Network monitoring shows that USB flash drives (U disks) have become a major transmission channel for Trojans and viruses. Some of this malicious code has caused significant impact and serious losses, and a large portion of it spreads, or steals data, via removable storage devices.

Detection of such malicious code currently has a weakness: antivirus software is designed for the general public, and its detection of malicious code that spreads or steals data via removable storage devices relies mainly on the features of known samples, so its ability to detect unknown malicious code of this specific kind is weak. Tracking and investigating such malicious code has its own problem: the main tracking technique relies on analyzing network packets, which limits it greatly.

This thesis studies the attack principles of malicious code that uses removable storage devices to steal data or to spread, and the techniques for detecting it. Drawing on the analysis of a malicious-code tracking case, it proposes a way of tracking malicious code by automatically extracting feature information and associating it with a tracking database. The thesis first analyzes in depth the "Stuxnet" virus, the "Flame" virus, the "U disk killer" and a series of other malicious code, together with Kaspersky's tracking and investigation of Winnti. It then proposes a complete defense platform that combines kernel monitoring, in-depth PE file analysis and a tracking database; the resulting system can detect, analyze and track the specific malicious code that spreads or steals data via removable storage devices.

The experiments show that the system detects all file-operation behavior of the specific Trojans that spread malicious code or steal data via removable storage devices. Compared with current antivirus software, the system can effectively detect unknown malicious code of this specific kind, and it can automatically extract information of traceable reference value.
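The abstract describes three cooperating parts: a kernel monitor that records file operations on removable media, an in-depth PE analysis that extracts feature information from dropped executables, and a tracking database that those features are matched against. The following Python block is an added illustration of the user-mode half of that design; it is not the thesis's own code. It assumes a hypothetical monitor event format (`op=... proc=... pid=... drive=... path=...`), builds a constructed minimal PE image rather than reading a real sample, and uses a constructed tracking database; the kernel filter that would produce the events is not shown.

```python
import hashlib
import struct
from collections import Counter
from dataclasses import dataclass


@dataclass
class PEFeatures:
    sha256: str
    machine: int
    timestamp: int      # COFF TimeDateStamp (link time), a common tracking feature
    sections: list      # (name, raw_size, characteristics) per section


def extract_pe_features(data: bytes) -> PEFeatures:
    """Parse the DOS header, COFF header and section table of a PE image
    without executing it, and return the fields worth keeping as features."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size       # 4 (signature) + 20 (COFF) + optional header
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i               # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size = struct.unpack_from("<I", data, off + 16)[0]
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, raw_size, chars))
    return PEFeatures(hashlib.sha256(data).hexdigest(), machine, stamp, sections)


# Constructed tracking database: feature value -> label of the earlier case it was
# seen in. In a real deployment these entries come from previously analyzed samples.
TRACKING_DB = {
    "section_name": {".stub": "case-A (constructed)"},
    "timestamp": {0x4A5BC3F1: "case-A (constructed)"},
}


def correlate(features: PEFeatures, db=TRACKING_DB):
    """Associate extracted features with earlier cases in the tracking database."""
    hits = []
    for name, _, _ in features.sections:
        if name in db["section_name"]:
            hits.append(("section_name", name, db["section_name"][name]))
    if features.timestamp in db["timestamp"]:
        hits.append(("timestamp", features.timestamp, db["timestamp"][features.timestamp]))
    return hits


def build_sample_pe(timestamp: int, section_names) -> bytes:
    """Construct a minimal, non-runnable PE32 image for the demonstration (constructed input)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header follows the DOS header
    opt = bytes(224)                             # PE32 optional header, zero-filled
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, len(opt), 0x0102)
    secs = b"".join(
        n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                                        0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


# Constructed events in a hypothetical monitor format; a real system would receive
# them from the kernel file-system monitor, which is not part of this example.
SAMPLE_EVENTS = [
    "op=CREATE proc=svchost.exe pid=412 drive=REMOVABLE path=E:\\autorun.inf",
    "op=WRITE proc=svchost.exe pid=412 drive=REMOVABLE path=E:\\RECYCLER\\update.exe",
    "op=READ proc=winword.exe pid=900 drive=REMOVABLE path=E:\\report.docx",
    "op=READ proc=svchost.exe pid=412 drive=REMOVABLE path=E:\\plan.docx",
    "op=READ proc=svchost.exe pid=412 drive=REMOVABLE path=E:\\budget.xls",
    "op=READ proc=svchost.exe pid=412 drive=REMOVABLE path=E:\\notes.txt",
    "op=WRITE proc=explorer.exe pid=1200 drive=FIXED path=C:\\Temp\\setup.exe",
]

EXEC_EXT = {"exe", "dll", "scr", "inf", "lnk"}
DOC_EXT = {"doc", "docx", "xls", "xlsx", "pdf", "txt"}


def analyze_events(lines, read_threshold=3):
    """Flag the two behaviors the abstract targets on removable media: dropping
    executable or autorun files (spreading) and one process reading many
    documents (data theft). Returns (pid, proc, reason, detail) tuples."""
    alerts, reads = [], Counter()
    for line in lines:
        ev = dict(tok.split("=", 1) for tok in line.split())
        if ev["drive"] != "REMOVABLE":
            continue
        ext = ev["path"].lower().rsplit(".", 1)[-1]
        key = (ev["pid"], ev["proc"])
        if ev["op"] in ("CREATE", "WRITE") and ext in EXEC_EXT:
            alerts.append(key + ("executable or autorun file dropped on removable media", ev["path"]))
        elif ev["op"] == "READ" and ext in DOC_EXT:
            reads[key] += 1
            if reads[key] == read_threshold:
                alerts.append(key + ("bulk document read from removable media", f"{read_threshold} files"))
    return alerts


if __name__ == "__main__":
    feats = extract_pe_features(build_sample_pe(0x4A5BC3F1, [b".text", b".stub"]))
    print(feats.sha256, hex(feats.timestamp), feats.sections)
    print(correlate(feats))
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

The parser deliberately stops at the section table: link timestamp, section names and section sizes are cheap, deterministic features that survive simple repacking and are therefore useful keys for a tracking database, while anything that requires loading the image is left to a sandbox. The event rules key on the process rather than the file, so that a bulk read by one process is distinguished from a user opening a single document.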