Analysis and Detection System for Highly Obfuscated Web Trojan Pages
[Abstract]: Web Trojans exploit vulnerabilities in operating systems, browsers and related applications to spread and cause damage. To evade detection, the malicious code of a web Trojan is usually obfuscated to some degree. With the growth of the Internet, web Trojans spread faster, their obfuscation techniques grow more complex, and the harm they cause grows more serious, so they have become a key topic in information security. Faced with a rising number of web Trojans and an endless stream of obfuscation and detection-evasion techniques, current detection methods show many shortcomings. This paper first describes the mechanism of highly obfuscated web Trojans: their composition, origin and detailed attack process. It then summarizes JavaScript, VBScript and Java obfuscation methods, covering both common obfuscation methods and the latest obfuscation techniques. Next it describes the anti-detection techniques of highly obfuscated web Trojans, such as operating-system fingerprinting, domain-name abuse and anti-honeypot techniques, and it describes the vulnerability-exploitation and payload components of highly obfuscated web Trojans. Based on this study of the mechanism and characteristics of highly obfuscated web Trojans, the paper proposes a de-obfuscation method that hooks key browser functions, which obtains the decoded source code without actually executing the malicious code on the system. The de-obfuscated source code is then examined with dynamic and static detection: the dynamic method mainly checks whether the source code contains shellcode, while the static methods comprise code feature statistics, code feature matching and URL feature matching; together they yield the web Trojan detection result.
On this basis, the paper builds a web Trojan detection system that combines dynamic and static detection. The system runs on a Linux platform, using a VirtualBox virtual machine with a Sandboxie sandbox running inside it. The benefits of this dual virtual architecture are fast recovery, low overhead and high security. Finally, experiments were carried out and the system was compared with similar web Trojan detection systems. The experimental results show that the system detects various types of highly obfuscated web Trojan more effectively, with higher accuracy, better generality and better performance.
[Degree-granting institution]: Shanghai Jiao Tong University
[Degree level]: Master
[Year awarded]: 2014
[Classification number]: TP393.08
Record number: 2302446
Link: https://www.wllwen.com/guanlilunwen/ydhl/2302446.html