Berlin
Published 2025-04-10

Malicious Software

Definition and Classification of Malware

Malicious software, or malware, is any software intentionally designed to cause damage, infiltrate, steal, disrupt, or control computer systems.

Classification by propagation:

  1. Infection mechanisms: a virus spreads by infecting existing executable or interpreted content, which is then propagated to other systems.

  2. Exploiting vulnerabilities: worms exploit software vulnerabilities to replicate themselves either locally or across a network.

  3. Social engineering attacks: attackers deceive users into bypassing security mechanisms, for example to install trojans or to respond to phishing attacks.

Classification by payload:

  1. Data or system corruption: malware damages the target by deleting or modifying files, operating system components, or other resources.

  2. Theft of service: the infected system is turned into a zombie agent of attack as part of a botnet.

  3. Theft of information: malware steals personal information, especially login names, passwords, and other sensitive data, often through keylogging or spyware.

  4. Stealthing: hiding the presence of the malware, as rootkits do by altering system processes or files so that they remain undetected.

Blended attack:

Uses multiple methods of infection or propagation to maximize the speed of contagion and the severity of the attack.

Distinction (replicating vs. non-replicating malware):

Attack Kits and Sources

Attack Kits / Crimeware

Initially, creating and deploying malware required significant technical skill from its authors. This changed with the appearance of virus-creation toolkits in the early 1990s and of more general attack kits in the 2000s, commonly referred to as crimeware.

These toolkits include a variety of propagation mechanisms and payload modules, allowing even novices to combine, select, and deploy malware.

The kits can also be customized with the latest discovered vulnerabilities, to exploit the window of opportunity between the discovery of a weakness and the deployment of the patches that close it.

Evolution of attacker types: from individual hackers to organized hacker groups, criminal organizations, and state-sponsored agencies.

Attack Sources

As malware has developed, its authors have shifted from individual hackers to organized and more dangerous sources of attack, including:

  • Politically motivated attackers

  • Criminal organizations

  • Providers of professional attack services

  • National government agencies

As attackers' resources have grown and their motives have become more complex, malware development and the underground economy around it have expanded: attack kits, access to compromised hosts, and stolen information are all traded there.


Advanced Persistent Threat (APT)

An APT is a targeted, long-term, stealthy attack that uses multiple vectors to infiltrate high-value targets.

Examples include Stuxnet, Aurora, and APT1.

The three characteristics of APTs:

  1. Advanced
    The individual components are not necessarily technically advanced, but they are carefully selected to suit the chosen target.

  2. Persistent
    The attacks are applied with determination over an extended period against the chosen target, to maximize the chance of success.

  3. Threat
    The targets face a deliberate threat from organized, capable, and well-funded attackers intent on compromising the specifically chosen targets.


Viruses

A computer virus is a parasitic software fragment that attaches itself to existing executable content.

Viruses can "infect" other programs or any type of executable content by modifying them to include a routine that replicates the virus code, spreading the infection to further files or systems.

One reason viruses dominated the malware scene in earlier years was the lack of user authentication and access controls on personal computer systems.

Virus Structure

  • Infection mechanism
    The means by which a virus spreads or propagates, also known as the infection vector.

  • Trigger
    The event or condition that determines when the payload is activated or delivered; also known as a logic bomb.

  • Payload
    What the virus does besides spreading; this may be destructive activity, or activity that is benign but noticeable.

Virus Phases

  • A typical virus goes through the following four phases in its lifetime:

    1. Dormant phase
      The virus is idle and awaits activation by some event. Not all viruses have this phase.

    2. Propagation phase
      The virus places a copy of itself into other programs or into specific system areas on the disk.

    3. Triggering phase
      The virus is activated by a specific condition or event and begins to perform its intended function.

    4. Execution phase
      The payload is performed; this may include deleting files, displaying messages, or other effects.

By Target

  • Viruses can be classified by the target they infect into the following categories:

    1. Boot sector infector
      Infects the master boot record (MBR) or boot sector, and spreads when the system is booted from the infected disk.

    2. File infector
      Infects files that the operating system or shell considers to be executable.

    3. Macro virus
      Infects files that contain macro or scripting code interpreted by an application.

    4. Multipartite virus
      Infects files in multiple ways.

By Concealment Strategy

Viruses can also be classified by how they conceal themselves:

  1. Encrypted virus
    A portion of the virus creates a random encryption key and encrypts the remainder of the virus. Each time the virus replicates, a different random key is selected.

  2. Stealth virus
    A form of virus explicitly designed to hide itself from detection by antivirus software.

  3. Polymorphic virus
    A virus that mutates with every infection, making detection by the "signature" of the virus impossible.

  4. Metamorphic virus
    A virus that rewrites itself completely at each iteration, increasing the difficulty of detection. It may change its behavior as well as its appearance.


Macro and Scripting Viruses

Macro viruses infect scripting code embedded in the many user document types that support active content. Their propagation characteristics:

  • Platform independent: macro viruses do not depend on a specific platform.

  • Easy to spread: they infect documents rather than executable files.

  • Commonly shared: documents are shared frequently in everyday use, which lets macro viruses spread easily.

  • Limited control by file system access: since macro viruses infect user documents rather than system programs, traditional file system access controls have limited effect in preventing their spread.


Worms

A worm is a program that actively seeks out more machines to infect.

Unlike viruses, worms are self-contained executables and do not need to attach themselves to existing host files.

Upon activation, a worm may:

  • Replicate itself and propagate again

  • Use network facilities to access remote systems

A worm typically uses these mechanisms to replicate:

  • Email or instant messenger

  • File sharing

  • Remote execution capability

  • Remote file access or transfer

  • Remote login capability

Worm Phases

Like viruses, worms typically pass through the following phases:

  1. Dormant: the worm is idle and has not yet started.

  2. Propagation: it searches for and infects remote hosts.

  3. Triggering: it is activated by some event or point in time.

  4. Execution: it performs its payload, which may be destructive or may steal data.

During the propagation phase, the worm typically performs:

  • Search for suitable remote access mechanisms, such as host tables, address books, and lists of trusted peers.

  • Transfer a copy of itself to remote systems via the mechanisms found, and cause it to execute there.

Target Discovery

During propagation a worm must locate new systems to infect; this process is called scanning or fingerprinting.

Network scanning strategies include:

  1. Random scanning
    Each infected host probes random addresses in the IP address space, using different seeds.

    • Advantage: simple, and spreads quickly

    • Drawback: easily detected, and the high traffic volume can cause large-scale network congestion

  2. Hit-list scanning
    The attacker prepares a list of vulnerable machines in advance and distributes it to infected systems for rapid propagation.

  3. Topological scanning
    Uses information already present on the infected host, such as the browser cache or contact (buddy) lists, to find related systems to infect.

  4. Local subnet scanning
    Infected hosts behind a firewall scan their own local network for targets using subnet addressing, bypassing the firewall's protection.

The Morris Worm

The Morris worm was the first worm to gain significant notoriety on the Internet. It was released by Robert Morris in 1988.

It targeted UNIX systems and used several techniques to propagate across networks.

How it worked:

  • When the worm began execution, it first discovered other hosts known to the infected system.

  • For each discovered host, it tried several methods to gain access:

    1. Attempted to log in as a legitimate user by guessing passwords

    2. Exploited a bug in the UNIX finger protocol

    3. Exploited a trapdoor in the debug option of the sendmail service

The Morris worm ended up infecting and disrupting around 6,000 machines, roughly 10% of the Internet at the time.


Worm Technology

As networks and operating systems have developed, worms have evolved advanced techniques to increase infection speed, coverage, and stealth.

Key features:

  1. Multiplatform
    Able to attack a variety of operating systems and hardware platforms (e.g., Windows, Linux, macOS).

  2. Multi-exploit
    Uses multiple types of exploits (web, email, file sharing, etc.) to infect systems.

  3. Ultrafast spreading
    Uses high-speed scanning and concurrent propagation techniques to infect as many systems as possible in a short period.

  4. Polymorphic
    Each copy has different code, using encryption and functionally equivalent instructions to evade detection.

  5. Metamorphic
    Changes its behavior as well as its structure, adapting its propagation strategy to its environment to avoid pattern-based detection.

  6. Transport vehicles
    Worms serve as effective delivery mechanisms for malicious payloads such as ransomware, backdoors, or spyware.

  7. Zero-day exploits
    Exploits previously unknown ("zero-day") vulnerabilities, achieving surprise and large-scale spread before the security community notices and patches are available.


Mobile Code

Mobile code refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics; it is transferred from a remote system to the local system and executed there, often without explicit instruction from the user.

Mobile code often acts as a mechanism for transmitting viruses, worms, or Trojan horses. It is commonly transmitted via:

  • Interactive and dynamic websites

  • Email attachments

  • Downloads from untrusted sites

Common types of mobile code include:

  • Java Applets

  • ActiveX

  • JavaScript

  • VBScript

These mobile code types can perform malicious actions, such as installing malware, stealing data, or taking control of the system.

Web-Based Threats

Drive-by-downloads

Drive-by-downloads exploit browser vulnerabilities so that when the user visits a web page controlled by the attacker, malicious code is downloaded and installed without the user's knowledge.

This attack does not actively propagate like a worm; it waits for unsuspecting users to visit the malicious page and then spreads to their systems.

Watering-hole attacks

Watering-hole attacks are a variant of drive-by-downloads. The attacker researches the intended victims to identify websites they are likely to visit, then scans those sites for vulnerabilities that allow them to be compromised and seeded with malicious code for a drive-by-download attack.

Malvertising

In malvertising, the attacker pays for advertisements that are highly likely to appear on the targeted websites, with the goal of spreading malware through those ads.

Even if the target website itself is not compromised, the ad can be the vehicle for malware.

Clickjacking

Clickjacking is an attack in which the attacker tricks the user into clicking on a hidden page element, thereby performing an unauthorized action such as visiting a malicious link or granting unwanted permissions.

The attack typically uses transparent layers or nested (framed) web pages to disguise the malicious elements, so that the user clicks on them unknowingly.
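Because clickjacking depends on the target page being loaded inside an attacker-controlled frame, the standard defense is for the page to tell browsers it must not be framed, via the CSP frame-ancestors directive or the older X-Frame-Options header. The following is an added example (not code from the original notes) that audits a set of response headers for this protection; the URLs and header values are constructed for the demo, and the classification labels are this example's own.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example: classifies whether a response forbids being embedded in a
frame, using the CSP frame-ancestors directive (which browsers honour in
preference to X-Frame-Options) and the legacy X-Frame-Options header as a
fallback. The sample responses are constructed, not captured from real sites.
"""


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_policy(headers):
    """Classify one response's framing policy.

    Returns one of:
      "deny"        no site may frame the page
      "sameorigin"  only same-origin pages may frame it
      "restricted"  an explicit allow-list of framing origins
      "allowed"     nothing prevents framing, so the page is clickjacking-exposed
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if ancestors in (["'none'"], []):   # an empty source list matches nothing
                return "deny"
            if ancestors == ["'self'"]:
                return "sameorigin"
            return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # Header missing, or the obsolete ALLOW-FROM form that current browsers ignore.
    return "allowed"


def audit(responses):
    """Map each URL in {url: headers} to its framing policy."""
    return {url: framing_policy(headers) for url, headers in responses.items()}


# Constructed sample responses (hypothetical hosts, not real sites).
SAMPLE_RESPONSES = {
    "https://bank.example/transfer": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "https://intranet.example/dash": {"X-Frame-Options": "SAMEORIGIN"},
    "https://widgets.example/embed": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"
    },
    "https://legacy.example/vote": {"X-Frame-Options": "ALLOW-FROM https://old.example"},
    "https://blog.example/post": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:10s} {url}")
```

The "allowed" verdict is the one to act on: any page that performs a state-changing action on a click (transfers, votes, permission grants) should return at least frame-ancestors 'self' or X-Frame-Options: SAMEORIGIN. The audit only reads headers; it does not check whether a page additionally uses script-based frame busting, which is weaker and not a substitute.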

Spam

Spam refers to unsolicited bulk email, often carrying advertisements, malicious links, or malicious attachments.

Spam is one of the major vehicles for distributing malware.

Risks of spam:

  • Sent by botnets

  • Carries malicious attachments

  • Used for phishing attacks

The high volume and widespread nature of spam make it an ideal vehicle for malware and social engineering attacks.


Trojan Horses

A Trojan horse is a seemingly legitimate, normal, or useful program or utility that contains hidden malicious code; when executed it performs unwanted or harmful actions, such as damaging the system or violating the user's privacy.

Attackers use Trojan horses to indirectly accomplish tasks that they could not perform directly.

Three behavioral models of Trojan horses:

  1. Continues to perform the original program's function while also performing a separate malicious activity.

  2. Continues to perform its original function but quietly modifies it to hide or assist other malicious activity.

  3. Completely replaces the original functionality with malicious activity.

Payload – System Corruption

Once malware is active on the target system, the next concern is what destructive actions it will take.

Examples of system corruption:

  • Data destruction: deleting or corrupting data on the infected system when certain trigger conditions are met.

  • Display disruption: displaying unwanted messages, advertisements, or fake warnings on the user's system.

  • Ransomware: encrypting user data and demanding payment to provide the decryption key.

  • Real-world damage: inflicting damage on physical systems, for example by modifying the BIOS or industrial control software.

  • Logic bomb: embedded code that "explodes" when specific conditions are met, performing malicious acts.

These destructive payloads are highly impactful and often stealthy, making them a key concern for system security.


Botnets

A botnet is a network of computers, typically referred to as "bots" or "zombies," that have been infected by malware and are under the control of an attacker.

The infected computers are used to perform various tasks, directed remotely by the attacker.

Uses of botnets:

  1. Distributed denial-of-service (DDoS) attacks
    Flooding a system with traffic to make it unavailable to legitimate users.

  2. Spamming
    Sending unsolicited bulk email, often used to spread more malware or carry out phishing attacks.

  3. Sniffing traffic
    Capturing sensitive information such as passwords or credit card numbers from network traffic.

  4. Keylogging
    Logging keystrokes to steal sensitive personal information such as login credentials.

  5. Spreading new malware
    Using the botnet to deploy or spread other types of malware.

  6. Attacking IRC networks
    Conducting clone attacks against, or otherwise disrupting, Internet Relay Chat (IRC) networks.

  7. Manipulating online polls or games
    Using the bots to manipulate the results of online polls or games.

Remote control facility

Unlike worms, the bots in a botnet are controlled from a central facility.

A common control method is an IRC (Internet Relay Chat) server through which the infected hosts are managed.

More recent botnets use covert communication channels, such as HTTP, to control the bots.

Distributed control mechanisms, such as P2P protocols, are also used to avoid single points of failure.


Payload – Information Theft

A common malware payload is information theft: sensitive user data such as login credentials, financial data, and personal details are stolen.

Common information theft techniques:

  1. Keyloggers
    Capture keystrokes so that the attacker can monitor user login credentials and other sensitive information.

  2. Spyware
    Monitors and records user activity on the infected machine, including browsing habits and personal details.

  3. Social engineering attacks
    Attackers disguise themselves as trustworthy sources to trick users into revealing sensitive information.

  4. Phishing
    A form of social engineering in which the attacker masquerades as a trusted entity, such as a bank or social media platform, to trick the user into submitting sensitive information.

  5. Spear phishing
    A more targeted version of phishing, in which attackers carefully craft messages for a specific individual or group based on gathered information.

These techniques are all aimed at stealing personal information and are commonly used for identity theft, financial fraud, and other malicious activity.

Payload – Stealthing

Some malware is designed to conceal its presence in order to avoid detection and thwart defensive mechanisms.

Common stealthing techniques:

  1. Backdoor
    A backdoor, also known as a trapdoor, is a secret entry point that allows an attacker to bypass the normal security access procedures.

  2. Rootkit
    A rootkit is a set of programs installed on the target system to maintain covert access with administrator (root) privileges, while hiding evidence of its presence as far as possible.

Rootkit classification

  1. Persistent
    Activates every time the system boots, maintaining uninterrupted covert access.

  2. Memory-based
    Has no persistent code and therefore cannot survive a reboot.

  3. User mode
    Intercepts calls to application programming interfaces (APIs) and modifies the returned results.

  4. Kernel mode
    Intercepts calls to native APIs and modifies behavior at the operating system kernel level.

  5. Virtual machine-based
    Installs a lightweight virtual machine monitor and runs the operating system in a virtual machine above it.

Malware Countermeasures

To counter the threats posed by malware effectively, a range of prevention, detection, identification, and removal measures must be implemented.

Prevention

The first line of defense is to ensure that systems are kept up to date, with all patches applied, to mitigate known vulnerabilities.

The next measure is to set appropriate access controls on the applications and data stored on the system, limiting access and thereby reducing the potential for infection.

Appropriate user awareness training should also be used to reduce the risk of infection through social engineering attacks such as phishing email.


Malware Mitigation Technologies

If prevention fails, technical measures can be used to support the following threat mitigation options:

  1. Detection
    Using real-time monitoring, scanning tools, and behavioral analysis to detect malware activity.

  2. Identification
    Determining the type of malware, its propagation methods, and its potential impact, so that targeted countermeasures can be taken.

  3. Removal
    Once malware is detected, steps must be taken to remove it from the infected systems.

Requirements for effective malware countermeasures

  1. Generality
    Countermeasures must apply to a wide range of malware and its variants, not just to a specific type.

  2. Timeliness
    Detection and response must be fast enough to prevent malware from causing significant damage.

  3. Resiliency
    Systems and countermeasures should be able to withstand attacks and continue to function effectively.

  4. Transparency
    Countermeasures should be clear and easy to operate, and should not interfere with normal business operations.

  5. Global and local coverage
    Defenses should provide both global and local coverage so that all systems are protected.


Host-Based Scanners

Host-based scanners are antivirus software installed on the protected host. They have evolved through four generations, each adding different detection techniques.

The four generations of antivirus software

  1. First generation: simple scanners
    Require malware signatures to identify malicious software.

  2. Second generation: heuristic scanners
    Use heuristic rules to search for probable malware instances.

  3. Third generation: activity traps
    Memory-resident programs that identify malware by its actions rather than by its structure in an infected program.

  4. Fourth generation: full-feature protection
    Packages that combine a variety of antivirus techniques into a complete protection suite.
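The encrypted virus described under "By Concealment Strategy" and the first-generation scanner described here are two sides of one problem: a signature taken from the virus body cannot match a body that is stored encrypted under a fresh key, but the decryptor that the virus must carry in the clear does not change, so it can be signatured or emulated. The block below is an added example, not code from the original notes or from any antivirus product: it models file images as byte strings only, and the "virus body", "decryptor stub", and XOR "encryption" are all constructed stand-ins. The scanner functions and the entropy heuristic are this example's own.

```python
"""Why a first-generation signature scanner misses an encrypted virus body, and
how the invariant decryptor stub gives the scanner its foothold back.

Added example, not code from the page. Everything is constructed: the "virus
body" is an ASCII string, the "decryptor stub" is a labelled byte marker, and
the "encryption" is XOR with a seeded pseudo-random keystream. Nothing here
executes or infects anything; it only inspects byte strings.
"""
import math
import random

PLAIN_BODY = b"CONSTRUCTED-VIRUS-BODY: infection routine, trigger, payload (toy)"
STUB_MARKER = b"\x00DECRYPT-STUB\x00"   # stands in for the invariant decryptor code

# Signature database of a simple scanner: name -> byte pattern.
SIGNATURES = {
    "toy.body": b"CONSTRUCTED-VIRUS-BODY",   # matches only the plaintext body
    "toy.stub": STUB_MARKER,                  # matches the part that never changes
}


def keystream(seed, length):
    """Deterministic pseudo-random key bytes; the seed plays the role of the
    per-infection random key that an encrypted virus stores next to its stub."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def xor_bytes(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def constructed_sample(seed=None):
    """Build a constructed file image.

    seed=None : unencrypted variant, HEADER || body
    otherwise : encrypted variant, HEADER || stub || 2-byte seed || (body XOR keystream)
    """
    if seed is None:
        return b"HEADER" + PLAIN_BODY
    enc = xor_bytes(PLAIN_BODY, keystream(seed, len(PLAIN_BODY)))
    return b"HEADER" + STUB_MARKER + seed.to_bytes(2, "big") + enc


def signature_scan(data, sigs=SIGNATURES):
    """First-generation scanner: report every signature found verbatim."""
    return sorted(name for name, pattern in sigs.items() if pattern in data)


def shannon_entropy(data):
    """Bits per byte; a crude second-generation heuristic, since encrypted
    regions look random while ordinary code and text do not."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def generic_decrypt_scan(data, sigs=SIGNATURES):
    """What a generic-decryption engine achieves: recognise the stub, recover
    the key it carries, decrypt the body, and rescan the plaintext."""
    found = set(signature_scan(data, sigs))
    pos = data.find(STUB_MARKER)
    if pos >= 0:
        key_at = pos + len(STUB_MARKER)
        seed = int.from_bytes(data[key_at:key_at + 2], "big")
        body = data[key_at + 2:]
        found.update(signature_scan(xor_bytes(body, keystream(seed, len(body))), sigs))
    return sorted(found)


if __name__ == "__main__":
    plain, encrypted = constructed_sample(), constructed_sample(seed=4242)
    print("plaintext   :", signature_scan(plain), round(shannon_entropy(plain), 2))
    print("encrypted   :", signature_scan(encrypted), round(shannon_entropy(encrypted), 2))
    print("decrypt+scan:", generic_decrypt_scan(encrypted))
```

Two caveats a practitioner should keep in mind. Real generic-decryption engines do not know the key layout in advance; they emulate the stub in a sandboxed CPU until the body is in the clear, which is what makes this approach fail against metamorphic code that has no fixed stub. And the entropy heuristic is only indicative: compressed or legitimately encrypted data scores just as high, while XOR with a single repeated byte is a permutation of byte values and leaves the entropy unchanged, which is why the example uses a keystream rather than a one-byte key.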


Host-Based Behavior-Blocking Software

Host-based behavior-blocking software integrates with the host's operating system and monitors program behavior in real time to block potentially malicious actions.

Because it can block suspicious software as it acts, before the effects of the malicious code take hold, it has an advantage over traditional detection methods such as signature-based scanning.

Limitations

  • Since the malicious code must run on the target machine for some time before its behavior can be identified, it may cause harm before it is detected.

Perimeter Scanning Approaches

To prevent malware from spreading within an organization's network, antivirus and detection systems are commonly deployed at the network perimeter, alongside firewalls and intrusion detection systems (IDS).

Common deployments include:

  • Antivirus engines embedded in email gateways and web proxy servers, scanning incoming and outgoing content.

  • Antivirus modules integrated into the traffic analysis components of an IDS, to detect suspicious behavior in network traffic.


Two types of monitoring software:

  1. Ingress monitors
    Located at the border between the enterprise network and the Internet, to block incoming attack traffic.

    • These can be part of the ingress-filtering software on border routers or firewalls, or standalone passive monitors.

  2. Egress monitors
    Located at LAN or enterprise network egress points, to detect malware-related traffic coming from internal hosts.

    • They monitor outbound traffic for signs of scanning or other suspicious behavior, helping to identify infected systems.


Worm Countermeasures

To address the propagation characteristics of worms, researchers have proposed several classes of defense mechanisms. These are typically deployed on perimeter devices such as firewalls, IDSs, or proxy servers.

Six classes of worm defense techniques:

  1. Class A: Signature-based worm scan filtering

    • Uses worm scan signatures to block scanning traffic entering or leaving the network or host.

  2. Class B: Filter-based worm containment

    • Similar to class A, but focuses on the worm's content itself rather than on the characteristics of its scanning behavior.

  3. Class C: Payload-classification-based worm containment

    • A network-level mechanism that examines packets to determine whether they contain worm payloads, and blocks them accordingly.

  4. Class D: Threshold random walk (TRW) scan detection

    • Detects scanners by analyzing the randomness of the destination addresses a host connects to.

  5. Class E: Rate limiting

    • Limits the rate of scan-like traffic from a host to slow down worm propagation.

  6. Class F: Rate halting

    • Immediately blocks outgoing traffic once the connection rate or the diversity of destination addresses exceeds a threshold.
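Classes D and F above, and the egress monitors described under "Perimeter Scanning Approaches", all reduce to the same observable: a scanning host makes first contact with many new addresses, and most of those attempts fail. The block below is an added example (not code from the original notes) that implements both ideas over a constructed connection log: the threshold random walk of Jung et al. (2004), where each first contact moves a likelihood ratio toward "scanner" on failure and toward "benign" on success, and a rate-halting rule that stops a host once it touches too many new destinations in a short window. The parameter values, the two hosts, and the log lines are all assumptions constructed for the demo.

```python
"""Threshold Random Walk (TRW) scan detection plus rate halting, run over a
constructed connection log.

Added example (not from the page). TRW treats each first contact from a source
to a new destination as one step of a sequential hypothesis test: failed
connections multiply the likelihood ratio toward "scanner", successful ones
toward "benign", and a decision is made once either threshold is crossed.
The constants are the commonly quoted defaults and are assumptions here.
"""
from collections import defaultdict

THETA0 = 0.8   # P(first contact succeeds | benign host)
THETA1 = 0.2   # P(first contact succeeds | scanning host)
ALPHA = 0.01   # tolerated false-positive rate
BETA = 0.99    # desired detection probability
ETA1 = BETA / ALPHA               # upper threshold: declare "scanner" (99)
ETA0 = (1 - BETA) / (1 - ALPHA)   # lower threshold: declare "benign" (about 0.0101)

# Constructed log: (time_s, src, dst, connection_succeeded). Hypothetical hosts.
CONNECTION_LOG = [
    (0.0, "10.0.0.5", "10.0.1.10", True),
    (0.1, "10.0.0.9", "10.0.2.1", False),
    (0.2, "10.0.0.9", "10.0.2.2", False),
    (0.3, "10.0.0.9", "10.0.2.3", True),
    (0.4, "10.0.0.9", "10.0.2.4", False),
    (0.5, "10.0.0.5", "10.0.1.10", True),   # repeat contact: not a first contact
    (0.5, "10.0.0.9", "10.0.2.5", False),
    (0.6, "10.0.0.9", "10.0.2.6", False),
    (0.7, "10.0.0.9", "10.0.2.7", False),
    (1.0, "10.0.0.5", "10.0.1.11", True),
    (1.5, "10.0.0.5", "10.0.1.12", False),
    (2.0, "10.0.0.5", "10.0.1.13", True),
    (2.5, "10.0.0.5", "10.0.1.14", True),
    (3.0, "10.0.0.5", "10.0.1.15", True),
]


def trw_detect(events):
    """Return {src: (verdict, decision_time)} with verdict in
    "scanner" / "benign" / "undecided" (decision_time is None if undecided)."""
    contacted = defaultdict(set)
    ratio = defaultdict(lambda: 1.0)
    decided = {}
    for t, src, dst, ok in sorted(events):
        if src in decided or dst in contacted[src]:
            continue               # already classified, or not a first contact
        contacted[src].add(dst)
        ratio[src] *= THETA1 / THETA0 if ok else (1 - THETA1) / (1 - THETA0)
        if ratio[src] >= ETA1:
            decided[src] = ("scanner", t)
        elif ratio[src] <= ETA0:
            decided[src] = ("benign", t)
    return {src: decided.get(src, ("undecided", None)) for src in contacted}


def rate_halting(events, window=1.0, max_new_dsts=4):
    """Class F style rule: halt a source the moment it makes first contact with
    more than max_new_dsts distinct destinations inside any `window` seconds.
    Returns {src: halt_time or None}."""
    first_contact_times = defaultdict(list)
    contacted = defaultdict(set)
    halted = {}
    for t, src, dst, _ok in sorted(events):
        if src in halted or dst in contacted[src]:
            continue
        contacted[src].add(dst)
        times = first_contact_times[src]
        times.append(t)
        while times and times[0] <= t - window:   # slide the window forward
            times.pop(0)
        if len(times) > max_new_dsts:
            halted[src] = t
    return {src: halted.get(src) for src in contacted}


if __name__ == "__main__":
    for src, (verdict, when) in trw_detect(CONNECTION_LOG).items():
        print(f"TRW  {src}: {verdict} at t={when}")
    for src, when in rate_halting(CONNECTION_LOG).items():
        print(f"HALT {src}: {'halted at t=%s' % when if when is not None else 'not halted'}")
```

With these parameters a host is declared a scanner after four consecutive failed first contacts (4^4 = 256 exceeds 99) and benign after four consecutive successes, so the scanning host is flagged at t=0.6 while the ordinary host, despite one failure, is cleared at t=3.0. The rate-halting rule acts even earlier, at t=0.5, but is blind to slow scanners, which is why the two are complementary. Both need the monitor to know whether a connection succeeded, which in practice means tracking SYN/ACK responses or connection state at the egress point.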

Distributed Denial of Service Attacks (DDoS)

A distributed denial-of-service (DDoS) attack overwhelms a target computer, service, or network with large volumes of malicious traffic, so that it can no longer serve legitimate users.

Attackers launch DDoS attacks by controlling a large number of compromised hosts (a botnet). These hosts send an overwhelming number of requests to the target system, so that it cannot respond to legitimate users' requests.

Classification of DDoS attacks

DDoS attacks can be classified by the type of resource they consume:

  1. Internal host resource consumption
    The attack consumes the target system's internal computing resources (e.g., CPU, memory) to render it unresponsive.

  2. Data transmission capacity consumption
    The attack consumes the target network's transmission bandwidth, preventing legitimate traffic from getting through.


DDoS countermeasures

DDoS defense can generally be divided into three stages:

  1. Before the attack: prevention and preemption
    Deploying firewalls, traffic analysis tools, load balancers, and similar technologies to prepare defenses before an attack starts, limiting the impact at its onset.

  2. During the attack: detection and filtering
    Real-time monitoring detects abnormal traffic patterns, so that malicious traffic can be identified quickly and filtered out while legitimate service continues.

  3. After the attack: source traceback and identification
    Tracing the source IP addresses and analyzing the traffic path helps identify the attacker's true location and prepares defenses for future incidents.


Three lines of defense against DDoS

  1. Attack prevention and preemption (before the attack)
    These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients.

  2. Attack detection and filtering (during the attack)
    These mechanisms detect the attack as it begins and respond immediately, stopping the malicious traffic from doing further harm.

  3. Attack source traceback and identification (during and after the attack)
    An attempt to identify the source of the attack as a first step toward preventing future attacks.

