
MBR Bootkit Detection Method And Technology Research

Posted on: 2015-03-28
Degree: Master
Type: Thesis
Country: China
Candidate: M F Sun
GTID: 2308330473953181
Subject: Computer technology
Abstract/Summary:
A bootkit is an advanced form of rootkit and is more damaging than a traditional rootkit. Among the most dangerous bootkit techniques is the MBR (Master Boot Record) bootkit, which spreads easily and is widespread. An MBR bootkit hides itself and takes control of the system by infecting the MBR, so that its code runs before the operating system kernel starts; it can therefore bypass many kinds of security policy as well as detection by security software. MBR bootkits have evolved from the original "proof of concept" into combinations of various injection and protection methods and have shown great harmfulness. Protecting a computer against them requires keeping up with their latest developments and changes.

This thesis is based on a study of existing MBR bootkit samples. It summarises their technical features and the harm they cause, then analyses detection methods against those features. For generality, MBR bootkits are detected by signature matching. To improve current signature extraction, a multi-dimensional signature extraction method is proposed that is based on the phased way in which an MBR bootkit executes; each signature gains phase and functional attributes, which improves coverage of the malicious activity. Because MBR bootkits use many sophisticated hiding and protection techniques that make signature matching difficult, a further detection method is proposed: since the MBR bootkit code stays resident in memory after running in real-address mode, the physical memory where the malicious code resides is scanned to detect it. Because cleaning a system after an MBR bootkit infection is difficult, static detection is combined with a disk filter driver to defend the system.

The resulting detection system uses the multi-dimensional signatures to scan memory and files and to filter the content written to disk. In this way only code with strong characteristics is matched, rather than code with characteristics that carry no discriminating value.
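The three mechanisms the abstract combines (signature matching on the MBR with phase and function attributes, a scan of low physical memory for the resident stage, and a filter on sector writes) can be sketched in one small script. The following is an added example written for this page, not code from the thesis; the signatures, the 16-bit bootstrap bytes, the 512-byte images and the 640 KiB memory dump are all constructed here for illustration and are not taken from any real sample. It assumes the BIOS Data Area word at 0413h (conventional memory size in KiB) and the INT 13h vector at 0000:004Ch, both standard PC facts, and the relocation address 9F000h is an assumption for the constructed dump.

```python
"""Added example (not from the thesis): an MBR parser, a phase/function-tagged
signature scan over an MBR image and a low-memory dump, and a simulated write
filter for sector 0.  All signatures and images here are constructed."""
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE_OFF = 446
BDA_BASE_MEM_KIB = 0x0413   # BIOS Data Area word: conventional memory size in KiB
CONVENTIONAL_KIB = 640


@dataclass(frozen=True)
class Signature:
    name: str
    phase: str       # which stage of the bootkit the matched code belongs to
    function: str    # what the matched code does when it runs
    pattern: bytes
    strong: bool     # strong: a hit alone is a detection; weak: only corroborates


# Constructed for this example; not extracted from any real sample.
SIGNATURES = (
    # mov [004Ch],ax / mov [004Eh],ax: overwrite the INT 13h entry in the IVT
    Signature("ivt_int13_off", "mbr", "hook INT 13h", b"\xa3\x4c\x00", True),
    Signature("ivt_int13_seg", "mbr", "hook INT 13h", b"\xa3\x4e\x00", True),
    # mov ah,02h / int 13h: raw sector read.  Every legitimate MBR does this too,
    # so on its own it is a useless characteristic and must stay weak.
    Signature("int13_read", "mbr", "read sectors", b"\xb4\x02\xcd\x13", False),
)


def parse_mbr(img: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition table and boot signature."""
    if len(img) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = img[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba, size = struct.unpack_from("<II", e, 8)
        if e[4]:  # partition type 0 marks an empty slot
            parts.append({"bootable": e[0] == 0x80, "type": e[4], "lba": lba, "sectors": size})
    return {"code": img[:PART_TABLE_OFF], "partitions": parts, "boot_sig_ok": img[510:] == BOOT_SIG}


def scan(blob: bytes, phase: str = "") -> list:
    """Match every signature (optionally those of one phase only) against a blob."""
    hits = []
    for sig in SIGNATURES:
        if phase and sig.phase != phase:
            continue
        pos = blob.find(sig.pattern)
        while pos != -1:
            hits.append({"sig": sig.name, "offset": pos, "phase": sig.phase,
                         "function": sig.function, "strong": sig.strong})
            pos = blob.find(sig.pattern, pos + 1)
    return hits


def infected(hits: list) -> bool:
    """Only a strong signature counts; weak hits alone never raise a detection."""
    return any(h["strong"] for h in hits)


def scan_low_memory(dump: bytes) -> dict:
    """Scan the first 640 KiB for resident stage-1 code, and report how many KiB the
    BDA memory-size word is below 640 (a resident bootkit commonly lowers it to
    reserve the block it sits in; compare against the firmware's own boot value)."""
    claimed = struct.unpack_from("<H", dump, BDA_BASE_MEM_KIB)[0]
    hits = scan(bytes(dump[:CONVENTIONAL_KIB * 1024]))
    return {"hits": hits, "hidden_kib": CONVENTIONAL_KIB - claimed, "infected": infected(hits)}


def filter_disk_write(lba: int, data: bytes, baseline_mbr: bytes) -> str:
    """Simulated policy of the disk filter driver for one sector write."""
    if lba != 0:
        return "allow"                    # only sector 0 is guarded in this example
    if infected(scan(data, phase="mbr")):
        return "block"                    # known stage-1 bootkit code
    if data[:PART_TABLE_OFF] != baseline_mbr[:PART_TABLE_OFF]:
        return "review"                   # unknown bootstrap code: hold for analysis
    return "allow"                        # same code, only the partition table changed


def build_mbr(code: bytes) -> bytes:
    """Constructed image: given code, one bootable type-07h partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2097152)
    return code.ljust(PART_TABLE_OFF, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG


# Constructed 16-bit code.  PROLOGUE: cli / xor ax,ax / mov ss,ax / mov sp,7C00h / sti
PROLOGUE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
READ_AND_HANG = b"\xb4\x02\xcd\x13\xeb\xfe"        # mov ah,2 / int 13h / jmp $
# mov ax,7E00h / mov [004Ch],ax / mov ax,cs / mov [004Eh],ax: point INT 13h at us
HOOK = b"\xb8\x00\x7e\xa3\x4c\x00\x8c\xc8\xa3\x4e\x00"
CLEAN_MBR = build_mbr(PROLOGUE + READ_AND_HANG)
INFECTED_MBR = build_mbr(PROLOGUE + HOOK + READ_AND_HANG)

# Constructed dump of conventional memory (assumed layout): the bootkit copied
# itself to 9F000h and lowered the BDA memory-size word to 639 KiB to hide it.
MEM_DUMP = bytearray(CONVENTIONAL_KIB * 1024)
struct.pack_into("<H", MEM_DUMP, BDA_BASE_MEM_KIB, CONVENTIONAL_KIB - 1)
MEM_DUMP[0x9F000:0x9F000 + len(PROLOGUE + HOOK + READ_AND_HANG)] = PROLOGUE + HOOK + READ_AND_HANG

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, parse_mbr(img)["partitions"], scan(img, phase="mbr"))
    print(scan_low_memory(MEM_DUMP))
    print(filter_disk_write(0, INFECTED_MBR, CLEAN_MBR))
```

The clean image produces only the weak `int13_read` hit and is not flagged; the infected image matches both strong IVT-rewrite signatures at offsets 12 and 17 of the bootstrap code, and the same bytes are found again at 9F00Ch and 9F011h in the memory dump, together with 1 KiB of conventional memory the BDA no longer admits to. The write filter blocks the infected sector, allows the unchanged one, and returns "review" for unknown bootstrap code so that a legitimate boot-loader install is held rather than silently refused. A real signature set would come from the sample analysis the thesis describes, and the real filter sits as a driver in the storage stack; the policy function above only models its decision.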
Keywords/Search Tags:MBR Bootkit, signature, filter driver, memory scan