JP2019095882A - Program and information processing device - Google Patents

Abstract

To provide a program and an information processing device capable of surely detecting ransomware.SOLUTION: A mini filter B functions as request detection means which can detect a specific request (IRP request) in a Kernel space corresponding to a prescribed request performed in a user space, and ransomware infection determination means for determining that a computer is infected with a ransomware in the case of satisfying a first condition that the specific request is detected at a predetermined frequency.SELECTED DRAWING: Figure 10

Description

  The present invention relates to a program and an information processing apparatus capable of detecting ransomware.

In recent years, a type of malware called ransomware has become prevalent worldwide.
Ransomware, like other common malware, infects terminal devices such as personal computers via the Internet or email.
The terminal device performs the following behavior when it is infected with ransomware.
First, the ransomware encrypts (locks) the file stored in the terminal device, thereby making the file unusable.
Then, the ransomware causes the terminal device to display a threatening message requiring ransom in return for restoring the encrypted file.
This kind of ransomware starts file encryption immediately upon infection, and also has the feature of performing encryption of multiple files in stages, and the conventional method completely prevents the ransomware damage. It is difficult.
For example, since methods such as signature matching can not detect unknown ransomware, even real-time monitoring, which constantly monitors for ransomware intrusion, may allow intrusion and become infected.
Also, even if you notice the ransomware infection early and take action such as turning off the terminal device immediately, it is inevitable that some files will be encrypted, and it is extremely difficult to completely prevent the damage. It is.
There is also a post-infection post-infection method that restores files to their pre-infection state, but is not effective for ransomware that destroys snapshots or restore points.
For such a problem, Patent Document 1 discloses a program for preventing a ransomware attack.

Patent No. 5996145 gazette

However, since the program disclosed in Patent Document 1 sets the operation (calling, etc.) of a function (API: Application Programming Interface) such as a file reading function as an essential condition for detecting a ransomware, for example, There is a problem that the ransomware can not be detected when an API different from the assumed API is used as an API corresponding to "read file".
Thus, there are problems to be solved in the conventional methods for preventing ransomware attacks.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide a program and an information processing apparatus capable of reliably detecting ransomware.

  In order to achieve the above object, a program of the present invention comprises a computer, a request detecting means capable of detecting a specific request in kernel space corresponding to a predetermined request performed in user space, and the specific request is a predetermined one. The computer is made to function as a ransomware infection judging means for judging that the computer is infected with ransomware when the first condition that the frequency is detected is satisfied.

  According to the present invention, a ransomware attack can be effectively prevented.

It is a block diagram showing the general composition of an information processor. FIG. 5 is a diagram schematically illustrating the flow of instructions when a user operates a computer, divided into a user space and a kernel space. FIG. 2 is a diagram particularly for explaining the flow of instructions in a kernel space. It is a figure for demonstrating the operation | movement when infected with ransomware "WannaCry". It is a figure for demonstrating API called at the time of infection of ransomware "WannaCry". It is a figure which shows the state of the file before being encrypted by "WannaCry", (a) is a state where five files are stored in docs folder of desktop, (b) is a "20150728_hattori. Pdf" file. It is a figure which shows a header. It is a figure for demonstrating the operation | movement of "WannaCry", (a) is an operation of searching for a file from desktop using "FindFirstFileW", (b) is a file from docs folder of desktop using "FindFirstFileW" (C) is a diagram showing an operation of opening “20150728_hattori.pdf” of the docs folder using “CreateFileW”. It is a figure for demonstrating the operation | movement of "WannaCry", (a) is operation which newly creates empty file "20150728_hattori.pdf.WNCRY" in docs folder using "CreateFileW", (b) is "WriteFile. (C) write the encrypted data to the original file "20150728_hattori.pdf" using "WriteFile". FIG. It is a figure for demonstrating the operation | movement of "WannaCry", (a) is a figure which shows the header of "20150728_hattori.pdf" (encryption file), (b) is newly created "20150728_hattori.pdf.WNCRY" (C) is a figure which shows the header of (encryption file), and (c) is a figure which shows the state in which only the newly created encryption file remained by this by using "DeleteFileW", and the original file is deleted. . It is a figure for demonstrating the operation | movement in the kernel mode performed with a computer based on the program of this invention. FIG. 17 is a diagram for describing an operation to be performed by a computer based on a program of the present invention, and for listing up an IRP request corresponding to an API called upon infection with a ransomware “WannaCry”. It is a figure which shows an example of an IRP list. FIG. 7 is a diagram showing an example of an IRP list including IRP requests associated with time information and file paths. FIG. 7 shows a first composite IRP list consisting of read and newly created IRP requests. FIG. 7 shows a second composite IRP list consisting of read and delete IRP requests. FIG. 10 is a diagram showing a third combined IRP list consisting of newly created and written IRP requests. It is a dialog that is displayed on the computer display when "vssadmin.exe Delete Shadows / All / Quiet" is executed as the ransomware operation. It is a figure which shows an example of the signature table which includes the header and extension of a known file in a structure. It is a figure for demonstrating encryption determination.

  Hereinafter, an embodiment of the present invention will be described with reference to FIGS. 1 to 19.

First, the information processing apparatus 20 in which the program of the present invention operates will be described.
FIG. 1 is a block diagram showing a general configuration of the information processing apparatus 20. As shown in FIG.
The information processing apparatus 20 is a computer of the present invention, and a personal computer (PC), a tablet computer, or the like can be applied.
As shown in FIG. 1, the information processing apparatus 20 includes a CPU 21 for executing an instruction, a hard disk 22 for storing files (data) and programs, a memory 23 for the CPU 21 to read data and programs, and user operations. It comprises an input / output device 24 such as a mouse and keyboard, a display 25 for displaying operation contents and processing results, etc., and a communication interface 26 etc. for enabling transmission and reception of information with the outside through e-mail, Internet etc. ing.
In such a computer, an operating system (OS), which is basic software, is stored in the hard disk 22, and performs various operations.
Although the information processing apparatus 20 according to the present embodiment is described as being provided with Windows (registered trademark) as an OS, the present invention can be applied to the case where another OS is provided.

Next, operations related to the file system and kernel which are basic operations of such a computer will be described.
"File system" refers to the function of an operating system (hereinafter referred to as the "OS") for operating devices such as hard disks, and is implemented to operate, access, and search data (files) stored in the device. It is done.
FIG. 2 is a diagram showing the flow of instructions when the user operates the computer.
As shown in FIG. 2, in the file system, various types of processing are executed in two processing spaces such as “user space” and “kernel space”.
The “user space” is a processing space close to the user, for example, a space in which application software operates.
"Kernel space" means the space in which the kernel operates. The "kernel" is the core part of the OS, which manages various resources and abstracts them to mediate the interaction between hardware and software.
For example, as shown in FIG. 2, when the user performs "predetermined operation" on the computer, in the user space (user mode), the user land calls a Windows API function (hereinafter referred to as API) corresponding to the operation, This is passed to the kernel as an I / O request (a predetermined request made in user space).
The kernel operates in a kernel mode (kernel space), and performs various processing on a device such as a hard disk based on a specific request corresponding to the API ("IRP request": specific request in the kernel space).
The “predetermined operation” includes an operation performed via a library, an application, and the like, in addition to an operation via a CUI (Character User Interface) or a GUI (Graphical User Interface).

More specifically, as shown in FIG. 3, in the user mode (user space), "CreateFile" corresponding to "newly created" of file, "WriteFile" corresponding to "write" of file, and "read" of file APIs such as "ReadFile" corresponding to "" and "DeleteFile" corresponding to "delete" of a file are called as an I / O request.
In the kernel mode (kernel space), in response to an I / O request in the user space, the I / O manager makes a specific request corresponding to "new creation", "write", "read", and "deletion".
Specifically, the I / O manager issues IRP requests corresponding to the I / O requests, and these are output to the file system driver and storage driver stack via the filter manager, and finally, in the hard disk Various processing is performed.
The IRP request includes, for example, “IRP_MJ_CREATE” corresponding to “newly created”, “IRP_MJ_WRITE” corresponding to “write”, “IRP_MJ_READ” corresponding to “read”, “IRP_MJ_CLEANUP” corresponding to “delete”, etc. .
As described above, in the computer, various APIs as I / O requests are called in the user space, and in the kernel space, file writing, new creation, reading, deletion and the like are performed by IRP requests as I / O requests.
The filter manager can register any IRP request, and can make the mini filter (mini filter A or B) perform an operation such as monitoring for the registered IRP request.

Next, the operation when the computer is infected with ransomware will be described.
The operation when infected with "WannaCry", which is a kind of ransomware, will be described below.
For convenience, "WannaCry" is also referred to as "ransomware".

When ransomware intrudes into a computer via the Internet or e-mail, it is stored in a storage means such as a hard disk and is deployed as a predetermined process on the memory to be infected.
"WannaCry" is a malware with a worm function that utilizes a vulnerability (MS17-010) in a Windows SMB server, and as shown in Figure 4, it infects a computer by executing an EXE file in the resource section (Operation of dropper 1).
According to the operation of the dropper 1, "tasksche. Exe" (dropper 2) is automatically started.
The dropper 2 displays an image of a threatening statement and intimidation information generated in multiple languages as so-called wallpaper, and decodes (expands) the built-in DLL binary data in a memory.
As a result, the data of the file stored in the local folder or the shared folder (hereinafter, the “file” includes the data of the file) is encrypted.

Such "WannaCry" encryption is performed as follows using the file system of the computer, more specifically, various APIs in the user space.
A description will be given below with reference to the computer screen (FIGS. 5 to 9) when verifying that the file in the "docs" folder of the "Desktop" is encrypted using the "WannaCry" sample.

FIG. 5 is a diagram showing the flow until the file is encrypted by executing the “WannaCry” sample.
Fig. 6 shows the state of the file before being encrypted by "WannaCry", where (a) shows five files in the docs folder of Desktop ("20150728_hattori.pdf", "Chrysanthemum.jpg (a photograph of the chrysanthemum ), “Desert.jpg (photograph of desert)”, “hydrangeas.jpg (photograph of hydrangea)”, “Jellyfish.jpg (photograph of jellyfish)” are stored, (b) is “20150728_hattori It is a figure which shows the header of a ".pdf" file.
7 to 9 show screens of the debugger for explaining the operation of "WannaCry".
In each of the figures, "W" attached to the end of the character string of API has the same meaning as that not attached. For example, "FindFirstFileW" is synonymous with "FindFirstFile".

As shown in FIG. 5, when the "WannaCry" sample is executed, a predetermined file is searched by "FindFirstFile" (S1, S2), the file is opened by "CreateFile" (S3), and the file is read by "ReadFile" The data is read (S4) and encryption (S5) is performed.
In addition, a new file creation (S6) is performed in parallel with the operations of S1 to S5.
The file encrypted in S5 is written to the newly created file, and is also written to the original file and overwritten (S8).
As a result, two files of a newly created encrypted file and an encrypted file obtained by encrypting the original file data are generated.
However, of these, the encrypted file of the original file data is deleted (S9).
Each operation of S1 to S9 will be described with reference to a screen of a debugger or the like.

When the "WannaCry" sample is executed, "FindFirstFile" is called, and the target file is searched for each hierarchy by the API.
In the present embodiment, first, as shown in FIG. 7A, a search is performed for “Desktop” by using “FindFirstFile” (S1 in FIG. 5), and then, in FIG. 7B. As shown, by using "FindFirstFile", a search is performed for the "docs" folder under "Desktop" (S2 in FIG. 5).
Next, as shown in FIG. 7C, the “20150728_hattori / pdf” file placed at the top of the “docs” folder is opened by “CreateFile” (S3 in FIG. 5).

Subsequently, the data of the "20150728_hattori / pdf" file is read out by the "Read File" (S4 in FIG. 5).
Next, the data of the “20150728_hattori / pdf” file is encrypted and expanded in the memory (S5 in FIG. 5). By this encryption, file data is randomized and can be decrypted only with a decryption key known only to the ransomware creator.
Subsequently, as shown in FIG. 8A, “CreateFile” is called in parallel with S1 to S5 (especially S4) in FIG. 5, and “20150728_hattori / pdf” is stored in the “docs” folder of “Desktop” by the API. A file (empty file) having a file name of “.WNCRY” is newly created (S6 in FIG. 5).
As a result, an empty file having the extension ".WNCRY" added to the original file is newly created.

Next, as shown in FIG. 8B, the encrypted data of “20150728_hattori / pdf” is written to the newly created empty “20150728_hattori / pdf.WNCRY” file by “WriteFile” (S7 in FIG. 5). ). The header of the file is "WANACRY!".
Also, in parallel with this operation, as shown in FIG. 8C, the encrypted data of "20150728_hattori / pdf" is written to the original file "20150728_hattori / pdf." By "WriteFile" (overwritten) ) (S8 in FIG. 5).
As a result, as shown in FIGS. 9A and 9B, two encrypted files are created in the "docs" folder.
9 (a) is information indicating the header of the “20150728_hattori / pdf” file (encrypted file), the arrow is the display screen of the editor (MadEdit), and FIG. 9 (b) is “20150728_hattori / pdf”. It is a display screen of an editor which shows the header of ".WNCRY".
Then, “DeleteFile” is called, and the “20150728_hattori / pdf” file (the file to which encrypted data has been overwritten in S8 of FIG. 5) is deleted by the API (S9 of FIG. 5).
As a result, only the newly created "20150728_hattori / pdf.WNCRY" file remains in the "desktop" folder.

The encryption by the above-described operations S1 to S9 is repeatedly performed in a short time on all files in "docs".
As a result, as shown in FIG. 9C, a plurality of encrypted files are generated from the original file data that is the file with the extension “.WNCRY” attached to the original file.
In this example, “20150728_hattori.pdf.WNCRY”, “Chrysanthemum.jpg.WNCRY”, “desert.jpg.WNCRY”, “hydrangeas.jpg.WNCRY”, and “Jellyfish.jpg.WNCRY” are in the “docs” folder. It will be stored in.
As a result, the user can not view, edit, print, etc. the original file ("20150728_hattori. Pdf", "Chrysanthemum. Jpg", "desert. Jpg", "hydrangeas. Jpg", "Jellyfish. Jpg", etc.) It will be in the state.

From the above verification results, the inventor has determined that the following operations (1) to (4) are performed on a computer infected with ransomware.
(1) The encryption for a plurality of files is performed in a short time. For example, three or more files should be encrypted within 60 seconds.
As a result, "CreateFile", "ReadFile", "WriteFile", and "DeleteFile" are called with a constant frequency (3 times or more per 60 seconds).
(2) The file “read out” and “new creation” should be performed in the same time zone.
(3) “deleting” of the file is performed after “reading” of the file.
(4) After "new creation" of a file, "writing" is performed on the file.

For such a ransomware operation, the program of the present invention is configured to cause the computer to perform the following operation.
For example, the program of the present invention stored in the hard disk 22 is read by the CPU 21 so that the program is expanded on the memory 23. As a result, the following operations are performed by functioning as the mini filter B shown in FIG.

The program of the present invention causes a computer to function as request detection means for detecting a specific request (IRP request) in the kernel space corresponding to a predetermined request (API corresponding to an I / O request) in the user space.
Specifically, by functioning as a mini filter, various IRP requests registered in advance in the filter manager are detected (see FIG. 10).
The IRP request to be detected can exemplify “IRP_MJ_CREATE”, “IRP_MJ_WRITE”, “IRP_MJ_CLEANUP”, and “IRP_MJ_READ”.
These IRP requests are targeted for detection, as shown in Figure 11, when infected with ransomware, I / O requests such as "CreateFile", "ReadFile", "WriteFile" and "DeleteFile" are handled. This is because these APIs are called, and in the kernel space, IRP requests such as “IRP_MJ_CREATE”, “IRP_MJ_WRITE”, “IRP_MJ_CLEANUP”, and “IRP_MJ_READ” are made in response to these I / O requests.
Thus, in the user mode, whenever various APIs are called, it is possible to detect IRP requests corresponding to various APIs in the kernel mode.

Also, the program according to the present invention is a ransomware determining means for determining the predetermined process as a ransomware when the computer satisfies a first condition that a specific request (IRP request) is detected at a predetermined frequency. To function as
That is, when the IRP request is made a predetermined number of times or more within a predetermined time, it is determined that the client is infected with the ransomware.
As described in (1) above, when ransomware is infected, various APIs ("CreateFile", "ReadFile", "WriteFile", "DeleteFile") are called in large numbers in a short time, and this is supported Then, IRP requests (“IRP_MJ_CREATE”, “IRP_MJ_READ”, “IRP_MJ_WRITE”, “IRP_MJ_CLEANUP”) are performed with the same frequency.

Specifically, the frequency of IRP requests can be calculated by creating a predetermined list (hereinafter referred to as an IRP list) each time an IRP request is detected.
FIG. 12 shows an example of the IRP list, where (a) is an IRP list of "read", (b) is an IRP list of "newly created", (c) is an IRP list of "write", (d ) Is the "deleted" IRP list.
Such an IRP list can be created by listing information indicating that an IRP request has been made for each type on the memory each time the IRP request is detected.
Further, the IRP list shown in FIG. 12 is to delete (clear) the information listed up at regular time intervals (for example, every 60 seconds) from the memory.
By doing this, it is possible to calculate the number of IRP requests per unit time (frequency of IRP requests) by counting the number of lists for each type stored in the memory at fixed time intervals.
As shown in FIG. 11, there are two types of “writing” by ransomware: writing to a newly created file (S 7) and writing to the original file (S 8), so the frequency of IRP requests for “writing” Is preferably set to a condition set more frequently than the frequency of other IRP requests.

Also, as shown in FIG. 13, the IRP list may be created including the time (year-month [yyyy-mm-dd], hour-minute-second [hh: mm: ss]) when the IRP request was made. it can.
Therefore, for example, from the “read” IRP list shown in FIG. 13A, the IRP request “IRP_MJ_READ” of “read” is counted five times in 60 seconds (11:22:00 to 1:23:00) By doing this, the frequency of 5 times / minute can be calculated.
Then, judging that the computer is infected with the ransomware on the condition (first condition) that the frequency of the IRP request calculated in this way exceeds a predetermined frequency (for example, frequency 3 times / minute) Can.
As the first condition, one of four IRP requests may be determined, or two, three, or four IRP requests may be determined.
That is, based on the frequency of IRP requests for "newly created" and "deleted" as well as "read" and "write", it can be determined whether or not the ransomware has been infected.

As described above, the program of the present invention determines whether the computer is infected with ransomware based on the IRP request performed in the kernel space, so that the determination can be performed with high accuracy.
This is because IRP requests are uniquely defined for I / O requests, unlike APIs in user mode.
For example, although there are a plurality of APIs such as "WriteFile" and "ZwWriteFile" as APIs corresponding to "write", the IRP request corresponding to the same "write" is only "IRP_MJ_WRITE".
Therefore, when detecting the operation of the ransomware using the API as a key, leakage is likely to occur, but the operation of the ransomware can be detected without omission by using the IRP request as a key.
For this reason, when a predetermined IRP request is detected at a constant frequency, it can be detected without omission as it is what has been encrypted for a plurality of files in a short time by ransomware.

Further, the program of the present invention is a ransomware infection judging means, in addition to the first condition (frequency), as a specific request (IRP request), both “read” and “newly created” files are specified. The computer can be made to determine that it has been infected with ransomware if it meets the second condition (timing) of being detected in a time zone.
This is because, as described in (2) above, when the computer is infected with ransomware, “read” and “newly created” files are performed in the same time zone.
Specifically, "read" of a file and "new creation" for the file are performed within approximately 30 seconds.
Therefore, in addition to the first condition, if “read” and “newly created” for the same file are performed in the same time zone (for example, within 30 seconds), it is possible that the computer is infected with ransomware. Sex is more enhanced.
Whether “read” and “newly created” for the same file are performed in the same time zone can be performed using the IRP list (see FIGS. 13 and 14) including the file path.
The "file path" is information including the "path" of a folder whose hierarchy is overlapped before reaching the folder storing the "file".
For example, of the folders ("Users"-"rihou"-"Desktop"-"docs") hierarchically stored under the "C drive" of the hard disk, the file "20150728_hattori. The "file path" of pdf "can be shown as follows.
C: \ Users \ rihou \ Desktop \ docs \ 20150728_hattori.pdf

FIG. 14 is an IRP list (referred to as a first combined IRP list) obtained by combining the “read” IRP list shown in FIG. 13 (a) and the “newly created” IRP list shown in FIG. 13 (b).
From the IRP list in Figure 14, an IPR request for "read" at "11:22:00" for a file with a file path that includes path: "C: \ Users \ rihou \ Desktop \ docs \ 20150728_hattori.pdf" Since the IRP request of “newly created” is performed after “11:22:01” and the time difference is 1 second (within 30 seconds), the second condition is satisfied in this case. It can be determined that
Therefore, if the first condition is also satisfied, it can be accurately determined that the computer is infected with ransomware.
For example, the case where "read" IRP request and "newly created" IRP request are performed with a certain frequency, and the "read" IRP request and "newly created" IRP request are performed in the same time zone. It can be determined that you are infected with ransomware.
In addition, although the second condition targets the determination of the same file as the determination target file of the first condition, it is also possible to determine a file different from the determination target file of the first condition.
In addition, the second condition can also target “open” performed immediately before “readout” and “newly created”.
Further, the second condition may be affirmed determination when the condition for one file is satisfied, or the determination may be performed when the condition for a plurality of files is satisfied.
For example, the case where "read" IRP request and "newly created" IRP request are performed with a certain frequency, and the "read" IRP request and "newly created" IRP request are performed in the same time zone. In addition, it can be determined that they have been infected with ransomware if they are performed multiple times or at a fixed frequency.

Further, in the program of the present invention, as the ransomware infection judging means, in addition to the first condition and the second condition, “deletion” of the file is detected after “reading” of the file as a specific request. If the third condition is satisfied, the computer can function to determine that it is infected with ransomware.
This is because when the computer is infected with the ransomware as described in the above (3) and FIGS. 5 and 11, “deletion” of the file is performed after “reading” of the file.
Therefore, in addition to the first condition and the second condition, when "deleting" of the file is performed after "reading" of the file, it can be determined that the probability that the computer is infected with ransomware is high. .
For example, FIG. 15 is an IRP list (referred to as a second combined IRP list) obtained by combining the “read” IRP list shown in FIG. 13 (a) and the “deleted” IRP list shown in FIG. 13 (d).

From the IRP list in Figure 15, an IPR request for "read" at "11:22:00" is made for the file with the same file path "C: \ Users \ rihou \ Desktop \ docs \ 20150728_hattori. Pdf" Since the IRP request of “deletion” is made at “11:22:08” thereafter, it can be determined that the third condition is satisfied in this case.
Therefore, in addition, if one or both of the first condition and the second condition are satisfied, the infection can be detected with high accuracy, assuming that the computer is infected with the ransomware.
For example, if IRP requests for "read" or "delete" are made at a certain frequency (first condition), and if there is an IRP request for "delete" after each "read" IRP request, ransomware It can be judged that the virus was infected.
Also, if IRP requests for "read" or "delete" are made in the same time zone (second condition), and if there is an IRP request for "delete" after each "read" IRP request, ransomware It can be judged that the virus was infected.
The third condition may be the same file as the file for which the first or second condition is judged, or a file different from the file for which the first or second condition is judged. You can also
Also, the third condition is two or more of “search” → “open” → “read” → “write” → “delete” in addition to the context of “read” and “delete” It is also possible to judge the combined context.
Further, the third condition may be affirmed determination when satisfying one file, or may be affirmed when satisfying a plurality of files.

In the program according to the present invention, as the ransomware infection judging means, in addition to the first condition and the second condition, “writing” of the file is detected after “new creation” of the file as the specific request. If the fourth condition is satisfied, the computer can function to determine that it is infected with ransomware.
This is because when the computer is infected with ransomware as described in (4) and FIGS. 5 and 11 above, “writing” is performed on the file after “new creation” of the file.
For this reason, in addition to the first condition and the second condition, when "writing" of the file is performed after "new creation" of the file, it is determined that the probability that the computer is infected with the ransomware is high. it can.
For example, FIG. 16 is an IRP list (referred to as a second combined IRP list) obtained by combining the “newly created” IRP list shown in FIG. 13 (b) and the “written” IRP list shown in FIG. 13 (d). .

From the IRP list in Figure 16, an IPR request for "newly created" at "11:22:01" for the file with the same file path "C: \ Users \ rihou \ Desktop \ docs \ 20150728_hattori.pdf.WNCRY" Since the IRP request of “write” is performed at “11:22:07” after that, it can be determined that the fourth condition is satisfied in this case.
Therefore, additionally, if the first condition and the second condition are both satisfied, the infection can be detected with high accuracy, assuming that the computer is infected with the ransomware.
For example, when "newly created" or "written" IRP requests are made with a certain frequency (first condition), and each "newly created" IRP request is followed by "written" IRP requests, It can be determined that ransomware is infected.
In addition, when "newly created" and "written" IRP requests are made in the same time zone (second condition), and each "newly created" IRP request is followed by "written" IRP request, It can be determined that ransomware is infected.
The fourth condition may be the same file as the file for which the first or second condition is determined, or a file different from the file for which the first or second condition is determined. You can also
Also, assuming that the fourth condition does not overlap with the third condition other than the context of "new creation" and "write", "search" → "open" → "read" → "write" → It is also possible to judge the context that combined any two or more of “Delete”.
Further, the fourth condition may be affirmed determination when satisfying one file, or may be affirmed determination when satisfying a plurality of files.

In addition, the inventor has determined that there is a ransomware that deletes restoration related information such as snapshots and restoration points.
On the other hand, the program according to the present invention detects, as restoration information deletion detection means, a request for deleting data (called restoration related information) such as a file saved in the past such as a snapshot or restoration point, ransomware infection judging means As described above, when the restoration information deletion detection unit detects a request to delete restoration related information, it is possible to determine that the computer is infected with ransomware.
Here, the OS has a function ("Process by vssadmin.exe") that automatically creates a copy of a file at a specific point in time (restore point) and stores it in a dedicated area. By the way, the inventor has found that some ransomware delete the restoration related information by executing the command "vssadmin.exe Delete Shadows / All / Quiet".
For this reason, the program of the present invention uses the user account control function of the OS, and when the above “delete” command is issued to the snapshot or restore point, for confirmation as to whether or not to permit this. Display the dialog of.

FIG. 17 is a dialog displayed on the display of the computer when “vssadmin.exe Delete Shadows / All / Quiet” is executed as the ransomware operation.
In this way, the user can detect in advance if a snapshot or restoration point is deleted, and can prevent deletion in this dialog by not "permitting".
That is, since the start of the process can be stopped when the above command is detected while monitoring the start of the process by "vssadmin.exe", it is necessary to detect this before the restoration related information is deleted. Can.
On the other hand, when deleting a snapshot or restoration point by the user's own operation, "permission" can be made in the above dialog.

In addition, when the ransomware encrypts the target file, the inventor has determined that there is a ransomware that changes the extension first and then changes the header.
On the other hand, the program of the present invention causes a computer to function as file information storage means for storing file information (hereinafter referred to as a signature table) including a known file extension, and as a ransomware determination means The file is identified if the extension is different from the extension included in the signature table, and then it is determined that the computer is infected with ransomware if the condition that the header of the identified file is changed is satisfied. Can be made to function.

Specifically, as shown in FIG. 18, it is possible to determine whether the above condition is satisfied using a signature table including the header and the extension of the known file.
For example, by checking each file stored in the hard disk etc. with the signature table, it is constantly monitored whether or not the extension of each file has been changed, and when a change in the extension is detected, the file is Identify as a monitoring target.
For example, when it is detected that the extension of a predetermined WORD file (referred to as file A) is changed by collation with the signature table shown in FIG. 18, the file A is specified as a monitoring target.
At this time, it is possible to identify that the header of the file A is (50 4B 03 04 14 00 06 00) by referring to the signature table.
Subsequently, it is constantly monitored whether the header of the file A has been changed, and if the header has been changed, it is determined that the computer is infected with ransomware.
As a result, when encrypting the target file, it is possible to detect a type of ransomware in which the extension is changed first and then the header is changed.

It is also possible to determine that the target file has been encrypted using a known calculation method or the like, and use the determination result to determine whether the computer is infected with the ransomware.
Specifically, when a file is encrypted by ransomware, the file data is randomized, so that the encryption can be detected by using a known algorithm such as chi-square distribution or Monte Carlo method, for example. .
For example, in the case of a file with a file size of 2048 bytes, each of 2048 pieces of information may have any of 0 to 255 pieces of information, but its expected value (theoretical value) is 2048/256 = 8 times It becomes.
In this case, as shown in the following inequality, when the chi-square value determined by the left side is less than 300, the inventor has determined that the file is highly likely to be encrypted.
As described above, it is possible to determine whether the file is encrypted or not using the operation on the chi-square distribution, or to determine whether the file is infected with the ransomware. It can be added.
For example, based on the above inequality, it is possible to determine that the computer is infected with the ransomware when the determination result of the encryption is satisfied and any one of the above conditions is satisfied.
In this way, the detection accuracy of the ransomware can be further enhanced.
Also, when an encrypted file is detected, the damage can be minimized by backing up another file (unencrypted file).
In addition, as shown in FIG. 19, by calculating the encryption rate according to the chi-square value, processing according to the encryption rate (for example, determination of infection of ransomware, file deletion, notification, other ransomware measures, etc. ) Can also be done.

As described above, according to the program according to the embodiment of the present invention, it is determined whether or not a ransomware has been infected based on a specific request (IRP request) in the kernel space.
That is, the operation (call or the like) of a function (API) such as a file read function in the user space is not an essential condition for detecting the ransomware, and the above judgment is made based on the IRP request detected in the kernel space. Because ransomware can reliably detect this even if it is performed using an API different from the API for which “reading of file” is assumed, for example, It is possible to accurately detect whether or not an infection has occurred.
In addition, since it is possible to present support information such as notification of infection and the possibility and measures on the basis of accurate judgment results, it is possible to provide the user with a highly reliable and satisfactory ransomware countermeasure program. Can be provided.

Although the preferred embodiments of the present invention have been described above, the present invention can be applied to various embodiments regardless of the above-described embodiments.
For example, it is possible to monitor the change of the header or the extension (file name) by referring to the signature table, and to back up a file that can be a target of ransomware if either one is changed.
Thus, since the file can be backed up before being encrypted or deleted, the original file can be reliably restored even if it is infected with ransomware.

  The present invention can be suitably used for measures against malware, particularly ransomware.

  20 Information processing apparatus (computer)

Claims (6)

Computer,
Request detection means capable of detecting a specific request in kernel space corresponding to a predetermined request performed in user space, and the first condition that the specific request is detected at a predetermined frequency by the request detection means In this case, the program functions as a ransomware infection judging unit that judges that the computer is infected with ransomware. The program according to claim 1, wherein the specific request is a request for reading, creating a new file, writing to a file, and / or deleting a file. Computer,
The ransomware infection judging means
In addition to the first condition, in the case where the request detection means satisfies a second condition that both reading and creation of a file are detected in a specific time zone as the specific request, the computer The program according to claim 1 or 2, wherein the program is determined to be infected with ransomware. The ransomware infection judging means
In addition to the first condition and the second condition, when the third condition that deletion of the file is detected after reading of the file as the specific request is satisfied by the request detection unit, the third condition is satisfied. The program according to claim 3, wherein it is determined that the computer is infected with ransomware. The ransomware infection judging means
In addition to the first condition and the second condition, when the fourth condition that the writing of the file is detected after the new creation of the file is detected as the specific request by the request detection unit, The program according to claim 3, wherein the computer is determined to be infected with ransomware. In an information processing apparatus comprising a computer,
A request detection means capable of detecting a specific request in kernel space corresponding to a predetermined request performed in user space;
An information processing apparatus comprising: a ransomware infection determination unit configured to determine that the computer is infected with a ransomware when the condition that the specific request is detected at a predetermined frequency is satisfied.