Abstract
This paper proposes a method for cracking a malware DGA (domain generation algorithm) that starts from network packet capture. First, the DNS resolution requests sent by the bot are captured, and the structural features of the requested malicious domain names (such as the top-level domains they use) are analyzed, giving the forensic analyst a preliminary understanding of the DGA. A static analysis tool is then used to search the malicious program for those top-level domain strings, which locates the assembly code of the core DGA routine. That assembly is converted into an equivalent high-level language program, and running the program computes every domain name the malware will be able to use in the future. Testing shows that the method quickly and accurately locates the core DGA code in bot, trojan and worm malware and improves the efficiency of forensic analysis.
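The first step of the method, analyzing the structure of the captured DNS queries to separate generated names from ordinary ones and to collect the top-level domain strings that are then searched for in the binary, is shown below as an added example; it is not code from the paper. The capture lines are constructed to mimic `tcpdump -n port 53` output, and the feature thresholds (label length, character entropy, vowel ratio) are assumptions chosen for illustration, not values the paper reports.

```python
"""Structural triage of DNS queries captured from a suspected bot.

Added example for the abstract above, not the paper's own code. The sample
capture is constructed, and the thresholds in looks_generated() are assumed.
"""
import math
import re
from collections import Counter

# Constructed sample capture (not real traffic); the layout mimics tcpdump's
# "<id>+ A? <qname>. (<len>)" query notation. Two queries are benign-looking,
# four have the random-looking labels typical of DGA output.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 12345+ A? www.example.com. (33)
12:00:01.000200 IP 10.0.0.5.51235 > 10.0.0.1.53: 12346+ A? qxzvbnmkrtp.com. (33)
12:00:01.000400 IP 10.0.0.5.51236 > 10.0.0.1.53: 12347+ A? wlkfjsdhgya.net. (33)
12:00:01.000600 IP 10.0.0.5.51237 > 10.0.0.1.53: 12348+ A? mail.google.com. (33)
12:00:01.000800 IP 10.0.0.5.51238 > 10.0.0.1.53: 12349+ A? pzrmvtkqwxb.org. (33)
12:00:01.001000 IP 10.0.0.5.51239 > 10.0.0.1.53: 12350+ A? hgtrkqzvpwn.com. (33)
"""

# Matches the queried name in an A-record query; the trailing dot tcpdump
# prints after the FQDN is excluded from the captured group.
QUERY_RE = re.compile(r"\bA\?\s+(?P<qname>[A-Za-z0-9.-]+)\.\s")


def parse_qnames(capture):
    """Return the queried names, in capture order."""
    return [m.group("qname") for m in QUERY_RE.finditer(capture)]


def shannon_entropy(s):
    """Character entropy in bits; random-looking labels score near log2(len)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(qname):
    """Structural features of one query name, computed on the registrable label."""
    labels = qname.lower().split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    return {
        "qname": qname,
        "tld": tld,
        "sld": sld,
        "sld_len": len(sld),
        "entropy": shannon_entropy(sld),
        "vowel_ratio": vowels / len(sld) if sld else 0.0,
        "label_count": len(labels),
    }


def looks_generated(f, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Assumed heuristic: long, high-entropy, vowel-poor labels are DGA candidates."""
    return (f["sld_len"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def triage(capture):
    """Summarize the capture: which names look generated, their lengths and TLDs.

    tld_search_strings is the list an analyst would feed to a static analysis
    tool (string search in the binary) to locate the DGA routine, per the paper.
    """
    feats = [features(q) for q in parse_qnames(capture)]
    suspects = [f for f in feats if looks_generated(f)]
    return {
        "total": len(feats),
        "suspects": [f["qname"] for f in suspects],
        "tld_counts": dict(Counter(f["tld"] for f in suspects)),
        "sld_lengths": sorted({f["sld_len"] for f in suspects}),
        "tld_search_strings": sorted({"." + f["tld"] for f in suspects}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_CAPTURE)
    print("queries:", summary["total"])
    print("DGA candidates:", summary["suspects"])
    print("candidate label lengths:", summary["sld_lengths"])
    print("TLD strings to search for in the binary:", summary["tld_search_strings"])
```

On a real capture the output of `triage()` gives the two things the next step needs: the fixed label length and the TLD set, so the analyst knows which strings (here `.com`, `.net`, `.org`) to look for with the static analysis tool and what shape the generated label should have when the reconstructed routine is run.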
Source
《信息网络安全》 (Netinfo Security), CSCD-indexed
2017, No. 9, pp. 26-29 (4 pages)
Funding
Natural Science Foundation of Liaoning Province [2015020091]
Liaoning Provincial Education Science "12th Five-Year" Planning Project [JG14db440]
Public Security Theory and Soft Science Research Program Project [2016LLYJXJXY013]
Ministry of Public Security Technology Research Program Project [2016JSYJB06]
Keywords
malicious program
DGA (domain generation algorithm)
cracking