Implicit-Flow-Sensitive Method for Detection of Trojan-Spy Programs

Abstract

提出了一种隐式流敏感的木马间谍程序检测方法.采用静态分析方式,具有更高的代码覆盖率;同时结合了数据流分析对间接跳转的目标进行计算;并且基于分支条件的操作语义,使用了针对木马间谍程序检测的改进的污点标记规则.应用该方法分析了103个真实的恶意代码样本和7个合法软件,并与现有方法进行了对比.实验结果表明,在进行木马间谍软件检测时该方法比显示流敏感的方法具有较低的漏报率,并且能够有效地发现需要特定条件触发的信息窃取行为.同时,该方法能够区分木马间谍程序和合法软件中的隐式流,显著消减对合法软件中的隐式流跟踪.;In this paper, a novel method is presented to solve these problems. This method processes the X86 executable programs statically, so it has a higher code coverage than dynamic methods. Besides, it employs a data flow analysis method to identify the jump targets for indirect jumps. It also utilizes optimized tainting mark rules based on the operation semantic of branch conditions. Experiments on 103 real malwares and 7 benign softwares show that the proposed method has the following advantages: For Trojan-spy program detection, it can reduce the false negatives caused by the explicit-flow-sensitive method, and it is effective in dealing with information steal behaviors triggered by some particular conditions. For benign program analysis, it can reduce most of the tainted branches that should be tracked in the original implicit-flow-sensitive method without optimization.