Research and Implementation of Webpage Trojan Detection Model Based on Obfuscation Mechanisms

doi:10.3969/j.issn.1671-1122.2015.10.001

Abstract

Abstract:

Webpage trojan is a malicious program that uses the Webpage to carry out the destruction. When the user visits the Website that contains some Webpage trojans, the trojan program will be silently downloaded through the link embedded in the Webpage. Once the trojans are downloaded and activated, they will use resources in the system to destroy the computer system. Currently, Webpage trojan detection includes static detection based on feature codes and dynamic detection based on honeypot client, but the two detection schemes can’t well solved the problems of growing number of Webpage trojans, confusion and avoiding detection means. This paper combines the advantages of the two detection schemes, putting forward an anti-obfuscation technology based on Webpage content analysis and shellcode location and recognition, which can solve the omission problem caused by interaction conditions not existing while verifying dynamically embedded links. On this basis, combined with the static and dynamic detection mechanisms, the paper establishes a Webpage trojan detection model. The experimental results show that the model can accurately detect various types of shell, encryption, deformation Webpage trojans, improving the detection efficiency of trojans.

Key words: Webpage trojan, content analysis, Shellcode orientation, anti-obfuscation, encryption

CLC Number:

TP309

DU Chun-lai, SUN Hui-zhong, WANG Jing-zhong, WANG Bao-cheng. Research and Implementation of Webpage Trojan Detection Model Based on Obfuscation Mechanisms[J]. Netinfo Security, 2015, 15(10): 1-7.

Figures/Tables 9

References 16

[1]	兰芸,李宝林. 木马恶意软件的电子数据勘查与取证分析初探[J]. 信息网络安全,2014,(5):87-91.
[2]	Day O, Palmen B, Greenstadt R.Reinterpreting the disclosure debate for web infections[C]//Proc Seventh Workshop on the Economics of Information Security (WEIS2008) . Hanover , New Hampshire , June 2008.
[3]	王海峰,段友祥,刘仁宁. 基于行为分析的病毒检测引擎的改良研究[J]. 计算机应用,2004,(24):109-110.
[4]	郝增帅,郭荣华,文伟平,等. 基于特征分析和行为监控的未知木马检测系统研究与实现[J]. 信息网络安全,2015,(2):57-65.
[5]	胡卫,张昌宏,马明田. 基于动态行为检测的木马检测系统设计[J].火力与指挥控制,2010,35(2):128-132.
[6]	张慧琳,诸葛建伟,宋程昱,等.基于页面动态视图的网页木马检测方法[J].清华大学学报(自然科学版),2009,49(S2):2126-2132.
[7]	徐国天. 远程控制木马通信协议及线索调查方法研究[J]. 信息网络安全,2014,(3):52-56.
[8]	PhantomJS.Cloud[EB/OL].,2013-08-13.
[9]	ProjectShelloce.ShellocdeTutorials [EB/OL].,2012-04-08.
[10]	李焕洲,陈婧婧,钟明全,等.基于行为特征库的木马检测模型设计[J]. 四川师范大学学报(自然科学版),2011,34(1):123-127.
[11]	韩万军,王振宇,等.Windows平台下地址空间分布随机变化技术研究及实现[J].计算机应用与软件,2011,28(4):117-120.
[12]	许一震,王永成,沈洲. 一种快速的多模式字符串匹配算法[J]. 上海交通大学学报,2002,36(4):516-520.
[13]	Thomas J,Hughes R.Implicit-explicit finite elements in nonlinear transient analysis[J].Computer methods in Applied Mechanics and Engineering,1987,(45):371-378.
[14]	BOYER R S,MOORE J S.A fast string searching algorithm[J].Communications of ACM,1977,20(10):762-772.
[15]	杨明,王轶骏,薛质.高混淆网页木马的研究与检测实现[J].计算机工程与设计,2014,35(8):2663-2639.
[16]	开源社区.The Honeynet Project[EB/OL].,2009-10-08.