USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：17

、訪客IP：3.144.42.196

姓名

廖世傑(Shih-Chieh Liao) 查詢紙本館藏

畢業系所

資訊工程學系在職專班

論文名稱

USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
(USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm)

相關論文

★ Discoverer- Rootkit即時偵測系統	★ 一項Android手機上詐騙簡訊的偵測與防禦機制
★ SRA系統防禦ARP欺騙劫持路由器	★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統	★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection	★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection	★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences	★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility	★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment	★ PrivacyGuard：A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

由於USB儲存裝置的普遍與便利，加上Windows作業系統支援autorun的功能，導致USB儲存裝置成為新的蠕蟲傳播方式。有別於以往的蠕蟲直接透過網路進行遠端入侵，USB蠕蟲則是利用被廣泛使用的USB儲存裝置從組織內部進行感染，這種感染方式使得網路防火牆與入侵偵測系統形同虛設，也讓全世界的企業與個人遭受到巨大的損失。
在本篇論文中，我們藉由分析USB蠕蟲感染USB儲存裝置的方式，設計出一套可自我散佈的USB蠕蟲偵測機制 ─ USB Worm Killer (UWK)，以解決目前USB蠕蟲的問題。UWK透過DLL Injection與API Hooking的技術，將此機制注入USB儲存裝置裡的autorun.inf所指定執行的可疑行程中，並藉由模擬USB儲存裝置，讓可疑行程誤以為系統中有多個USB儲存裝置存在而嘗試對其寫入autorun.inf與可疑執行檔，一旦可疑行程有上述行為，UWK就會將其判定為USB蠕蟲並中止其執行，以達到防止USB蠕蟲的散佈。

摘要(英)

Due to the widespread-use of the USB storage devices and the autorun function provided by Windows OS, the USB storage devices have become the new spread method used by the USB worms. Differentiated from the past worms scanned the computers directly and intruded in them remotely via the Internet, USB worms could utilize the storage devices to infect the internal computers of the organizations. This infection makes the Internet Firewall and the Network Intrusion Detection System work ineffectively, and it also causes the whole-world entrepreneur suffer the severely tremendous losses as well as the individuals.
In this paper, we present a self-spread USB worm detection system, USB Worm Killer (UWK), to solve the current problems caused by the USB worms. UWK utilizes the DLL Injection and API Hooking techniques to inject itself into the address space of the process which specified by the autorun.inf. UWK also simulates the USB storage devices and catch the request of writing the autorun.inf and worm itself. Once the above request occur, UWK will determine it as an USB worm and terminate it to avoid the spread of the USB worm.

關鍵字(中)

★ Malware偵測
★ DLL Injection
★ API Hooking
★ Security
★ USB蠕蟲

關鍵字(英)

★ Security
★ Malware detection
★ DLL Injection
★ API Hooking
★ USB Worm

論文目次

摘要 .... i
Abstract ...... ii
致謝辭 ...... iii
目錄 .. iv
圖目錄 ...... vi
表目錄 ..... vii
第一章緒論 1
1.1 背景與目的 .... 2
1.2 方法概述 3
1.3 章節架構 3
第二章背景技術 5
2.1 Windows API ... 5
2.2 PE 檔案格式 ... 9
2.2.1 基底位址 .. 10
2.2.2 相對虛擬位址 .. 11
2.2.3 DOS Header ...... 11
2.2.4 PE Header . 12
2.2.5 導出表 ...... 16
2.2.6 導出位址表 ...... 17
2.2.7 導入表 ...... 18
2.2.8 導入位址表 ...... 19
2.3 USB 蠕蟲的特性與常用的技術 ... 21
2.3.1 何謂USB 蠕蟲 .. 22
2.3.2 USB 蠕蟲常用的技術 ....... 22
第三章 UWK 系統設計與實作 25
3.1 DLL Injection . 25
3.2 攔截Windows API 的方式 ... 28
3.2.1 IAT Hooking ....... 28
3.2.2 EAT Hooking ...... 30
3.2.3 Inline Hooking ... 31
3.2.4 SSDT Hooking .... 31
3.3 UWK 系統架構 ..... 32
3.3.1 攔截Windows API 函式 ... 32
3.3.2 UWK 架構說明 . 34
3.3.3 Hook Component ...... 36
3.3.4 Simulation Component ..... 37
3.3.5 Filter Component ...... 38
3.3.6 Spread Component ... 38
3.4 UWK 的限制 . 39
第四章實驗分析 ...... 40
4.1 測試樣本簡介 ...... 40
4.2 Effectiveness 測試 41
4.3 系統效能測試 ...... 42
第五章相關研究 ...... 45
5.1 Signature-Based Malware 偵測 .... 45
5.2 Behavior-Based Malware 偵測 ..... 45
5.3 系統復原機制 ...... 46
第六章結論 ...... 47
6.1 貢獻 ...... 47
6.2 未來工作 ...... 47
參考文獻 . 49
附錄 . 53
A. 2008 年地下數位資產市值 ..... 53
B. Windows 各版本市占率 .. 54
C. 各類Malware 的分佈比例 ...... 55

參考文獻

[1] McAfee Threats Report, Q1 2011
https://secure.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2011.pdf
[2] Anti-Virus Comparative No. 25, Feb 2010
http://www.av-comparatives.org/images/stories/test/ondret/avc_report25.pdf
[3] Microsoft Corp., Overview of the Windows API
http://msdn.microsoft.com/en-us/library/Aa383723
[4] Microsoft Corp., Introduction to Win32/Win64
http://technet.microsoft.com/en-us/library/bb496995.aspx
[5] Microsoft Corp., hooked ShimEng.dll
http://forum.sysinternals.com/hooked-shimengdll_topic18127.html
[6] Microsoft Corp., An In-Depth Look into the Win32 Portable Executable File Format
http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
[7] Microsoft Corp., Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
http://msdn.microsoft.com/en-us/library/ms809762.aspx
[8] Microsoft Corp., Sysinternals
http://technet.microsoft.com/en-us/sysinternals/bb545021
[9] Wikipedia, Autorun
http://en.wikipedia.org/wiki/Autorun
[10] Wikipedia, Computer Virus
http://en.wikipedia.org/wiki/Computer_virus
[11] Wikipedia, DLL Injection
http://en.wikipedia.org/wiki/DLL_injection
[12] Wikipedia, Malware
http://en.wikipedia.org/wiki/Malware
[13] Wikipedia, Native API
http://en.wikipedia.org/wiki/Native_API
[14] Wikipedia, Stuxnet
http://en.wikipedia.org/wiki/Stuxnet
[15] Wikipedia, Timeline of Computer Virus and Worms
http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
[16] Wikipedia, Windows
http://en.wikipedia.org/wiki/Windows
[17] Wikipedia, Windows API
http://en.wikipedia.org/wiki/Windows_API
[18] 「熊貓燒香」病毒設計者出獄　改邪歸正當掃毒顧問
http://www.nownews.com/2010/01/06/162-2555103.htm
[19] 雲端運算安全趨勢blog, 網路犯罪年產值高於全球販毒營收總額
http://domynews.blog.ithome.com.tw/trackbacks/1252/21372
[20] ZDNet, 問世20年，電腦病毒仍無解(上)
http://www.zdnet.com.tw/news/pix/0,2000085677,20086011,00.htm
[21] ZDNet, 問世20年，電腦病毒仍無解(下)
http://www.zdnet.com.tw/news/software/0,2000085678,20086025,00.htm
[22] 旻盛資訊有限公司, 讓電腦遠離USB病毒(1)
http://www.sweb.com.tw/modules/psbb/?op=openthr&id=31
[23] 趨勢科技, 2008 技術通報 - USB病毒防治要點
http://tw.trendmicro.com/tw/support/tech-support/board/tech/article/20080110081233.html
[24] iThome, 天啊！我的隨身碟又中毒了
http://www.ithome.com.tw/itadm/article.php?c=47219&s=1
[25] 不易分析來源與感染途徑的USB病毒
http://www.ithome.com.tw/itadm/article.php?c=47219&s=2
[26] USB病毒成為企業最頭痛的資安漏洞
http://www.ithome.com.tw/itadm/article.php?c=47370
[27] 我的隨身碟中毒了，該怎麼辦
http://netsrv.nutn.edu.tw/isms_web/e-paper/e-paper001.htm
[28] 惡意程式的隱形斗篷-rootkits
http://albertinformation.blogspot.com/2010/03/rootkit.html
[29] USB Worms Top The List of Malware in Q1 2010
https://blog.ironkey.com/?p=976
[30] Process-wide API spying
http://www.codeproject.com/KB/system/api_spying_hack.aspx?msg=918790
[31] IAT Function Hooking
http://sandsprite.com/CodeStuff/IAT_Hooking.html
[32] EAT Hooking
http://0v1.org/forums/topic337.html
[33] UNKNOWN CHEATS, Writing drivers to perform kernel-level SSDT Hooking.
http://www.uc-forum.com/forum/c-and-c/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html
[34] Offensive Computing
http://offensivecomputing.net
[35] PassMark
http://www.passmark.com
[36] 俞甲子, 石凡, 潘愛民, 程式設計師的自我修養碁峯資訊股份有限公司
[37] 段鋼, 加密與解密第三版, 碁峯資訊股份有限公司
[38] 羅雲彬, Windows環境下32位元組合語言程式設計
[39] 陳介文, 許富皓, Antivirus Software Shield against the Antivirus Terminator, 國立中央大學資訊工程系碩士論文
[40] Peter Ferrie. Attacks on Virtual Machine Emulators. Symantec Advanced Threat Research
[41] S. Mukkamala, A. Sung, J. Xu, and P. Chavez. Static analyzer for vicious executables (SAVE). In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC’04), pages 326-334, Tucson, AZ, USA, Dec. 2004.
[42] J. Xu, A. H. Sung, P. Chavez, and S. Mukkamala. Polymorphic malicious executable scanner by API sequence analysis. In Proceedings of the 4th International Conference on Hybrid Intelligent Systems (HIS’04), pages 378-383, Kitakyushu, Japan, Dec. 2004. IEEE Computer Society.
[43] Abhinav Srivastava, Jonathon Giffin. Automatic Discovery of Parasitic Malware. In International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2010
[44] Roberto Paleari, Lorenzo Martignoni, Emanuele Passerini, Drew Davidson, Matt Fredrikson, Jon Giffin, Somesh Jha. Automatic Generation of Remediation Procedures for Malware Infections. USENIX Security Symposium, Aug. 2010
[45] E. Passerini, R. Paleari, and L. Martignoni. How good are malware detectors at remediating infected systems? In 6th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Como, Italy, July 2009.

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2011-8-22

推文