Computer and network security and defense are now a widespread concern. Traditional malware analysis techniques face great challenges because malicious software increasingly applies advanced techniques. Malware analysis by means of a sandbox can help analysts quickly understand the behaviour of unknown malware and complements traditional malware analysis techniques. An increasing number of malicious programs, however, are capable of detecting and evading sandboxes. At the same time, detecting malicious software on the basis of the behavioural characteristics identified by a sandbox is under active discussion. Researchers try to distinguish normal software from malicious software as far as possible, but the behavioural characteristics of malicious software are often concealed by the behavioural variation of the vast amount of normal software activity. It is therefore urgent to build an independent sandbox and to form an accurate and highly efficient model by capturing the behavioural characteristics of malicious software.

In this regard, the paper presents a sandbox system, viz. Z-Monitor, that dynamically monitors and analyzes the behaviour of malicious software and is capable of evading anti-sandbox techniques. By tracing and analyzing malicious software behaviour with Z-Monitor, a classification-based detection model can be formed, by which a precise judgement can be made within a limited scope. The paper explores the injection and capture methods of API hooking, applying CreateRemoteThread-based injection and inline code overwriting to build the Z-Monitor sandbox system. The host computer runs Ubuntu Linux; a virtual Windows XP guest runs under VirtualBox. Z-Monitor executes the malicious software, captures all API function calls, and writes a log file for further study.

By analyzing the Z-Monitor results for a number of malicious samples, the paper summarizes common behaviours of malicious software, which helps in preventing it. The paper then presents the classification-based detection approach, which complements the behavioural-characteristic check of malicious software. A number of cyberspace attacks result from vulnerabilities in the parsing of PDF documents. The author monitors Adobe Reader through Z-Monitor and establishes a mathematical model by comparing PDF documents that carry shellcode with normal PDF documents. To determine whether a PDF document contains shellcode, the model selects the feature functions by the mean square error method, uses call frequency as the feature value, and builds the optimal separating hyperplane with an SVM, exploiting its good generalization ability. The test achieves a good result. The model could serve as a reference for broader classification-based detection and, as a dynamic detection model for PDF documents, will also play an important role in practical applications.
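The PDF classification pipeline described above, as an added example that is not code from the paper or from Z-Monitor: it parses constructed sandbox trace lines in an assumed "[pid] ApiName(args)" format (the real Z-Monitor log layout is not given), uses per-run API call frequency as the feature value, ranks APIs by the squared difference of their class-mean frequencies (one reading of the mean-square-error selection), and trains a small linear SVM by hinge-loss subgradient descent in place of an SVM library.

```python
import re
from collections import Counter
# Constructed sandbox traces in an assumed "[pid] ApiName(args)" log format;
# the real Z-Monitor log layout is not given in the abstract.
BENIGN_RUNS = [
    '[1204] CreateFileW("a.pdf")\n[1204] ReadFile(0x4c)\n[1204] ReadFile(0x4c)\n[1204] RegOpenKeyExW("Software")\n[1204] CloseHandle(0x4c)',
    '[1210] CreateFileW("b.pdf")\n[1210] ReadFile(0x50)\n[1210] GetDC(0)\n[1210] ReleaseDC(0)\n[1210] CloseHandle(0x50)',
]
SHELLCODE_RUNS = [
    '[1300] CreateFileW("x.pdf")\n[1300] ReadFile(0x60)\n[1300] VirtualAlloc(0x1000)\n[1300] VirtualProtect(0x40)\n[1300] CreateProcessW("cmd.exe")',
    '[1312] ReadFile(0x64)\n[1312] VirtualAlloc(0x1000)\n[1312] VirtualProtect(0x40)\n[1312] URLDownloadToFileW("http://x")\n[1312] CreateProcessW("x.exe")',
]
LINE = re.compile(r"^\[\d+\]\s+(\w+)\(")

def api_frequencies(log):
    """Relative frequency of each API name in one sandbox run (the feature value)."""
    calls = [m.group(1) for m in map(LINE.match, log.splitlines()) if m]
    return {api: c / len(calls) for api, c in Counter(calls).items()}

def select_features(ben, mal, k):
    """Rank APIs by squared difference of class-mean frequency; keep the top k."""
    mean = lambda fs, a: sum(f.get(a, 0.0) for f in fs) / len(fs)
    apis = {a for f in ben + mal for a in f}
    score = {a: (mean(mal, a) - mean(ben, a)) ** 2 for a in apis}
    return sorted(apis, key=lambda a: (-score[a], a))[:k]

def train_linear_svm(X, y, lam=0.01, lr=0.1, epochs=200):
    """Deterministic hinge-loss subgradient descent: a small linear SVM."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            if yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b) < 1:
                w = [wj - lr * (lam * wj - yi * xj) for wj, xj in zip(w, xi)]
                b += lr * yi
            else:
                w = [wj * (1 - lr * lam) for wj in w]
    return w, b

def build_model(k=4):
    ben = [api_frequencies(r) for r in BENIGN_RUNS]
    mal = [api_frequencies(r) for r in SHELLCODE_RUNS]
    feats = select_features(ben, mal, k)
    X = [[f.get(a, 0.0) for a in feats] for f in ben + mal]
    w, b = train_linear_svm(X, [-1] * len(ben) + [1] * len(mal))
    return feats, w, b

def classify(log, feats, w, b):
    """Sign of the decision value for a new trace: +1 shellcode PDF, -1 normal PDF."""
    x = [api_frequencies(log).get(a, 0.0) for a in feats]
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b > 0 else -1
```

With only a handful of constructed runs the selected features and the hyperplane are illustrative; the paper's model is trained on real Adobe Reader traces.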