摘要： 为防范持续性威胁攻击中的远程控制木马,提出一种主动防御思路,即针对不公开源代码和网络协议的木马程序进行漏洞挖掘和瘫痪攻击。使用广义后缀树和分层次聚类等数据挖掘算法逆向分析木马网络协议的特征,自动构造其协议格式。将其与Fuzz测试框架相结合,通过导入之前逆向分析得出的协议格式自动生成Fuzz的配置文件,从而较大程度地提高模糊测试和漏洞挖掘效率。经过一系列针对实际远程控制木马程序的测试,发现若干木马控制端的漏洞,从而说明该远程控制木马漏洞挖掘方法是可行、有效的,并具有一定创新性。

关键词: 远程控制木马, 网络协议逆向分析, Fuzz测试, 漏洞挖掘, 瘫痪攻击

Abstract: In view of Trojan’s control of the popular Advanced Persistent Threat(APT) attack’s method,this paper presents an active defense idea,namely for fuzzing and paralysis attack of closed source code Trojan.It uses generalized suffix tree and hierarchical clustering algorithm to learn characteristics of Trojan’s network traffic to construct protocol format.Then it combines Peach with this Fuzz framework,automatically generating configuration file of Fuzz test through the protocol format,so as to largely enhance efficiency of Fuzz test.After a series of tests through remote control Trojan,it successfully discovers several Trojan’s vulnerabilities,which illustrates that the remote control Trojan vulnerability mining method is a kind of innovative and effective solution.

Key words: remote control trojan, reverse analysis of network protocol, Fuzz test, vulnerability mining, paralysis attack

中图分类号: 

• TP393.08