Intelligent Defense Against Unknown Computer Viruses
Jinzhou [est_vip] 2006.8.21
I. Overview
II. Basic Structure of Viruses
III. Intelligence
IV. Intelligent Implementation
V. Thanks and References
I. Overview
With the popularization of the Internet, viruses are doing more and more harm to individual users. In Jinzhou's view, the main harms of viruses are: 1. Harm to the system. Some boot-type viruses leave the system unable to start after infection; some file viruses degrade system performance; and so on. 2. Harm to files and data. Files and data get deleted when a virus triggers. (Jinzhou note: files and data are the most valuable things on a hard disk.) For the great majority of ordinary users, the most direct way to prevent viruses is to use anti-virus software. Today's anti-virus software relies, at its core, on scanning for virus signatures to identify a virus. The advantage of this method is that it is accurate and rarely produces false positives. (Jinzhou note: the biggest problem in virus removal has always been discovering the virus in the first place.) Its biggest drawback is that a signature can only be extracted from a virus sample, so the virus must already have been captured. Put bluntly, this is like always fighting the last battle. Anti-virus companies build advanced capture systems and reward large numbers of users for providing virus samples, so that within this relative time lag anti-virus software can still protect the public. But the network keeps developing and virus programming technology keeps advancing (Jinzhou note: seen from another angle, anti-virus technology is itself an application of virus technology), especially in propagation speed and mutation. Two or three years ago, Xie Zhengyu, Wu Zongshan and Yang Junjie jointly proposed the idea of constructing a computer virus operation mode with genetic algorithms. Although this approach is constrained by virus size and some technical limits, and has not been seen in wide use, the feasibility shown by these three is enough to break the model of scanning for and removing viruses based on signatures from samples.
Since then, all the major anti-virus vendors have invested a great deal of effort in intelligent virus detection and removal. However, the core of detection and removal still has not become intelligent; it still relies on virus signatures and sample libraries. From one perspective this may simply be the responsible attitude towards users. This article will try to make full use of what Jinzhou knows to discuss how to prevent viruses intelligently, listing code from viruses considered highly harmful for comparative analysis. (Jinzhou note: the discussion below is rooted in 32-bit Windows platforms. In addition, some valuable material could not be obtained, so some points may not be thorough. Apologies.)
II. Basic Structure of Viruses
The virus structure discussed here is not the theoretical structure commonly found online. There are plenty of documents on the conventional structure of viruses, which will not be repeated here. This section describes the structure of a virus from the standpoint of intelligent anti-virus.
Jinzhou believes that anti-virus should start from how the virus is launched; the following analysis of virus structure focuses on that.
We know that malicious programs such as viruses must get their own body into memory, that is, they must run on the victim's computer. A program that is not running has no meaning, and a computer virus must run to do harm. (Note: running here means running on the victim's computer, not the process by which the virus reaches the victim's computer over the network or other external channels, so bundling, deception and social engineering are not covered.) There are many ways for a virus to run, and every one of them ends with the virus written into memory. The following describes common ways in which viruses run. (Jinzhou note: not necessarily comprehensive, for reference only.)
1. Running the process directly
This refers to the files created while the virus runs, that is, the results its execution produces. It mainly involves calls such as CreateFile(), OpenFile() and GetFile(); many viruses use these functions to read and write files. A simple example, from I LOVE YOU:
```vbscript
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem & "\MSKernel32.vbs")
c.Copy(dirwin & "\Win32DLL.vbs")
c.Copy(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")
```
And from Mydoom (a fragment; the enclosing function is not shown):
```c
HANDLE h = CreateFile(argv[1], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0,
                      OPEN_EXISTING, 0, 0);
if (h == INVALID_HANDLE_VALUE) {
    printf("%s: cannot open \"%s\"", argv[0], argv[1]);
    return;
}
if (GetFileSize(h, 0) < 0x100) {
    printf("%s: invalid size", argv[0]);
    CloseHandle(h);
    return;
}
DWORD dwPeOffs, dwRead, dwWritten;
/* 0x3C is e_lfanew in the DOS header: the file offset of the PE header */
SetFilePointer(h, 0x3C, 0, FILE_BEGIN);
ReadFile(h, &dwPeOffs, 4, &dwRead, 0);
```
2. Writing a startup entry into the registry
Most viruses use the RegCreateKey function to add a new registry value. RegWriteKey can also be used to write a modified value, and RegOpenKey to open and read the registry. In short, they modify the registry to achieve their goal.
For example, in I LOVE YOU:
```vbscript
dim num, downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", dirsystem & "\MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL", dirwin & "\Win32DLL.vbs"
downread = ""
downread = regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
```
Although this virus is very old, it is a typical script virus. It uses its regcreate routine to add startup entries, writing values under Run and RunServices so that the virus is launched at boot.
Similarly, in Happy Time:
```vbscript
Sub Rw(k, v)
    Dim R
    On Error Resume Next
    Set R = CreateObject("WScript.Shell")
    R.RegWrite k, v
End Sub
Rw Ks & "\Help\WallPaper", n3
Rw "HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper", n3
oeid = Rg("HKEY_CURRENT_USER\Identities\Default User ID")
oe = "HKEY_CURRENT_USER\Identities\" & oeid & "\Software\Microsoft\Outlook Express\5.0\Mail"
```
And in Mydoom (the first fragment's enclosing function is not shown):
```c
for (i = 0; i < 2; i++)
    if (RegOpenKeyEx((i == 0) ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
                     tmp, 0, KEY_READ, &k) == 0) {
        RegCloseKey(k);
        return;
    }
sync->first_run = 1;
for (i = 0; i < 2; i++)
    if (RegCreateKeyEx((i == 0) ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
                       tmp, 0, NULL, 0, KEY_WRITE, NULL, &k, &disp) == 0)
        RegCloseKey(k);
}

void sync_startup(struct sync_t *sync)
{
    HKEY k;
    char regpath[128];
    char valname[32];
    /* "Software\Microsoft\Windows\CurrentVersion\Run", stored ROT13-encoded */
    rot13(regpath, "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Eha");
    rot13(valname, "GnfxZba"); /* "TaskMon" */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, regpath, 0, KEY_WRITE, &k) != 0)
        if (RegOpenKeyEx(HKEY_CURRENT_USER, regpath, 0, KEY_WRITE, &k) != 0)
            return;
    RegSetValueEx(k, valname, 0, REG_SZ, sync->sync_instpath, lstrlen(sync->sync_instpath) + 1);
    RegCloseKey(k);
}
```
There are also many Trojans and other malware that attach themselves to the registry startup entries and related items by modifying the registry; they will not be listed here. In short, this method is very widely used. (Jinzhou note: "virus" in this article is used in the broad sense, covering all programs that harm, or could potentially harm, users.)
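As an added, defender-side example (not code from the article), here is a Python audit of the Run and RunServices startup keys discussed above: it parses a `reg export` dump and flags the patterns the quoted viruses rely on, a script file launched at startup, a value name borrowed from a system component, and use of the legacy RunServices key. The sample dump, the extension list and the look-alike name list are constructed assumptions.

```python
import re
# Constructed sample of `reg export` output (not a real system's dump); the
# MSKernel32 / Win32DLL / TaskMon names come from the viruses quoted above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"TaskMon"="C:\\WINDOWS\\SYSTEM\\taskmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="\"C:\\WINDOWS\\Win32DLL.vbs\""
'''

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd")
# Hypothetical watch-list of system file names that malware likes to borrow.
LOOKALIKES = ("kernel32", "win32dll", "taskmon", "svchost", "lsass", "csrss")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (backslash-backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each REG_SZ line of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))

def flag_entry(key, name, data):
    """Return the reasons an autostart entry looks suspicious ([] if clean)."""
    # First token of the command line, honouring a quoted path with spaces.
    exe = (data.split('"')[1] if data.startswith('"') else (data.split() or [""])[0]).lower()
    reasons = []
    if exe.endswith(SCRIPT_EXT):
        reasons.append("script interpreter launched at startup")
    if any(t in name.lower() or t in exe.rsplit("\\", 1)[-1] for t in LOOKALIKES):
        reasons.append("name mimics a system component")
    if key.lower().endswith("\\runservices"):
        reasons.append("legacy RunServices key")
    return reasons

def audit(text):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    flagged = ((n, flag_entry(k, n, d)) for k, n, d in parse_reg(text))
    return {n: r for n, r in flagged if r}
```

Only REG_SZ values are parsed; `reg export` writes REG_EXPAND_SZ data as hex(2) lines, which this audit skips.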
3. Registering as a service
This mostly calls CreateService, OpenService, RegisterServiceCtrlHandler, SetServiceStatus and so on. The typical code is as follows (cut off at the end on the page):
```cpp
// Create a service
SC_HANDLE hService = ::CreateService(
    hSCM, szServiceName, szServiceName,
    SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
    SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
    szFilePath, NULL, NULL, _T(""), NULL, NULL);
if (hService == NULL)
{
    ::CloseServiceHandle(hSCM);
    MessageBox(NULL, _T("Couldn
```