JP5667957B2 - Malware detection device and program - Google Patents

Description

  The present invention relates to a malware detection device that detects malware. The present invention also relates to a program for causing a computer to function as the malware detection apparatus.

  Portable information terminals called smartphones that use an open platform using a general-purpose OS (operating system) have become widespread. It is possible to flexibly and easily expand various functions of a smartphone by introducing an application available via a network to the smartphone. However, among applications, there is a malicious application that operates as malware that collects personal information stored in a terminal and transmits it to the outside without the user's permission. In particular, an application that impersonates a legitimate application and performs such illegal behavior is called a Trojan horse, and it is difficult to notice its threat.

  When comparing smartphones and PCs (personal computers), smartphones are devices that have a closer connection to users than PCs, such as name, phone number, email address, address book, email transmission / reception history, and Internet browsing history. Such as personal information. In addition, since the terminal is highly functional and always carried, information such as location information that has not been collected by a conventional PC can be easily acquired, and the threat of misuse of information is faced. Therefore, it is necessary to protect the smartphone user from the threat of misuse of personal information in an environment where the application can be easily obtained.

  As a malware detection technology commonly used for PCs, disassemble programs that contain executable code, analyze API (Application Program Interface) calls and data control flow in the code, and extract malware characteristics There is a static detection method (for example, see Non-Patent Document 1). However, because it requires a lot of computing power to disassemble the program and extract features, a smartphone with less CPU processing capacity and memory capacity compared to a PC may take longer to detect and consume. Increasing power is a problem.

  Therefore, a technique that can be realized with a smaller processing amount than the static detection technique is used for malware detection of the smartphone. Specifically, when the application is inspected using a black list in which the names of the files that make up the application (file names) are registered in advance, and a file name that matches the file name registered in the black list is found A technique for detecting malware is used.

Masamune Izumida, Masami Hashimoto, Akira Mori, “Analysis Method of Binary Code Using Dynamic Emulation and Static Analysis”, Information Processing Society of Japan Research Report. Multimedia Communication and Distributed Processing Study Group Report, February 25, 2010

  However, since the malware authors escape the detection of malware by matching the file names of the files that make up the application with the file names registered in the blacklist, the malware creator must specify the file names registered in the blacklist. There is a case where all or a part (for example, extension) of a malicious file is changed and added to an application file. For this reason, it was possible to avoid malware detection, and there was a problem that accurate malware detection could not be realized. In addition, there is a problem that new malware that is not registered in the blacklist cannot be detected.

  The present invention has been made in view of the above-described problems, and an object of the present invention is to provide a malware detection apparatus and a program that can more accurately detect malware that cannot be detected by a malware detection method using a blacklist. To do.

  The present invention has been made to solve the above-described problem, and a file compressed in a predetermined compression format from the plurality of files included in a package file including a plurality of files that are components of an application. An extraction unit to extract, and a determination unit that determines whether the file name of the file obtained by expanding the file extracted by the extraction unit matches the file name of a file that is essential as a component of the application; , A malware detection device characterized by comprising:

  In the malware detection apparatus of the present invention, the predetermined compression format is a ZIP format.

  In the malware detection device of the present invention, the determination unit further determines whether the extension of the file extracted by the extraction unit is “.zip” or “.apk”. .

  In the malware detection device of the present invention, the determination unit further determines whether or not the executable file is included in the file extracted by the extraction unit.

  Moreover, this invention is a program for functioning a computer as said malware detection apparatus.

  According to the present invention, a file name obtained by extracting a file compressed in a predetermined compression format from a plurality of files included in a package file and expanding the extracted file is a component of the application. It is possible to more accurately detect malware that cannot be detected by the malware detection method using the blacklist by determining whether or not the file name of the file that is essential as the file name matches.

It is a block diagram which shows the structure of the malware detection apparatus by one Embodiment of this invention. It is a flowchart which shows the procedure of the operation | movement of the malware detection apparatus by one Embodiment of this invention. It is a reference figure for demonstrating the malware detection method in one Embodiment of this invention. It is a flowchart which shows the procedure until the damage such as information leakage occurs after the malware is executed.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In this embodiment, as an example, a malware detection method for an application that operates on Android (registered trademark), which is one of OSs installed in a smartphone, will be described. In the malware detection method of the present embodiment, malware is detected based on the file name of a file obtained by expanding a file compressed in a predetermined compression format among files constituting the application. In the present specification and drawings, for convenience, the character string “Android (registered trademark)” is substituted with the character string “* andrd *” as necessary. That is, the character string * andrd * is equivalent to the character string Android (registered trademark).

  Hereinafter, the malware detection method of this embodiment will be described. An apk file (package file) that is an application execution file is a file with the extension “.apk”, a manifest file (extension is .xml) that defines the functions and permissions used by the application, and an instruction string. This is a compressed file of various resource files such as executable code (extension “.dex”) and image files used by the application in ZIP format. As shown in FIG. 3, the regular application 300 includes a manifest file 310, an execution code 320, and other files (such as an image file 330).

  The manifest file 310 and the execution code 320 are essential files as components of the apk file. In addition, the manifest file 310 and the execution code 320 are files necessary for proper installation and execution as a legitimate application, and the file name (including the extension) is changed for normal operation. Don't be a file. The file name (including the extension) of the manifest file 310 is always “* andrd * Manifest.xml”, and the file name (including the extension) of the execution code 320 is always “classes.dex”.

  On the other hand, as shown in FIG. 3, the malware 400 includes a manifest file 410, an execution code 420, an exploit code 430, and a ZIP file 440. Although the manifest file 410 and the execution code 420 are also included in a legitimate application, the exploit code 430 and the file 440 are files specific to malware. The exploit code 430 is an executable binary file. When the exploit code 430 is executed, the application deprives the root authority, which is the administrator authority, and exhibits malicious behavior such as information leakage. The file 440 is a file compressed in the ZIP format.

  When the file 440 is expanded, a manifest file 441, an execution code 442, and other files (image file 443) are obtained. The manifest file 441 and the execution code 442 are essential files as components of the apk file, and the file 440 itself is also an apk file. That is, the malware 400 includes a file 440 that is an apk file as a malicious application. To escape from blacklisted malware detection, the malware author changes the filename and extension of the malicious apk file. In the example of FIG. 3, the extension of the file 440 is changed from “.apk” to “.png”. By configuring the malware 400 as described above, it is prevented from being detected as malware in the malware detection comparing the names (file names) of the files constituting the application with the file names registered in the black list.

  The malware 400 is executed as follows. FIG. 4 shows a procedure from when the malware 400 is executed until damage such as information leakage occurs. When the user of the terminal installs the malware 400 on the terminal (step S200) and starts the malware 400 (step S210), the execution code 420 executes the exploit code 430 (step S220). Although the authority that can be used by the malware 400 is limited by the manifest file 410, the execution of the exploit code 430 allows the malware 400 to obtain root authority.

  By obtaining root authority, the execution code 420 installs the file 440 (malicious application) having a configuration as an apk file (step S230), and starts the malignant application (step S240). The activated malicious application performs operations such as information leakage, and damage occurs (step S250).

  As shown in FIG. 3, the malware 400 has a file 440 compressed in a predetermined compression format (ZIP format in the example of FIG. 3), and the file obtained by expanding the file 440 includes an application configuration. There is a feature that a manifest file 410 and an execution code 420 which are essential elements are included. In the present embodiment, a method of determining the presence or absence of malware by inspecting the presence or absence of this feature is taken.

  Next, the configuration and operation of a malware detection apparatus (application analysis apparatus) to which the malware detection method of this embodiment is applied will be described. FIG. 1 shows the configuration of the malware detection apparatus according to the present embodiment. As shown in FIG. 1, the malware detection apparatus includes a storage unit 10, an extraction unit 11, and a determination unit 12.

  The storage unit 10 stores an apk file of an application that is a target of malware detection, a result of malware detection, and the like. The extraction unit 11 extracts a ZIP format file (file 440 in FIG. 3) from the apk file. Whether the file name of the file (manifest file 441 in FIG. 3) obtained by expanding the file extracted by the extraction unit 11 matches the file name of a file that is essential as a component of the application. Determine whether or not.

  FIG. 2 shows the operation of the malware detection apparatus. Hereinafter, the operation of the malware detection device will be described. First, the extraction unit 11 reads an apk file of an application that is a target of malware detection from the storage unit 10. The apk file is compressed in the ZIP format, and the extraction unit 11 expands (decompresses) the apk file (step S100). Subsequently, the extraction unit 11 refers to the header of each file obtained by expanding the apk file, and extracts a file in which information indicating that the file is in the ZIP format is stored in the header (step S110). Specifically, a ZIP format file in which the first 4 bytes of the header of the file are “0x04034b50” in little endian or “PK \ 003 \ 004” in big endian is extracted.

  Subsequently, the determination unit 12 expands (decompresses) the ZIP format file extracted by the extraction unit 11, confirms the name (file name) of each obtained file, and apk of the application that is the target of malware detection It is determined whether or not the file is malware (step S120). Specifically, if both a file with the file name "* andrd * Manifest.xml" and a file with the file name "classes.dex" are confirmed, the ZIP file is a malicious application Therefore, the determination unit 12 determines that the apk file of the application that is the target of malware detection is malware, and stores the determination result in the storage unit 10.

  If at least one of the file with the file name "* andrd * Manifest.xml" and the file with the file name "classes.dex" is not confirmed, the ZIP file is not a malicious application. The determination unit 12 determines that the apk file of the application that is the target of malware detection is not malware, and stores the determination result in the storage unit 10. Even when the ZIP file is not extracted in step S110, the determination unit 12 determines that the apk file of the application that is the target of malware detection is not malware, and stores the determination result in the storage unit 10. Although the determination result is stored in the storage unit 10 in the above, the determination result may be displayed on a display unit (not shown).

  Although malware can be detected as described above, the following may be performed. As mentioned above, in order to escape from malware detection using the black list, the file name and extension of the malicious apk file (file 440 in FIG. 3) included in the apk file that is malware are changed. Accompanying information about a malicious apk file may be obtained. For example, the determination unit 12 determines whether the extension of the ZIP format file extracted by the extraction unit 11 is “.zip” or “.apk”.

  When the extension of the ZIP format file extracted by the extraction unit 11 is neither “.zip” nor “.apk”, the determination unit 12 determines that the malignancy is high, and accompanying information indicating that the malignancy is high. Is stored in the storage unit 10 in association with the determination result obtained in step S120. Alternatively, in step S120, both the file whose file name is “* andrd * Manifest.xml” and the file whose file name is “classes.dex” are confirmed, and the ZIP format file as described above is used. When the extension is neither “.zip” nor “.apk”, it may be determined that the apk file of the application that is the target of malware detection is malware.

  Further, it may be determined whether or not an executable apk file such as an exploit code is included in an apk file of an application that is a target of malware detection, and accompanying information regarding a malignant apk file may be obtained. For example, the determination unit 12 refers to the header of each file obtained by expanding the apk file in step S100, and whether there is a file in which information indicating that it is an executable binary file is stored in the header Determine whether or not. Specifically, the determination unit 12 determines whether or not there is a file in which the first 4 bytes of the file header are little endian “0X464C457F” or big endian “0x7F454C46”.

  If there is a file in which information indicating that it is an executable binary file is stored in the header, the determination unit 12 determines that the malignancy is high, and adds accompanying information indicating that the malignancy is high in step S120. Are stored in the storage unit 10 in association with the determination result obtained in the above. Alternatively, in step S120, both the file whose file name is “* andrd * Manifest.xml” and the file whose file name is “classes.dex” are confirmed, and can be executed on the apk file as described above. When a binary file of the format is included, it may be determined that the apk file of the application that is the target of malware detection is malware.

  As described above, according to the present embodiment, the ZIP file is extracted from the plurality of files included in the apk file, and the file name of the file obtained by expanding the extracted file is the component of the application. By determining whether the file name matches the required manifest file or executable code, it is possible to more accurately detect malware that cannot be detected by the malware detection method using the blacklist.

  Also, determine whether the extension of the ZIP file is “.zip” or “.apk”, and determine whether the apk file contains an executable binary file. By this, it is possible to obtain accompanying information regarding whether or not the apk file of the application that is the target of malware detection has more malware-like characteristics.

  The malware detection method of the present embodiment can be applied to application pre-screening at a sales site that sells, for example, smartphone applications on a communication network. It is also possible to apply the malware detection method of this embodiment to anti-virus software.

  The malware detection device described above is realized by recording a program for realizing the operation and function in a computer-readable recording medium, causing the computer to read and execute the program recorded in the recording medium. The Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. .

  DESCRIPTION OF SYMBOLS 10 ... Memory | storage part, 11 ... Extraction part, 12 ... Determination part

Claims (5)

An extraction unit that extracts a file compressed in a predetermined compression format from the plurality of files included in a package file including a plurality of files that are components of the application;
A determination unit that determines whether a file name of a file obtained by expanding the file extracted by the extraction unit matches a file name of a file that is essential as a component of the application;
A malware detection device characterized by comprising:   The malware detection apparatus according to claim 1, wherein the predetermined compression format is a ZIP format.   The said determination part further determines whether the extension of the file extracted by the said extraction part is ".zip" or ".apk", The Claim 1 or Claim 2 characterized by the above-mentioned. Malware detection device.   The said determination part further determines whether the binary file of the executable format is contained in the file extracted by the said extraction part, The Claim 1 characterized by the above-mentioned. The malware detection device described.   A program for causing a computer to function as the malware detection device according to claim 1.

Images