
Research And Implementation Of Sandbox And Simulation Based Executables Malicious Code Detection Tool

Posted on: 2009-11-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Duan
Full Text: PDF
GTID: 2178360278456781
Subject: Computer Science and Technology
Abstract/Summary:
With the popularization of computers, the Internet plays an increasingly important role in daily life, but malicious code and network attacks are also becoming more frequent and more damaging, which makes the research and analysis of malicious code increasingly significant. Given the complexity and diversity of malicious code, traditional signature-based static analysis has difficulty detecting unknown malicious code. Because a sandbox can dynamically analyse and detect malicious code in executable programs, it compensates to some extent for the shortcomings of the static analysis method.

Building on the analysis method of the traditional sandbox, this thesis presents a dynamic malicious code analysis method based on sandbox and simulation. The method combines simulation with the sandbox, which ensures the integrity of detection and the non-destruction of the system. In addition, the method classifies programs into malicious levels according to their dynamic behaviour and their effects on the computer, so that users can easily see how malicious a program is. Based on this method, I designed and implemented a detection tool, MCDT_Sandbox.

Compared with preceding tools, this tool has four advantages: first, it can detect unknown malicious code; second, it intercepts API calls selectively, which narrows the scope of monitoring and improves detection efficiency to a certain extent; third, the use of simulation together with the sandbox ensures the integrity of detection and the non-destruction of the system; fourth, the tool analyses and reports the malicious level of programs automatically. In addition, the component-oriented design reduces the coupling between components and improves readability and scalability.

Finally, I used the tool to detect Worm.YadBlack.a and Worm.Nimaya. The results fully show the feasibility of the method and the effectiveness of the tool.
Keywords/Search Tags:Sandbox, Simulation, Integrality, Non-Destruction, Malicious Code Detection, Malicious Level