Reposted from: tiejun's anti-virus circle
Yesterday, many media outlets reported that Rising had falsely flagged the Google Analytics site as a malicious website.
Link: http://security.ccidnet.com/art/1099/20090429/1753569_1.html
Trojan-dropping gangs track page views the way commercial websites do, measuring their traffic with statistics services such as Google, cnzz and vdoing. The consequence is that these statistics snippets are submitted together with the malicious URLs, and the system misclassifies them.
When you use Google search, Google rates the safety of each link. That rating is likewise based on whether the link has been reported as hosting malicious code within a recent period (usually one week), which requires maintaining a large library of malicious URLs. Once a trojan-infected website has removed the code the attackers implanted, the malicious-website library is not updated in time and keeps blocking users from a site that is no longer infected.
Kingsoft security lab believes that the cost of maintaining such a malicious-website library is too high, and that attackers only need to keep switching to new URLs to break through URL-based interception at very low cost. Although Alibaba Cloud security also collects malicious websites, it only needs to maintain a very small library of them, rather than listing every website infected with trojans.
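The false positive described above comes from a co-occurrence rule: every URL found on an infected page is submitted as malicious, so the site's analytics host is listed next to the exploit host. The following Python model is an added illustration, not code from the original post or from any vendor named in it; the page content, the URLs (all under the reserved .invalid TLD) and the scanner verdict are constructed. It shows the naive rule beside an evidence-based one that only lists hosts whose own response was flagged.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a compromised page: the site's own analytics
# snippet sits next to the attacker's injected hidden iframe.
INFECTED_PAGE = """
<html><body>
<script src="http://stats.analytics-provider.invalid/count.js"></script>
<p>Normal site content</p>
<iframe src="http://exploit-host.invalid/x.html" width="0" height="0"></iframe>
</body></html>
"""

# Constructed: the one URL whose response the exploit scanner actually flagged.
DETECTED_MALICIOUS = {"http://exploit-host.invalid/x.html"}

SRC_RE = re.compile(r"""<(?:script|iframe)\b[^>]*\bsrc=["']([^"']+)["']""", re.I)


def external_urls(html):
    """Return every script/iframe src URL the page loads, in document order."""
    return [m.group(1) for m in SRC_RE.finditer(html)]


def naive_blacklist(html, detected):
    """Co-occurrence rule: if anything on the page was malicious, list the
    host of every URL the page loads. The analytics host rides along."""
    urls = external_urls(html)
    if not detected.intersection(urls):
        return set()
    return {urlparse(u).netloc for u in urls}


def evidence_based_blacklist(html, detected):
    """List only hosts whose own response was flagged; sharing a page with a
    malicious resource is not evidence against the other resources on it."""
    return {urlparse(u).netloc for u in external_urls(html) if u in detected}


def would_block(url, blacklist):
    """The lookup a browser-side filter performs before loading a resource."""
    return urlparse(url).netloc in blacklist


if __name__ == "__main__":
    analytics = "http://stats.analytics-provider.invalid/count.js"
    naive = naive_blacklist(INFECTED_PAGE, DETECTED_MALICIOUS)
    strict = evidence_based_blacklist(INFECTED_PAGE, DETECTED_MALICIOUS)
    print("naive rule blocks analytics host:", would_block(analytics, naive))  # True
    print("evidence rule blocks analytics host:", would_block(analytics, strict))  # False
```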
Malicious behavior interception: mainly intercepts the shellcode of exploits, which works well against buffer-overflow attacks.
Abnormal parameter detection: analyzes the roughly 30 most popular web exploit trojans.
Malicious script interception: a handful of simple features suffice to identify 90% of malicious scripts.
Seen from the web-browsing side, the protection looks like this:
When Google or Firefox detects a malicious website, it blocks access and tells the user to leave. Rising warns that the page is risky and recommends leaving. Kingsoft network security's approach is different: the page is browsed normally and the harmful code is filtered out automatically.
Alibaba Cloud security has entered the alpha2 testing stage; according to feedback from various parties, the interception results are satisfactory.
A web trojan that completely bypasses Kingsoft network security has to meet all of the following conditions:
a new web vulnerability,
and a new domain name,
and new shellcode,
one that does not need heap spray,
and a new script obfuscation technique,
and it cannot be combined with old vulnerabilities.