KR101685014B1 - Detection and blocking method of ransome ware of computer system and device thereof - Google Patents

Abstract

The present invention relates to a method and an apparatus for preemptively searching and blocking on a ransomware behavior of a computer system. The present invention is to search and block a ransomware behavior performing a change attempt of encryption or the like by generating a trap file(s) on a path unavoidable to initially access on an operation system, and accessing the trap file.

Description

TECHNICAL FIELD [0001] The present invention relates to a preemptive detection blocking method and apparatus for a computer system,

The present invention relates to a preemptive detection blocking method and apparatus for a Ransomware behavior of a computer system.

In particular, the present invention relates to a method of creating a trap file (s) using a file name that can not be accessed for the first time on an operating system, attempting to change the trap file by encrypting it and accessing the trap file, The present invention relates to a detection device and method for detecting and preventing a random software activity.

Ransomware is a combination of 'Ransom', which means 'ransom' in English, and 'Ware', which is 'software'. Such Ransomware is a kind of malicious program, and it is generally installed on a computer without user's consent.

Ransomware encrypts important files such as user's documents, making the files unusable, and then asking for money in exchange for releasing the password. Thereafter, the infection spreads to the user's cloud or file server.

The existing approach to Ransomware is to detect the Ransomware file itself through the Anti-Virus solution, data redundancy method using the backup solution, and data restoration through studying decryption method using Ransomware analysis. It is common.

However, these conventional countermeasures have limitations.

In other words, when various variant files and new types of Ransomware come out, there is a limit to apply the detection method using the existing Anti-Virus solution. In case of the backup solution, the burden on the backup storage system and the risk of Ransomware infection before backup There is no countermeasure against.

In addition, the probability of finding a decoding method through analysis is very low, and even if a method is found, even if a victim is victimized by the same Ransomware in applying this method, the same restoration effect can not be guaranteed.

Accordingly, it is the motive of the present invention that if the behavior of Ransomware is detected and blocked in advance, it can compensate the limit of the conventional method.

It is an object of the present invention to create a trap file (s) using a file name that can not be accessed for the first time on an operating system, And to provide a method and a device for preemptively preventing detection of a Ransomware action of a computer system, which is capable of preemptively detecting and blocking an operation of deleting a system restore file .

Other objects of the present invention will be apparent from the following detailed description.

According to an aspect of the present invention, there is provided a preemptive detection blocking method for a Ransomware action of a computer system, comprising: a first step of generating a trap file using a file name first accessed by a malicious process in a computer system operating system; A second step of monitoring an injection behavior of a malicious process for a normal process; A third step of detecting and blocking an attempt to change the malicious process to the trap file and an attempt to delete the system restore file; And a fourth step of tracking the subject of creation of the blocked malicious thread using a database. And an attempt to change the malicious process to the trap file is implemented by encryption.

The injection is characterized by thread injection and DLL injection.

If the process for creating a thread does not match the process for creating a thread, it is determined that the thread is a thread injection and stored and managed in the thread injection list.

When a thread existing in the thread injection list loads the DLL, it is determined that the DLL is a DLL injection, and is stored and managed in the DLL injection list.

If the malicious malicious thread exists in the thread injection list, the malicious file is regarded as the process file that created the thread.

A DLL file existing in both the thread injection list and the DLL injection list is regarded as a malicious file.

If the malicious malicious thread does not exist in the injection list, the malicious file is regarded as a malicious file.

If a detection attempt in the third step detects an attempt to change the malicious process to the trap file and an attempt to delete the system restoration file, it detects and blocks a thread that has performed the action.

According to an aspect of the present invention, there is provided a preemptive detection / blocking device for a Ransomware action of a computer system, comprising: a trap file generated using a file name first accessed by a malicious process in an operating system of a computer system; A CPU for monitoring and detecting whether an attempt to access and change a trap file and an operation for deleting a system restoration file are performed and to control the overall operation to block the detection; A monitoring unit for monitoring whether or not the malicious process is injected into the normal process; A detection blocking unit for detecting whether or not a malicious process attempts to change a trap file and a deletion behavior of a system restore file; A tracking unit for tracking the subject of the malicious thread detected and blocked by the detection blocking unit using a database; And a database for storing the injection into a thread injection and a DLL injection, respectively.

And the modification to the trap file of the malicious process is implemented by encryption.

The CPU intercepts the attempt to change the trap file and the deletion attempt to the system restore file at the time of detection monitoring, and if the thread exists in the thread injection list, judges the process file that created the thread as a malicious file, A DLL file present in the injection list and present in the DLL injection list is determined to be a malicious file, and when the detected thread does not exist in the injection list, a process file that has performed the action is determined to be a malicious file, Judges the case where the thread generation process does not coincide with the thread injection, judges the case where the thread existing in the thread injection list loads the DLL, as the malicious DLL file, and judges that the process that created the thread, If it does not exist in the list, And a source file, characterized in that it comprises a program for determining a malicious.

According to the preemptive detection blocking method and apparatus for the Ransomware behavior of the computer system of the present invention, the following excellent effects are obtained.

First, it can search for a file to encrypt the attacked file, change (encrypt) it if it is a desired file, and delete the system restore point in order to disable the restoration. .

Second, it is possible to detect and block new Ransomware activities without additional updates as well as existing Ransomware actions.

Third, by collecting the files by tracing the subject of the Ransomware act as well as simple detection and blocking of the Ransomware behavior, it is possible to provide information that can detect the malicious code through the examination of the files in the future.

FIG. 1 is a preemptive detection blocking diagram for a Ransomware behavior of a computer system according to an embodiment of the present invention; FIG.
2 is a block diagram of a preemptive detection and blocking device for a Ransomware behavior of a computer system according to an embodiment of the present invention;
3 is a diagram illustrating an example of a basic operation flow of preemptive detection blocking for a Ransomware behavior of a computer system according to an embodiment of the present invention;
4 illustrates an exemplary flow of a preemptive detection and blocking of a Ransomware behavior of a computer system in accordance with an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.

The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.

1. Overview

Although the present invention has been practiced and implemented in the Windows operating system, the concept itself can be used universally in all platforms.

Ransomware is a file that takes a monetary gain in return for encrypting important files that are not for various purposes like other malicious codes. Therefore, we have invented this application to detect and block Ransomware 's behavior in advance through research on this point.

However, since Ransomware can not know where the important files are located in the operating system, it is necessary to search the storage of attack target first. This means that it is possible to change the start path of the search but it is limited in that it can only perform sequential search according to the operating system mechanism.

Therefore, in the present invention, this limitation of Ransomware is reversed. That is, a trap file (s) using a file name which is accessed first in the operating system mechanism at a position that can be a search start path for searching an attack target is generated, If there is a process that attempts to access the trap file and change the encryption during the monitoring of the trap file, it is judged as the Ransomware activity.

For example, when you run an exe file, a process is created, and this process can contain multiple threads, which are usually created by the process itself. A DLL is a file that a thread loads to use external functions during execution.

Thus, thread injection is a process in which a process creates a thread to another process, and DLL injection is an operation in which a thread generated through thread injection as described above loads a DLL.

The reason why the process performs the injection to another process is to make it difficult for the malicious process to be detected by performing a malicious action (Ransomware action) using the normal process, thereby making it difficult to find the actual malicious file. Although it is possible to execute malicious action by thread injection alone, DLL injection is performed because it is easy to implement from the viewpoint of an attacker.

The malicious behavior may be as follows.

First, malicious files are executed and malicious processes are created. In this case, the malicious process's exe file is regarded as a malicious file.

Second, a malicious process injects a malicious thread into a normal process, causing malicious behavior. In this case, an exe file of a malicious process that injected into a normal process is regarded as a malicious file.

Third, a malicious process injects a malicious thread into a normal process, and a malicious thread loads a malicious DLL file to commit malicious behavior. In this case, the exe file of the malicious process that injected into the normal process and the loaded malicious DLL file are regarded as malicious files, respectively.

2. Example

Fig. 1 shows a basic technique of the present invention.

As shown in FIG. 1, a trap file (s) is generated by using a file name that a malicious process (Rangumware) can not approach first, and a change attempt operation and a system restore file delete action are performed on a trap file Injection monitoring is performed to detect whether malicious process injection behavior occurs in the normal process. When the injection is monitored, it is determined whether the injection is a thread injection or a DLL injection, and the injecting list is stored and managed according to the determination result.

In this state, an operation for detecting and blocking a change attempting operation such as encryption of a malicious process for the trap file and an operation for detecting and blocking the system restore file delete operation are performed.

After the blocking operation is performed, the subject who has created a thread having malicious behavior is traced through each injection list stored and managed.

FIG. 2 is a block diagram of a detection and blocking device for a Ransomware action according to an embodiment of the present invention.

In one embodiment, the CPU 100 is a means for controlling the overall operation of the present invention so as to monitor the accessing and changing attempt of the malicious process to the trap file 10 and to block the malicious process.

To this end, the CPU 100 may include a program for monitoring access to malicious processes for a normal process, a program for driving to detect and prevent an attempt to change the trap file 10, and the like.

The CPU 100 blocks the malicious thread in which the change attempting action is detected and the malicious process file is judged as a malicious file when the thread exists in the thread injection list.

The CPU 100 also judges the DLL files in both the thread injection list and the DLL injection list as malicious files. If the detected thread is not in the injection list, it determines that the process file that caused the change attempt is a malicious file.

The CPU 100 also detects a malicious thread that deletes the system restore file, and if it exists in the injection list, it judges it as a malicious file and blocks it.

In one embodiment, the monitoring unit 200 monitors whether or not the malicious process is injected. Here, as described above, the injection can be classified into thread injection, which is a case where a process of creating a thread and a process in which a thread is created are inconsistent, and DLL injection, which is a case where a thread existing in a thread injection list loads a DLL have. Therefore, if the monitoring unit 200 monitors these injections, the CPU 100 processes them, and then lists them as thread injection and DLL injection, and stores and manages them as a database.

In one embodiment, the detection interception unit 300 is a unit for detecting and deleting an attempt to change a trap file of a malicious thread and an operation to delete a system restore file.

In one embodiment, the database 400 is a means for dividing an injection action performed by a malicious process in accessing a normal process into a thread injection and a DLL injection, respectively.

In one embodiment, the tracking unit 500 is a means for tracking the subject of the malicious thread detected and blocked by the detection blocking unit 300 using the database 400. [

Ransomware behavior detection and blocking by the system of the present invention thus configured is enabled by the basic operational flow as illustrated in FIG.

(S100), monitoring whether an injection action of a malicious process for a normal process is performed (S200), and further checking whether an attempt to change encryption or the like is made on the generated trap file (S300). The system restoration file is monitored to detect whether or not the restoration file is deleted (S400), and the subject file that generated the interrupted thread is tracked (S500).

Steps S300 and S400 are performed substantially simultaneously.

Monitoring and blocking in steps S300 and S400 prevent the Ransomware action and collect basic malicious files of the Ransomware activity through monitoring information and tracking in steps S200 and S500.

FIG. 4 illustrates this basic operation flow in more detail.

First, the trap file (s) is created using the file name that the malicious process accesses first (S100). In addition, an injection monitor is installed (S100).

The malicious process accesses the volume drive C: ~ Z: and the user's desktop, my documents, etc. in order to retrieve the files to be changed by the encryption method. . Normally, the volume drive is searched first.

Also, as mentioned above, the malicious process is intended to take a monetary gain by using a certain file as a hostage, rather than destroying the system. Therefore, instead of accessing all files and encrypting them all, it accesses files that have their own values, such as doc, pdf, cpp, zip, xls, hwp, without affecting the computer system itself.

However, the operating system mechanism searches for the first file to be accessed when searching for a file. . Therefore, we create files and folders with random names that start with "!" As trap files. In this case, the files are created with files of doc, pdf, cpp, zip, xls . However, the present invention is not limited thereto.

When the trap file is generated as described above, the malicious process for the normal process is monitored and blocked.

However, a malicious process can directly commit malicious behavior to a specific file, but it can also cause malicious behavior through injection into a normal process.

Accordingly, in the present invention, monitoring is performed to prevent malicious activity from being detected through various injection actions (S200).

In the case of generic thread creation, the process that creates the thread matches the process that the thread is created in, but in the case of thread injection, these processes do not match. Therefore, in this case, the thread injection is regarded as malicious action and the thread injection is included in the list (S300).

In addition, DLL injection generally causes a thread created through thread injection to load a DLL (S400). Accordingly, when the thread in the thread injection list loads the DLL using this point, it is determined that the DLL is a DLL injection and included in the DLL injection list (S500).

In operation S600, when the thread injection and the DLL injection list are respectively stored and managed in the database, the operation proceeds to an operation of detecting or preventing an attempt to change (encrypt or decrypt) the trap file and the system restore file.

The trap file generated in the above is not a user's file but is generated as a hidden attribute, so that it can be considered that the trap file is rarely accessed unless it is intentionally accessed. Therefore, it is necessary to monitor whether or not the malicious thread accesses the trap file, but simply accessing and reading it can not be malicious and can not be determined. Therefore, it is necessary to check whether the attempt to change the trap file Detect.

In addition, the operating system provides a function to create and restore a system restore point. However, since Ransomware is intended to request a certain amount of money by encrypting a specific file, the system restore point file is deleted in order to prevent an attack target from using the function to restore the previous point. Therefore, it monitors the case to delete the restored file.

If there is a thread that detects an attempt to change a trap file or an attempt to delete a restore file during the detection monitoring, the thread information is acquired (S700) and the thread is blocked (S1200) It is determined whether the thread is included in the managed thread injection list (S800).

As a result of the determination, if the thread is in the thread injection list, the process file that created the thread is regarded as a malicious file (S900), and it is determined whether or not the process file is included in the DLL injection list (S1000) (S1200). That is, if both the thread injection list and the DLL injection list are included, the corresponding DLL file is regarded as a malicious file.

On the other hand, if it is determined in step S800 that the detected thread is not in the thread injection list, the process file is regarded as a malicious file (S1100). That is, if the detected thread is not in the injection list, it treats the process file as a malicious file.

Although the present invention has been described by way of specific embodiments, it is not limited thereto. Detection and blocking order for Ransomware behavior under the basic concept of the present invention can be modified and modified within the scope of the technical idea of the present invention.

100: CPU 200:
300: detection / prevention unit 400:
500:

Claims (12)

A first step of generating a trap file using a file name first accessed by a malicious process in a computer system operating system;
A second step of monitoring an injection behavior of a malicious process for a normal process;
The injection action may be a thread injection or a DLL injection,
A third step of detecting and blocking an attempt to change the trap file of the malicious process to encryption and an attempt to delete the system restore file; And
And a fourth step of tracing a subject of creation of the blocked malicious thread through a thread injection list and a DLL injection list. The preemptive detection blocking method of the computer system according to claim 1, delete delete The method according to claim 1,
If the process of creating the thread does not match the process of creating the thread, it is judged as a thread injection and stored and managed in the thread injection list, thereby preemptively blocking the detection of the Ransomware action in the computer system. 5. The method of claim 4,
When a thread existing in the thread injection list loads a DLL, determines that the DLL is a DLL injection, and stores and manages the DLL in the DLL injection list, thereby preemptively blocking the detection of the Ransomware action. The method according to claim 1,
And if the thread is present in the thread injection list, the process file that created the thread is regarded as a malicious file, and the detection is blocked, and the preemptive detection blocking method of the computer system. The method according to claim 1,
Wherein the DLL file existing in both the thread injection list and the DLL injection list is regarded as a malicious file and is prevented from being detected, and a preemptive detection blocking method for the Ransomware action of the computer system. The method according to claim 1,
And if the malicious thread does not exist in the injection list, the malicious file is regarded as a malicious file and the malicious file is detected and blocked, thereby preventing a preemptive detection of the malicious file. The method according to claim 1,
Wherein when the attempt to delete the system restore file is detected as a result of the monitoring in the third step, if the thread exists in the injection list, the process file is regarded as a malicious file and the detection is blocked. Preemptive detection blocking method. A trap file generated by using a filename that is accessed first by a malicious process in the operating system of a computer system;
A CPU for monitoring and detecting whether access to and modification of the trap file is performed and deletion of the system restoration file is performed and controlling the overall operation to block the shutdown;
A monitoring unit for monitoring whether or not the malicious process is injected into the normal process;
A detection blocking unit for detecting whether or not the malicious process attempts to change the trap file and the deletion behavior of the system restore file;
The modification to the trap file of the malicious process is implemented by encryption,
A tracking unit for tracking the subject of the malicious thread detected and blocked by the detection blocking unit using a database; And
And a database for storing the injection into the thread injection and the DLL injection, respectively, and storing the injected injection and the DLL injection, respectively. delete 11. The method of claim 10,
The CPU
When a thread is detected in the thread injection list, it is determined that the process file that created the thread is a malicious file. If the thread is found in the thread injection list,
The DLL file existing in the thread injection list and also present in the DLL injection list is determined as a malicious file,
If the detected thread does not exist in the injection list, it judges the process file that has performed the action as a malicious file,
Detects a case where the system restore file is deleted, judges that the process file is a malicious file when it exists in the injection list,
When the process of creating a thread and the process of creating a thread do not coincide with each other, it is determined as a thread injection,
A case where a thread existing in the thread injection list loads a DLL is determined as a malicious DLL file,
A process for creating a thread and a program for judging a process file that has performed a corresponding action as a malicious file if the detected thread does not exist in the injection list. Device.

Images