Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

A method and device for automatically collecting malicious software

A malicious software and automatic collection technology, applied in the field of computer security, can solve the problems of low reliability and detection rate, high difficulty and cost, easy failure of malware, etc., and achieve the goal of improving reliability and detection rate and improving efficiency Effect

Active Publication Date: 2015-09-02
BEIJING BAIDU NETCOM SCI & TECH CO LTD
View PDF4 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

Although this method realizes the automatic collection of malware, it needs to deploy a large-scale client, which is very difficult and costly, and the method based on static features is prone to failure for malware that uses deformation methods, and its reliability and detection rate are relatively low. Low

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A method and device for automatically collecting malicious software
  • A method and device for automatically collecting malicious software
  • A method and device for automatically collecting malicious software

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0058] figure 1 The flow chart of the method for automatically collecting malware provided by Embodiment 1 of the present invention, such as figure 1 As shown, the method includes:

[0059] Step 101: Scanning a webpage by simulating a browser, identifying and capturing malicious codes of the scanned webpage.

[0060] In this step, the webpage is actively scanned by simulating the browser, and the malicious code is identified and captured from the scanned webpage in combination with malicious code identification technology. The specific malicious code identification method may include: firstly, analyze the scanned webpage script, if the corresponding function is obtained in the memory through pre-installed function hooks for writing shellcode during the analysis process For binary data, one or any combination of blacklist matching, disassembly detection, and high-risk bytecode statistics is used to identify malicious code. The specific process will be described in detail in ...

Embodiment 2

[0064] figure 2 The flow chart of the method for identifying malicious codes provided by Embodiment 2 of the present invention, such as figure 2 As shown, the method may include the following steps:

[0065] Step 201: pre-hooking a preset function for writing shellcode.

[0066] Usually, webpage scripts write shellcode through a series of script functions, so that controllable malicious data can be generated in memory for attack, that is, these functions used to write shellcode can generate binary data in a specified format in memory. These preset functions for writing shellcode may include, but are not limited to: the \u function for escaping in javascript-type scripts, the unescape function for string decoding, or string for returning a string represented by an ASCII value. at least one of the fromcharcode function, the unescape function of the vbscript type script, the string.fromcharcode function, or the chrw function for returning the character associated with the spe...

Embodiment 3

[0093] image 3 The flow chart of the method for obtaining malicious software provided by Embodiment 3 of the present invention, such as image 3 As shown, the method may include the following steps:

[0094] Step 301: By hooking the function hook of the file creation function, when it is determined that the captured malicious code executes the file creation operation, replace the path parameter of the file creation operation with the specified path.

[0095] The file creation function here may include but not limited to: functions such as NtCreateFile, ZwCreateFile, etc. Function hooks are hung on the bottom layer of the system in advance to monitor whether the malicious code executes the file creation operation.

[0096] The replacement of the path parameter is to enable the malicious code to transfer the malicious software to the specified path, that is, to the specified directory when creating the malicious software.

[0097] Step 302: Cover the address space of any norm...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a method and a device for collecting malicious software automatically, wherein the method comprises the following steps: S1, scanning web pages through a simulative browser, identifying and capturing a malicious code of the scanned web pages; and S2, constructing a malicious code executing environment to capture the malicious code so as to obtain the malicious software. The method can realize to collect the malicious software automatically without manual identification; therefore, efficiency is increased greatly; in addition, the method starts to identify the malicious code so as to obtain the malicious software without a method of collecting the static characteristics of the malicious software; the malicious software including the malicious code can be collected no matter the malicious software uses deformation methods; and reliability and relevance ratio are improved greatly.

Description

【Technical field】 [0001] The invention relates to the technical field of computer security, in particular to a method and device for automatically collecting malicious software. 【Background technique】 [0002] With the continuous development of computer technology, computer network has become the main tool for people to obtain information, followed by the continuous improvement of the demand for computer security technology. Computer viruses, Trojan horses, malicious software and malicious codes are the main security threats faced by computer networks in recent years. Users often install some malicious software automatically after browsing webpages linked to horses. In order to facilitate the prevention and analysis of malicious software, and Further application to the malware detection system and malware distribution research needs to solve the problem of malware collection. [0003] The existing collection of malware is mainly realized in the following two ways: [0004]...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/56
Inventor 唐海黄正
Owner BEIJING BAIDU NETCOM SCI & TECH CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products