Method for detecting web page Trojan horse based on program execution characteristics

A web page Trojan horse detection technique based on program execution characteristics, applied in the field of computer security. It addresses slowed system detection speed, false detection, and the inability to tell whether a web page hosts a Trojan horse (a "hanging horse" page), so as to reduce the missed-detection rate and the false-detection rate and to improve detection speed.

Inactive Publication Date: 2010-03-17
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

[0008] (1) This detection method needs to continuously update the feature database. However, as the feature database becomes larger and larger, the detection speed of the system will decrease.
[0009] (2) Because this detection method only performs pattern matching on the web page and does not analyze it from the perspective of the Trojan horse's operating mechanism, when a Trojan horse writer randomly replaces the characteristic strings in a Trojan-hosting ("hanging horse") web page, the method cannot detect whether the page hosts a Trojan horse, resulting in missed detections.
For this case, this detection method will cause false detection.

Embodiment Construction

[0037] In today's network environment, a large number of websites host Trojan horses. To evade mainstream detectors, Trojan horse authors make a series of careful modifications to the code of web pages containing Trojan horses in order to hide the Trojan's functional code, for example through source-level deformation and variable name replacement.

[0038] Therefore, relying solely on a detector's feature library to detect web page Trojans greatly increases the false negative rate. The web page Trojan horse detection method based on program execution characteristics proposed by the present invention analyzes the web page under inspection from the perspective of the operating mechanism of web page Trojans rather than by simple pattern matching, so it has a degree of intelligence. The specific implementation process is shown in Figure 1.

[0039] Specific embodiment: divided ...

Abstract

The invention belongs to the field of computer security and relates to a method for detecting web page Trojan horses based on program execution characteristics. It comprises the following steps: using a web crawler to capture the source code of a web page; obtaining a recognizable script program through multilevel decoding; disassembling the script program to obtain assembly source code while retaining the script program; judging whether a large number of padded invalid instructions, calls to system-level functions, and obvious URL links exist in the source code; and finally examining the assembly source code in depth to detect whether a Trojan horse exists in the web page. Most existing web pages that host Trojan horses have ShellCode embedded in them; to execute that ShellCode on the local computer, a system vulnerability is needed to achieve a buffer overflow and make the program jump to the ShellCode segment. Thus, simply by analyzing the conditions under which ShellCode executes, and analyzing the source code according to these execution characteristics, it can be quickly determined whether the web page under inspection is a web page Trojan horse.
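The decoding and static checks named in the abstract can be sketched as follows. This is an added example, not code from the patent: it covers only multilevel decoding plus the padding and URL checks (the disassembly step and the system-function check are left out), and the filler byte set, the 32-byte threshold, and all function names are assumptions.

```python
import re
from urllib.parse import quote, unquote

U_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")    # runs of JS unescape() units
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")     # printable URL inside decoded bytes
FILLER = {0x90, 0x0A, 0x0C, 0x0D}                  # assumed padding byte values

def decode_layers(text, max_rounds=8):
    """Undo nested %XX encoding until nothing changes; returns (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)        # leaves %uXXXX alone ("u9" is not hex)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def extract_payloads(script):
    """Convert each %uXXXX run to the bytes it occupies in memory (little-endian)."""
    out = []
    for run in U_RUN.findall(script):
        units = re.findall(r"%u([0-9a-fA-F]{4})", run)
        out.append(b"".join(int(u, 16).to_bytes(2, "little") for u in units))
    return out

def longest_filler_run(data):          # longest run of one repeated filler byte
    best, cur, prev = 0, 0, None
    for b in data:
        cur = cur + 1 if (b == prev and b in FILLER) else (1 if b in FILLER else 0)
        best, prev = max(best, cur), b
    return best

def inspect(page, min_filler=32):      # min_filler is an assumed threshold
    script, rounds = decode_layers(page)
    hits = []
    for p in extract_payloads(script):
        urls = [u.decode() for u in URL_RE.findall(p)]
        run = longest_filler_run(p)
        if run >= min_filler or urls:
            hits.append({"layers": rounds, "filler_run": run, "urls": urls})
    return hits

def _units(data):                      # helper that builds the constructed sample
    data += b"\x00" * (len(data) % 2)
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))

# Constructed samples: filler bytes plus a URL string (no executable payload),
# percent-encoded twice; and a short benign unescape() call.
SAMPLE = "<script>var s=unescape('" + quote(quote(_units(b"\x90" * 64 + b"http://example.invalid/a.exe"))) + "');</script>"
BENIGN = "<script>var t=unescape('%u0048%u0069%u0021%u0021');</script>"
```

Calling `inspect(SAMPLE)` reports two decoding layers, a 64-byte filler run and the embedded URL, while `inspect(BENIGN)` returns an empty list.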

Description

Technical field

[0001] The invention belongs to the field of computer security and relates to a method for detecting web page Trojan horses.

Background technique

[0002] Computer viruses, Trojan horses, spyware and malicious code are the most important security threats faced by computer networks in recent years. Among the transmission paths of computer viruses, Trojan horses, spyware and malicious code, besides spam, another important route is to construct special web pages that spread viruses and Trojan horses to the computers of users who visit them. Such a web page mainly exploits various vulnerabilities in the operating system, browser, plug-ins, etc. to deliver executable malicious code to the user's computer for execution, or uses the parser in the system and the execution privileges of controls so that the malicious code in the web page runs automatically. Because the configuration and coding of these special webpages are relatively compl...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/00, G06F17/30, G06F21/56
Inventor: 陶然, 李志勇, 蔡镇河, 王越, 杜华, 张昊
Owner: BEIJING INSTITUTE OF TECHNOLOGY