CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

XU Ming,YANG Tong,ZHENG Lian-qing,ZHANG Chuan-rong

2011-01-01

Abstract:To reinforce network security and prevent Trojan horse attacks,a concealing technology by triple jump in load and thread guard is analyzed and implemented with an example,and a Trojan horse using the technology is programmed,and the hidden nature and survivability of the Trojan horse is enhanced by it.Finally,the corresponding cleaning method is put forward.Experimental results show that the Trojan horse completes the expected hidden features,and can penetrate the latest Rising anti-virus software,Rising Firewall and general hardware firewalls,which demonstrate the feasibility and effectiveness of the concealing technology.

Fang Wangsheng,Shao Liping,Zhang Kejun

DOI: https://doi.org/10.3969/j.issn.1008-0570.2006.33.028

2006-01-01

Abstract:According to the structure characters of portable executable file format, the methods taking advantages of redundant spaces, redundant structures and static spaces allocated to strings to embed information into PE file are introduced in this paper. To prevent the embedded data from being understood and modified, a method is provided there, which make use of translating data in other forms to disguise information. To recover the original information, a method being availed of secret sharing schemas is also given. When some embedded informations are damaged, others can be used to recover the original embedded information to keep the em- bedded data completely.

XU Xu-xu,XUE Zhi,WU Gang

DOI: https://doi.org/10.3969/j.issn.1009-2552.2012.02.041

2012-01-01

Abstract:This paper first introduced the basic conceptions about Trojan Horse and basic technologies of Trojan Horse,and then it introduced the common methods of Trojan Horse detection.And it expounds the current research condition and development trend of Trojan Horse detection.It analyzes and summarizes the behavioral characteristics of their installation,and puts forward an anti-trojan strategy based on behavior analysis.

Ting Liu,Xiaohong Guan,Qinghua Zheng,Ke Lu,Yuanfeng Song,Weizhang Zhang

DOI: https://doi.org/10.1109/CCNC.2009.4785028

2010-01-01

Abstract:This paper presents a novel Trojan detection and defense system. The prototype searches the important files which contain users' confidential information on the disk. And then, these files will be monitored to find which processes will access them by capturing and analyzing the IRPs (I/O Request Packets). The processes of Trojans will be distinguished from regular ones by evaluating their API-calls with several machine-learning models, rather than traditional signature-based mechanism. Testing results show that this prototype could detect and defend the unknown Trojans quickly and accurately.

mingwei zhao,rongan jiang

DOI: https://doi.org/10.1007/978-3-642-28798-5_18

2012-01-01

Abstract:As a new kind of Trojan horse which combines with the kernel Rootkit technologies, kernel Trojan horse has received a great mount of people's attention and been used a lot. However, the sensitive property of kernel Trojan which follows traditional architecture model is fully exposed to the security software, and needs kernel concealment module to complete all the hidden works, thus the concealment module is too large, easily detected by security software. Based on the analysis of Trojan collaborative concealment model, this paper improves the traditional architecture model and introduces a lightweight concealment module of pure kernel Trojan horse architecture model. Furthermore, an example which adopts the improved model is present in this paper. The experimental results verify the feasibility and efficient of the improved model. © 2012 Springer-Verlag.

SHI Yong,XUE Zhi,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.053

2005-01-01

Abstract:A new trojan horse on Windows operating system is presented. This technology combines SPI which is a new characteristic in Winsock 2 with remote thread injecting in Windows kernel and DLL(dynamic-link libraries) in Windows file system. And it uses some characteristics in filtration and interrupt of firewalls for reference. A new trojan horse hiding style is realized.

LI Xiao-dong,LUO Ping,ZENG Zhi-feng

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.05.044

2007-01-01

Abstract:Trojan horse is a new kind computer virus,which makes much damage to computer information resources in a local network.This paper represented a new method to detect Trojans using its auto-startup characteristic.This method uses hooking system services dispatch table,so as to monitor file system and registry table.Compared with traditional detective methods,it can detect not only known Trojans but unknown ones.It is difficult for Trojans to escape detection because it is implemented in the kernel.

宫照刚

2014-12-19

Abstract:The invention discloses a Trojan virus searching and killing tool which comprises an intelligent searching and killing module, a real-time monitoring module, a tool setting module and an information feedback module. After the Trojan virus searching and killing tool is started, static Trojan viruses in a computer are found and killed through the intelligent searching and killing module; suspicious Trojan files are found and processed by monitoring the real-time states of all current working parts of the computer through the real-time monitoring module; renewing, appearance, whether to be automatically started and the like of the tool can be conveniently set through the tool setting module; the practicability and function bugs of the tool can be conveniently fed back to a development maintainer in time for a user through the information feedback module so that the version of the tool can be upgraded. Compared with the prior art, the Trojan virus searching and killing tool has the advantages that information of the computer is made secure, the personal information security is ensured, the personal information is prevented from being stolen and embezzled by others, and practicability is high.

Computer Science

杨彦,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.11.015

2008-01-01

Abstract:Trojan is malicious program which is designed to obtain privilege and steal information; it seriously endangers the internet se- curity and information security. The rules of Trojan's attack actions are researched, a new Trojan horse detection method based on executable static analysis is proposed. The present attack tree model is improved, an extended attack tree model is designed to d escribe the sequences of threatening system calls Trojan commonly used. Matched the set of APIs used in PE file with the original extended attack tree, to predict the attack actions may appear in the implementation of the PE file and estimate whether the PE file is a Trojan.

CHEN Lei-ting,ZHANG Liang

DOI: https://doi.org/10.3969/j.issn.1001-0548.2005.02.021

2005-01-01

Abstract:This paper points out the deficiency in detecting the unknown Trojan horse of the present anti-virus software at first, introduces the advantage of artificial immune system in self-adaptability aspect, and points out the feasibility of artificial immunity mechanism in Trojan horses detection; Then through an analysis about the new technology of Trojan horses, proves the deficiency of current computer security system with a Trojan horses model, presents the transfer of Trojan horses detection from the anti-virus software to the subsystem of immune IDS, improves the self-adaptive capacity of Trojan horses detection with its immune mechanism; Finally, a behavior mode is put forward, which is mapped from the using situation of process systematic resource to the process systematic call, and by this means, a Trojan horse detection model based on artificial immunity mechanism is set up.

杨彦,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.053

2008-01-01

Abstract:Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions.This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use,and classifies them into two categories: modifying kernel object data structures and changing execution paths.The technical principles are described and compared in detail.The future development directions are discussed.

林卫亮,王轶骏,薛质

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.03.025

2009-01-01

Abstract:Rootkit is a system layer hidden mechanism and implementation program and is becoming more and more popular.It is designed to take fundamental control of a computer system,without authorization by the system owners and legitimate managers.Concealing running processes is one of the Win32 Rootkit's standard functions.In this paper,the techniques for detecting this kind of Win32 Rootkit,are studiues and implemented their advantages and disadvantages analyzed and compaired,Finally,some prospects for this technique are proposed.

Dai Zhongchao,Zhang Xinming

DOI: https://doi.org/10.3969/j.issn.1671-489X.2007.05.025

2007-01-01

Abstract:This paper ,by combining on how the Ghost network technology is actually used to carry on the hard disc cloning of network with the cooperation of using the remote order of electronic classroom software to maintain the network computer lab, is in the hope of improving the service efficiency of the network computer lab by providing the concrete technological route and realization method.

张磊

DOI: https://doi.org/10.3969/j.issn.1006-4052.2010.10.047

2010-01-01

Abstract:With the computer and network technology,the rapid development of the back door of the increasing threats to information security.The authors adjusted the back door to look into the idea of a dynamic link library,so that there can be no process,no open ports etc.,thus achieving a process,the port hidden,so the back door DLL-based prevention and information security problems has become a more important object of study worthy of attention.This article describes the types of Trojan horse program works and realization of the function,describing the main API functions,and summarizes a number of DLL Trojans killing methods.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

ZHANG Chen,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.02.023

2011-01-01

Abstract:Today's popular Trojans begin to use covert communication technology and bypass the detection of honeypot system.This paper first describes the common Trojan covert communication technologies and the growing popular kernel layer Rootkit covert communication technology,then discusses the current client honeypot detecting methods for malware.Aiming at the deficiency of Honeypot detection mechanisms for network communication,an effective improvement scheme is proposed,By using network traffic detection technology based on the NDIS intermediate driver,the Trojans date packets are acquired.This scheme could effectively detect Rootkit covert communication based on network driver and extract the key communication information for Trojan track and analysis.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

HAO Dong-bai,GUO Lin,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.24.040

2007-01-01

Abstract:According to the analysis of Trojan horse attack patterns,implant methods,the security model of windows and limitations of the Trojan horse detection technologies at present,A defense against Trojan horse system based on restricted token is stated in this paper.Combined with constructing the secure work environment,auditing the startup of applications and restraining the malicious action of Trojan horse.The design of process environment control module,service manager module,register monitoring and anomaly diagnose module are focused on.At last,the experiment result validates the feasibility and availability of this system.

潘茂如,曹天杰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.18.047

2010-01-01

Abstract:The realization mechanism of the Direct Kernel Object Manipulation(DKOM) and call gate are analyzed and proposed.By using call gate,it can promote the program’s privilege to modify the kernel’s process list to hide the process without the driver.A Trojan program is designed and implemented,and the hidden and survival functions are verified in experimental conditions based on the proposal.The experiments have proved that the Trojan can hide the process effectively and escape the detection and killing of the common security software.It also analyzes the Trojan program’s detection method.