
Spyware Hidden Mechanisms And Detection Technology

Posted on: 2008-04-15
Degree: Master
Type: Thesis
Country: China
Candidate: C W Lei
Full Text: PDF
GTID: 2208360215450026
Subject: Computer application technology

Abstract/Summary:
Since the start of the new millennium, network infrastructure and applications have developed greatly. The popularity and user base of computer networks are increasing rapidly, accompanied by more and more serious network security problems. Among these network security threats, spyware is definitely the most dangerous and risky one. Research and development in this area is becoming the focus of network security. Especially on the Windows platform, which has the biggest user base, spyware is leading the development of security technology. This thesis takes spyware on the Windows platform as its research target.

The reason spyware is the most threatening is that new spyware is equipped with special hiding technologies that prevent it from being discovered by system administrators or scanners, so that it can reside on target hosts for a long time. After attackers break into the target network, they usually use spyware to penetrate the intranet and steal useful information. Therefore, this thesis analyzes the popular hiding technologies used by existing spyware. The hiding technologies for processes, network ports, registry entries and files are dissected from both the principle and implementation perspectives.

Spyware, like computer viruses, is one kind of malicious code. The corresponding detection technologies are being researched and developed continuously. This thesis summarizes the traditional detection technologies used by commercial anti-virus software and spyware scanners and analyzes their strengths and weaknesses. Meanwhile, the battle between hiding and detection is ongoing within the network security area, so this thesis introduces some special detection technologies designed to detect certain hiding behaviors, such as hidden process detection, hooked function detection and execution path analysis.

Based on the preceding analysis of existing hiding and detection technologies for spyware, this thesis introduces a brand new detection methodology based on cross scanning. Using the principle of analyzing differences, this methodology compares trustworthy system information from low-level scanning with untrustworthy system information from high-level scanning. Hiding behaviors are extracted and identified as evidence of spyware. The thesis then introduces the specific high-level and low-level scanning technologies for processes, network ports, registry entries and files.

Finally, this thesis designs and implements a spyware detection system prototype, CrossScanner, based on the cross scanning methodology. Some important development technologies used to implement the system are described in detail as well. Detection testing on CrossScanner shows that it is more capable than popular commercial anti-virus and scanning software in terms of hidden spyware detection.
Keywords/Search Tags: spyware, Rootkit, hiding, detection
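
The difference analysis described in the abstract, sketched as an added example (not code from the thesis or from CrossScanner): items present in the low-level view but missing from the high-level view are reported as hidden, for processes, ports, registry entries and files. The function names, the snapshot layout, the sample data and the repeat-scan filter for objects created between the two scans are all assumptions of this example.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "kind item")

def normalize(kind, item):
    # Windows image names, paths and registry keys are case-insensitive.
    if kind == "process":
        return (int(item[0]), item[1].lower())      # (pid, image name)
    if kind == "port":
        return (item[0].lower(), int(item[1]))      # (protocol, port)
    return item.rstrip("\\").lower()                # file path or registry key

def cross_scan(high, low):
    """Items the low-level view contains but the high-level view omits."""
    hidden = set()
    for kind, low_items in low.items():
        visible = {normalize(kind, i) for i in high.get(kind, ())}
        hidden |= {Finding(kind, k) for k in
                   (normalize(kind, i) for i in low_items) if k not in visible}
    return hidden

def persistent_hidden(rounds):
    """Keep findings seen in every round; drops objects created between scans."""
    results = [cross_scan(high, low) for high, low in rounds]
    return sorted(set.intersection(*results)) if results else []

# Constructed sample snapshots (not real scan output).
HIGH_1 = {"process": [(4, "System"), (612, "explorer.exe")],
          "port": [("TCP", 135)],
          "registry": [r"HKLM\SOFTWARE\Example\Run"],
          "file": [r"C:\Windows\System32\drivers\disk.sys"]}
LOW_1 = {"process": [(4, "system"), (612, "Explorer.EXE"),
                     (1500, "hidden_agent.exe"), (2000, "setup.exe")],
         "port": [("tcp", 135), ("tcp", 4444)],
         "registry": [r"hklm\software\example\run",
                      r"HKLM\SOFTWARE\Example\HiddenSvc"],
         "file": [r"c:\windows\system32\drivers\disk.sys",
                  r"C:\Windows\System32\drivers\hidden_agent.sys"]}
# Second round: setup.exe is now visible to the high-level scan as well.
HIGH_2 = dict(HIGH_1, process=HIGH_1["process"] + [(2000, "setup.exe")])
LOW_2 = LOW_1

if __name__ == "__main__":
    for f in persistent_hidden([(HIGH_1, LOW_1), (HIGH_2, LOW_2)]):
        print(f.kind, f.item)
```

A single round would also flag setup.exe, which simply started between the high-level and low-level scans; requiring the finding in every round removes it.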