Abstract: Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

Abstract: A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Abstract: Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

Abstract: A device and method for extracting data stored in a volatile memory are provided. In particular, a memory-data extracting device and method for ensuring integrity of data extracted from a volatile memory installed in a computer are provided. A memory-data extracting module extracts data stored in a memory. A module loader loads the memory-data extracting module in a kernel region of the memory and sets a priority of the loaded memory-data extracting module to be higher than priorities of kernel processors loaded in the memory. Task switching can be prevented in the course of extracting memory data by loading a process for extracting memory data in a kernel region and setting a priority of the loaded process to be higher than priorities of other kernel processes, thereby ensuring the integrity of data extracted from a non-volatile memory.

Abstract: Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

Abstract: A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not, the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Abstract: Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.

Abstract: A device and method for extracting data stored in a volatile memory are provided. In particular, a memory-data extracting device and method for ensuring integrity of data extracted from a volatile memory installed in a computer are provided. A memory-data extracting module extracts data stored in a memory. A module loader loads the memory-data extracting module in a kernel region of the memory and sets a priority of the loaded memory-data extracting module to be higher than priorities of kernel processors loaded in the memory. Task switching can be prevented in the course of extracting memory data by loading a process for extracting memory data in a kernel region and setting a priority of the loaded process to be higher than priorities of other kernel processes, thereby ensuring the integrity of data extracted from a non-volatile memory.