JP2014085772A - Illegal program execution system, illegal program execution method, and illegal program execution program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To identify a malicious communication destination.SOLUTION: A disclosed embodiment, in one aspect, includes an execution unit, a recording unit, a detection unit, and an identification unit. The execution unit executes an illegal program under an environment in which connection information used for connection to a terminal is set in advance. The recording unit records communication destinations for communication involved in execution of the illegal program. The detection unit detects communication to a terminal which is performed using the connection information. The identification unit identifies a communication destination of the illegal program that is executed under an environment in which the connection information for the communication detected by the detection unit is set, out of the communication destinations that are recorded by the recording unit.

Description

  The present invention relates to an unauthorized program execution system, an unauthorized program execution method, and an unauthorized program execution program.

  Conventionally, various methods for dealing with a malicious program (hereinafter referred to as “malware”) causing threats such as information leakage and unauthorized access have been proposed. As one of countermeasures, for example, a user terminal infected with malware is detected, and communication with a communication destination with which the malware communicates at the time of infection is detected and blocked on the network side.

  In the above countermeasure, for example, information on a malicious communication destination such as a C & C (Command and Control) server to which a user terminal connects when malware is infected or an information leakage destination server is acquired in advance as a black list. . The information on the malicious communication destination includes, for example, a URL (Uniform Resource Locator), an FQDN (Fully Qualified Domain Name), an IP (Internet Protocol) address, and the like. Then, communication to a malicious communication destination included in the black list is detected, and communication to the detected communication destination is blocked. For example, a method called dynamic analysis in which malware is actually operated to acquire an analysis result is used as information on a malicious communication destination posted on the black list. In this dynamic analysis, for example, by actually operating the malware and recording the operation, information on a communication destination where the malware has attempted communication is acquired.

JP 2009-181335 A

  However, in the conventional technology described above, there are cases where a malignant communication destination cannot be specified. For example, malware is known that communicates with a general communication destination that is not malignant in order to confirm that the malware itself is operating on the Internet. For such malware, even if the above dynamic analysis is performed, the obtained communication destination is not always malignant, and there is a case where the malignant communication destination cannot be specified.

  An embodiment of the disclosure has been made in view of the above, and an object thereof is to provide an unauthorized program execution system, an unauthorized program execution method, and an unauthorized program execution program capable of specifying a malicious communication destination.

  In one aspect, the disclosed embodiment includes an execution unit, a recording unit, a detection unit, and a specifying unit. The execution unit executes the unauthorized program in an environment in which connection information used for connection to the terminal is set in advance. The recording unit records a communication destination of communication due to execution of the malicious program. The detection unit detects communication performed to the terminal using the connection information. The identification unit identifies a communication destination of an unauthorized program executed in an environment in which connection information of communication detected by the detection unit is set from among communication destinations recorded by the recording unit.

  According to one aspect of the technology disclosed in the present application, there is an effect that a malignant communication destination can be specified.

FIG. 1 is a diagram illustrating an example of the configuration of a malicious program execution system according to the first embodiment. FIG. 2 is a sequence diagram showing a flow of processing by the malicious program execution system according to the first embodiment. FIG. 3 is a sequence diagram showing a flow of processing by the malicious program execution system according to the second embodiment. FIG. 4 is a diagram illustrating an example of an analysis result acquired by the specifying unit. FIG. 5 is a diagram illustrating that the information processing by the malicious program execution program according to the disclosed embodiment is specifically realized using a computer.

  Hereinafter, embodiments of a malicious program execution system, a malicious program execution method, and a malicious program execution program disclosed in the present application will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment. Each embodiment can be appropriately combined as long as the processing contents do not contradict each other.

(First embodiment)
The malicious program execution system 1 according to the first embodiment executes the following process in order to identify whether the communication destination of the malicious program obtained by dynamic analysis is malignant. The malicious program execution system 1 executes the malicious program after setting connection information used for connection to a terminal as information leaked to a malicious communication destination in an environment where the malicious program is operated, for example. Then, the malicious program execution system 1 monitors the terminal, and when the connection attempt to the terminal is successful, identifies the communication destination corresponding to the leaked information as malignant. The malicious program is, for example, a computer virus or spyware. In the following, a malicious program may be described as malware.

  The configuration of the malicious program execution system 1 according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of the configuration of a malicious program execution system 1 according to the first embodiment. As illustrated in FIG. 1, the unauthorized program execution system 1 according to the first embodiment includes a connection information management unit 10, a dynamic analysis unit 20, a detection unit 30, and a specification unit 40. Among these, the dynamic analysis unit 20 includes a malware execution unit 21 and an external communication recording unit 22. The external communication recording unit 22 and the detection unit 30 are connected to the Internet 5. The connection information management unit 10, the malware execution unit 21, the detection unit 30, and the specification unit 40 each correspond to, for example, a personal computer or a workstation, and the external communication recording unit 22 corresponds to a proxy server. In addition, the connection information management unit 10, the malware execution unit 21, the external communication recording unit 22, the detection unit 30, and the specification unit 40 are not limited to personal computers, workstations, and the like. For example, an ASIC (Application that functions in these devices) It may be realized by an integrated circuit such as a specific integrated circuit (FPGA) or a field programmable gate array (FPGA) or an electronic circuit such as a CPU (central processing unit). In other words, for example, the malware execution unit 21, the external communication recording unit 22, the detection unit 30, and the specifying unit 40 can be realized in one computer. The external communication recording unit 22 may be realized as a virtual network processing unit that determines a communication protocol and generates a server response according to the determined protocol, for example.

  In addition, the unauthorized program execution system 1 according to the first embodiment includes, for example, a terminal that accepts communication using connection information. In the first embodiment, a case will be described in which the detection unit 30 also functions as the terminal. However, the embodiment is not limited to this, and the terminal may be connected to the Internet 5 separately from the detection unit 30.

  The connection information management unit 10 manages connection information used for connection to a terminal. For example, the connection information management unit 10 generates, as connection information, a combination of an FTP server address, a login ID, and a password used for logging in to an FTP (File Transfer Protocol) server. The connection information generated here is information leaked when the malware operates. That is, the connection information management unit 10 generates connection information for each malware to be analyzed, and stores the generated connection information and malware identification information for identifying the malware in association with each other. Then, the connection information management unit 10 transmits the generated connection information to the dynamic analysis unit 20 and the detection unit 30. The connection information may be information that can control connection from an external network. For example, the connection information management unit 10 may use a mail address as connection information.

  The dynamic analysis unit 20 collects malware communication destination information by actually operating the malware and monitoring its state. The communication destination information obtained here includes, for example, URL (Uniform Resource Locator), FQDN (Fully Qualified Domain Name), IP (Internet Protocol) address, and the like.

  The malware execution unit 21 executes the malicious program in an environment in which connection information used for connection to the terminal is set in advance. For example, the malware execution unit 21 receives connection information from the connection information management unit 10 and sets the received connection information in a predetermined storage location. For example, the malware execution unit 21 performs processing such as registering the FTP server address, login ID, and password in the registry, or placing a file that describes the FTP server address, login ID, and password in a specific directory. To do. As a result, the registered connection information is leaked by the malware executed by the malware execution unit 21. The malware execution unit 21 executes the malware. Note that the malware executed by the malware execution unit 21 is set in the malware execution unit 21 in advance as one malware to be analyzed by a user using the unauthorized program execution system 1, for example. The process of registering the connection information in the predetermined storage location does not necessarily need to be executed by the malware execution unit 21. For example, the connection information created manually by the user is manually executed by the user. The unit 21 may be set.

  The external communication recording unit 22 records a communication destination of communication due to execution of malware. In addition, the external communication recording unit 22 terminates communication from the malware execution unit 21, records communication contents, and transmits / receives communication from the malware execution unit 21 to a host on the Internet 5 by proxy.

  The detection unit 30 detects communication performed to the terminal using the connection information. For example, the detection unit 30 performs setting to control connection from the Internet 5 so as to permit communication using the setting information to the request source of the connection request using the setting information. When a connection request using the setting information is made from the external network to the terminal, the detection unit 30 permits communication using the setting information to the request source of the connection request. Note that the detection unit 30 does not necessarily need to permit communication limited to the request destination port of the connection request using the connection information. For example, the detection unit 30 may detect communication performed using the connection information. In addition, when the above terminal is installed separately from the detection unit 30, the detection unit 30 connects from the Internet 5 so as to permit communication to the request destination port of the connection request using the connection information. Setting for controlling the terminal. Then, the detection unit 30 accepts a connection request using the connection information from the terminal, and permits communication for communication from the request destination port of the connection request. In this case, the detection unit 30 detects that the terminal has permitted communication, and acquires connection information used for the communication.

  The identifying unit 40 identifies a communication destination of malware executed in an environment in which connection information of communication detected by the detecting unit 30 is set from among communication destinations recorded by the external communication recording unit 22. For example, when the detecting unit 30 confirms that the connection request is permitted, the specifying unit 40 specifies the malware communication destination that leaked the connection information used for the connection request as a malicious communication destination. .

  Next, processing performed by the malicious program execution system 1 according to the first embodiment will be described with reference to FIG. FIG. 2 is a sequence diagram showing a flow of processing by the malicious program execution system according to the first embodiment. The process shown in FIG. 2 is executed when, for example, the connection information management unit 10 receives a start request from a user who uses the malicious program execution system 1.

  As shown in FIG. 2, the connection information management unit 10 generates connection information (S101). For example, the connection information management unit 10 generates, as connection information, a combination of an FTP server address, a login ID, and a password used for logging in to an FTP (File Transfer Protocol) server. Here, the connection information management unit 10 stores the generated connection information and the malware identification information of the malware to be analyzed in association with each other. The connection information management unit 10 transmits the generated connection information to the detection unit 30 (S102).

  When receiving the connection information from the connection information management unit 10, the detection unit 30 sets the connection information (S103). For example, the detection unit 30 performs setting for controlling the connection from the Internet 5 so as to permit communication to the request destination port of the connection request using the connection information. And the detection part 30 notifies the information to the effect that the connection information was set to the connection information management part 10 (S104).

  When the connection information management unit 10 receives information indicating that the connection information has been set from the detection unit 30, the connection information management unit 10 transmits the connection information to the malware execution unit 21 (S105). When the malware execution unit 21 receives the connection information from the connection information management unit 10, the malware execution unit 21 registers the connection information in a predetermined storage location (S106). For example, the malware execution unit 21 performs processing such as registering the FTP server address, login ID, and password in the registry, or placing a file that describes the FTP server address, login ID, and password in a specific directory. To do. Then, the malware execution unit 21 executes the malware (S107). Thereby, the malware generates communication for acquiring the connection information set in the malware execution unit 21 and transmitting the acquired connection information to a malicious communication destination.

  When communication to the Internet 5 occurs due to malware (S108), the external communication recording unit 22 analyzes and records communication from the malware (S109). At this time, for example, the external communication recording unit 22 is transmitted from the malware identification information for identifying the malware, information indicating the communication destination from the malware, information indicating that there was a communication attempt to the communication destination, and the malware. Record the amount of data sent. Hereinafter, such information is referred to as “communication record”. Then, the external communication recording unit 22 transmits the communication content from the malware to the communication destination on the Internet 5 (S110).

  When the external communication recording unit 22 receives a response from the Internet 5 for communication from malware (S111), it records a communication record (S112). At this time, for example, the external communication recording unit 22 records information indicating that there is a response to communication from malware. Then, the external communication recording unit 22 transmits a response from the Internet 5 to the malware execution unit 21 (S113).

  As described above, when the malware is executed by the malware execution unit 21, the processing from step S108 to step S113 shown in 2a of FIG. 2 is repeatedly executed for a predetermined time.

  The malware execution unit 21 performs communication via the Internet to the detection unit 30 using the connection information during execution of the malware (S114). This is because when a terminal infected with malware communicates, there is malware that intercepts the contents of the communication and transmits the contents to a malicious host. For example, the malware execution unit 21 communicates with the detection unit 30 using the connection information after a predetermined time has elapsed after execution of the malware. As a result, when the content of the communication is acquired by the malware and transmitted to a malicious communication destination, the processing from step S108 to step S113 described above is executed. Note that the above-described predetermined time is used for the executed malware to acquire the connection information set in the malware execution unit 21 or to generate communication for transmitting the acquired connection information to a malicious communication destination. The time that is considered sufficient is set by the user.

  After executing the malware, when detecting the connection request using the connection information (S115), the detection unit 30 records the content of the detected connection request (S116). For example, when a connection request using the connection information is made, the detection unit 30 permits communication with the request destination port of the connection request. And the detection part 30 records the connection information used for the permitted connection request | requirement, and the frequency | count of the connection request | requirement as the content of a connection request | requirement. And the detection part 30 transmits the content of a connection request to the specific | specification part 40 (S117). However, the recording of the connection request performed in step S114 is excluded.

  When the content of the connection request is received from the detection unit 30, the specification unit 40 inquires of the connection information management unit 10 about malware identification information of malware executed in an environment in which the connection information used for the connection request is set ( S118), malware identification information is acquired (S119). And the specific | specification part 40 inquires the communication record corresponding to malware identification information to the external communication recording part 22 (S120), and acquires a communication record (S121).

  Then, the specifying unit 40 specifies a communication destination based on the acquired information (S122). For example, the specifying unit 40 specifies a communication destination in which the number of connection requests detected by the detection unit 30 is equal to or less than a threshold as a malignant communication destination. This threshold is, for example, “1”. This is because if the connection request using the connection information succeeds once, it is determined that the connection information is leaked by malware. On the other hand, for example, when a plurality of connection requests are required before the communication using the connection information succeeds, the connection information is not leaked by malware. This is because it is determined that the data has been decrypted by the decrypting software. Note that the threshold value set here is not limited to “1”. For example, in consideration of the possibility that the connection request may fail due to communication failure despite the connection information leaked by malware, the threshold may be set by the user to a number of “2” or more.

  Further, the specifying unit 40 specifies a communication destination in which the amount of transmission data transmitted from the malware is equal to or greater than a threshold as a malignant communication destination. For example, when malware is communicating with multiple communication destinations, the threshold is set when there is one communication destination where the amount of data transmitted from the malware is equal to or greater than a certain threshold, and there are multiple communications where the data is less than the threshold. The above communication destination is identified as a malicious communication destination. This threshold is set based on, for example, the data amount of connection information set in the connection information management unit 10. This is because if the connection information is leaked by malware, it is unlikely that the amount of transmitted data is extremely smaller than the amount of data in the connection information. This is because it is determined that the leakage has occurred. Note that the threshold set here may be set to an arbitrary value by the user.

  Of the processes of the specifying unit 40 described above, the process specified using the number of connection requests and the process specified using the data amount of transmission data may not necessarily be executed. For example, either one may be executed, or none may be executed.

  Further, the flow of processing by the malicious program execution system 1 described in FIG. 2 is not limited to the above order. For example, in the description of step S118 described above, it has been described that the specifying unit 40 inquires about the malware identification information every time the content of the connection request is received from the detection unit 30, but the present invention is not limited to this. The identification unit 40 may accumulate the content of the connection request received from the detection unit 30 for a certain period of time, and then inquire about malware identification information.

  As described above, the unauthorized program execution system 1 according to the first embodiment executes the unauthorized program in an environment in which connection information used for connection to the terminal is set in advance. Then, the unauthorized program execution system 1 records a communication destination of communication due to the execution of the unauthorized program. Then, the unauthorized program execution system 1 detects communication performed from the external network to the terminal using the connection information. Then, the malicious program execution system 1 identifies the communication destination of the malicious program executed under the environment in which the detected communication connection information is set from the recorded communication destinations. For this reason, the malicious program execution system 1 can identify a malicious communication destination. Specifically, the malicious program execution system 1 identifies the communication destination of the malware when it is determined that the connection information has been leaked by the malware, so that the malicious communication destination can be reliably identified.

  Further, for example, the unauthorized program execution system 1 specifies a communication destination in which the detected number of connection requests is equal to or less than a threshold value. For this reason, the unauthorized program execution system 1 can accurately identify a malicious communication destination. Specifically, the malicious program execution system 1 identifies the communication destination of the malware when it is determined that the connection information used for the connection request is leaked by the malware to be analyzed. A correct communication destination can be specified accurately.

  Further, for example, the malicious program execution system 1 identifies a communication destination in which the amount of transmission data transmitted from malware is equal to or greater than a threshold value. For this reason, the unauthorized program execution system 1 can accurately identify a malicious communication destination. Specifically, since the malicious program execution system 1 specifies a communication destination that is determined to include connection information in transmission data transmitted from malware, a malicious communication destination can be accurately specified.

(Second Embodiment)
When one communication destination is specified in the first embodiment, the communication destination is specified as a malignant communication destination. However, when a plurality of communication destinations are specified, it is determined that a malignant communication destination is included in those communication destinations. This analysis is required. For this reason, 2nd Embodiment demonstrates the further analysis performed when a some communication destination is specified in 1st Embodiment.

  The malicious program execution system 1 according to the second embodiment determines which communication destination is malignant when the malware is communicating with a plurality of communication destinations when performing dynamic analysis. In addition, in the malware execution environment in the dynamic analysis environment, a plurality of pieces of connection information that the same malware leaks to a malicious communication destination are prepared. And the malicious program execution system 1 which concerns on 2nd Embodiment performs the malware of a communication destination by repeatedly executing malware, changing the combination of the connection information to leak and the communication destination which permits the communication from malware. judge. As an example, the malicious program execution system 1 first permits communication from a specified communication destination to a certain communication destination alone, and executes the malware. At this time, if there is a connection request using the connection information from the external network, the communication destination that is permitted to communicate by itself is identified as a malicious communication destination. Therefore, the malicious program execution system 1 repeatedly executes the malware while changing each communication destination that permits communication from the malware alone. Depending on the malware, the information leakage destination server may refuse the connection when communication from the same source IP is repeatedly performed. Therefore, when the malware is repeatedly executed, the IP address of the dynamic analysis unit 20 when communicating from the dynamic analysis unit 20 to the Internet 5 may be set to be different each time it is repeatedly executed.

  In the above case, even if there is no connection request using the connection information from the external network, it is impossible to determine that the communication destination that is permitted to communicate alone is not a malicious communication destination. This is because communication with a malicious communication destination may be caused by communication with a certain communication destination. For this reason, the unauthorized program execution system 1 executes the malware using different connection information every time the communication destination is changed while changing a part of communication destinations that allow communication from the malware. For example, the malicious program execution system 1 executes the malware while permitting a part of communication destinations permitting communication from the malware two by two, three by three, or changing the combination thereof. Thereby, the unauthorized program execution system 1 can analyze the case where communication with a malicious communication destination is caused by communication with another communication destination.

  The malicious program execution system 1 according to the second embodiment has the same configuration as that of the malicious program execution system 1 according to the first embodiment shown in FIG. 1, except that the processing described below is further executed. Is different.

  When a plurality of communication destinations are specified by the specifying unit 40, the malware execution unit 21 according to the second embodiment further changes while changing some communication destinations that allow communication from malware. Execute malware using different connection information.

  The external communication recording unit 22 according to the second embodiment further records the presence / absence of a communication attempt from the malware to each communication destination each time the malware is executed by the malware execution unit 21.

  The detection unit 30 according to the second embodiment further detects communication performed using the connection information, which is communication to the terminal, every time the malware is executed by the malware execution unit 21.

  The specifying unit 40 according to the second embodiment further acquires the trial result for each execution recorded by the external communication recording unit 22 and the detection result detected by the detection unit 30.

  Next, processing performed by the unauthorized program execution system 1 according to the second embodiment will be described with reference to FIG. FIG. 3 is a sequence diagram showing a flow of processing by the malicious program execution system according to the second embodiment. The process illustrated in FIG. 3 is executed, for example, when a plurality of communication destinations are specified in step S121 illustrated in FIG.

  As shown in FIG. 3, when a plurality of communication destinations are specified, the specifying unit 40 transmits communication permission setting information to the external communication recording unit 22 (S201). This communication permission setting information is information in which whether or not communication from malware is permitted for each identified communication destination is set for each communication destination. When analyzing a plurality of malwares simultaneously, this communication permission setting information is set for each malware to be analyzed.

  When receiving the communication permission setting information from the specifying unit 40, the external communication recording unit 22 performs communication permission setting (S202). For example, when the external communication recording unit 22 receives the communication permission setting information, the external communication recording unit 22 performs communication from the malware execution unit 21 so as to permit communication from the malware to the communication destination permitted by the communication permission setting information. Make settings to control. Then, the external communication recording unit 22 notifies the specifying unit 40 that the setting has been completed (S203). Upon receiving from the external communication recording unit 22 that the setting has been completed, the specifying unit 40 transmits a connection information generation request to the connection information management unit 10 (S204). The connection information generation request includes information indicating a communication destination permitted to communicate with malware.

  When receiving the connection information generation request from the specifying unit 40, the connection information management unit 10 generates connection information (S205). Here, the connection information management unit 10 stores a connection information ID for identifying the generated connection information, information indicating a communication destination permitted to communicate with malware, and malware identification information in association with each other. Then, the connection information management unit 10 transmits the generated connection information to the detection unit 30 (S206).

  When receiving the connection information from the connection information management unit 10, the detection unit 30 sets the connection information (S207). Then, the detection unit 30 notifies the connection information management unit 10 of information indicating that the connection information has been set (S208).

  When the connection information management unit 10 receives information indicating that the connection information has been set from the detection unit 30, the connection information management unit 10 transmits the connection information to the malware execution unit 21 (S209). When the malware execution unit 21 receives the connection information from the connection information management unit 10, the malware execution unit 21 registers the connection information in a predetermined storage location (S210).

  The malware execution unit 21 executes malware (S211). Thereby, the communication from malware will generate | occur | produce with respect to each of the some communication destination specified in 1st Embodiment. When communication to the Internet 5 occurs due to malware (S212), the external communication recording unit 22 analyzes communication from the malware and records a communication record (S213). At this time, for example, the external communication recording unit 22 is transmitted from the malware identification information for identifying the malware, information indicating the communication destination from the malware, information indicating that there was a communication attempt to the communication destination, and the malware. Record the amount of data sent. Then, the external communication recording unit 22 determines whether or not the communication destination of the generated communication is a communication destination permitted to communicate with malware (S214).

  If the communication destination is permitted to communicate with the malware, the external communication recording unit 22 transmits the communication content from the malware to the communication destination on the Internet 5 (S215). And the external communication recording part 22 will record a communication record, if the response from the internet 5 is received about the communication from malware (S216) (S217). At this time, for example, the external communication recording unit 22 records information indicating that there is a response to communication from malware. And the external communication recording part 22 transmits the response from the internet 5 to the malware execution part 21 (S218).

  If the communication destination is not permitted to communicate with the malware, the external communication recording unit 22 notifies the malware execution unit 21 of information indicating that the communication has failed (S219).

  As described above, when the malware is executed by the malware execution unit 21, the processing from step S108 to step S113 shown in 3a of FIG. 3 is repeatedly executed for a predetermined time.

  The malware execution unit 21 communicates with the detection unit 30 using the connection information during execution of the malware (S220). As a result, when the content of this communication is acquired by the malware and transmitted to a malicious communication destination, the processing from step S212 to step S219 described above is executed.

  After executing the malware, the detection unit 30 waits for a predetermined time, for example, 1 hour (S221). Then, when detecting the connection request using the connection information during standby (S222), the detection unit 30 records the content of the detected connection request (S223). At this time, for example, the detection unit 30 records the connection information used for the connection request and the number of connection requests as the contents of the connection request. The predetermined time set here is set to a time that is considered sufficient for connection information to be leaked by malware and a connection request using the leaked connection information is made. Although the case where the waiting time is set and executed has been described here, the waiting time is not necessarily set. The malware execution unit 21 may execute malware in parallel by setting different connection information.

  And the detection part 30 transmits the content of a connection request to the specific | specification part 40 (S224). When receiving the content of the connection request from the detection unit 30, the specification unit 40 inquires of the connection information management unit 10 about malware identification information corresponding to the connection information used for the connection request (S225), and acquires the malware identification information ( S226). And the specific | specification part 40 inquires the communication record corresponding to malware identification information to the external communication recording part 22 (S227), and acquires a communication record (S228).

  And the specific | specification part 40 records the presence or absence of a communication trial, and the presence or absence of the connection request with respect to the detection part 30 as an analysis result (S229). Thereby, the specifying unit 40 records the presence / absence of a communication attempt and the presence / absence of a connection request to the detection unit 30 when a certain communication destination is allowed to communicate with malware.

  And the specific | specification part 40 uses different connection information for every change, changing the some communication destination which permits the communication from malware by further performing the process from step S201 to step S229 further. The malware is executed by the malware execution unit 21. For example, the malware execution unit 21 is a communication destination in which communication using the connection information is detected in the detection unit 30 by allowing communication from malware alone among the plurality of communication destinations specified by the specifying unit 40. For the communication destinations excluded from the plurality of communication destinations specified by the specifying unit 40, while changing some of the communication destinations that allow communication from the malware, each time the change is made, using different connection information, Run. This is because a communication destination in which communication using connection information is detected in the detection unit 30 by allowing communication from malware alone among a plurality of communication destinations specified by the specifying unit 40 is a malicious communication. It is because it is judged that it is ahead. And the malware execution unit 21 uses different connection information for each communication destination except for a malicious communication destination from a plurality of communication destinations while changing some communication destinations that allow communication from malware. Run the malware.

  And the specific | specification part 40 determines a malignant communication destination based on the recorded analysis result, after performing malware predetermined times (S230). Note that the process of determining a malicious communication destination does not necessarily have to be executed. For example, it may be determined by a user who uses the malicious program execution system 1 using an analysis result.

  Note that the flow of processing by the malicious program execution system 1 described in FIG. 3 is not limited to the above order. For example, in the description of step S225 described above, it has been described that the specifying unit 40 inquires for malware identification information every time the content of the connection request is received from the detection unit 30, but the present invention is not limited to this. The identification unit 40 may accumulate the content of the connection request received from the detection unit 30 for a certain period of time, and then inquire about malware identification information.

  Next, processing for determining a malicious communication destination based on the analysis result will be described. FIG. 4 is a diagram illustrating an example of an analysis result acquired by the specifying unit 40. As shown in FIG. 4, the analysis result includes “procedure”, “connection information ID”, “communication permission with each communication destination (left) and presence / absence of observation of communication trial (right)”, “detection unit” "Connection request for". Among these, “procedure” is information indicating how many times the corresponding record is the execution result of the malware, and is numbered in the order in which the malware is executed, for example. The “connection information ID” is identification information for identifying the connection information generated in the corresponding procedure. “Communication with each communication destination (left) and presence / absence of communication trial observation (right)” indicates that communication between each communication destination and malware is permitted on the left side of the slash (/) for each item. The right side indicates whether or not there has been a communication attempt to each communication destination. The “connection request to the detection unit” is information indicating whether or not a connection request using connection information has been made from the external network to the detection unit 30. The “procedure” is illustrated for convenience of explanation, and is not necessarily included in the analysis result.

  In the first record of FIG. 4, as the analysis result, the procedure “procedure 1”, connection information ID “connection information A”, communication destination A “O / O”, communication destination B “O / O”, communication destination C “O / O” is associated with the connection request “Yes” for the detection unit. In the first malware execution, the connection information of the connection information ID “connection information A” is set, the communication between the communication destination A and the malware is permitted, the communication between the communication destination B and the malware is permitted, This indicates that communication between the communication destination C and the malware is permitted. In addition, by the first malware execution, a communication attempt from the malware to the communication destination A is performed, a communication attempt from the malware to the communication destination B is performed, and a communication attempt from the malware to the communication destination C is performed. This indicates that a connection request using connection information has been made from the network to the detection unit 30. For example, the malware execution in this procedure 1 shows a state when the malicious program is analyzed in the first embodiment. Further, in the second record of FIG. 4, the procedure “procedure 2”, connection information ID “connection information B”, communication destination A “O / O”, communication destination B “− / O”, The communication destination C “− / ◯” is associated with the connection request “none” to the detection unit. In the second execution of the malware, the connection information of the connection information ID “connection information B” is set, communication between the communication destination A and the malware is permitted, and communication between the communication destination B and the malware is prohibited, This indicates that communication between the communication destination C and malware is prohibited. In addition, by the second malware execution, a communication attempt from the malware to the communication destination A is performed, a communication attempt from the malware to the communication destination B is performed, and a communication attempt from the malware to the communication destination C is performed. This indicates that a connection request using connection information has not been made from the network to the detection unit 30. Similarly, analysis results are shown for other records.

  In the procedure 1 of FIG. 4, communication between each of the communication destinations A to C and the malware is permitted. At this time, communication attempts from malware are made to any communication destination, and a connection request using connection information is also made from the external network to the detection unit 30. From this result, it is confirmed that at least one of the communication destinations A to C is malignant.

  In the procedure 2 of FIG. 4, only communication between the communication destination A and the malware is permitted. At this time, although the communication attempt from the malware is made to the communication destination A, the connection request using the connection information is not made from the external network to the detection unit 30. From this result, the communication destination A is not determined to be a malicious communication destination. However, there is a possibility that connection information may be leaked when communication with the communication destination A causes communication to another communication destination. For this reason, it cannot be determined that the communication destination A is not a malicious communication destination at this time.

  In the procedure 3 of FIG. 4, only communication between the communication destination B and the malware is permitted. At this time, no communication attempt from the malware is made to the communication destination B, and no connection request using the connection information is made from the external network to the detection unit 30. From this result, the communication destination B is not determined to be a malicious communication destination. However, because the communication destination B may acquire connection information from the malware by communicating with other communication destinations and malware, the communication destination B is not a malicious communication destination at this time. Cannot judge.

  In the procedure 4 of FIG. 4, only communication between the communication destination C and the malware is permitted. At this time, a communication attempt from malware is made to the communication destination C, and a connection request using connection information is made from the external network to the detection unit 30. From this result, it is determined that the communication destination C is a malicious communication destination.

  In the procedure 5 of FIG. 4, communication between the communication destination A and the malware and communication between the communication destination B and the malware are permitted. At this time, communication attempts from the malware are made to both the communication destination A and the communication destination B, and a connection request using connection information is also sent from the external network to the detection unit 30. Here, in the procedure 3, the communication trial to the communication destination B is performed in the procedure 2 even though the communication trial to the communication destination B has not been performed. In step 2, since communication to the communication destination A is permitted, it is determined that communication with the communication destination B is caused by communication with the communication destination A. As a result of the procedure 5, when communication with the communication destination B is performed, it is determined that a connection request using the connection information is made from the external network to the detection unit 30, so the communication destination B is a malicious communication destination. It is determined that

  According to the above analysis results, the user of the malicious program execution system 1 registers, for example, the communication destination B and the communication destination C in the blacklist as information on a malicious communication destination. The communication destination A is not registered in the black list because the possibility that the communication destination A is a non-malignant general communication destination cannot be wiped out. For example, in the case of malware that leaks information to a malicious communication destination triggered by communication with a general communication destination, the communication destination A may be a general communication destination. However, for example, when it is confirmed that the connection data is included in the transmission data transmitted from the malware to the communication destination A, or when the threat of leakage by malware is surely reduced, the communication destination A It may be registered in the black list.

  As described above, the unauthorized program execution system 1 according to the second embodiment changes a part of communication destinations that allow communication from an unauthorized program while changing a plurality of communication destinations. The malicious program is executed using different connection information for each. Then, each time the malicious program is executed, the malicious program execution system 1 records the presence or absence of a communication attempt from the malicious program to each communication destination. Then, each time the malicious program is executed, the unauthorized program execution system 1 detects communication performed from the external network to the terminal using the connection information. Then, the malicious program execution system 1 acquires the recorded trial results for each execution and the detected detection results. For this reason, the unauthorized program execution system 1 according to the second embodiment can accurately determine whether or not the plurality of communication destinations specified in the first embodiment are malignant.

  Further, for example, the unauthorized program execution system 1 according to the second embodiment detects communication using connection information by allowing communication from the unauthorized program alone among the plurality of identified communication destinations. While changing some communication destinations that allow communication from unauthorized programs for communication destinations that are excluded from the specified multiple communication destinations, each time the change is made, Run. For this reason, the unauthorized program execution system 1 can efficiently determine whether or not a plurality of communication destinations are malicious.

  Although several embodiments have been described so far, the technology disclosed in the present application is not limited to these embodiments. That is, these embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made.

  For example, in the above embodiment, the case of analyzing one malware has been described, but the embodiment is not limited to this. In other words, it is possible to perform analysis on a plurality of malware in parallel. In this case, for example, the malicious program execution system 1 includes a malware execution unit 21 that executes each malware for each of a plurality of malware to be analyzed. Then, the unauthorized program execution system 1 generates connection information for each malware, and sets the generated connection information in the malware execution unit 21 in which each malware is executed. And the unauthorized program execution system 1 performs the analysis about several malware in parallel by executing malware in each malware execution part 21. FIG.

  For example, the specific form of distribution / integration of each device (for example, the form shown in FIG. 1) is not limited to the one shown in the figure, and all or a part thereof can be changed in arbitrary units according to various loads and usage conditions. Functionally or physically distributed and integrated. For example, the detection unit 30 and the specifying unit 40 may be integrated as one processing unit, while the connection information management unit 10 includes a processing unit that generates connection information, connection information, and malware identification information. May be distributed to a storage unit that stores them in association with each other.

  Further, for example, in the above embodiment, the connection information management unit 10, the dynamic analysis unit 20, the detection unit 30, and the specification unit 40 included in the unauthorized program execution system 1 have been described as devices that operate independently. However, the embodiment is not limited to this. For example, the dynamic analysis unit 20, the detection unit 30, and the specification unit 40 may operate in one computer. In this case, for example, the malware execution unit 21, the external communication recording unit 22, the detection unit 30, and the specifying unit 40 are integrated circuits such as an ASIC (Application Specific Integrated Circuit) and an FPGA (Field Programmable Gate Array) that function in the computer, Alternatively, it is realized by an electronic circuit such as a CPU (Central Processing Unit).

  In addition, among the processes described in the embodiment, all or a part of the processes described as being automatically performed can be manually performed. For example, the process for generating the generation information in FIG. 2 may be performed manually. Alternatively, all or part of the processing described as being performed manually can be automatically performed by a known method. For example, the operation of registering the communication destination specified in FIG. 2 in the black list may be automatically performed.

  The processing procedure described in the above embodiment, specific names, information including various data and parameters can be arbitrarily updated unless otherwise specified. For example, the correspondence between the connection information stored in the connection information management unit 10 and the malware identification information can be stored in the specifying unit 40 in advance.

  These embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

[program]
FIG. 5 is a diagram illustrating that the information processing by the malicious program execution program according to the disclosed embodiment is specifically realized using a computer. As illustrated in FIG. 5, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, A network interface 1070, and these units are connected by a bus 1080.

  As illustrated in FIG. 5, the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031 as illustrated in FIG. The disk drive interface 1040 is connected to the disk drive 1041 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. The serial port interface 1050 is connected to, for example, a mouse 1051 and a keyboard 1052 as illustrated in FIG. The video adapter 1060 is connected to a display 1061, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 5, the hard disk drive 1031 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the malicious program execution program according to the disclosed embodiment is stored in, for example, the hard disk drive 1031 as a program module in which a command to be executed by a computer is described. Specifically, the execution procedure for executing the same information processing as the malware execution unit 21 described in the above embodiment, the recording procedure for executing the same information processing as the external communication recording unit 22, and the same as the detection unit 30 A hard disk drive 1031 stores a program module 1093 in which a detection procedure for executing information processing and a specific procedure for executing information processing similar to that of the specifying unit 40 are described. Further, like the data stored in the storage unit 110 described in the above embodiment, data used for information processing by the unauthorized program execution program is stored as, for example, the hard disk drive 1031 as the program data 1094. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes the execution procedure, recording procedure, detection procedure, and specific procedure.

  Note that the program module 1093 and the program data 1094 related to the unauthorized program execution program are not limited to being stored in the hard disk drive 1031, but are stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1041 or the like. May be. Alternatively, the program module 1093 and the program data 1094 related to the non-normal communication detection program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and the network interface It may be read by the CPU 1020 via 1070.

1 Malware Execution System 20 Dynamic Analysis Unit 21 Malware Execution Unit 22 External Communication Recording Unit 30 Detection Unit 40 Identification Unit

Claims (8)

An execution unit that executes an unauthorized program under an environment in which connection information used for connection to the terminal is set in advance;
A recording unit for recording a communication destination of communication by execution of the malicious program;
A detection unit that detects communication performed using the connection information, which is communication to the terminal;
A specifying unit for specifying a communication destination of an unauthorized program executed under an environment in which connection information of communication detected by the detection unit is set from among communication destinations recorded by the recording unit. A featured malicious program execution system. When a plurality of communication destinations are specified by the specifying unit, the execution unit further changes a part of communication destinations that allow communication from the unauthorized program, and uses different connection information every time the change is made. Execute the malicious program,
The recording unit further records the presence / absence of a communication attempt from the malicious program to each communication destination each time the malicious program is executed by the execution unit,
The detection unit further detects communication performed using the connection information, which is communication to the terminal each time the malicious program is executed by the execution unit,
The malicious program execution system according to claim 1, wherein the specifying unit further acquires a trial result for each execution recorded by the recording unit and a detection result detected by the detection unit.   The execution unit is a communication destination in which communication using the connection information is detected in the detection unit by allowing communication from the unauthorized program alone among a plurality of communication destinations specified by the specifying unit. For communication destinations excluded from a plurality of communication destinations specified by the specifying unit, while changing some communication destinations that allow communication from the unauthorized program, using different connection information, The malicious program execution system according to claim 2, wherein the malicious program is executed.   4. The malicious program execution system according to claim 1, wherein the execution unit performs communication using the connection information to the terminal while the malicious program is executed. 5.   The malicious program execution system according to claim 1, wherein the specifying unit specifies a communication destination in which the number of connection requests detected by the detection unit is equal to or less than a threshold value.   The unauthorized program execution system according to claim 1, wherein the identifying unit identifies a communication destination in which a data amount of transmission data transmitted from the unauthorized program is equal to or greater than a threshold value. A malicious program execution method executed on a computer,
The computer
An execution step of executing an unauthorized program under an environment in which connection information used for connection to the terminal is set in advance;
A recording step of recording a communication destination of communication by execution of the unauthorized program;
A detection step of detecting communication performed using the connection information, which is communication to the terminal;
A specifying step of specifying a communication destination of an unauthorized program executed in an environment in which connection information of communication detected in the detection step is set from among communication destinations recorded in the recording step. A malicious program execution method characterized by the above. An execution procedure for executing a malicious program under an environment in which connection information used for connection to a terminal is set in advance;
A recording procedure for recording a communication destination of communication by execution of the malicious program;
A detection procedure for detecting communication performed using the connection information, which is communication to the terminal;
A specific procedure for identifying a communication destination of a malicious program executed in an environment in which connection information of communication detected by the detection procedure is set from among communication destinations recorded by the recording procedure is executed on a computer An illegal program execution program characterized by causing the program to execute.

Images