
Research And Implementation Of Malware Design And Analysis

Posted on: 2006-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: D Q Wang
GTID: 2178360212967479
Subject: Computer technology

Abstract/Summary:
Network security technology advances through the battle between malware design and defense. Researching the technology of malware design and understanding the behavior models of malware is the groundwork of network security defense. The analysis of malware can provide useful information for network emergency response and computer forensics. Furthermore, some governmental agencies also endeavor to design programs that have malware-like functions for military and commercial purposes.

Motivated by the increasing threat of malware, this thesis discusses the technologies of malware design and analysis and reviews useful tools for malware analysis. By designing and analyzing malicious code on the Windows platform, four principal achievements were obtained:

1. A prototype malware system was designed and implemented based on the client/server model. The system has four functions: network attack, self-propagation, behavior disguise and remote control. A method to improve the performance of the attack process was also proposed.
2. The capabilities of different malware analysis technologies were evaluated, and a malware analysis flow was designed based on the results of the evaluation. In addition, more than 30 practical malware samples were analyzed using this flow.
3. A method for automatically analyzing malicious code was presented, based on identifiable function vectors. Two models were built as the foundation of the method: an information gathering model, which gathers function information from malicious code, and an identification model, which seeks the defined function vectors in the code.
4. A malware analysis system and a malware analysis database were designed based on the above analysis model. The system is static analysis software based on reverse engineering, which can automatically analyze the functions of malicious code. The malware analysis database is a collection of malware behavior characteristics described in a malware analysis language that we designed.

Much practical work validates the effectiveness of the approaches and systems presented in this thesis. The malware analysis flow is useful and might act as a criterion for malware analysis. The malware analysis system could reduce the time of the analysis process and improve the accuracy of the analysis results.
Keywords/Search Tags: malware, static analysis, dynamic analysis, reverse engineering