共查询到19条相似文献,搜索用时 142 毫秒
1.
自隐藏恶意代码已成为PC平台下急需解决的安全问题,进程隐藏则是这类恶意代码最常用和最基本的规避检测的自隐藏技术。针对这个问题,提出了一种新的基于本地虚拟化技术的隐藏进程检测技术——Gemini。基于该本地虚拟化技术,Gemini在本地化启动的虚拟机中(Local-Booted Virtual Machine)完整重现了宿主操作系统的运行环境,结合隐式的真实进程列表(TVPL)获取技术,Gemini实现了在虚拟机监视器(VMM)内检测宿主操作系统内隐藏进程的能力。测试结果证明了宿主计算环境重现的有效性与隐藏进程检测的完整性。 相似文献
2.
3.
基于内存扫描的隐藏进程检测技术 总被引:2,自引:1,他引:1
针对恶意代码普遍使用Rootkit技术来隐藏自身进程这一特点,提出了基于内存扫描的隐藏进程检测方法。该方法通过对系统高端虚拟内存的扫描,判断其中存在的Windows内核对象的类型,得到可信的系统进程信息,从而实现对隐藏进程的检测。同时,该检测方法可以实现对其他类型的Windows内核对象的扫描,具有一定的扩展性。 相似文献
4.
Windows内核恶意代码是指能够通过改变Windows执行流程或者改变内核审计和簿记系统所依赖的数据结构等手段以达到隐藏自身,实现恶意功能的程序或程序集,对操作系统安全造成很大的危害。对近年来基于NT内核的微软Windows操作系统下恶意代码主要的隐藏实现技术(包括对进程函数、注册表函数、SSDT等的HOOK行为)进行了深入分析研究,提出了一些具有实用价值的恶意代码检测技术方案。实践表明文中提出的恶意代码分析检测技术在实际中具有积极的指导意义。 相似文献
5.
基于HSC的进程隐藏检测技术 总被引:6,自引:3,他引:3
介绍了目前Windows下常见的进程隐藏检测技术,提出了基于截获系统调用(HSC)的进程隐藏检测技术,利用隐藏进程的行为特征,通过截获系统调用建立完整的进程列表来检测隐藏进程,并针对该技术对抗RootKit的攻击提出了改进。该种隐藏进程的检测方法十分可靠,可以检测出常规安全检测工具不能发现的系统恶意程序。 相似文献
6.
程微微 《网络安全技术与应用》2011,(2):28-32
目前恶意代码研究领域普遍使用虚拟机来动态分析恶意代码,然而众多恶意代码都使用了虚拟机检测的技术来对抗。本文首先简单介绍了虚拟机技术,然后对虚拟机检测技术及其相应检测算法进行了研究,最后介绍了一些反虚拟机检测技术。 相似文献
7.
对现有的Windows Rootkit进程隐藏技术进行了研究,提出了基于交叉视图的Rootkit进程隐藏检测技术.该技术通过比较从操作系统的高层和底层获取到的进程列表来检测被Rootkit所隐藏的进程,其中,底层进程列表是通过搜索内存中的内核对象来获得的.实验表明,该技术具有较好的检测效果. 相似文献
8.
对现有的Windows下各种隐藏进程检测技术及其反检测技术进行了研究,提出了基于内存搜索的隐藏进程检测技术,并针对该技术的性能提出了改进。该种检测技术利用进程的固有特征对系统地址空间的遍历建立完整的进程列表来检测隐藏进程。通过实验表明,该技术具有较好的可靠性、检测效率和完整性。 相似文献
9.
利用虚拟机监视器检测及管理隐藏进程 总被引:3,自引:0,他引:3
恶意进程是威胁计算机系统安全的重大隐患,与内核级rootkit合作时具有较强的隐蔽性和不可觉察性.传统的隐藏进程检测工具驻留在被监控系统中,容易受到恶意篡改.为提高检测信息的精确性和检测系统的抗攻击能力,设计并实现一种基于虚拟机监视器的隐藏进程检测系统.该系统驻留在被监控虚拟机外,利用虚拟机自省机制获取被监控主机的底层状态信息,借助语义视图重构技术重构其进程队列,并通过交叉视图的方式比较各进程队列间的差异,从而确定隐藏进程.同时,该系统也提供相应的响应机制,用以汇报隐藏进程的详细信息(包括实际占用内存信息、网络端口等),以及提供终止和挂起隐藏进程的功能.通过对具有隐藏进程能力的rootkit进行实验,证明了系统的有效性和可行性. 相似文献
10.
基于可执行路径分析的隐藏进程检测方法 总被引:1,自引:0,他引:1
韩芳 《计算机与数字工程》2009,37(1):115-117
研究了内核模式下进程隐藏的原理和进程隐藏检测技术。在此基础上,提出了一种Windows操作系统内核模式下基于可执行路径分析(EPA)的隐藏进程检测技术。通过检查某些关键系统函数执行时所用的指令个数,来判断这些函数是否执行了多余的代码,从而断定系统被Windows Rootkit修改过了。利用该方法,可以检测出当前常规安全检测工具不能发现的系统恶意程序的进程隐藏。 相似文献
11.
In this paper we present a cost model to analyze impacts of Internet malware in order to estimate the cost of incidents and risk caused by them. The model is useful in determining parameters needed to estimate recovery efficiency, probabilistic risk distributions, and cost of malware incidents. Many users tend to underestimate the cost of curiosity coming with stealth malware such as email-attachments, freeware/shareware, spyware (including keyloggers, password thieves, phishing-ware, network sniffers, stealth backdoors, and rootkits), popups, and peer-to-peer fileshares. We define two sets of functions to describe evolution of attacks and potential loss caused by malware, where the evolution functions analyze infection patterns, while the loss functions provide risk-impact analysis of failed systems. Due to a wide range of applications, such analyses have drawn the attention of many engineers and researchers. Analysis of malware propagation itself has little to contribute unless tied to analysis of system performance, economic loss, and risks. 相似文献
12.
13.
计算机病毒对抗检测高级技术分析 总被引:1,自引:0,他引:1
从有效防范和清除计算机病毒的目的出发,深入剖析当前流行病毒的复杂性、欺骗性和对抗性特点及其背后的工作机理。研究表明,计算机病毒普遍采用了反代码分析、规避检测、欺骗隐身和暴力对抗四个方面的先进技术对抗安全软件的保护,计算机病毒与反病毒技术的斗争将趋于更加激烈。 相似文献
14.
For pt.I see ibid., vol. 5, no.1, p.67-69 (2007). This article discusses about stealthy software-that is, software that manipulates a computer in some way to avoid some aspect of its operation. The stealth is divided up into roughly three categories: passive, hooking, and hypervisor-based stealth detection. Most stealth malware hides by hooking and redirecting system calls, either at the kernel or the operating system (OS) level. 相似文献
15.
《Security & Privacy, IEEE》2009,7(2):83-86
Our study illustrates that the risk of getting infected by malware that antivirus protection doesn't detect is alarmingly high. New malware that the antivirus engines don't have signatures for is likely to escape detection by a desktop antivirus solution. Taking precautions while using the Internet can protect users only to a certain extent. If they visit the wrong Web site or download a file infected with 0-day malware, they probably won't be protected from infection. The malware specimens that our antivirus packages didn't detect during our two-week exposure period suggest to us that signature-based antivirus software doesn't provide sufficient protection for users who live on the bleeding edge with respect to where they obtain their software. Coupled with the exponential growth of new malware variants, our findings suggest that antivirus vendors have major problems keeping the signature lag within acceptable limits. 相似文献
16.
Osamah L. Barakat Shaiful J. Hashim Raja Syamsul Azmir B. Raja Abdullah Abdul Rahman Ramli Fazirulhisyam Hashim Khairulmizam Samsudin Mahmud Ab Rahman 《Journal in Computer Virology》2014,10(1):1-10
Nowadays, computer based technology has taken a central role in every person life. Hence, damage caused by malicious software (malware) can reach and effect many people globally as what could be in the early days of computer. A close look at the current approaches of malware analysis shows that the respond time of reported malware to public users is slow. Hence, the users are unable to get prompt feedback when reporting suspicious files. Therefore, this paper aims at introducing a new approach to enhance malware analyzer performance. This approach utilizes cloud computing features and integrates it with malware analyzer. To evaluate the proposed approach, two systems had been prepared carefully with the same malware analyzer, one of them utilizes cloud computing and the other left without change. The evaluation results showed that the proposed approach is faster by 23 % after processing 3,000 samples. Furthermore, utilizing cloud computing can open door to crowd-source this service hence encouraging malware reporting and accelerate malware detection by engaging the public users at large. Ultimately this proposed system hopefully can reduce the time taken to detect new malware in the wild. 相似文献
17.
随着P2P技术被广泛地应用在文件共享系统中,有越来越多的蠕虫和病毒等恶意代码通过这些P2P系统快速传播。P2P系统的特性使得恶意代码易传播而难防治。对此,提出一种用于恶意代码防治的激励机制,可以激励网络中的用户提高自身节点对恶意代码的防范能力。这种激励机制可以和现有的P2P文件共享系统相结合,以此来减缓、遏制恶意代码在这些系统内的传播。 相似文献
18.
Linux, is an Unix-like operating system. Although it is used mainly as a server operating system, it is slowly gaining more acceptance amongst end users. It has integrated security features and has the potential to help users protect themselves against malware. However, as we have seen, even Linux is not immune from such attacks.While the number of Windows worms has been increasing exponentially, to date there have only been a handful of malware programs directed at Linux. But as the number of workstation users running Linux increases, and as home users start to be connected via leased lines to the Internet, the situation may change. One indication of such progress was seen earlier this year, when Ramen was spreading Linux systems.This paper concentrates on current Linux malware, and describes the most typical malware seen on a Linux host.
Worms
The first Linux worm found in the wild, namely ADMworm, was reported by CERT®/CC[1] in 1998. It propagated in a fully automated fashion using a buffer overflow vulnerability in bind Domain Name Service server [1], and as such was very similar to the Internet Worm created by Robert Morris. The Morris worm almost shut down the entire Internet in November 1998. It was a VAX/VMS and SunOS based worm that exploited known vulnerabilities in sendmail’s debugging mode, fingerd and rsh/rexec. Within few hours the worm spread allegedly to more than half of the computers on the Internet at that time.This worm is similar to almost all Linux worms today — it is fully automatic, requires no user innovation and uses known vulnerabilities of the host operating system for its replication.[2]Table 1 相似文献19.
恶意代码常常使用一些隐形技术来躲避反病毒软件的检测。然而,采用加密和多态技术的恶意代码已经难以躲避基于特征码和代码仿真技术的检测,而变形技术却呈现出较强的反检测能力。通过对变形技术作深入的分析,详细介绍了变形引擎及其所采用的代码混淆技术,以及当前的变形恶意代码检测技术,并简要分析了变形技术在软件防护领域的应用。 相似文献