Abstract (English) In recent decades, the arms race between malware writers and system security watchmen has become more and more severe. The simplest way for a user to secure her/his computer is to install antivirus software. As antivirus software becomes more sophisticated and powerful, evading its detection has become an important part of malware. Without a good approach to bypassing antivirus detection, malware may be removed by the antivirus software before it can do anything vicious.
As a result, malware writers have developed various approaches to increase the survivability and stealth of their malware, and many malware self-defense technologies have been implemented. One of these technologies is to disrupt the functionality of security solutions, especially antivirus software. For example, a lot of malware terminates antivirus software right after execution. Without the protection of the terminated security tool, an attacker can do anything on the intruded host.
In this paper, we propose a mechanism, called ANtivirus Software Shield (ANSS), to prevent antivirus software from being terminated without the awareness of its users. ANSS uses SSDT hooking to intercept specific Windows APIs and analyzes them to filter out hazardous API calls that would viciously terminate antivirus software. Experimental results show that ANSS can protect antivirus software from being terminated by the malware used in our experiments, with at most 3.5% performance overhead.
Keywords (Chinese) ★ antivirus software
★ information security
Keywords (English) ★ antivirus software
★ security
Table of contents
Abstract (Chinese)
Abstract (English)
Table of Contents
List of figures
List of tables
1 Introduction
2 Background Knowledge
2.1 Malware self protection mechanism
2.2 Concept of Windows API
2.3 Ways to terminate antivirus software
2.4 Related work
2.4.1 Registry monitor
2.4.2 Process protected
3 Design
3.1 Ways to intercept Windows API
3.2 ANSS Structure
3.2.1 Interceptor of ANSS
3.2.2 Filter of ANSS
3.2.3 Blocker of ANSS
3.2.4 Testbed Setup
3.3 Limitation
4 Discussion
4.1 Sample Analysis and Discussion
4.2 Effect Test
4.3 Performance Evaluation
5 Conclusion
References
Advisor: 許富皓 (Fu-hau Hsu)
Approval date: 2011-7-20