Seoul, Korea: the AVAR 2007 conference

The vendor turnout at this conference was very complete: the technical leaders of the internationally known vendors all attended, including Eugene Kaspersky and other industry technical authorities. The technical heads of Rising and Jiangmin also attended.

Chen Rui was the only speaker to give a technical presentation on behalf of a Chinese domestic vendor. The topic was: Research & Defense on Password-stealing Trojans in China

The list of talks is below; Chen Rui's talk is the one at 2:10 pm on November 30.
http://www.aavar.org/avar2007/program_eng.htm

It mainly covered Kingsoft's technical views on Trojan defense, including an introduction to the "Trusted Authentication" technology. After the talk, technical leaders from several international vendors talked with Chen Rui and expressed interest in further exchange and cooperation.

The focus of this AVAR was the future security situation of the Internet and the prevention of electronic crime.

The forum will compile and publish the related materials of this AVAR 2007 summit.

Full text of Chen Rui's speech
Quote:

AVAR 2007 Speech:
Research & Defence on Password-stealing Trojans in China



Good afternoon, everyone. I am Chen Rui, a technical director of Kingsoft Corporation.


Here is today's agenda. I will go through password-stealing Trojans and their defense in China.


During the past 2 years, password-stealing Trojans have been a serious security problem in China. They broke out while the Internet in China was developing rapidly.
Please look at this diagram. Internet users in China grew from 94 million in 2004 to 137 million in 2006. Up to June this year, the Internet users in China amount to 162 million, growing at an accelerating rate. Though the Internet has reached mainland China for less than 10 years, the number of Internet users in China ranks No. 2 in the world, second only to the United States.

Let's look at what these users do besides browsing the web or receiving mail. During recent years, online gaming has been very popular in China. Online gamers in China grew from 20 million in 2004 to 31 million in 2006. Up to June this year, Chinese gamers amount to 38 million, which ranks No. 1 in the world. Meanwhile, Chinese gamers not only increase continuously but also spend a lot of money buying virtual items in games.

Let's go on. QQ is the most popular instant messaging software in China. With high-speed growth, the number of simultaneously online QQ users grew from 9 million to 33 million. QQ is not only an IM program but also provides a lot of value-added services, such as using a QQ account to buy virtual items or real goods, and even using it to transfer money.

Let's turn to e-business. The number of e-business users in China grew from 26 million in 2004 to 68 million in 2006. Taobao, the biggest C2C website in China, enlarges its user base by 50 thousand users daily. So we can say the e-business users in China will break through 100 million within 2 years.


With the development of the Internet in China, cyber crime also appears accordingly. Stealing gamers' accounts, QQ accounts and e-business accounts is the most popular form of cyber crime. The number of password-stealing Trojans captured by Kingsoft has doubled and redoubled every year. Why are there so many Trojans?

Firstly, users are using more and more virtual commodities, which provides larger benefits for Trojans.

Secondly, though the users of online games and QQ in China increase rapidly, they don't have the consciousness to purchase antivirus software. It means that few users learn about security knowledge, which makes it easy for Trojans to attack users' computers.

Thirdly, virtual assets can be easily converted to real money. In China, it's difficult to monitor the exchange of virtual assets, which makes it difficult to prosecute or monitor the virtual-asset-stealing guys. So those guys always escape legal sanction.


Therefore, during recent years, the ever-increasing password-stealing Trojans, especially online game Trojans, have become the first-priority threat to users in China.

It's evident that 12% of user accounts were stolen in 2004, while it comes up to 68% in 2007. So the virtual-asset-stealing problem in China may be the most serious in the world. With little computer knowledge, fresh Internet users' accounts are almost all stolen by Trojans.

Why are so many people interested in making Trojans? Because of the huge benefit. On average, a Chinese Internet user spends 10 dollars per month on virtual assets, while an online gamer spends 30 dollars per month. However, the average monthly salary for Chinese city people is 250 dollars. So compared with the Chinese economic status, the virtual assets of Chinese Internet users are very attractive to the password-stealing guys.

A programmer who makes Trojans can earn 200 thousand dollars within one year, while a common programmer only earns 10 thousand dollars a year. So that's the reason why so many people want to take the adventure of making Trojans.

In China, a well-organized grey industrial chain has formed. Password stealing has upgraded from a technical behavior to a social issue.

Please look at this diagram. The source of the industrial chain is the Trojan developer. Those developers are well-organized. For example, some of them take charge of developing the anti-detection (免杀) module, which fights against the security software. The next level in this chain is the sales persons of Trojans. And the further lower level is the password-stealers, who are always hackers. They are responsible for spreading Trojans in order to steal virtual assets from end-users. The lowest level is the virtual assets disposal market, where profit is earned by selling off stolen assets at lower prices through C2C websites, such as Taobao and eBay.

Password-stealing Trojans have become the top threat to Internet customers. Chinese security vendors and ISPs counteract Trojans primarily in two ways: anti-Trojan by software, or by hardware.
Basically, software anti-Trojan technologies can be divided into three types:
Client scan. Identify with signature or heuristic scan, and then remove it.
Client defense. Monitor password-stealing intention, and block the behavior.
The above two types are widely applied in security software products.
The third type is client protection. Even if a computer has been attacked by a Trojan, the user's application is protected by techniques such as keyboard input protection and preventing the process from being injected. For example, QQ applied the Keyboard Input Protection Module provided by nProtect.

The usage of hardware for anti-Trojan can be divided into three types:
matrix card, telephone confirmation, and USB guard.

Normally, the usage of hardware can theoretically make Trojans ineffective. However, security vendors usually choose software techniques for anti-Trojan for the sake of cost and universality. Anti-virus technologies such as signatures or heuristic scans have a good effect in identifying Trojans, but lower than that in defending against viruses.

Why is the efficiency lower? Because Trojans are always spread within a small area, the cost to capture Trojans is very high. The number of Trojans is huge. What's worse, the Trojans transform frequently.

Therefore, I think there are three key points to enhance the ability of anti-Trojan under current technologies:
First, increase the quantity and frequency of Trojan sample collection.
Second, enhance the accuracy of determining malicious behaviors, reduce misjudgment of common applications, and decrease user interruptions.
Third, provide specific protection for popular applications.

Here, I'd like to briefly introduce Kingsoft's technical scheme and our ways to enhance the ability of anti-Trojan. We add a new feature called "Trusted Authentication". "Trusted Authentication" is based on a knowledge base of a file collection and analysis system which is deployed on Internet servers. It widely collects various files, including the usual executable files and Trojan samples. It classifies the collected files into a "White List" or a "Black List" through automatic or manual analysis. "White List" refers to the files that are usually regarded as common files; "Black List" refers to the Trojans or malware. Every running Kingsoft Internet Security product will connect to this system and match the files that trigger suspicious behaviors against the "Black or White List". The "Trusted Authentication" system will send feedback instantly, which tells whether this file is secure or not.

This is the schematic diagram of the "Trusted Authentication" technology used by Kingsoft Internet Security.


"Trusted Authentication" technology is able to enhance the identifying capability for Trojans effectively. First of all, it helps the users make sure which files are secure, thus it reduces misjudgment and decreases user interruption. Secondly, it greatly enhances responding speed by means of the established "Black List". Thirdly, it's able to collect the suspicious files from end-users directly.
The main thought of "Trusted Authentication" technology comes from Web 2.0. All Kingsoft Internet Security users will have a better security guarantee and be able to contribute to others.
I think "Trusted Authentication" represents one of the future orientations of anti-Trojan technologies. And I believe in a trend that security technology will gradually strengthen in server-side statistics and calculation.

Thank you for your time. Any questions are welcome.
Below is 正奇's Chinese translation; the original can be viewed on 正奇's blog
http://hi.baidu.com/hzqedison
Quote:
The agenda I am going to talk about today: I will present password-stealing Trojans in China and their defense.

In the past two years, password-stealing Trojans have been a fairly serious problem in China. This problem has exploded against the backdrop of the rapid development of the Chinese Internet.

China's Internet users grew from 94 million in 2004 to 137 million in 2006. By June this year Internet users had reached 162 million, and this figure is still growing rapidly. Although the Internet reached mainland China less than 10 years ago, the number of Internet users in China has already leapt to second in the world, behind only the United States.

Let's look at what these users do apart from browsing the web and receiving mail. In recent years online games have been very popular in China. Online game users in China grew from 20 million in 2004 to 31 million in 2006; by June this year online gamers had reached 38 million, a figure that ranks first worldwide. Over this period Chinese gamers have not only grown rapidly but have also spent a lot of money buying virtual equipment in games.

QQ is China's most popular instant messaging software. Online users grew rapidly from 9 million in 2004 to 33 million in October this year. QQ is not only an IM tool but also has many value-added services, such as using Q coins (QB) to buy virtual items or real goods, or even to exchange for money.

Let's turn to online shopping. Online shopping users grew from 26 million in 2004 to 68 million in 2006. Taobao is China's largest C2C site, adding roughly 50 thousand users a day. So we can say that China's online shopping users will break 100 million within the next two years.

Firstly, users make use of hundreds of kinds of virtual assets, which is hugely profitable for Trojan makers.

Secondly, although online game and QQ users are growing rapidly, they have no awareness of buying antivirus software. This means only a small portion of users have security awareness, which makes it easy for Trojans to attack users' computers.

Thirdly, virtual assets can be conveniently exchanged for cash. In China it is hard to monitor virtual asset exchanges, which makes it hard to prosecute or monitor virtual asset thieves. So those people always escape legal punishment.


Why are so many people keen on making Trojans? Because of the strong drive of profit. On average a Chinese netizen spends 10 US dollars per month on virtual assets online, while an online gamer spends 30 US dollars per month. Yet the average income in China is 250 US dollars. So, compared with China's financial situation, the virtual assets of Chinese netizens are quite attractive to account thieves.

A programmer who makes Trojans can earn about 200,000 US dollars a year, whereas an ordinary programmer earns only 10,000 US dollars a year. That is why they take the risk of making Trojans.

Please look at this chart. At the source are the account-theft developers. These developers are organised. For instance, some specialise in developing anti-detection (免杀) programs to evade detection and removal by security software. The next link in the chain sells the Trojans. Below that are the account thieves, known as hackers, who are responsible for spreading the Trojans in order to steal virtual assets. At the very bottom is the virtual asset trading market, where stolen virtual assets are sold off cheaply on C2C sites such as Taobao and 易趣 (Eachnet).

Password-stealing Trojans have become the biggest threat to Internet consumers. Chinese security vendors and ISPs have two main ways of fighting Trojans:
resisting them with software or with hardware.

Basically, software anti-Trojan technology uses three approaches:

Client scanning. Identify by signature or heuristic scan, then remove it.

Client defense. Monitor account-stealing intent, then block the behavior.

The above two methods are commonly applied in security software.

Hardware anti-Trojan comes in three types:
security matrix cards (密保卡), telephone (mobile) confirmation, and USB guards.

Usually hardware defense can, in theory, completely resist Trojans. However, security vendors generally sell software to resist Trojans. Antivirus technologies
such as signatures or heuristic scanning can identify Trojans well, but are much less effective than they are against viruses.

Why so much less effective? Because Trojans always spread within a small area, the cost of capturing them is high. The number of Trojans is huge. Worse, Trojans change frequently to evade detection by security software. With traditional signature matching it is hard to remove Trojans in real time, and the signature method has difficulty pinpointing Trojans accurately.

So, under current technology, I think there are three ways to improve Trojan defense:

First, increase the quantity and frequency of Trojan sample collection.

Second, improve the accuracy of judging malicious behavior, reduce false positives, and reduce prompts to the user.

Third, give special protection to commonly used programs.

Here I will briefly introduce the technology Kingsoft Duba designed to improve its ability to resist Trojans. We added a new feature called "Trusted" technology. "Trusted" technology is based on a knowledge base extended from a file collection and analysis system. It collects a large number of different files, including ordinary executables and Trojan samples. Through automatic or manual analysis the collected files are classified into a "white list" and a "black list". Files on the "white list" are confirmed ordinary files; the "black list" contains Trojans and malicious programs. Every system running the Kingsoft Duba security suite connects to this system and compares files against the black/white list library. The "Trusted" system immediately reports back whether the file is safe.

"Trusted" technology can effectively provide the ability to identify Trojans. First, it helps users confirm which files are safe, thus reducing false positives and user prompts. Second, it helps speed up the response in determining whether a file is on the "black list". Finally, it can collect suspicious files directly from users.

Broadly, "Trusted" technology comes from Web 2.0. (Why is Xunlei so fast? Because the more users there are, the faster Xunlei gets; "Trusted" technology is the same: the more people use it, the stronger Duba's antivirus ability.) All users of the Kingsoft Duba security suite will have a stronger security guarantee and at the same time contribute to others.

I think "Trusted" will be a trend in future anti-Trojan technology. And I believe one trend in security technology is to gradually strengthen statistics and computation (only on the basis of statistics can judgments be made).
When asking a question, please describe the symptoms and the steps you took in detail; if it is a virus report, state the virus name, the path and name of the infected file, etc. Posts that describe no symptoms and only attach a log will be deleted outright.

New members, please read the beginners' guide to virus removal.
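The "Trusted Authentication" scheme described in the speech, reduced to a runnable toy model. This is an added example and not Kingsoft's code: it assumes a SHA-256 digest of the whole file as the lookup key, a server-side queue of unknown samples, and a user prompt as the fallback for unknown files; the speech states none of those details. The three "files" are constructed byte strings standing in for executables that triggered a suspicious behaviour on an endpoint.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for executables that triggered a suspicious behaviour
# on an endpoint (for example, reading another process's memory).
KNOWN_GOOD = b"MZ constructed: legitimate game updater"
KNOWN_BAD = b"MZ constructed: password-stealing trojan"
NEVER_SEEN = b"MZ constructed: brand-new trojan variant"


def file_id(content: bytes) -> str:
    """Lookup key for a file. SHA-256 of the whole file is an assumption of
    this example; the speech does not say which identifier Kingsoft used."""
    return hashlib.sha256(content).hexdigest()


class TrustedAuthServer:
    """Server-side knowledge base: a white list, a black list, and the queue of
    unknown samples that endpoints send in for automatic or manual analysis."""

    def __init__(self, white: set[str], black: set[str]) -> None:
        self.white = set(white)
        self.black = set(black)
        self.pending: dict[str, bytes] = {}

    def verdict(self, digest: str) -> str:
        if digest in self.black:
            return "black"
        if digest in self.white:
            return "white"
        return "unknown"

    def submit(self, digest: str, content: bytes) -> None:
        """Sample collection: keep one copy of each unknown file."""
        if self.verdict(digest) == "unknown":
            self.pending.setdefault(digest, content)

    def analyse(self, digest: str, malicious: bool) -> None:
        """Stand-in for the analysis step that moves a sample onto a list."""
        self.pending.pop(digest, None)
        (self.black if malicious else self.white).add(digest)


class Endpoint:
    """Client side. Asks the server only about files that trigger suspicious
    behaviour, caches definitive verdicts, and bothers the user only when the
    server has never seen the file."""

    def __init__(self, server: TrustedAuthServer) -> None:
        self.server = server
        self.cache: dict[str, str] = {}
        self.prompts = 0

    def on_suspicious_behavior(self, content: bytes) -> str:
        digest = file_id(content)
        verdict = self.cache.get(digest)
        if verdict is None:
            verdict = self.server.verdict(digest)
            if verdict == "unknown":
                self.server.submit(digest, content)  # feed the sample back
                self.prompts += 1                    # last resort: ask the user
                return "ask_user"
            self.cache[digest] = verdict             # cache only definite answers
        return "block" if verdict == "black" else "allow"


def demo() -> dict[str, str | int]:
    """Two endpoints sharing one server: the unknown file seen on the first is
    analysed once, after which the second gets an instant verdict."""
    server = TrustedAuthServer(white={file_id(KNOWN_GOOD)},
                               black={file_id(KNOWN_BAD)})
    first, second = Endpoint(server), Endpoint(server)
    out: dict[str, str | int] = {
        "good_on_first": first.on_suspicious_behavior(KNOWN_GOOD),
        "bad_on_first": first.on_suspicious_behavior(KNOWN_BAD),
        "new_on_first": first.on_suspicious_behavior(NEVER_SEEN),
        "pending_samples": len(server.pending),
    }
    server.analyse(file_id(NEVER_SEEN), malicious=True)
    out["new_on_second"] = second.on_suspicious_behavior(NEVER_SEEN)
    out["prompts_first"] = first.prompts
    out["prompts_second"] = second.prompts
    return out


if __name__ == "__main__":
    print(demo())
```

The white list is what removes the user interruptions the speech complains about: a known-good file is allowed silently, and only a file the server has never seen falls through to a prompt. The black-list path shows the other claim, that one collected sample protects every later endpoint. Two practical caveats the toy model makes visible: an exact whole-file digest is defeated by the frequent re-packing the speech itself mentions, so a production service also needs fuzzy or behavioural keys; and the white list is the higher-value target, since a malware author who gets a sample classified as white has silenced every endpoint at once.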

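The speech says hardware such as a matrix card (密保卡) can "theoretically" make Trojans ineffective. The simulation below, an added example that is not from the speech or any vendor, shows what that qualifier hides: a keylogging Trojan cannot replay a captured response against a fresh challenge, but it can harvest the card cell by cell over many logins and eventually answer any challenge. The card geometry (8 by 10 cells of 3 digits), the 3 coordinates per login and the seed are constructed assumptions.

```python
from __future__ import annotations

import random

ROWS, COLS = 8, 10        # constructed card geometry; real cards vary
CELLS_PER_LOGIN = 3       # coordinates asked per login (assumption)
ALL_CELLS = [(r, c) for r in range(ROWS) for c in range(COLS)]


def make_card(rng: random.Random) -> dict[tuple[int, int], str]:
    """The printed card: a three-digit secret in every cell."""
    return {cell: f"{rng.randrange(1000):03d}" for cell in ALL_CELLS}


def new_challenge(rng: random.Random) -> list[tuple[int, int]]:
    """Server side: fresh random coordinates for this login only."""
    return rng.sample(ALL_CELLS, CELLS_PER_LOGIN)


def respond(card: dict[tuple[int, int], str], coords: list[tuple[int, int]]) -> str:
    """User side: read the asked cells off the card and type them."""
    return "".join(card[cell] for cell in coords)


def verify(card: dict[tuple[int, int], str], coords: list[tuple[int, int]],
           response: str) -> bool:
    return respond(card, coords) == response


class KeyloggerTrojan:
    """Sees the coordinates shown on screen and the digits typed, never the card."""

    def __init__(self) -> None:
        self.known: dict[tuple[int, int], str] = {}

    def observe(self, coords: list[tuple[int, int]], response: str) -> None:
        for i, cell in enumerate(coords):
            self.known[cell] = response[3 * i:3 * i + 3]

    def coverage(self) -> float:
        return len(self.known) / len(ALL_CELLS)

    def forge(self, coords: list[tuple[int, int]]) -> str | None:
        if all(cell in self.known for cell in coords):
            return "".join(self.known[cell] for cell in coords)
        return None


def run(logins: int, seed: int = 2007) -> dict[str, object]:
    rng = random.Random(seed)
    card = make_card(rng)
    trojan = KeyloggerTrojan()

    # Login 1: the trojan captures the response, then tries to replay it
    # against the next (different) challenge.
    coords = new_challenge(rng)
    captured = respond(card, coords)
    trojan.observe(coords, captured)
    later = new_challenge(rng)
    while later == coords:
        later = new_challenge(rng)
    replay_ok = verify(card, later, captured)

    # Logins 2..n: the trojan keeps harvesting cells from what the user types.
    for _ in range(logins - 1):
        coords = new_challenge(rng)
        trojan.observe(coords, respond(card, coords))

    fresh = new_challenge(rng)
    forged = trojan.forge(fresh)
    return {
        "replay_ok": replay_ok,
        "coverage": trojan.coverage(),
        "forgery_ok": forged is not None and verify(card, fresh, forged),
    }


if __name__ == "__main__":
    for n in (1, 20, 100, 500):
        print(n, run(n))
```

After one login the Trojan holds 3 of 80 cells and the replay fails, which is the "theoretical" protection. After a few hundred logins it holds the whole card and forges a valid response to a challenge it has never seen. The other two hardware options the speech lists avoid this because the secret never passes through the keyboard: a phone confirmation or a USB guard holding its own key gives the keylogger nothing reusable to harvest.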

Research and defense of password-stealing Trojans with Chinese characteristics

Quote:
Original post by 小玄子 on 2007-12-3 11:38
Research and defense of password-stealing Trojans with Chinese characteristics
Impressive, you have already fully learned Grandpa Deng's and young Master Jiang's stuff.

Learning from this...

Reply to post #2

Not bad, very insightful!

Learning, learning.

Renowned

I feel the same~~

Trojans are a specialty product of China, something to carry forward

Very good! Thanks, Teacher 铁军 and Teacher 陈.

Made it onto the first page... happy

Waha..

I'm here to learn too, hehe.

I'm grabbing a spot..!

Learning

Attend more conferences like this,
to expand the influence of our domestic products.

Oh oh oh

Learned something

Good stuff, good content, hope everyone shares it.
