This post was last edited by 冲冲 on 2010.10.6 20:23
I am only at a second-year high school level and my English has never been much good, so feel free to criticize wherever the translation is wrong.
Symantec Maximum Repair (SMR) is a brand new security engine that drives our new Norton Power Eraser recovery tool. It combines aggressive heuristics and advanced removal capabilities to combat the newest and toughest threats. I thought I would share with you some of the background on why we developed this new engine.
The Symantec Maximum Repair engine (SMR for short) is a security engine that drives our Norton Power Eraser. It combines proactive heuristic detection with advanced removal capabilities to fight the newest and hardest-to-handle threats. I will share with everyone some background on why we developed this new engine.
Why the need?
The threat landscape has radically changed over the last few years and that has driven the need for new approaches to protection. Most notable are the following trends:
Why was this new engine needed?
In recent years the Internet threat landscape has changed fundamentally, creating the need for new protection methods. The most notable are the following threat trends:
- A new micro distribution model for malicious threats. A couple of years ago, the norm was to see relatively few threat variants distributed to millions of users. Today, hackers have moved to a micro-distribution model where millions of variants are created and distributed far and wide to very small numbers of victims. In fact it is not unusual today for most victims to get an infection that is unique to their machine. Last year alone, Symantec identified 240 million new threat variants but less than 200 actual new threat families. Hackers are generating these variants in high volume by taking pre-existing threats and packing or encrypting them by using packer kits and custom encryptors, sometimes as often as on a per-download basis. Fake AVs are also being rapidly rebranded with minor cosmetic changes in order to avoid recognition.
- A new distribution pattern for malicious threats: Two or three years ago the picture was relatively few threat variants spread across millions of users; today hackers have shifted to spreading millions of threat variants among very few victims. In fact it is now not unusual for each victim's computer to be infected by a threat unique to it. In the last year alone Symantec intercepted 240 million new threat variants, yet there were actually fewer than 200 threat families. Hackers mass-produce these variants by packing and encrypting existing threats with packer and encryption tools, sometimes changing them on every download. Fake antivirus software is also frequently renamed and reskinned to avoid recognition.
- Advanced Rootkits. Another major change in the threat space is the increased use of advanced rootkit techniques. With profit as an incentive, more and more hackers are willing to push the difficult boundaries of rootkit development and deployment. This can be seen most recently in the spread and evolution of Backdoor.Tidserv and W32.Stuxnet.
- Advanced rootkits: Another major change in Internet threats is the growth in the use of advanced rootkit techniques. For profit, more and more hackers are willing to overcome the difficulties of rootkit development, as can be seen in the recent spread and evolution of threats such as Backdoor.Tidserv and W32.Stuxnet.
- Fake Antivirus. The last few years have seen a proliferation of Fake Antivirus scams. Stealthily installing a Fake AV on an unsuspecting user’s machine has become a highly lucrative “business”, and hackers are using every tool at their disposal to avoid detection in order to maximize profits. Successful distributors can make an average of $130 a day, so it’s no wonder that the threat space has moved to infections involving the installation of Fake AVs. These infections are often multi-layered and difficult to remove as a whole. They often consist of Fake AV components, Trojans that download the Fake AVs, and rootkits that keep the Trojans hidden. While some components are easy to spot and remove, such as the Fake AV GUI, leaving any infection components behind leaves the system vulnerable to being re-infected.
- Fake antivirus software: In recent years fake antivirus scams have kept increasing. Quietly installing fake antivirus software on a user's computer to win the user's trust is a very profitable "business", and hackers use every tool available to them to avoid being detected in order to maximize their profits. Successful "distributors" can earn an average of 130 US dollars a day, so it is no surprise that the threat trend has shifted toward infections that involve installing fake antivirus software. These infections are often multi-layered and hard to remove completely. They are usually made up of the fake antivirus software, the Trojan that downloads it, and the rootkit used to hide the Trojan. While some components (for example the fake antivirus main window) are easy to recognize and remove, leaving any infection component behind leaves the system vulnerable to being infected again.
This new and evolving landscape has created a window of opportunity where extremely aggressive threats can infect customers before antivirus suites can provide full protection.
This new evolution has opened a window of opportunity in which extremely aggressive threats can infect users' computers before antivirus software provides complete protection.
Meeting the challenge
We designed the new heuristic based SMR engine to close this window and stay abreast of the ever-changing threat space. Key design elements of SMR include:
Meeting the challenge
We designed a new heuristic detection engine based on the SMR engine to close this "window" and keep up with the ever-changing threats. The key elements of SMR include:
- A nimble and easily updatable engine. Since the threat space is always changing in order to evade security suites like our own Norton products, we wanted to provide a tool that can be easily updated as well. We started by gathering attributes and data points from thousands of threat families in order to build and tune a broad detection net. This net is constantly tuned using data gathered from the field so that when the threat space moves away from Fake AVs, SMR will evolve and be in position to protect against the next scam. Changing trends in the threat space such as rebranding Fake AVs are easily handled with a definitions update, and having a rapid development cycle means we can react to major changes in infection and rootkit vectors like the .lnk exploit used by the Stuxnet family.
- A light, fast and easily updated engine: Ever since threats began changing constantly to evade detection by security suites (such as our Norton product line), we have also wanted to release a tool that is easy to update. To build and tune a broad detection net, we began by collecting attributes and data points from thousands of threat families. This net is constantly tuned with data collected from the front line, so that when threats move away from fake antivirus software, SMR will evolve and be able to counter the new tricks. Changing threat trends (such as renaming fake antivirus software) are easily handled with a definitions update, and having a rapid development cycle means we can respond quickly to major changes in infection and rootkit vectors (such as the Stuxnet family's exploitation of the Microsoft .lnk automatic file execution vulnerability).
- Able to target infections in their entirety. From the downloaders to the payloads and the rootkits that hide them, today’s infections are complex, utilizing multiple components to orchestrate a profitable outcome for the hackers. SMR is tuned to detect and remove these risks by looking for behavioral patterns such as displaying scareware messaging. More importantly, SMR is tuned to detect the Trojan that got the Fake AV on your system in the first place, as well as the rootkit that’s hiding it. We do this by looking at the evasion techniques modern malware use, such as distributing threats in small numbers, utilizing packers and encryptors, and hiding files and registry keys by using rootkits.
- Able to target the infection as a whole: From the downloader to the payload and the rootkit that hides them, today's infections are complex, using multiple components to produce a profitable outcome for the hackers. SMR is tuned to detect and remove these threats based on a file's behavioral patterns (for example sending scare messages). Most importantly, SMR is tuned to detect the Trojan that installed the fake antivirus software on your computer in the first place, as well as the rootkit that hides it. We achieve this by looking at the concealment techniques that modern malicious code uses (for example distribution only on a small scale, packer and encryption tools, and hiding files and registry entries with rootkits).
- Aggressive detection techniques: One of the challenges that security companies face as threats evolve is the risk of false positive detections. For this reason, sometimes the most aggressive detection techniques cannot always be used. Because SMR is used in a standalone tool reserved for those situations where a machine is very infected, it allows us to be more aggressive in our detection and repair actions. SMR utilizes multiple new heuristic engines and data analysis points in order to detect a broad range of threats. These include packer heuristics, load point analysis, rootkit heuristics, behavioral analysis, distribution analysis, and system configuration monitors. Data-driven algorithms use this information to detect zero-day threats and once found, the SMR engine removes the threats early in reboot so they don’t have a chance to protect or repopulate themselves.
- Proactive detection techniques: As Internet threats evolve, one challenge security vendors face is the harm done by false positives, so the most proactive detection techniques cannot always be used. Because SMR is used as a standalone backup tool, only when a computer is seriously infected does it allow us to be more aggressive in detection and repair. To detect a broad range of threats, SMR uses sophisticated new heuristic detection engines and data analysis points. These include packer heuristics, load point analysis, rootkit heuristics, behavioral analysis, distribution analysis and system configuration monitoring. Data-driven algorithms use this data to detect zero-day threats, and once found, the SMR engine removes these threats first at system restart so they cannot protect themselves or rewrite themselves.
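To make the three analysis points named above concrete (packer heuristics, distribution analysis and load point analysis), here is an added example of a simplified file-triage scorer. It is not Symantec's code and says nothing about how SMR actually weighs its signals: the entropy test stands in for a packer heuristic, the "machines seen" count stands in for distribution analysis, and the autostart flag stands in for load point analysis. The thresholds, the telemetry fields and the sample files are all assumptions constructed for this example.

```python
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Sample:
    name: str            # file name (constructed sample value)
    data: bytes          # file contents (constructed sample value)
    machines_seen: int   # machines that reported this exact file (hypothetical telemetry field)
    is_load_point: bool  # an autostart entry references the file (hypothetical telemetry field)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0; packed or encrypted bodies sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Thresholds are assumptions chosen for this example, not values from SMR.
ENTROPY_PACKED = 7.0   # at or above this the packer heuristic fires
RARE_MACHINES = 5      # at or below this the distribution heuristic fires
CONVICT_SCORE = 4      # minimum combined score to flag a sample


def score_sample(s: Sample) -> tuple[int, list[str]]:
    """Combine three independent signals into one score plus human-readable reasons.

    No single signal is enough on its own: a packed installer that is widespread,
    or a rare but plain text file, stays below the threshold. That is the
    false-positive trade-off the text describes.
    """
    score, reasons = 0, []
    ent = shannon_entropy(s.data)
    if ent >= ENTROPY_PACKED:                      # packer heuristic
        score += 2
        reasons.append(f"entropy {ent:.2f} bits/byte suggests packing or encryption")
    if s.machines_seen <= RARE_MACHINES:           # distribution analysis
        score += 2
        reasons.append(f"seen on only {s.machines_seen} machine(s)")
    if s.is_load_point:                            # load point analysis
        score += 1
        reasons.append("referenced from an autostart location")
    return score, reasons


def triage(samples: list[Sample]) -> list[str]:
    """Names of samples whose combined score reaches CONVICT_SCORE."""
    return [s.name for s in samples if score_sample(s)[0] >= CONVICT_SCORE]


# Constructed sample contents: a byte permutation repeated 16 times has exactly
# 8.0 bits/byte (every value appears equally often) and stands in for a packed body;
# repeated ASCII text stands in for an ordinary, unpacked file.
PACKED_BODY = bytes((i * 131 + 17) % 256 for i in range(4096))
PLAIN_BODY = b"Ordinary configuration text for a benign helper program.\n" * 64

SAMPLES = [
    Sample("unique_autostart.exe", PACKED_BODY, machines_seen=1, is_load_point=True),       # all three fire -> 5
    Sample("popular_installer.exe", PACKED_BODY, machines_seen=50000, is_load_point=False), # packed but widespread -> 2
    Sample("rare_notes.txt", PLAIN_BODY, machines_seen=1, is_load_point=False),             # rare but plain -> 2
    Sample("rare_plain_service.dll", PLAIN_BODY, machines_seen=2, is_load_point=True),      # rare and autostart -> 3
]

if __name__ == "__main__":
    for s in SAMPLES:
        score, why = score_sample(s)
        verdict = "FLAG" if score >= CONVICT_SCORE else "ok"
        print(f"{s.name}: score {score} {verdict}; " + "; ".join(why))
    print("flagged:", triage(SAMPLES))
```

Only the first constructed sample crosses the threshold, because it is simultaneously packed, seen on a single machine and wired into an autostart location. Widening the distribution band or lowering CONVICT_SCORE is exactly the kind of "more aggressive" setting the text says is acceptable in a standalone recovery tool but not in a product that runs on every machine all the time.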
So, if you are infected with a threat, Fake AV or otherwise, give Norton Power Eraser (which is powered by the SMR engine) a shot and let us know what you think. Your feedback is welcome and will help make this free tool more effective against today’s toughest malware.
So if you are infected by fake antivirus software or another threat, try Norton Power Eraser (powered by the SMR engine) and let us know what you think of it. Your feedback is welcome and will help this free tool fight effectively against today's toughest malicious code.