Most current antivirus engines rely on virus-pattern (signature) matching: records on the computer, or its network behaviour, are compared one by one against known behavioural signatures. A virus pattern is usually composed of several signatures, and a variant uses self-modification and polymorphic techniques to alter or hide part of the virus's behavioural signatures, so that it can evade detection by some antivirus products or cause false reports. Common commercial antivirus software can help an infected computer remove virus files, but cannot fully repair the system settings the virus has tampered with; after a severe infection the user often has to reinstall the operating system. To improve this situation, this study develops an antivirus system providing bot-virus prevention, detection and system repair, named Digital Antidote (DA), which automatically backs up the computer's system files so that the system becomes permanently immune to a specific virus. Its distinctive feature is that the digital antidote is developed for variant bot viruses and combined with a system-monitoring agent that automatically collects infection event logs and sends them to a monitoring centre, where network administrators can analyse and review them. This result is a rather effective design for virus protection in information security: testing shows it can remove the network-infection threat of the same or variant viruses, and when a computer on the campus network is infected it can immediately and automatically repair the system, greatly reducing the damage the virus does to the organization and improving the security of the computer system.
Available virus engines detect bots by searching for the known signatures of virus patterns or network behaviours. Virus behaviour contains several signatures, and a variant is generally built by altering part of the signatures, hiding them via self-modification or polymorphic techniques, so that the variant can avoid detection. Antivirus software can assist users in detecting and removing malware, but cannot fully restore the victim computers to their initial settings. In some situations, when the infection is severe, the operating system has to be installed over again. To resolve this problem, in a previous study we developed a digital antidote for bots that provides virus immunity by backing up archives of important system files. The feature of our work is to develop a new antidote based on analysis of the common signatures of bot samples, aggregating attack events with embedded monitor agents and then sending them to a virus monitoring centre for further examination. Experimental results show that the proposed approach is a useful design for reducing bot threats and effectively providing information-security protection on campus networks.
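The abstract describes two mechanisms, a clean backup of important system files used to repair a tampered machine, and a monitor agent that records each infection event for a monitoring centre. The following Python is an added illustration of that design and is not the paper's Digital Antidote code: it hashes a set of protected files, keeps a clean copy of each, and on a later check restores any file that was modified or deleted while emitting one JSON event per repair. The directory layout, file contents, host name and the simulated tampering in `run_demo()` are all constructed for the demo.

```python
"""Added example (not the paper's code): a minimal 'digital antidote' style
system-file guard. It records a hash baseline plus a backup copy of each
protected file, later detects tampering or deletion, restores the file
from the backup, and emits one event record per finding for a monitoring
centre. Paths and contents below are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_baseline(protected_dir, backup_dir):
    """Record a hash for every file under protected_dir and keep a clean
    copy of it under backup_dir. Returns {relative_path: sha256}."""
    baseline = {}
    for root, _dirs, files in os.walk(protected_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, protected_dir).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
            dest = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
    return baseline


def check_and_repair(protected_dir, backup_dir, baseline, host="host-01"):
    """Compare each baselined file against its recorded hash. A modified or
    missing file is restored from backup_dir and reported as an event dict
    that a monitor agent could forward to the monitoring centre."""
    events = []
    for rel, expected in baseline.items():
        path = os.path.join(protected_dir, rel)
        if not os.path.exists(path):
            kind = "deleted"
        elif sha256_file(path) != expected:
            kind = "modified"
        else:
            continue  # file matches the clean baseline, nothing to do
        os.makedirs(os.path.dirname(path), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), path)
        events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "host": host,                      # constructed host name
            "file": rel,
            "finding": kind,
            "expected_sha256": expected,
            "action": "restored_from_backup",
            "repaired_ok": sha256_file(path) == expected,
        })
    return events


def run_demo():
    """Constructed scenario: two protected files; one is overwritten and one
    is deleted, then the guard runs. Returns the event list and the
    post-repair file contents so the result can be checked."""
    work = tempfile.mkdtemp()
    protected = os.path.join(work, "system")
    backup = os.path.join(work, "antidote_backup")
    os.makedirs(os.path.join(protected, "etc"))
    with open(os.path.join(protected, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(os.path.join(protected, "boot.cfg"), "w") as f:
        f.write("autostart=off\n")
    baseline = create_baseline(protected, backup)

    # Simulated tampering (constructed): hosts file altered, boot.cfg removed.
    with open(os.path.join(protected, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n10.0.0.9 update.example\n")
    os.remove(os.path.join(protected, "boot.cfg"))

    events = check_and_repair(protected, backup, baseline)
    contents = {}
    for rel in baseline:
        with open(os.path.join(protected, rel)) as f:
            contents[rel] = f.read()
    shutil.rmtree(work)
    return events, contents


if __name__ == "__main__":
    for ev in run_demo()[0]:
        print(json.dumps(ev))
```

Each event carries the expected hash and a `repaired_ok` flag, so the monitoring centre can distinguish a successful automatic repair from one where the backup itself no longer matches the baseline, which is the case an administrator would want to review by hand.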