Abstract: The Master Boot Record (MBR) rootkit is a new kind of rootkit whose strong concealment makes it hard to detect. To address this, the key techniques and overall workflow of MBR rootkits are analyzed, the Trojan cooperative-concealment model is extended, and the concept of multi-level cooperative concealment is introduced and applied to a formal description of the MBR rootkit's concealment mechanism. A static detection method is proposed based on the static features of MBR rootkits: it searches the hidden sector space for the malware's disk-resident data by pattern matching, and the matching algorithm is designed and implemented from an analysis of the MBR data format. Experimental results show that the method performs well on a series of samples and that the original MBR backup can be recovered from the disk-resident data to restore the system.
Keywords:
Master Boot Record,
formal description,
cooperative concealment,
static feature,
static detection,
pattern matching
Abstract: The Master Boot Record (MBR) rootkit is a new kind of rootkit that is much harder to detect than conventional ones. This paper analyzes the key technical points and the workflow of the MBR rootkit and extends the cooperative concealment model: two-level and multi-level cooperative concealment are proposed and applied to a formal description of the MBR rootkit's concealment mechanism. A static detection method is presented, and a corresponding MBR matching algorithm is designed and implemented based on an analysis of the MBR data format; the method searches hidden disk areas for MBR backup data. Experimental results show that the method achieves high detection accuracy, and the MBR backup data it finds can be used to restore the system.
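The static method summarized above (match MBR-format sectors in the hidden area before the first partition, compare the match with LBA 0, and restore from it) as an added example in C. This is not the paper's algorithm or code: the disk image is constructed in memory, the partition-table sanity rule used as the "MBR pattern", the 0x90/0xCC boot-code fillers and the LBA 60 stash location are assumptions chosen for illustration, and a real scan would read raw sectors from the physical device instead of a buffer.

```c
/* Added example (not the paper's code): scan the hidden gap before the first
 * partition for sectors matching the MBR layout, flag replaced boot code, and
 * restore LBA 0 from the match. The disk image is constructed in memory. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512
#define PT_OFFSET   0x1BE   /* partition table: four 16-byte entries */
#define SIG_OFFSET  0x1FE   /* boot signature 0x55 0xAA              */
#define N_SECTORS   64      /* size of the constructed demo image    */

static uint8_t g_disk[N_SECTORS * SECTOR_SIZE]; /* constructed demo image    */
static uint8_t g_orig_mbr[SECTOR_SIZE];         /* ground truth for the demo */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* MBR pattern (assumed rule): boot signature plus a structurally sane partition
 * table; used entries have boot flag 0x00/0x80, nonzero type and size, unused
 * entries are all zero, and at least one entry is used. */
bool looks_like_mbr(const uint8_t *sec)
{
    static const uint8_t zero[16];
    int used = 0;
    if (sec[SIG_OFFSET] != 0x55 || sec[SIG_OFFSET + 1] != 0xAA)
        return false;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PT_OFFSET + 16 * i;
        if (memcmp(e, zero, 16) == 0) continue;
        if ((e[0] != 0x00 && e[0] != 0x80) || e[4] == 0 || rd32(e + 12) == 0)
            return false;
        used++;
    }
    return used > 0;
}

/* Start LBA of the first partition; LBAs 1 .. lba-1 are the hidden gap. */
uint32_t first_partition_lba(const uint8_t *mbr)
{
    uint32_t lo = UINT32_MAX;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PT_OFFSET + 16 * i;
        if (e[4] != 0 && rd32(e + 8) < lo) lo = rd32(e + 8);
    }
    return lo == UINT32_MAX ? 0 : lo;
}

/* Scan the hidden gap for MBR-pattern sectors; returns the number of hits. */
int scan_hidden_sectors(const uint8_t *disk, size_t n_sectors, uint32_t *hits, int max_hits)
{
    uint32_t end = first_partition_lba(disk);
    int n = 0;
    if (end > n_sectors) end = (uint32_t)n_sectors;
    for (uint32_t lba = 1; lba < end && n < max_hits; lba++)
        if (looks_like_mbr(disk + (size_t)lba * SECTOR_SIZE))
            hits[n++] = lba;
    return n;
}

/* Infection indicator: same partition table as the backup, different boot code. */
bool boot_code_replaced(const uint8_t *cur, const uint8_t *backup)
{
    return memcmp(cur + PT_OFFSET, backup + PT_OFFSET, 64) == 0 &&
           memcmp(cur, backup, PT_OFFSET) != 0;
}

/* Demo image (constructed): LBA 0 = MBR with replaced boot code, LBA 60 = the
 * stashed original, first partition at LBA 63, so LBAs 1..62 are the gap. */
void build_demo_disk(void)
{
    uint8_t *e = g_orig_mbr + PT_OFFSET;
    memset(g_disk, 0, sizeof g_disk); memset(g_orig_mbr, 0, sizeof g_orig_mbr);
    memset(g_orig_mbr, 0x90, PT_OFFSET);   /* stand-in for original boot code */
    e[0] = 0x80; e[4] = 0x07;              /* active entry, NTFS-type id      */
    e[8] = 63;   e[12] = 1;                /* lba_start = 63, size = 1 sector */
    g_orig_mbr[SIG_OFFSET] = 0x55; g_orig_mbr[SIG_OFFSET + 1] = 0xAA;
    memcpy(g_disk, g_orig_mbr, SECTOR_SIZE);
    memset(g_disk, 0xCC, PT_OFFSET);       /* "rootkit" boot code at LBA 0    */
    memcpy(g_disk + 60 * SECTOR_SIZE, g_orig_mbr, SECTOR_SIZE);
}

/* Whole method on the demo image: scan, detect, restore, verify.
 * Returns the backup LBA on success, -1 if any step fails. */
int demo_detect_and_restore(void)
{
    uint32_t hits[8];
    build_demo_disk();
    if (scan_hidden_sectors(g_disk, N_SECTORS, hits, 8) != 1)
        return -1;
    const uint8_t *backup = g_disk + (size_t)hits[0] * SECTOR_SIZE;
    if (!boot_code_replaced(g_disk, backup))
        return -1;
    memcpy(g_disk, backup, SECTOR_SIZE);   /* restore LBA 0 from the backup   */
    return memcmp(g_disk, g_orig_mbr, SECTOR_SIZE) == 0 ? (int)hits[0] : -1;
}
```

The structural rule in `looks_like_mbr` is deliberately loose: on a real disk the gap before the first partition can also hold boot-manager code or GPT remnants that carry a 0x55AA signature, so a practitioner would confirm a hit by comparing its partition table with LBA 0 (as `boot_code_replaced` does) before treating it as a stashed original.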
Keywords:
Master Boot Record (MBR),
formal description,
cooperative concealment,
static feature,
static detection,
pattern matching
CLC number: