[Repost] Professional security technique: beyond signature-based detection
Source: www.antpower.org

From a research group at Microsoft. Their idea is exciting: at last a way out of the trouble of Trojan and spyware signature databases that need constant updates and grow without limit! Strongly recommended reading.

Stealth malware programs that silently infect enterprise and consumer machines are becoming a major threat to the future of the Internet [XZ04]. Resource hiding is a powerful stealth technique commonly used by malware to evade detection by computer users and antimalware scanners. In this paper, we focus on a subclass of malware, termed “ghostware”, which hide files, configuration settings, processes, and loaded modules from the operating system’s query and enumeration Application Programming Interfaces (APIs). Instead of targeting individual stealth implementations, we describe a systematic framework for detecting multiple types of hidden resources by leveraging the hiding behavior as a detection mechanism. Specifically, we adopt a cross-view diff-based approach to ghostware detection by comparing a high-level infected scan with a low-level clean scan and alternatively comparing an inside-the-box infected scan with an outside-the-box clean scan. We describe the design and implementation of the Strider GhostBuster tool and demonstrate its efficiency and effectiveness in detecting resources hidden by real-world malware such as rootkits, Trojans, and key-loggers.

Attachment

spyware.rar (165 KB)

2005-5-26 18:34, downloads: 53

qq310926 is the only QQ number I use; anyone with a different number claiming to be 邪八冰血封情 is not me.
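The abstract above describes a cross-view diff: enumerate a resource (files, processes, registry settings) once through the normal high-level API that a ghostware hook can filter, once through a lower-level or outside-the-box path the hook does not control, and treat anything present in the low-level view but missing from the high-level view as hidden. The following Python script is an added illustration of that comparison, written for this page; it is not the Strider GhostBuster tool or any code from the paper. The resource tables, the `hid_` naming convention used by the simulated hook, and the `simulated_hooked_api` function are all constructed for the example. The same `cross_view_diff` function serves both the high-level vs. low-level and the inside-the-box vs. outside-the-box comparison, since both reduce to a set difference between two views of the same resource; the `confirm_hidden` helper shows the practical caveat that resources which legitimately come and go between two scans (a short-lived process, a temporary file) show up as one-off differences and should be confirmed across repeated scans before being reported.

```python
"""Cross-view diff for hidden-resource detection.

Added example for this page; not the Strider GhostBuster implementation.
All resource names below are constructed and do not refer to real malware.
"""
import ntpath
from typing import Callable, Dict, Iterable, List, Set

# Constructed ground truth: what is really present on disk and in the process table.
TRUE_FILES: Set[str] = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\hid_driver.sys",  # constructed: hidden by the simulated hook
    r"C:\Users\alice\Documents\report.docx",
}
TRUE_PROCESSES: Set[str] = {"explorer.exe", "svchost.exe", "hid_logger.exe"}  # hid_logger.exe constructed

# Constructed marker: the simulated hook hides every resource whose base name starts with this.
HIDE_PREFIX = "hid_"


def is_ghostware_resource(name: str) -> bool:
    """Constructed hiding rule used only by the simulated hook."""
    return ntpath.basename(name).startswith(HIDE_PREFIX)


def simulated_hooked_api(entries: Iterable[str], hide_if: Callable[[str], bool]) -> Set[str]:
    """Models a high-level enumeration API whose results a ghostware hook filters.

    This is the 'inside-the-box infected scan': the caller only sees what the hook lets through.
    """
    return {entry for entry in entries if not hide_if(entry)}


def cross_view_diff(high_level: Iterable[str], low_level: Iterable[str]) -> Dict[str, List[str]]:
    """Compare two views of the same resource class.

    'hidden'  : present in the low-level (or outside-the-box) view but not in the high-level one;
                this is the ghostware signal the paper describes.
    'phantom' : present only in the high-level view; usually a resource created between the two
                scans, worth reporting separately rather than silently dropping.
    """
    high, low = set(high_level), set(low_level)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def scan_files() -> Dict[str, List[str]]:
    """High-level (hooked) file enumeration vs. a low-level read of the raw file table."""
    high_level_view = simulated_hooked_api(TRUE_FILES, is_ghostware_resource)
    low_level_view = set(TRUE_FILES)  # the low-level scan bypasses the hook and sees everything
    return cross_view_diff(high_level_view, low_level_view)


def scan_processes() -> Dict[str, List[str]]:
    """Same comparison for the process list."""
    high_level_view = simulated_hooked_api(TRUE_PROCESSES, is_ghostware_resource)
    low_level_view = set(TRUE_PROCESSES)
    return cross_view_diff(high_level_view, low_level_view)


def confirm_hidden(diffs: List[Dict[str, List[str]]]) -> Set[str]:
    """Keep only entries reported as hidden in every round of repeated scanning.

    A resource that appears in just one diff is most likely transient (it existed during the
    low-level scan but had already gone when the high-level scan ran), not deliberately hidden.
    """
    if not diffs:
        return set()
    confirmed = set(diffs[0]["hidden"])
    for diff in diffs[1:]:
        confirmed &= set(diff["hidden"])
    return confirmed


if __name__ == "__main__":
    print("files:", scan_files())
    print("processes:", scan_processes())
    # Three rounds where 'tmp_worker.exe' (constructed) was transient and vanished after round one.
    rounds = [
        {"hidden": ["hid_logger.exe", "tmp_worker.exe"], "phantom": []},
        {"hidden": ["hid_logger.exe"], "phantom": []},
        {"hidden": ["hid_logger.exe"], "phantom": []},
    ]
    print("confirmed hidden across rounds:", confirm_hidden(rounds))
```

In a real deployment the low-level view would come from reading raw on-disk structures or from scanning the same disk after booting a known-clean system (the paper's outside-the-box scan), and the high-level view from the ordinary OS enumeration APIs; the diff logic itself does not change.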
