XU Xu-xu,XUE Zhi,WU Gang

DOI: https://doi.org/10.3969/j.issn.1009-2552.2012.02.041

2012-01-01

Abstract:This paper first introduced the basic conceptions about Trojan Horse and basic technologies of Trojan Horse,and then it introduced the common methods of Trojan Horse detection.And it expounds the current research condition and development trend of Trojan Horse detection.It analyzes and summarizes the behavioral characteristics of their installation,and puts forward an anti-trojan strategy based on behavior analysis.

Ting Liu,Xiaohong Guan,Qinghua Zheng,Ke Lu,Yuanfeng Song,Weizhang Zhang

DOI: https://doi.org/10.1109/CCNC.2009.4785028

2010-01-01

Abstract:This paper presents a novel Trojan detection and defense system. The prototype searches the important files which contain users' confidential information on the disk. And then, these files will be monitored to find which processes will access them by capturing and analyzing the IRPs (I/O Request Packets). The processes of Trojans will be distinguished from regular ones by evaluating their API-calls with several machine-learning models, rather than traditional signature-based mechanism. Testing results show that this prototype could detect and defend the unknown Trojans quickly and accurately.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

HAO Dong-bai,GUO Lin,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.24.040

2007-01-01

Abstract:According to the analysis of Trojan horse attack patterns,implant methods,the security model of windows and limitations of the Trojan horse detection technologies at present,A defense against Trojan horse system based on restricted token is stated in this paper.Combined with constructing the secure work environment,auditing the startup of applications and restraining the malicious action of Trojan horse.The design of process environment control module,service manager module,register monitoring and anomaly diagnose module are focused on.At last,the experiment result validates the feasibility and availability of this system.

Cai Hongmin,Wu Naiqi,Teng Shaohua

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.05.076

2012-01-01

Abstract:Networks attack means emerge endlessly along with the growing serious network security problems.As a kind of main malicious code,Trojan horse program brings great troubles to computer users in the areas of infringing personal privacies and remotely monitoring the computers of others,etc.The authors implement a distributed Trojan horse program detection system by applying the deep packet inspection technology to the detection of Trojan horse program,we use regular expression to match the attack mode in detecting the Trojan horse program,therefore have strengthened the security of networks.

CHEN Lei-ting,ZHANG Liang

DOI: https://doi.org/10.3969/j.issn.1001-0548.2005.02.021

2005-01-01

Abstract:This paper points out the deficiency in detecting the unknown Trojan horse of the present anti-virus software at first, introduces the advantage of artificial immune system in self-adaptability aspect, and points out the feasibility of artificial immunity mechanism in Trojan horses detection; Then through an analysis about the new technology of Trojan horses, proves the deficiency of current computer security system with a Trojan horses model, presents the transfer of Trojan horses detection from the anti-virus software to the subsystem of immune IDS, improves the self-adaptive capacity of Trojan horses detection with its immune mechanism; Finally, a behavior mode is put forward, which is mapped from the using situation of process systematic resource to the process systematic call, and by this means, a Trojan horse detection model based on artificial immunity mechanism is set up.

SHI Yong,XUE Zhi,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.053

2005-01-01

Abstract:A new trojan horse on Windows operating system is presented. This technology combines SPI which is a new characteristic in Winsock 2 with remote thread injecting in Windows kernel and DLL(dynamic-link libraries) in Windows file system. And it uses some characteristics in filtration and interrupt of firewalls for reference. A new trojan horse hiding style is realized.

ZHANG Chen,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.02.023

2011-01-01

Abstract:Today's popular Trojans begin to use covert communication technology and bypass the detection of honeypot system.This paper first describes the common Trojan covert communication technologies and the growing popular kernel layer Rootkit covert communication technology,then discusses the current client honeypot detecting methods for malware.Aiming at the deficiency of Honeypot detection mechanisms for network communication,an effective improvement scheme is proposed,By using network traffic detection technology based on the NDIS intermediate driver,the Trojans date packets are acquired.This scheme could effectively detect Rootkit covert communication based on network driver and extract the key communication information for Trojan track and analysis.

XU Ming,YANG Tong,ZHENG Lian-qing,ZHANG Chuan-rong

2011-01-01

Abstract:To reinforce network security and prevent Trojan horse attacks,a concealing technology by triple jump in load and thread guard is analyzed and implemented with an example,and a Trojan horse using the technology is programmed,and the hidden nature and survivability of the Trojan horse is enhanced by it.Finally,the corresponding cleaning method is put forward.Experimental results show that the Trojan horse completes the expected hidden features,and can penetrate the latest Rising anti-virus software,Rising Firewall and general hardware firewalls,which demonstrate the feasibility and effectiveness of the concealing technology.

杨彦,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.11.015

2008-01-01

Abstract:Trojan is malicious program which is designed to obtain privilege and steal information; it seriously endangers the internet se- curity and information security. The rules of Trojan's attack actions are researched, a new Trojan horse detection method based on executable static analysis is proposed. The present attack tree model is improved, an extended attack tree model is designed to d escribe the sequences of threatening system calls Trojan commonly used. Matched the set of APIs used in PE file with the original extended attack tree, to predict the attack actions may appear in the implementation of the PE file and estimate whether the PE file is a Trojan.

MENG Lei,LIU Sheng-li,LIU Long,CHEN Jia-yong,SUN Hai-tao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.14.004

2012-01-01

Abstract:Trojan detection algorithm based on behavior analysis of communication has high computational complexity.Addressing the problem,this paper proposes a Trojan rapid detection based on heartbeat behavior analysis.The method selects two session attributes to describe the difference between Trojan communication flow and normal communication flow on the basis of description of heartbeat behavior in the Trojan communication large numbers of analysis on Trojan samples.And then Trojan Rapid Detection System(TRDS) is built based on the method.Experimental results show that TRDS can detect the Trojan communication in the 100 Mbit/s network rapidly and efficiently.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

宫照刚

2014-12-19

Abstract:The invention discloses a Trojan virus searching and killing tool which comprises an intelligent searching and killing module, a real-time monitoring module, a tool setting module and an information feedback module. After the Trojan virus searching and killing tool is started, static Trojan viruses in a computer are found and killed through the intelligent searching and killing module; suspicious Trojan files are found and processed by monitoring the real-time states of all current working parts of the computer through the real-time monitoring module; renewing, appearance, whether to be automatically started and the like of the tool can be conveniently set through the tool setting module; the practicability and function bugs of the tool can be conveniently fed back to a development maintainer in time for a user through the information feedback module so that the version of the tool can be upgraded. Compared with the prior art, the Trojan virus searching and killing tool has the advantages that information of the computer is made secure, the personal information security is ensured, the personal information is prevented from being stolen and embezzled by others, and practicability is high.

Computer Science

Wei-Feng ZHANG,Rui-Cheng LIU,Lei XU

DOI: https://doi.org/10.13328/j.cnki.jos.005495

2018-01-01

Abstract:Web Trojan is a form of attack that inserts an attacking script into the Web page,and by exploiting the vulnerabilities of browsers and their plug-ins,it causes the victim's system silently download and install malicious programs.Based on dynamic program analysis and machine learning method,this paper proposes a method of detecting Trojans based on dynamic behavior analysis.Firstly,the behaviors of the attack scripts on the landing page,including the dynamic function execution,the dynamic generation function execution,the script insertion,the page insertion and the URL jump,are monitored.Then these behaviors are extracted according to a set of rules.The associated string operation records are also processed as features.Next,for the use of heap malicious operation (the shellcode behavior),a feature indicating the heap risk is proposed.Finally,500 web samples from Alexa and VirusShare are collected as data sets,and a classifier is trained by machine learning method.The experimental results show that compared with the existing methods,the presented method has high accuracy (96.94％) and can effectively prevent interference of code obfuscation (lower false positive rate of 6.1％ and false negative rate of 1.3％).

Mengze Li

Abstract:The Trojan Virus, or Trojan, is a malicious computer program that is used to compromise a computer by fooling users about its real intent. Although, unlike computer viruses, or worms, the Trojan does not directly attack operating systems, many modern forms act as a backdoor, which can grant access without authorization. This kind of infection helps attackers to break the confidentiality, integrity and availability of the data, and can cause a huge impact to both, private users and public organizations, such as exposing the user’s credit card information, or other personal identity information (PII). Recent Trojans have been engineered to cause bigger destruction and yet remain less obvious than their ancestors. For example, several cheap android phones come preinstalled with Trojan viruses, which, for example, show advertisements on top of running apps and prevent users from removing the pictures. In a desktop-based example, the BackDoor.TeamViewer.49 can remove its icon from the Windows notification area and disable error reporting and implement a special mechanism meant to prevent it from being restarted on an infected computer once the TeamViewer is launched, which means that its malicious behavior is too hard to identify. 1 Landwehr, C. E; A. R Bull; J. P McDermott; W. S Choi (1993). A taxonomy of computer program security flaws, with examples. DTIC Document. Retrieved 2012-04-05. 2 "What is the difference between viruses, worms, and Trojans?". Symantec Corporation. Retrieved 2009-01-10. 3 "VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)". 9 October 1995. Retrieved 2012-09-13. 4 ValueWalk: Several cheap android phones come preinstalled with trojan viruses (2016). . Chatham: Newstex. Retrieved from http://ezproxy.valpo.edu/login?url=http://search.proquest.com/docview/1848915535?accountid=14811 5 https://www.scmagazine.com/knock-knock-unique-new-backdoor-trojan-infecting-computers/article/528205/ In this study, we are reviewing and analyzing the actual code of three famous modern Trojans in order to learn their most common functions and goals. Take the example below: { "timestamp": 12345, "account_id": "abc@gmail.com", "location": { "lat": 200, "lon": 1 }, "audio_url": "abc@gmail.com/12345/audio.aac", "image_url": "abc@gmail.com/12345/image.jpg" } These lines of code can help the hackers collect images, 10-second sound clips, and location information from users’ phones every 3 seconds, and upload them via Wi-Fi. We are furthermore comparing the modern Trojan with the old Trojan to see the improvement of the modern Trojan, and how the Trojan hide itself from the anti-malware software, and the IPS system. Both, code analysis and historical comparison are critical in developing patches to prevent the process of such unauthorized data theft. Although many Trojan viruses are armored, which means that the attackers have used advanced methods, such as encrypting the code, or added useless code to confuse the cybersecurity professional, we will be using hackers’ actual code stubs, obtained from public sources such as GitHub, in order to get around this obstacle. This analysis will support our theory that most of modern Trojan viruses are intending to act as a backdoor for granting unauthorized accesses, thereby causing bigger destruction while more skillfully attempting to evade detection by common countermeasures. 6 https://github.com/project-columbus/trojan

Computer Science,Engineering

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Yi Pang,Tao Yin

DOI: https://doi.org/10.1109/ICCT.2012.6511272

2012-01-01

Abstract:Most existing approaches for detecting Trojan are limited for obfuscation and encryption techniques. In this paper, we present a network behavior analysis designed to address the limitations of previously-proposed approaches. Our solution considered not only transport layer characteristics but also network layer characteristics. The approach in this paper exhibits two major advantages: (1) can better represent Trojan network behavior, and (2) performed at very low computational cost. Based on clustering technique, we proposed a detection model that detects Trojan communication with high accuracy. We implement the model on real-world traces. The experiments show that our model is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 90% accuracy and less than 3.5% false positive rate. We confidently consider that our detection approach is complementary to the existing techniques.

XING Yun-dong,LIU Sheng-li

2010-01-01

Abstract:Aimed at the problems that malwares like Trojan horses are performing more and more harmfully to the network security,to improve the efficiency of Trojan horse detection by NIDS,the characteristics and network communication forms of Trojan horses are analyzed.Then combined a sequence alignment algorithm,a model for signatures automatic generation of Trojan horses is designed and implemented.Finally,this model is proved to be practical and effective by the experiments.

Jiang Xie,Shuhao Li,Yongzheng Zhang,Xiaochun Yun,Jia Li

DOI: https://doi.org/10.48550/arXiv.2309.01174

2023-09-03

Networking and Internet Architecture

Abstract:Trojans are one of the most threatening network attacks currently. HTTP-based Trojan, in particular, accounts for a considerable proportion of them. Moreover, as the network environment becomes more complex, HTTP-based Trojan is more concealed than others. At present, many intrusion detection systems (IDSs) are increasingly difficult to effectively detect such Trojan traffic due to the inherent shortcomings of the methods used and the backwardness of training data. Classical anomaly detection and traditional machine learning-based (TML-based) anomaly detection are highly dependent on expert knowledge to extract features artificially, which is difficult to implement in HTTP-based Trojan traffic detection. Deep learning-based (DL-based) anomaly detection has been locally applied to IDSs, but it cannot be transplanted to HTTP-based Trojan traffic detection directly. To solve this problem, in this paper, we propose a neural network detection model (HSTF-Model) based on hierarchical spatiotemporal features of traffic. Meanwhile, we combine deep learning algorithms with expert knowledge through feature encoders and statistical characteristics to improve the self-learning ability of the model. Experiments indicate that F1 of HSTF-Model can reach 99.4% in real traffic. In addition, we present a dataset BTHT consisting of HTTP-based benign and Trojan traffic to facilitate related research in the field.

潘勉,薛质,李建华,李生红

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.043

2004-01-01

Abstract:A new scheme is studied to realize the injection of Trojan horse by combining the technology of DLL(dynamic linking library) and that of remote thread injection on the Windows platform. The idea of replacing traditional Trojan horse program with Trojan horse DLL and the notion of creating single Trojan horse injection program to realize the special function of Trojan horse injection are proposed. It is rather safe and flexible to inject Trojan horse by adopting this scheme.

Yong Wang,Dawu Gu,Wei Li,Jing Li,Mi Wen

DOI: https://doi.org/10.1109/ieec.2009.52

2009-01-01

Abstract:Rootkits Trojan virus, which can control attacked computers, delete import files and even steal password, are much popular now. Interrupt Descriptor Table (IDT) hook is rootkit technology in kernel level of Trojan. The paper makes deeply analysis on the IDT hooks handle procedure of rootkit Trojan according to previous other researchers methods. We compare its IDT structure and programs to find how Trojan interrupt handler code can respond the interrupt vector request in both real address mode and protected address mode. Finally, we analyze the IDT hook detection methods of rootkits Trojan by Windbg or other professional tools.