Computer Engineering (计算机工程)

• Security Technology •

Remote Control Trojan Vulnerability Mining Based on Reverse Analysis of Network Protocol

PAN Daoxin (潘道欣), WANG Yijun (王轶骏), XUE Zhi (薛质)

  1. (School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China)
  • Received: 2015-01-06  Online: 2016-02-15  Published: 2016-01-29
  • About the authors: PAN Daoxin (born 1989), male, master's student, main research area: network and information security; WANG Yijun, lecturer; XUE Zhi, professor and doctoral supervisor.
  • Funding: China Information Technology Security Evaluation Center research fund project (CNITSEC-KY-2013-009/2).


Abstract: To counter the remote control Trojans used in advanced persistent threat attacks, this paper proposes an active defense approach: vulnerability mining and paralysis attacks against Trojan programs whose source code and network protocol are not public. Data mining algorithms such as generalized suffix trees and hierarchical clustering are used to reverse-engineer the features of the Trojan's network protocol and automatically construct its protocol format. This is combined with a fuzz testing framework: the protocol format obtained by the reverse analysis is imported to generate the fuzzer's configuration file automatically, which considerably improves the efficiency of fuzz testing and vulnerability mining. A series of tests against real remote control Trojan programs uncovered several vulnerabilities in the Trojans' control ends, showing that the proposed vulnerability mining method for remote control Trojans is feasible, effective and to some degree novel.

Keywords: remote control Trojan, reverse analysis of network protocol, fuzz testing, vulnerability mining, paralysis attack

Abstract: Remote control Trojans are the control channel of the now widespread Advanced Persistent Threat (APT) attack. This paper presents an active defense idea: fuzzing and paralysis attacks against closed-source Trojans. It uses a generalized suffix tree and a hierarchical clustering algorithm to learn the characteristics of the Trojan's network traffic and construct its protocol format. It then combines this with the Peach fuzzing framework, automatically generating the fuzzer's configuration file from the recovered protocol format, which greatly improves the efficiency of fuzz testing. After a series of tests against remote control Trojans, it successfully discovered several vulnerabilities in the Trojans, which shows that the proposed remote control Trojan vulnerability mining method is an innovative and effective solution.

Key words: remote control Trojan, reverse analysis of network protocol, fuzz testing, vulnerability mining, paralysis attack
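The pipeline the abstract describes, as an added Python sketch that is not the paper's code: mine the substrings common to every captured message (what a generalized suffix tree computes in linear time; brute force stands in here), group messages by similarity with single-linkage hierarchical clustering, then turn each group's constants into tokens and its gaps into mutable fields of a Peach-style data model. The six messages are constructed for a hypothetical text-based dialect, and the XML is only an approximation of Peach's DataModel syntax.

```python
from difflib import SequenceMatcher

# Constructed samples of a hypothetical line-based C2 dialect, not a real family.
SAMPLES = [
    b"HELLO|id=1001|os=win7\r\n", b"HELLO|id=2042|os=win10\r\n", b"HELLO|id=77|os=mac\r\n",
    b"PING|seq=1\r\n", b"PING|seq=2\r\n", b"PING|seq=17\r\n",
]

def common_substrings(msgs, min_len=2):
    """Maximal substrings (>= min_len bytes) present in every message. A generalized
    suffix tree does this in linear time; brute force suffices for a few samples."""
    base = min(msgs, key=len)
    found = set()
    for i in range(len(base)):
        for j in range(len(base), i + min_len - 1, -1):  # longest candidate first
            if all(base[i:j] in m for m in msgs):
                found.add(base[i:j])
                break
    return sorted(s for s in found if not any(s != t and s in t for t in found))

def distance(a, b):
    return 1.0 - SequenceMatcher(None, a, b).ratio()  # 0 = identical, 1 = disjoint

def cluster(msgs, threshold=0.5):
    """Single-linkage agglomerative clustering: merge the closest pair of clusters
    until every remaining pair is farther apart than the threshold."""
    clusters = [[m] for m in msgs]
    while len(clusters) > 1:
        d, i, j = min((distance(x, y), i, j)
                      for i in range(len(clusters)) for j in range(i + 1, len(clusters))
                      for x in clusters[i] for y in clusters[j])
        if d > threshold:
            break
        clusters[i] += clusters.pop(j)
    return clusters

def data_model(name, msgs):
    """Peach-style DataModel: constants become tokens, the gaps become Blob fields."""
    tokens = sorted(common_substrings(msgs), key=lambda t: msgs[0].find(t))
    out, pos = [f'<DataModel name="{name}">'], 0
    for k, tok in enumerate(tokens):
        start = msgs[0].find(tok, pos)
        if start > pos:  # variable bytes sit between the previous token and this one
            out.append(f'  <Blob name="field{k}"/>')
        value = tok.decode().encode("unicode_escape").decode()  # keep \r\n printable
        out.append(f'  <String value="{value}" token="true"/>')
        pos = start + len(tok)
    if pos < len(msgs[0]):  # trailing variable field
        out.append(f'  <Blob name="field{len(tokens)}"/>')
    return "\n".join(out + ["</DataModel>"])
```

Over the whole corpus the only shared constant is the `\r\n` terminator; only after clustering do `HELLO|id=`, `|os=` and `PING|seq=` emerge as tokens, with the id, os and seq values left as Blob fields for the fuzzer to mutate.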
