Scientific Research Report: "A Study of Some Automatic Malware Generation Techniques and Bypassing Anti-Malware Software"

A Study of Some Automatic Malware Generation Techniques and Bypassing Anti-Malware Software

Supervisors: Senior Lieutenant Colonel, Assoc. Prof. Nguyen Hieu Minh; Lieutenant, Eng. Nguyen Van Cuong
Students: Nguyen Tuan Anh, Nguyen Hoang Cuong
Faculty of Information Technology, Military Technical Academy
Scientific research report, 15/04/2015, MSEC

Contents
- Overview of malware.
- Overview of anti-malware software.
- Techniques for bypassing anti-malware software.
- Conclusion.

I. Overview of Malware
- Concept and classification.
- How malware infects a system.
- New types of malware and predicted future malware trends.
- Tools and techniques for automatic malware generation.

II. Anti-Malware Software and Malware Detection Techniques
- Introduction.
- Principles of malware detection.
- Malware detection techniques.

III. Techniques for Bypassing Anti-Malware Software
- Structure of an executable file.
- Techniques for bypassing anti-malware software.
- Demo.

2. Techniques for bypassing anti-malware software
- Encryption.
- Junk code insertion.
- Branching.
- Using a stub to decrypt and execute in memory.
- PRIDE (Pseudo-Random Index Decryption).
- Anti-analysis techniques.
- API (Application Programming Interface) hiding.
- Using digital signatures.
- Exploiting operating system vulnerabilities.

I. Overview of Malware

1. Concept, classification and purpose of malware
a) Concept: Malware is a term for software installed on a computer that performs tasks the user does not want, usually to serve the interests of some third party.
b) Classification: Virus, Worm, Trojan, Rootkit, Keylogger, Adware, Spyware, Browser Hijacker, Mobile Threats, ...
c) Purpose:
- Pranks or self-assertion.
- Destroying data and computer systems.
- Learning and research.
- Monitoring and stealing information.

2. Infection methods
- Classic infection (removable media).
- Infection via e-mail.
- Infection via visiting web pages.
- Infection via installed software.
- Infection via exploitation of security flaws.
- Many other paths, ...

Figure 1: Illustration of malware infection via e-mail.

Figure 2: Number of new malware samples appearing each year. AV-TEST statistics.

Figure 3: Vietnam ranks second in the number of infections by malware targeting online banking transactions (2013), according to Trend Micro.

3. New types of malware and predicted future malware trends
- Malware will target the critical infrastructure of nations to steal and destroy data.
- Mobile malware grows rapidly, and many ransomware variants appear on mobile devices.
- Users' privacy continues to be a target of hackers.
- Cloud storage services will face many security problems.
- Social networks such as Facebook will become the main channel for scammers.
- Politically motivated cyber attacks between hackers of different nations increase.
- Enterprises face increasingly sophisticated data-theft attacks (APT).

4. Tools and techniques for automatic malware generation

Figure 4: JPS (Virus Maker 3.0)

Figure 5: TeraBIT Virus Maker 3.1

Figure 6: Sonic Bat

How these generators work:
- Step 1: Create a malware sample with its full set of functions.
- Step 2: Build a Patcher tool that modifies a few bytes of the malware binary corresponding to each selected function or configuration option of the malware to be generated.
- Step 3: Write out the malware file produced by the Patcher.

Figure 7: The patching process.

II. Anti-Malware Software and Malware Detection Techniques
1. Introduction
Flushot Plus and Anti4us were the first two anti-malware utilities, in 1987. Since then anti-malware products have kept developing.

Figure 8: Popular anti-malware products.

2. Principles of malware detection
- Signature-based.
- Anomaly-based.

Analysis techniques:
- Static analysis.
- Dynamic analysis.
- Hybrid analysis.

Figure 9: Classification of malware detection techniques.

Figure 10: Signature-based malware detection.
Advantages:
- Detects malware accurately when its signature matches a sample in the signature set.
Limitations:
- Building the signature set is extremely laborious.
- Cannot detect new malware or zero-days.
- Storing and matching signatures is difficult.

Figure 11: Behaviour classification based on anomalies.
Advantages:
- The key to detecting zero-day exploits or zero-day attacks.
Limitations:
- Error margin between the normal and abnormal states.
- Complexity and difficulty in deciding which states may be learned.

3. Malware detection techniques
- Checksummers.
- Fuzzy hashing.
- Scan strings.
- Code emulation.
- Static heuristics.
- Behaviour blocking.

Checksummers: a technique that detects malicious objects on the basis of computing the integrity (checksum) of the program.

Figure 12: A malware file scanned on virustotal.com.
Advantages: almost perfectly accurate.
Disadvantages:
- Incomplete identification; identification is slow if the sample database is large.
- Building the sample database is difficult and complex.
- Malware can evade easily when it is identified by a hash value.

Fuzzy hashing: still identifies malware by hash, but adds analysis and computation over the malware's hash so that modified (damaged) hashes can still be recognised, improving detection.
Fuzzy hashing = Context Triggered Piecewise Hashing (CTPH) = Piecewise hashing + Rolling hashing

Figure 13: Result after rolling hashing.
Advantages:
- An improvement over the checksummer technique.
- Improves malware detection even with a limited sample database.
Disadvantages:
- Designing the algorithm and choosing a suitable string length is difficult.
- False positives (false alarms) can occur.
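An added example (not from the report) of a simplified context-triggered piecewise hash in Python: a rolling hash over a 7-byte window decides where each piece ends, and each piece is summarised by one character of a piecewise hash. It also ties in the patcher workflow of Figure 7: two constructed stand-in binaries that differ in three patched bytes get different MD5 checksums but nearly identical fuzzy hashes. The window, block size and sample data are constructed values, not the authors' parameters.

```python
import hashlib
import random

WINDOW = 7      # bytes covered by the rolling hash
BLOCK_SIZE = 8  # constructed small value so short inputs still yield many pieces
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193

def rolling_hash(window: bytes) -> int:
    """Depends only on the last WINDOW bytes, so piece boundaries resynchronise after an edit."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def fuzzy_hash(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """CTPH signature: one base64 character per context-triggered piece."""
    sig, piece, window = [], FNV_BASIS, bytearray()
    for b in data:
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF   # piecewise hash (FNV-1a)
        window.append(b)
        del window[:-WINDOW]
        # the rolling hash, not a fixed offset, decides where a piece ends
        if rolling_hash(window) % block_size == block_size - 1:
            sig.append(ALPHABET[piece & 63])
            piece = FNV_BASIS
    sig.append(ALPHABET[piece & 63])                       # final partial piece
    return "".join(sig)

def similarity(sig_a: str, sig_b: str) -> int:
    """0..100: longest common subsequence of the two signatures, relative to the longer one."""
    n, m = len(sig_a), len(sig_b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = dp[i][j] + 1 if sig_a[i] == sig_b[j] else max(dp[i][j + 1], dp[i + 1][j])
    return 100 * dp[n][m] // max(n, m, 1)

def compare(a: bytes, b: bytes) -> dict:
    """What a checksummer sees (exact MD5 match) next to what fuzzy hashing sees."""
    return {"same_md5": hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest(),
            "similarity": similarity(fuzzy_hash(a), fuzzy_hash(b))}

def constructed_sample(seed: int, length: int = 2000) -> bytes:
    """Constructed stand-in for a binary: pseudo-random bytes, not a real program."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

ORIGINAL = constructed_sample(1)
# A builder/patcher (Figure 7) changes only a few configuration bytes of a fixed binary:
PATCHED = bytearray(ORIGINAL)
for offset, mask in ((100, 0xFF), (900, 0x55), (1500, 0x0F)):
    PATCHED[offset] ^= mask
PATCHED = bytes(PATCHED)
UNRELATED = constructed_sample(2)

if __name__ == "__main__":
    print("patched variant :", compare(ORIGINAL, PATCHED))
    print("unrelated sample:", compare(ORIGINAL, UNRELATED))
```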

Scan strings: a technique that uses an extracted byte sequence (a scan string) that is characteristic of the malware file and does not occur in clean files as the sample database for identifying malware.

Figure 14: Code of the Stoned virus under analysis.
Advantages:
- Accurate identification.
- Faster identification than the checksummer technique.
Disadvantages:
- Building and updating the database is complex.
- Identification is passive: the malware is not detected once its code is modified.

Code emulation: a highly regarded malware detection technique. It emulates the CPU, the memory management system and the low-level machine instructions, so that the scanner behaves like a real machine.

Figure 15: Structure of the registers and flags of a 16-bit Intel CPU redefined in the C language.
Advantages:
- The malware runs in isolation and does not affect the real system.
Disadvantages:
- Emulating the CPU and memory state of a system is very difficult.
- Updating and operating the emulation system requires a high level of technical skill.

Static heuristic analysis: this technique analyses and computes information from the program such as the PE header, the sections and the imported API functions, or suspicious signs such as incorrect sizes in some fields, redirection code and combinations of flags.

Figure 16: Multi-level classification of infection thresholds.
Advantages:
- Proactive in building the sample database.
- Improves malware detection (including malware not yet in the sample database).
Disadvantages:
- Difficult to choose the features used for classifying the infection threshold.
- False positives (false alarms) can occur.

Behaviour blocking: a technique that blocks behaviours and blocks of instructions suspected of being malicious before they get the chance to affect the system.

Figure 17: A module blocking deceptive behaviour on DOS.
Advantages:
- Can prevent a malicious program from affecting the system.
- Depending on the analysis capability, the impact of the malware can be limited accordingly.
Disadvantages:
- Requires the analyst (or the analysis system) to have a high level of expertise.
- False positives (false alarms) can occur.

III. Techniques for Bypassing Anti-Malware Software
- Structure of an executable file.
- Techniques for bypassing anti-malware software.
- Program demo.

1. Structure of an executable file
PE File Format (Portable Executable File Format): the executable file format on 32-bit and 64-bit Windows operating systems. It covers .exe, .dll (32-bit), .com and .net files, but not VxD files or 16-bit .dll files.

The structure of an executable file consists of:
- DOS MZ Header
- DOS Stub
- PE Header
- Section Table
- Sections

Figure 18: Structure of an executable file.

Structure of the PE Header:
- Signature: identifies the file format (4 bytes):
  (PE: 50 45 00 00, 32-bit)
  (NE: 4E 45 00 00, 16-bit)
  (LE: 4C 45 00 00, Windows 3.x virtual device drivers)
  (LX: 45 58 00 00, files for OS/2 2.0)
- File Header: contains information about the physical layout and the characteristics of the file (20 bytes).
- Optional Header: contains information about the logical layout inside a PE file (224 bytes).

struct IMAGE_NT_HEADERS {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
};

In the File Header structure, the members worth noting are:
- Machine: a value identifying which machine type this PE file was compiled for (encoded as a code; for Intel 32-bit).
- NumberOfSections: the number of sections in the PE file. This member must be changed whenever a section is added to or removed from a PE file.
- Characteristics: flag bits identifying the PE file type. The value is 0x0102 for an *.EXE file and 0x2102 for a *.DLL file.

struct IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
};

The Optional Header consists of 31 members occupying 224 bytes.

The members worth noting are described as follows:
- Magic (2 bytes): identifies whether the file is 32-bit (0B 01) or 64-bit (0B 20).
- AddressOfEntryPoint (4 bytes): holds the relative virtual address (RVA) of the first instruction to be executed once the PE loader is ready to run the PE file (in .text or .code).
- ImageBase (4 bytes): the preferred load address of the PE file.
- SectionAlignment (4 bytes): the alignment of the sections in memory.
- FileAlignment (4 bytes): the alignment of the sections in the file.
- SizeOfImage (4 bytes): the total size of the PE image in memory, the sum of all headers and sections aligned to SectionAlignment.
- SizeOfHeaders (4 bytes): the size of all headers plus the section table.
- Data Directory: an array of 16 entries, each of which refers to an important data structure in the PE file.

The Section Table holds the information about each section.

struct IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];   /* 8 bytes */
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
};

- VirtualSize: the size of the section's data, in bytes.
- VirtualAddress: also called the RVA (relative virtual address) of the section.
- SizeOfRawData: the size of the section's data in the file on disk.
- PointerToRawData: the offset from the start of the file to the section's data.
- Characteristics: the flags describing the attributes of the section.

Sections hold the main content of the file.

Some commonly used sections: .text, .data (.rdata, .bss), .rsrc, .edata, .idata, .debug, .reloc

Figure 19: Import section.
Figure 20: Export section (By Name + By Ordinal only).
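An added example (not from the report): a Python parser for the headers described in this section, followed by the kind of static-heuristic checks discussed under the detection techniques above (a section that is both writable and executable, a raw-data size that runs past the end of the file, an entry point outside every executable section, an inconsistent SizeOfImage). The two PE images are constructed minimal headers with empty bodies, not real programs; the flag constants are the documented IMAGE_SCN_* values.

```python
import struct

SCN_CODE, SCN_EXEC, SCN_WRITE = 0x00000020, 0x20000000, 0x80000000  # IMAGE_SCN_* flags
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data: bytes) -> dict:
    """Read the DOS header, PE signature, File Header, Optional Header and Section Table."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 24                                                    # IMAGE_OPTIONAL_HEADER32
    magic = struct.unpack_from("<H", data, opt)[0]
    entry, _, _, base, salign, falign = struct.unpack_from("<6I", data, opt + 16)
    size_image, size_headers = struct.unpack_from("<2I", data, opt + 56)
    secs = []
    for i in range(nsec):                                            # table follows the optional header
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                     "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return {"machine": machine, "magic": magic, "entry": entry, "image_base": base, "section_align": salign,
            "file_align": falign, "size_of_image": size_image, "size_of_headers": size_headers, "sections": secs}

def heuristics(data: bytes) -> list:
    """Static-heuristic findings of the kind an engine scores against an infection threshold."""
    pe, hits = parse_pe(data), []
    for s in pe["sections"]:
        if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE:         # decrypt-in-place stub pattern
            hits.append(f"section {s['name']} is writable and executable")
        if s["rawptr"] + s["rawsize"] > len(data):                   # inconsistent size field
            hits.append(f"section {s['name']} raw data extends past end of file")
    if not any(s["rva"] <= pe["entry"] < s["rva"] + s["vsize"] and s["chars"] & SCN_EXEC
               for s in pe["sections"]):
        hits.append("entry point outside every executable section")
    last, align = pe["sections"][-1], pe["section_align"]
    expected = -(-(last["rva"] + last["vsize"]) // align) * align   # round up to SectionAlignment
    if pe["size_of_image"] != expected:
        hits.append(f"SizeOfImage {pe['size_of_image']:#x} differs from expected {expected:#x}")
    return hits

def build_pe(sections, entry, size_of_image, body=b"\0" * 0x600) -> bytes:
    """Construct a minimal PE32 image for testing: headers plus an empty body, no real code."""
    hdr_len = 0x40 + 24 + 224 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I", 0x10B, 0, 0, 0, 0, 0, entry, 0, 0, 0x400000, 0x1000, 0x200)
    opt += b"\0" * 16 + struct.pack("<2I", size_of_image, hdr_len) + b"\0" * 160
    table = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, rva, rs, rp,
                                 0, 0, 0, 0, ch) for n, rva, vs, rp, rs, ch in sections)
    return dos + b"PE\0\0" + fh + opt + table + body

# Constructed inputs: a conventional layout, and one showing the anomalies checked above.
CLEAN = build_pe([(".text", 0x1000, 0x200, 0x200, 0x200, SCN_CODE | SCN_EXEC),
                  (".data", 0x2000, 0x100, 0x400, 0x200, 0x40 | SCN_WRITE)],
                 entry=0x1010, size_of_image=0x3000)
SUSPECT = build_pe([(".text", 0x1000, 0x200, 0x200, 0x200, SCN_CODE | SCN_EXEC),
                    (".stub", 0x2000, 0x1000, 0x400, 0x4000, SCN_EXEC | SCN_WRITE)],
                   entry=0x5000, size_of_image=0x2000)
```

heuristics(CLEAN) returns an empty list, while heuristics(SUSPECT) reports all four anomalies; real engines weight such findings and compare the total against a threshold as in Figure 16.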

2. Techniques for bypassing anti-malware software

2.1. Encryption technique: a suitable and effective approach that both changes the malware's signature and makes analysing the malware's behaviour harder.
Encryption techniques:
- Basic encryption.
- Stream encryption.
- Encryption with a random key.
- Permutation-based encryption.
- Code-dependent encryption.

2.2. Junk code insertion: junk instructions are added without affecting the logic of the program. Some such instructions: XCHG, NOP, MOV ax, ax, SUB ax, 0.

2.3. Branching technique: the program is generated with many random checkpoints implemented by conditional jumps (JNE, JNZ).

Figure 21: Program behaviour with and without branching.

2.4. Using a stub to decrypt and execute in memory.

The newly created binary has two parts. The first, called the Stub, is responsible for decrypting the malware and executing it in memory. The second is the Payload, the encrypted malware itself; many algorithms can be chosen for the encryption.

Figure 22: The generated file.

2.4. Using a stub to decrypt and execute in memory (continued). Further transformations applied to the generated file:
- Add junk code to alter the control flow.
- Change or encrypt strings.
- Rename variables.
- Change the order and appearance of the code.
- Add or change the icon.
- Encrypt every variable string and even the payload with a standard data-encryption algorithm.
- Obfuscate every suspicious API call.
- Make the length of all trailing elements vary unpredictably.
- Remove all unnecessary strings and hide resources that could serve as identification marks for antivirus products.

Figure 23: The obfuscated file.

2.5. PRIDE technique (Pseudo-Random Index Decryption).
The purpose of this technique is to protect the virus against heuristic methods, even if the direction in which the decryption routine executes is changed.
- Data: the address of the internal buffer holding the virus data.
- The data is read sequentially and a new buffer holding the decrypted data is created.
- Control is passed to the newly decrypted code.
PRIDE decrypts randomly and out of order: byte 10 is decrypted, then byte 25, then byte 7, and so on. Such a memory access pattern resembles the memory accesses of a normal application. At the same time the technique strengthens the polymorphism of the decryption code.

2.5. PRIDE technique (Pseudo-Random Index Decryption), the decryption loop as given on the slide:

pride_start = (size_of_data - 4) & random ();
pride_step  = (size_of_data - 8) & random ();
pride_key   = get_random_key ();

MOV CR, pride_start
MOV IR, val              ; val = (size_of_data - 4) & random()
MOV BR, val              ; val = random()

PUSH IR
XOR IR, CR
MOV BR, [IR + source]
XOR BR, key              ; or ADD BR, +/- key ; or nothing (no decryption)
ADD IR, dest
MOV [IR], BR             ; write the decrypted dword
POP IR
ADD CR, val              ; CR += [4;7]
AND CR, val              ; val = ((random() & size_of_data) | (size_of_data-4)) & -4
                         ; (-> CR := (CR % size_of_code) & FFFFFFFCh)
ADD IR, pride_step
AND IR, val              ; val = ((random() & size_of_data) | (size_of_data-1)) & -1
                         ; (-> IR := IR % size_of_code)
CMP CR, pride_start
JNZ                      ; jump to a random branch

size_of_data is the size of the encrypted data. The algorithm first initialises its variables, then initialises the registers used during decryption: CR, IR and BR. CR is the counter register holding the sequential decryption index, IR is the index register holding the pseudo-random decryption index, and BR is the buffer register used for temporary storage of the encrypted data. The instructions above update CR and IR in combination (ADD CR, val followed by AND CR, val for CR); the AND that follows each ADD keeps the register inside the required range, as the masks in the listing's comments show.

2.6. Anti-analysis techniques
Anti-Debugger:
- Using API functions: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess.
- Structure checks: NtGlobalFlag.
- Timing checks.
- Interrupts: Int3, Int2D.

Figure 24: Running the program directly.
Figure 25: Running the program through Visual Studio 2012.

2.6. Anti-analysis techniques
Anti-Virtual Machine. Popular virtualization products:
- VMware Workstation
- Oracle VirtualBox
- Microsoft Virtual PC
- Parallels Desktop
- Sandboxie

Figure 26: Some virtualization and sandbox solutions.

Anti-Virtual Machine techniques:
- Timing-based.
- Artifacts-based.

Figure 27: Virtual machine detection based on timing.
Figure 28: Virtual machine detection based on artifacts.

2.7. API hiding technique (Application Programming Interface).
The purpose of this technique is to hide the APIs called during execution and the APIs listed in the Import Directory, so that AV products do not become suspicious of the functions performed; it also hinders debugging and reverse engineering of the software.

Outline of the technique as given on the slide (Decrypt denotes the program's own string-decryption routine):
    string DLLName = "abcxyz";     // encrypted DLL name
    string APIName = "FileCreat";  // encrypted API name
    LoadLibraryA(Decrypt(DLLName)) -> GetProcAddress(Decrypt(APIName)) -> call it

The slide's example, which resolves MessageBoxA at run time instead of importing it (corrected so that it compiles; the null checks are added):
    #include <windows.h>

    void HidenAPI(void)
    {
        const char *szMessage = "Hiden API";
        const char *szCaption = "Hello!";
        /* user32.dll is loaded by name at run time, so MessageBoxA never appears in the import table */
        HMODULE hModule = LoadLibraryA("user32.dll");
        if (hModule == NULL)
            return;
        FARPROC fFuncProc = GetProcAddress(hModule, "MessageBoxA");
        if (fFuncProc != NULL)
            ((int (WINAPI *)(HWND, LPCSTR, LPCSTR, UINT))fFuncProc)(0, szMessage, szCaption, 0);
        FreeLibrary(hModule);
    }

    int main(void)
    {
        HidenAPI();
        return 0;
    }

2.7. API hiding technique (continued).

Figure 29: Executing MessageBox() without importing the API.

2.8. Using digital signatures.

Figure 30: A genuine signature.
Figure 31: A fake signature.

2.9. Exploiting operating system vulnerabilities.
Operating system vulnerabilities are programming errors in the system programs inside the operating system.
Malware that uses operating system vulnerabilities is usually harder to detect than ordinary malware; such malware operates silently for a very long time before being discovered by malware analysts.
Operating system vulnerabilities appear not only on Windows but also on Linux, Android, Mac OS, ... Earlier, Apple had claimed that its systems could not have malware.

Figure 32: The spread of Stuxnet.

2.9. Exploiting operating system vulnerabilities (continued).
Typical operating system vulnerabilities of 2014:
- CVE-2014-414: Windows OLE Package Manager SandWorm Exploit
- CVE-2014-4113: Windows TrackPopupMenu Win32k NULL Pointer Dereference
- CVE-2014-6324: Windows Kerberos - Elevation of Privilege (MS14-068)
Some operating system vulnerabilities newly published in 2015:
- CVE-2015-0004: Windows < 8.1 (32/64 bit) - Privilege Escalation (User Profile Service) (MS15-003)
- Windows 8.1 - Local WebDAV NTLM Reflection Elevation of Privilege
- McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation

Figure 33: Exploiting CVE-2014-4113 to escalate privileges to NT AUTHORITY\SYSTEM.

Demo

Conclusion
- Anti-malware software is not 100% safe; it can only be regarded as a "sedative".
- That is no reason, however, to remove anti-malware software from a system altogether.
- Systems must be maintained and monitored regularly to minimise the damage caused by malware.
- A security policy must be built for the system to minimise the risks posed by malware, with measures for prevention and for recovering from its consequences.
- For malware to get past anti-malware software, programming technique is what matters most; protective shells are only an outer wrapper and are detected sooner.
- Many more techniques for bypassing anti-malware software exist, but because of the limited research time, practical conditions and available literature, the research group has not presented them in this study.

Q&A


Thank you, teachers and friends, for your attention!
Contact: #tuananh: [email protected]; #hoangcuong: [email protected]