Flashsky
Currently, exploiting a vulnerability, including for trojan implantation (挂马), generally takes four steps:
1. Vulnerability triggering
2. Vulnerability exploitation
3. Shellcode execution
4. Download and execution of the virus/trojan/backdoor
Of course, not every exploitation involves all four steps. For some logic vulnerabilities, triggering and exploitation are one and the same; for some attacks there is no download step at all. For most memory-related vulnerabilities, however, all four steps are basically involved.
The technologies that attack research is concerned with are accordingly:
1. Vulnerability discovery (mining) technology, to find vulnerabilities
2. Vulnerability exploitation technology, to turn a vulnerability into a working exploit
3. Shellcode techniques and anti-detection (confrontation) techniques
4. Virus/trojan technology
By contrast, the overall Microsoft protection system can be summarized as:
1. The SDL process, including source code audit, SAL annotations and security testing, to reduce the number of vulnerabilities
2. Operating system protection mechanisms: GS, heap protection, SafeSEH, ASLR, etc., to prevent exploitation or reduce exploitability
3. DEP, to prevent shellcode execution
4. Defender, UAC, anti-virus and anti-trojan tools, etc.
Currently, trojan detection is concentrated almost entirely on layers 3 and 4. But following the exploitation logic above, by the time the attacker is executing shellcode, the shellcode essentially runs with the same privileges as the detection technology and can fully counter it: for example, by detecting the detection API, unhooking APIs, evading the detection API, stopping the detection engine, or finding the detection engine and terminating it. Detection therefore also needs to cover steps 1 and 2, because at step 2 the attacker cannot yet detect or counter the detection (beyond, of course, knowing your IP address). At the same time, many vulnerabilities only succeed with a certain probability; environmental conditions mean the shellcode may never execute successfully, and such attempts can only be caught at layer 1 or 2. Today only some simple signature-based detection exists for steps 1 and 2, and simple signatures are easily evaded by dynamic (runtime-generated) techniques. This means trojan detection must support, first, fully dynamic techniques for the confrontation, and second, detection grounded in the vulnerability mechanism itself, so that more is detected at the moment a vulnerability is triggered and exploited, which in turn helps defend against attacks at layers 3 and 4.
Trojan detection should likewise follow the four layers above to build a three-dimensional, multi-level detection system, in order to hold the advantage in the long-term confrontation with trojans. Knownsec's (Zhidao Chuangyu's) trojan detection system is a multi-level detection system built on the model above.