
Computer Engineering (计算机工程)

• Security Technology •

Main Boot Record Rootkit Modeling and Its Static Detection Method

金戈, 薛质, 齐开悦 (JIN Ge, XUE Zhi, QI Kaiyue)

  1. (Institute of Information Security, Shanghai Jiao Tong University, Shanghai 200240, China)
  • Received: 2014-06-18 Online: 2015-07-15 Published: 2015-07-15
  • About the authors: JIN Ge (born 1990), male, master's student, main research interest: information security; XUE Zhi, professor; QI Kaiyue, associate professor.
  • Funding:
    National Natural Science Foundation of China project "Theory, Technology and Empirical Research on Software Reliability and Security in Cloud Computing Environments" (61332010).

Main Boot Record Rootkit Modeling and Its Static Detection Method

JIN Ge,XUE Zhi,QI Kaiyue   

  1. (Institute of Information Security, Shanghai Jiaotong University, Shanghai 200240, China)
  • Received: 2014-06-18 Online: 2015-07-15 Published: 2015-07-15

Abstract: The Main Boot Record (MBR) Rootkit is a new kind of Rootkit that is highly stealthy and hard to detect. To address this problem, this paper analyzes the key techniques and overall workflow of MBR Rootkits, extends the Trojan cooperative concealment model, introduces the concept of multi-level cooperative concealment, and applies it to a formal description of the MBR Rootkit's concealment mechanism. Targeting the static features of MBR Rootkits, a static detection method is proposed: it performs pattern matching over the data in the hidden sector space to locate the disk-resident data of this class of malicious code, and, based on an analysis of the MBR data format, a pattern matching algorithm is designed and implemented. Experimental results show that the method performs well in detecting a series of samples and that the original MBR backup data can be recovered from the disk-resident data to restore the system.

Keywords: Main Boot Record, formal description, cooperative concealment, static feature, static detection, pattern matching

Abstract: Main Boot Record (MBR) Rootkit is a new kind of Rootkit that is much harder to detect. This paper analyzes the key technical points and the workflow of MBR Rootkit and develops a cooperative concealment model. Two-level cooperative concealment and multiple-level cooperative concealment are proposed. These concealment models are applied to the formal description of the concealing mechanism of MBR Rootkit. A new static detection method is presented, and a corresponding MBR matching algorithm is designed and implemented based on the analysis of the MBR data format. The static method focuses on searching for MBR backup data in hidden disk areas. Experimental results show that the method achieves high detection accuracy, and the MBR backup data found can be used to restore the system.
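The detection idea described in both abstracts, scanning the hidden sector space for MBR-format data and recovering the original MBR from it, as an added Python example that is not the paper's code. It assumes a simplified matching rule: a sector in the gap before the first partition that carries the 0x55AA signature and the same partition table as LBA 0 but different boot code is treated as a candidate backup of the original MBR; the disk image is constructed inline.

```python
import struct
SECTOR = 512

def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte partition
    entries (status, type, start LBA, sector count; CHS bytes zeroed) and 0x55AA."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries).ljust(64, b"\0")
    return boot_code.ljust(446, b"\0")[:446] + table + b"\x55\xaa"

def parse_partitions(sector):
    """Partition entries of an MBR-formatted sector as (status, type, lba, count),
    or None if the signature is missing or the table is not plausible."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    raw = [struct.unpack("<B3sB3sII", sector[446 + 16 * i:462 + 16 * i]) for i in range(4)]
    parts = [(st, ty, lba, n) for st, _, ty, _, lba, n in raw]
    used = [p for p in parts if p[1] != 0]
    if any(st not in (0x00, 0x80) for st, *_ in parts) or not used:
        return None
    if any(lba == 0 or n == 0 for _, _, lba, n in used):
        return None
    return parts

def find_mbr_backups(image):
    """Scan the hidden sectors between LBA 0 and the first partition for a sector
    with the same partition table as LBA 0 but different boot code; return the LBAs."""
    mbr = image[:SECTOR]
    parts = parse_partitions(mbr)
    if parts is None:
        return []
    first_lba = min(lba for _, ty, lba, _ in parts if ty != 0)
    hits = []
    for lba in range(1, min(first_lba, len(image) // SECTOR)):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if parse_partitions(sec) == parts and sec[:446] != mbr[:446]:
            hits.append(lba)
    return hits

def restore_mbr(image, lba):
    """Copy of the image with sector 0 replaced by the backup found at `lba`."""
    return image[lba * SECTOR:(lba + 1) * SECTOR] + image[SECTOR:]

# Constructed sample (not from the paper): one partition at LBA 63, so sectors 1-62 are
# the hidden gap. Sector 0 holds replacement boot code; the original MBR sits at sector 62.
PARTS = [(0x80, 0x07, 63, 1000), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
ORIGINAL_MBR = build_mbr(b"\xfa\x33\xc0" + bytes(range(200)), PARTS)
HOOKED_MBR = build_mbr(b"\xeb\x00" + bytes(200), PARTS)
SAMPLE_IMAGE = HOOKED_MBR + bytes(SECTOR * 61) + ORIGINAL_MBR + bytes(SECTOR * 16)
```

Running `find_mbr_backups(SAMPLE_IMAGE)` reports sector 62, and `restore_mbr` writes that sector back over LBA 0; on a real disk the same scan runs over the raw device and any hit should be verified before restoring.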

Key words: Main Boot Record(MBR), formal description, cooperative concealment, static feature, static detection, pattern matching

CLC number: