You can run this through Google's web page translation.
CWSandbox - Behavior-based Malware Analysis http://eureka.cyber-ta.org/
Short summary
Malicious software artifacts like viruses, worms and bots are currently one of the largest threats to the security of the Internet. Upon discovery, such malware must be analyzed to determine the danger which it poses. Because of the speed at which malware spreads and the large number of new malware samples which appear every day, malware analysis calls for automation. CWSandbox is an approach to automatically analyze malware which is based on behavior analysis: malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored. From these observations, CWSandbox is able to automatically generate a detailed report which greatly simplifies the task of a malware analyst.
Motivation
Software artifacts that serve malicious purposes are usually termed malware. Particularly menacing is malware that spreads automatically over the network from machine to machine by exploiting known or unknown vulnerabilities. Such malware is not only a constant threat to the integrity of individual computers on the Internet. In the form of botnets, for example, which can bring down almost any server through distributed denial of service, the combined power of many compromised machines is a constant danger even to uninfected sites.
Malware is notoriously difficult to combat. Usually, security products such as virus scanners look for characteristic byte sequences (signatures) to identify malicious code. However, malware has become more and more adept at avoiding detection by changing its appearance, for example in the form of poly- or metamorphic worms. The rate at which new malware appears on the Internet is also still very high. Furthermore, flash worms pose a novel threat in that they stealthily perform reconnaissance for vulnerable machines for a long time without infecting them, and then all of a sudden pursue a strategic and coordinated spreading plan by infecting thousands of vulnerable machines within seconds.
In the face of such automated threats, security researchers cannot combat malicious software using traditional methods of decompilation and reverse engineering by hand.
Automated malware must be analyzed:
Automatically
Effectively
Correctly
Automation means that the analysis tool should create a detailed analysis report of a malware sample quickly and without user intervention. A machine-readable report can in turn be used to initiate automated response procedures like updating signatures in an intrusion detection system, thus protecting networks from new malware samples on the fly. Effectiveness of a tool means that all relevant behavior of the malware should be logged; no executed functionality of the malware should be overlooked. This is important to realistically assess the threat posed by the malware sample. Finally, a tool should produce a correct analysis of the malware, i.e., every logged action should in fact have been initiated by the malware sample, to avoid false claims about it.
CWSandbox is a tool for malware analysis that fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems:
Automation is achieved by performing a dynamic analysis of the malware. This means that malware is analysed by executing it within a simulated environment (sandbox), which works for any type of malware in almost all circumstances. A drawback of dynamic analysis is that it only analyses a single execution of the malware. This is in contrast to static analysis, in which the source code is analysed, thereby allowing one to observe all executions of the malware at once. Static analysis of malware, however, is rather difficult since the source code is commonly not available. Even if the source code were available, one could never be sure that no undocumented modifications had been made to the binary executable. Static analysis at the machine code level is often extremely cumbersome since malware often uses code-obfuscation techniques like compression, encryption or self-modification to evade decompilation and analysis.
Effectiveness is achieved by using the technique of API hooking. API hooking means that calls to the Win32 application programmers' interface (API) are re-routed to the monitoring software before the actual API code is called, thereby creating insight into the sequence of system operations performed by the malware sample. API hooking ensures that all those aspects of the malware behavior are monitored for which the API calls are hooked. API hooking therefore guarantees that system level behavior (which at some point in time must use an API call) is not overlooked unless the corresponding API call is not hooked.
API hooking can be bypassed by programs which directly call kernel code in order to avoid using the Windows API. However, this is rather uncommon in malware, as the malware author needs to know the target operating system, its service pack level and some other information in advance. Our empirical results show that most autonomous spreading malware is designed to attack a large user base and thus commonly uses the Windows API.
Correctness of the tool is achieved through the technique of DLL code injection. Roughly speaking, DLL code injection allows API hooking to be implemented in a modular and reusable way, thereby raising confidence in the implementation and the correctness of the reported analysis results.
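The interposition pattern described in the three paragraphs above, and the bypass caveat, shown as an added illustration in Python. This is not CWSandbox code: `fake_win32` is a constructed stand-in for a process's view of a few Win32 entry points, `ApiMonitor.hook` re-routes each call through the monitor before the original code runs, and `bypassing_sample` holds a direct reference to the original function, which plays the role of malware calling kernel code without going through the hooked API.

```python
"""Added illustration (not CWSandbox's own code): API hooking as call interposition.

Everything here is constructed: the three "API" functions are stand-ins, not
real Win32 bindings, and the hook works by replacing attributes on a namespace
object rather than by patching code in a live process.
"""
import types
from typing import Any, Callable, Dict, List


# Constructed stand-ins for three Win32 API functions (hypothetical, not real bindings).
def CreateFileA(path: str, access: str) -> int:
    return 0x100  # pretend handle


def RegSetValueExA(key: str, name: str, value: str) -> int:
    return 0  # pretend ERROR_SUCCESS


def connect(host: str, port: int) -> int:
    return 0


fake_win32 = types.SimpleNamespace(
    CreateFileA=CreateFileA, RegSetValueExA=RegSetValueExA, connect=connect
)


class ApiMonitor:
    """Installs hooks on selected entry points and records the call sequence."""

    def __init__(self) -> None:
        self.trace: List[Dict[str, Any]] = []
        self._originals: Dict[str, Callable[..., Any]] = {}

    def hook(self, api: types.SimpleNamespace, name: str) -> None:
        original = getattr(api, name)
        self._originals[name] = original

        def hooked(*args: Any) -> Any:
            # The monitor sees the call and its arguments first, then hands it
            # to the real implementation and records what came back.
            entry: Dict[str, Any] = {"api": name, "args": args}
            entry["result"] = original(*args)
            self.trace.append(entry)
            return entry["result"]

        setattr(api, name, hooked)

    def unhook_all(self, api: types.SimpleNamespace) -> None:
        for name, original in self._originals.items():
            setattr(api, name, original)
        self._originals.clear()

    def calls_to(self, name: str) -> List[Dict[str, Any]]:
        return [e for e in self.trace if e["api"] == name]


def wellbehaved_sample(api: types.SimpleNamespace) -> None:
    """Constructed sample that uses the (hooked) API like most malware does."""
    api.CreateFileA(r"C:\WINDOWS\system32\dropped.exe", "w")
    api.RegSetValueExA(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                       "dropped", r"C:\WINDOWS\system32\dropped.exe")
    api.connect("192.0.2.10", 6667)


def bypassing_sample(direct_connect: Callable[[str, int], int]) -> None:
    # Analogous to code that reaches the kernel without the public API: the saved
    # reference is the original function, so the hook on the namespace never runs.
    direct_connect("192.0.2.10", 6667)


def run_analysis() -> ApiMonitor:
    monitor = ApiMonitor()
    for name in ("CreateFileA", "RegSetValueExA", "connect"):
        monitor.hook(fake_win32, name)
    wellbehaved_sample(fake_win32)
    bypassing_sample(connect)  # module-level `connect` is the unhooked original
    monitor.unhook_all(fake_win32)
    return monitor


if __name__ == "__main__":
    for entry in run_analysis().trace:
        print(entry)
```

Running it yields three trace entries for the well-behaved sample and none for the bypassing call: the second `connect` to 192.0.2.10 is invisible to the monitor, which is exactly the gap the page attributes to direct kernel calls.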
The combination of these three techniques within the CWSandbox allows one to trace and monitor all relevant system calls and generate an automated, machine-readable report that describes, for example,
which files the malware sample has created or modified,
which changes the malware sample performed on the Windows registry,
which dynamic link libraries (DLLs) were loaded before executing,
which virtual memory areas were accessed,
which processes were created, or
which network connections were opened and what information was sent over such connections.
Obviously, the reporting features of the CWSandbox cannot be perfect, i.e., they can only report on the visible behavior of the malware and not on how the malware is programmed. Using the CWSandbox also entails some danger, which arises from executing dangerous malware on a machine which is connected to a network. However, the information derived from executing malware for even very short periods of time in the CWSandbox is surprisingly rich and in most cases sufficient to assess the danger originating from the malware.
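An added example of the consumer side described earlier on the page: a machine-readable report of the kind listed above (files created, registry changes, DLLs loaded, network connections) driving an automated response such as drafting intrusion detection signatures. This is not CWSandbox's code or its report schema; the XML and its element names are constructed for the example, and the rule text follows Snort's general alert syntax as a draft for an analyst to review rather than a tested signature.

```python
"""Added example (not CWSandbox's own code or report schema): turning a
behavior report into indicators and draft IDS rules.

SAMPLE_REPORT and its element names are constructed for this example; the
hashes, paths and addresses in it are placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

SAMPLE_REPORT = r"""<analysis sample="constructed_sample.exe" md5="00000000000000000000000000000000">
  <process pid="1234" name="constructed_sample.exe">
    <filesystem>
      <create_file path="C:\WINDOWS\system32\svch0st.exe"/>
      <modify_file path="C:\WINDOWS\system32\drivers\etc\hosts"/>
    </filesystem>
    <registry>
      <set_value key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
                 name="svch0st" value="C:\WINDOWS\system32\svch0st.exe"/>
    </registry>
    <dll_loads><dll name="ws2_32.dll"/><dll name="advapi32.dll"/></dll_loads>
    <network>
      <connection proto="tcp" host="192.0.2.10" port="6667" bytes_sent="142"/>
      <connection proto="tcp" host="198.51.100.7" port="80" bytes_sent="512"/>
      <connection proto="tcp" host="127.0.0.1" port="8080" bytes_sent="0"/>
    </network>
  </process>
</analysis>
"""

# Registry locations that make a dropped file run at logon (autostart persistence).
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
# Connections into these ranges are local noise, not candidates for network signatures.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_report(xml_text: str) -> Dict[str, Any]:
    """Flatten the constructed report format into plain Python lists."""
    root = ET.fromstring(xml_text)
    return {
        "md5": root.get("md5"),
        "files_created": [e.get("path") for e in root.iter("create_file")],
        "files_modified": [e.get("path") for e in root.iter("modify_file")],
        "registry": [{"key": e.get("key"), "name": e.get("name"), "value": e.get("value")}
                     for e in root.iter("set_value")],
        "dlls": [e.get("name") for e in root.iter("dll")],
        "connections": [{"proto": e.get("proto"), "host": e.get("host"),
                         "port": int(e.get("port")), "bytes_sent": int(e.get("bytes_sent", "0"))}
                        for e in root.iter("connection")],
    }


def persistence_entries(report: Dict[str, Any]) -> List[Dict[str, str]]:
    return [r for r in report["registry"]
            if any(r["key"].lower().endswith(k) for k in AUTOSTART_KEYS)]


def external_connections(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    out = []
    for c in report["connections"]:
        addr = ipaddress.ip_address(c["host"])
        if not any(addr in net for net in LOCAL_NETS):
            out.append(c)
    return out


def ids_rules(report: Dict[str, Any], sid_base: int = 1000000) -> List[str]:
    """Draft one Snort-style alert per external destination the sample contacted."""
    rules = []
    for i, c in enumerate(external_connections(report)):
        rules.append(
            f'alert {c["proto"]} $HOME_NET any -> {c["host"]} {c["port"]} '
            f'(msg:"Outbound connection seen from sandboxed sample {report["md5"]}"; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


def threat_summary(report: Dict[str, Any]) -> Dict[str, Any]:
    """Coarse triage flags an analyst can read before opening the full report."""
    return {
        "drops_executable": any(p.lower().endswith(".exe") for p in report["files_created"]),
        "persists_via_autostart": bool(persistence_entries(report)),
        "external_connections": len(external_connections(report)),
        "uses_winsock": "ws2_32.dll" in [d.lower() for d in report["dlls"]],
    }


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(threat_summary(rep))
    print("\n".join(ids_rules(rep)))
```

The design point is that every signature and flag is derived only from behavior the sandbox actually observed, which keeps the output honest in the sense the page calls correctness; the loopback connection is dropped before rule generation so that local noise does not turn into a network signature.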
------------------------------------------------------------------------------------------------------------------
Eureka! http://eureka.cyber-ta.org/
An Automated Malware Binary Analysis Service
Download our Technical Report / Visit mtc.sri.com
last updated: 22:30:00 PT: Wed Feb 2009
Welcome to the EUREKA Malware Analysis Internet Service:
Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. For each uploaded binary, the Eureka service will attempt to unpack and disassemble the binary, and will produce an annotated callgraph, subroutine/data index page, strings summary, and list of embedded DNS entries.
_____________________________________________________________________________
Recent Malware Binaries
d9cb288f31...
2b28798d88...
5c15d4b98a...
f929210fcd...
73f1082158...
53bfe15e91...
410ab4a3f4...
9d6fcaea1c...
15717cd327...
f0b004fd42...
7f96fc78e1...
b27d73bfcb...
e48cb72b16...
fc77b9394f...
d21c6d5b3a...
7d99b0e910...
5818023061...
c7279bc7d2...
f0506f007a...
a54de1d46f...
bdc3f99c21...
e1be8952be...
b118708437...
366f5198d3...
ead12a6c02...
and more...
Notice: The data on this website is for research purposes only. It is provided for your personal use only and is supplied AS IS, without warranty of any kind. Use or reliance on this data is at your own risk.
_____________________________________________________________________________
Submit a Malware Binary:
Thank you for not uploading more than 10 binaries per day.
_____________________________________________________________________________
Development Team: Monirul Sharif (Georgia-Tech), Vinod Yegneswaran (SRI),
Hassen Saidi (SRI), Phillip Porras (SRI), Arvind Naryanan (UTexas Austin)
_____________________________________________________________________________
Acknowledgements: Special thanks to Cliff Wang at Army Research Office (ARO) and Karl Levitt at the National Science Foundation for their sponsorship of this research.
[ This post was last edited by lima668 on 2009-2-12 14:47 ]