Netinfo Security (信息网络安全) ›› 2017, Vol. 17 ›› Issue (9): 26-29. doi: 10.3969/j.issn.1671-1122.2017.09.006


Cracking the Domain Generation Algorithm of DGA-Based Malware

Guotian XU

  1. National Police University of China, Shenyang, Liaoning 110854, China
  • Received: 2017-08-01 Online: 2017-09-20 Published: 2020-05-12
  • About the author:

    Guotian XU (1978-), male, from Liaoning, associate professor, master's degree; main research interests: network security and electronic evidence.

  • Funding:
    Natural Science Foundation of Liaoning Province [2015020091]; Liaoning Provincial Educational Science "12th Five-Year Plan" Project [JG14db440]; Public Security Theory and Soft Science Research Program Project [2016LLYJXJXY013]; Ministry of Public Security Technology Research Program Project [2016JSYJB06]

Cracking the Domain Generation Algorithm of DGA-Based Malware

Guotian XU

  1. National Police University of China, Shenyang, Liaoning 110854, China
  • Received:2017-08-01 Online:2017-09-20 Published:2020-05-12

Abstract (Chinese):

This paper proposes a method for cracking DGA algorithms based on the capture and analysis of network packets. First, the DNS resolution request packets sent by the bot are captured, and the structural features of the malicious domain names are analyzed to form a preliminary understanding of the DGA. A static analysis tool is then used to search the malicious program for top-level domain strings, which locates the assembly code of the core DGA algorithm. That assembly code is converted into a high-level language program, which is run to compute all domain names that will be usable in the future. Testing showed that this method can quickly and accurately locate the core DGA code in bot, Trojan and worm malware, improving the efficiency of forensic analysis.

Keywords: malware, DGA, cracking

Abstract:

This paper presents a method for cracking DGA algorithms based on network packet capture and analysis. First, the DNS resolution requests sent by the bot are captured; by analyzing the structural features of the malicious domain names, forensic staff form a preliminary understanding of the DGA algorithm. A static analysis tool is then used to search the malicious program for top-level domain strings and thereby locate the assembly code of the core DGA algorithm. That assembly code is converted to a high-level language program, which is run to compute all domain names that will be usable in the future. Testing showed that the method can quickly and accurately locate the core DGA code in malicious programs and improves the efficiency of forensic analysis.
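The first two steps of the workflow described in both abstracts (profiling the structure of captured DNS query names, then searching the binary for top-level domain literals to find a way into the DGA routine) can be scripted. The Python below is an added illustration, not code from the paper: the DNS query names and the byte buffer standing in for a malware image are constructed sample data, the feature thresholds are assumptions tuned to that sample, and the paper's actual DGA is not reproduced.

```python
import math
from collections import Counter

# Constructed sample: DNS query names as they might be pulled from a packet
# capture of an infected host. Not taken from the paper.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "q7xk2m9vjd1p.net",
    "zt4h8wlp0qaa.com",
    "b0n3kx9rfy2m.info",
    "update.windows.example.net",
    "m2p9kd7xqv41.org",
]

# TLD literals to search for inside the binary (assumption: the DGA appends
# one of these as a fixed string, which is what makes the search useful).
TLDS = (".com", ".net", ".org", ".info", ".biz")


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def domain_features(name):
    """Structural features of the registrable label (second-level domain)."""
    labels = name.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    digits = sum(ch.isdigit() for ch in sld)
    return {
        "name": name,
        "tld": labels[-1],
        "sld": sld,
        "sld_len": len(sld),
        "entropy": round(shannon_entropy(sld), 3),
        "vowel_ratio": round(vowels / len(sld), 3),
        "digit_ratio": round(digits / len(sld), 3),
    }


def looks_generated(f, min_len=10, max_vowel_ratio=0.25, min_digit_ratio=0.2):
    """Heuristic thresholds (assumptions) for a random-alphanumeric DGA family."""
    return (f["sld_len"] >= min_len
            and f["vowel_ratio"] <= max_vowel_ratio
            and f["digit_ratio"] >= min_digit_ratio)


def profile_queries(queries):
    """Return the suspected DGA queries plus a summary of their structure:
    label lengths, TLD usage and the alphabet actually used. This is the
    'preliminary understanding' of the algorithm formed before opening
    the binary in a disassembler."""
    suspects = [f for f in map(domain_features, queries) if looks_generated(f)]
    summary = {
        "lengths": sorted({f["sld_len"] for f in suspects}),
        "tlds": Counter(f["tld"] for f in suspects),
        "alphabet": "".join(sorted(set("".join(f["sld"] for f in suspects)))),
    }
    return suspects, summary


def find_tld_strings(blob, tlds=TLDS):
    """Offsets of TLD literals in a binary image, in both ASCII and UTF-16LE
    (Windows malware frequently stores strings as wide characters). Each hit
    is a candidate cross-reference to follow back to the DGA routine."""
    hits = []
    for tld in tlds:
        for encoding in ("ascii", "utf-16-le"):
            needle = tld.encode(encoding)
            start = blob.find(needle)
            while start != -1:
                hits.append((start, encoding, tld))
                start = blob.find(needle, start + 1)
    return sorted(hits)


# Constructed stand-in for a malware image: filler bytes around one ASCII
# ".com" literal and one UTF-16LE ".net" literal.
FAKE_BINARY = (b"\x90" * 16 + b".com\x00" + b"\xcc" * 8
               + ".net\x00".encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    suspects, summary = profile_queries(SAMPLE_QUERIES)
    for f in suspects:
        print(f)
    print(summary)
    print(find_tld_strings(FAKE_BINARY))
```

On the constructed sample the profile comes out as fixed 12-character lowercase alphanumeric labels spread over four TLDs, which is the kind of observation that tells the analyst what to expect the generation loop to look like. The string search is only a starting point: benign literals such as a vendor update domain will also match, so every hit still has to be confirmed by following its cross-references to code that builds the label.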

Key words: malicious program, domain generation algorithm, cracking

CLC number: