Advisor: 郭斯彥
Institution: 臺灣大學:資訊網路與多媒體研究所 (National Taiwan University, Graduate Institute of Networking and Multimedia)
Author: 李遠濤 (Li, Yuan-Tao)
Record dates: 2010-05-05, 2018-07-05
Year: 2008
Identifier: U0001-2107200820572100
Handle: http://ntur.lib.ntu.edu.tw//handle/246246/180604
Title: 高效率主動式惡意軟體蒐集系統 / An Effective Proactive Malware Collector
Type: thesis
Language: en-US
Keywords: 安全 (Security), 病毒 (Virus), 蠕蟲 (Worm), 惡意軟體蒐集 (Malware Collection)
Format: application/pdf, 345479 bytes
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/180604/1/ntu-97-R95944019-1.pdf

Abstract (translated from the Chinese)

With today's rapid growth of the Internet, viruses spread faster and faster; large numbers of new and variant viruses appear constantly, and their techniques keep improving. Viruses that run as rootkits disguise their network activity, registry keys, processes and every other item that might warn the user that malware is lurking on the system, hiding themselves so that ordinary users cannot easily notice them. MSN viruses exploit social relationships to lower users' guard and spread at the astonishing rate of a geometric progression. Virus researchers therefore urgently need to obtain large numbers of virus samples of every kind quickly, especially new viruses currently spreading on the Internet, so that they can analyse them and cope with the daily growing threat.

This thesis proposes the Proactive Malware Collector, a tool that actively connects to compromised websites and automatically extracts the infected samples. In brief, we obtain a list of compromised websites, browse each one in an emulated operating-system environment, extract the files that were created or changed after visiting the site, and then filter them to find the files that may be infected, for later analysis. Our tool detects the files produced by virus activity by comparing differences in file activity at the virtual machine's disk level, without modifying the Windows environment, so the virus cannot easily detect it. Furthermore, obtaining links, browsing and filtering are all automated. The Proactive Malware Collector is therefore an ideal tool for automatically collecting large numbers of viruses.

Abstract (English)

Internet services are increasingly becoming an essential part of everyday life, but viruses spread faster and faster. Large numbers of new and ever more sophisticated viruses appear constantly, and their techniques grow more refined. A Trojan, for example, runs with the user's unwitting consent because it is disguised as a legitimate program, and it greatly compromises the integrity of the system; users infected with a Trojan are unaware of the infection. MSN worms, in turn, exploit social relationships to lower users' guard and spread at a geometric rate. Malware researchers therefore urgently need malware samples of all kinds to investigate, especially the new worms spreading on the Internet: the better and sooner we know what malware is currently spreading in the wild, the better our defenses can be.

In this thesis we describe the Proactive Malware Collector, a tool that connects to compromised websites and automatically obtains the infected samples. In brief, we obtain a list of compromised websites and browse each site in an unmodified Windows environment, which gives excellent emulation accuracy. We capture the files created or modified after browsing each site and filter those that could be infected for further in-depth analysis. To this end, the tool compares the guest's virtual disk before and after the visit (file activity observed at the virtual-hardware level), so no agent runs inside the guest for the malware to notice. Furthermore, link harvesting, browsing and filtering are all automated. These factors make the Proactive Malware Collector an ideal tool for automatically collecting large numbers of malware samples.

Contents

口試委員會審定書 #
誌謝 i
中文摘要 ii
ABSTRACT iii
CONTENTS v
LIST OF FIGURES vii
LIST OF TABLES viii
Chapter 1 Introduction 1
Chapter 2 Related Works 5
Chapter 3 System Description 8
3.1 System Environment 8
3.1.1 Emulation Environment 8
3.1.2 System Architecture 10
3.2 Obtaining Malicious URL List and Browsing 13
3.2.1 Obtaining Malicious URL List 13
3.2.2 Browsing 14
3.3 Extracting the Changed Files of Malicious Websites 20
3.3.1 Virtual Disk Format 20
3.3.2 The Descriptor File of the Virtual Disk 22
3.3.3 Accessing a Sector in a Flat Extent 26
3.3.4 The FAT32 File System 26
3.3.5 Comparing Approach 46
3.4 Determining the Suspicious Infected Files 48
3.4.1 Auto-Start Extensibility Points (ASEP) 48
3.4.2 Other Behavior of Malware 50
3.4.3 Detection of ASEP Technique 51
Chapter 4 Evaluation 53
4.1 The Purpose of Evaluation 53
4.2 Evaluation Environment 53
4.3 Experiments 54
4.3.1 Performance 54
4.3.2 Capability 54
4.3.3 The Rate of Accuracy 58
4.3.4 Experiment Discussion 59
Chapter 5 Conclusion and Future Work 60
REFERENCES 62
Appendix 65
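The abstract and Section 3.3 (virtual disk format, FAT32, comparing approach) describe the core technique: read the guest's virtual disk from outside the VM before and after the visit and diff the file systems to find what the website dropped or altered. The following is an added example written for this record, not the thesis's own code. It builds two small constructed FAT32 images ("before" and "after" snapshots), walks each directory tree by following FAT chains, and reports created and modified files by content hash. Assumptions not taken from the page: 512-byte sectors, one sector per cluster, a single one-sector FAT, 8.3 names only (long-name entries are skipped), and that the VMDK flat extent has already been opened as a raw partition image; the file names and contents in the snapshots are constructed.

```python
"""Snapshot diff of two FAT32 images: which files were created or modified in between.
Added example (not the thesis's code); geometry and sample contents are assumptions."""
import hashlib
import struct

BPS, SPC, RSVD, NFATS, FATSZ = 512, 1, 1, 1, 1   # assumed geometry of the toy images
EOC = 0x0FFFFFFF                                  # FAT32 end-of-chain marker

def _dos_name(name):
    base, _, ext = name.upper().partition(".")
    return (base.ljust(8)[:8] + ext.ljust(3)[:3]).encode("ascii")

def _entry(name, attr, cluster, size):
    # 32-byte 8.3 directory entry; creation/access stamps zero, write stamp fixed
    return struct.pack("<11sBBBHHHHHHHI", _dos_name(name), attr, 0, 0, 0, 0, 0,
                       cluster >> 16, 0x5000, 0x3C21, cluster & 0xFFFF, size)

def build_image(tree):
    """Constructed FAT32 image from {name: bytes | dict}; dict values become subdirectories
    ('.' and '..' entries omitted; the parser below skips them anyway)."""
    fat = [0x0FFFFFF8, EOC]      # FAT[0] (media byte) and FAT[1] are reserved
    data = {}                    # cluster number -> raw bytes of that cluster

    def alloc(blob):             # store blob in a chain of clusters, return the first one
        chunks = [blob[i:i + BPS * SPC] for i in range(0, len(blob), BPS * SPC)] or [b""]
        first = len(fat)
        for i, chunk in enumerate(chunks):
            data[len(fat)] = chunk
            fat.append(EOC if i == len(chunks) - 1 else len(fat) + 1)
        return first

    def write_dir(node):
        entries = b""
        for name, val in sorted(node.items()):
            if isinstance(val, dict):
                entries += _entry(name, 0x10, write_dir(val), 0)
            else:
                entries += _entry(name, 0x20, alloc(val) if val else 0, len(val))
        return alloc(entries)

    root = write_dir(tree)       # root need not be cluster 2; BPB_RootClus records it
    boot = bytearray(BPS)
    boot[0:3], boot[510:512] = b"\xEB\x58\x90", b"\x55\xAA"
    struct.pack_into("<HBHB", boot, 11, BPS, SPC, RSVD, NFATS)        # BytsPerSec..NumFATs
    struct.pack_into("<IIII", boot, 32, RSVD + NFATS * FATSZ + (len(fat) - 2) * SPC,
                     FATSZ, 0, root)                # TotSec32, FATSz32, ExtFlags/FSVer, RootClus
    fat_bytes = b"".join(struct.pack("<I", e) for e in fat).ljust(FATSZ * BPS, b"\0")
    region = b"".join(data[c].ljust(BPS * SPC, b"\0") for c in range(2, len(fat)))
    return bytes(boot) + fat_bytes + region

def _read_chain(img, geo, first, size=None):
    """Follow the FAT chain from `first`; return the file or directory bytes."""
    csize, fat_off, data_off = geo
    blob, c = b"", first
    while 2 <= c < 0x0FFFFFF8:   # 0 = no cluster (empty file); >= 0xFFFFFF8 = end of chain
        blob += img[data_off + (c - 2) * csize: data_off + (c - 1) * csize]
        c = struct.unpack_from("<I", img, fat_off + c * 4)[0] & 0x0FFFFFFF
    return blob if size is None else blob[:size]

def list_files(img):
    """Walk the directory tree; return {path: (size, sha256)} for every regular file."""
    bps, spc, rsvd, nfats = struct.unpack_from("<HBHB", img, 11)
    fatsz, root = struct.unpack_from("<I", img, 36)[0], struct.unpack_from("<I", img, 44)[0]
    geo, files = (bps * spc, rsvd * bps, (rsvd + nfats * fatsz) * bps), {}

    def walk(cluster, prefix):
        raw = _read_chain(img, geo, cluster)
        for off in range(0, len(raw), 32):
            e = raw[off:off + 32]
            if e[0] == 0x00:                     # no further entries in this directory
                break
            if e[0] == 0xE5 or e[11] & 0x08:     # deleted entry, LFN fragment or volume label
                continue
            base, ext = e[:8].decode("ascii").strip(), e[8:11].decode("ascii").strip()
            name = f"{base}.{ext}" if ext else base
            hi, lo, size = struct.unpack_from("<H4xHI", e, 20)   # FstClusHI, FstClusLO, FileSize
            if e[11] & 0x10:                     # subdirectory: recurse, skip '.' and '..'
                if name not in (".", ".."):
                    walk((hi << 16) | lo, prefix + name + "\\")
                continue
            content = _read_chain(img, geo, (hi << 16) | lo, size)
            files[prefix + name] = (size, hashlib.sha256(content).hexdigest())

    walk(root, "\\")
    return files

def diff_snapshots(before_img, after_img):
    """Created and modified paths, compared by content hash, so an in-place overwrite that
    keeps size and timestamps still surfaces as modified."""
    before, after = list_files(before_img), list_files(after_img)
    created = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p][1] != before[p][1])
    return created, modified

# Constructed before/after snapshots of a guest disk: the visit overwrote NOTEPAD.EXE in
# place (same size) and dropped two new executables.
BEFORE = build_image({"README.TXT": b"hi", "WINDOWS": {
    "NOTEPAD.EXE": b"A" * 700, "SYSTEM32": {"USER32.DLL": b"B" * 100}}})
AFTER = build_image({"README.TXT": b"hi", "TEMP": {"EVIL.DLL": b"MZ" + b"\0" * 300}, "WINDOWS": {
    "NOTEPAD.EXE": b"A" * 699 + b"X", "SYSTEM32": {"USER32.DLL": b"B" * 100,
                                                   "DROPPER.EXE": b"MZ" + b"\0" * 600}}})

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```

Comparing by content hash rather than by directory-entry timestamps matters here: malware that overwrites a system binary and restores its size and write stamp is invisible to a timestamp diff but not to this one. Everything is read from the raw image, so nothing runs inside the guest; note that this says nothing about whether the malware detects that it is inside a virtual machine at all, which is a separate evasion concern. Against a real VMDK the flat extent would be located through the descriptor file first and the partition offset added to every read.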