CN103067370A - Method of identifying remote control Trojan and device thereof - Google Patents

Method of identifying remote control Trojan and device thereof

Info

Publication number
CN103067370A
CN103067370A
Authority
CN
China
Prior art keywords
Trojan
packet
data
format
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201210568119XA
Other languages
Chinese (zh)
Inventor
潘建军
杨军
黄伟明
陈勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Internet Security Software Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Original Assignee
Zhuhai Juntian Electronic Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhuhai Juntian Electronic Technology Co Ltd
Priority to CN201210568119XA
Publication of CN103067370A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and device for identifying a remote-control Trojan. The method comprises step S11, capturing a packet and extracting its format features, and step S12, matching the packet's format features against a Trojan packet format database: if they match, the packet is intercepted; if they do not, the packet is allowed to connect to the network. By monitoring packet format features, the method and device can judge whether a packet belongs to a remote-control Trojan, so as to stop the Trojan or virus from performing illegal operations against the user and spare the user unnecessary loss.

Description

Method and device for identifying a remote-control Trojan
Technical field
The present invention relates to the fields of information filtering and communications, and specifically to a method and device for identifying a remote-control Trojan.
Background
A computer Trojan generally consists of two parts, a server side and a control side, i.e. the commonly used client/server (C/S) model. The server side (S, Server) runs on the remote computer. Once it has executed successfully, that computer can be controlled or otherwise damaged; what is done depends on the intentions of the person who planted the Trojan and on the Trojan's own capabilities. These control functions are mainly implemented by calling Windows APIs. The control side (C, Client) is the client program: its main function is to cooperate with the server-side program and to issue control commands to the server side over the network, and the control part runs on the local computer. Usually, when an application connects to the network, the Trojan sends packets to its server side. Identifying a remote-control Trojan on the basis of packet format is therefore a problem that urgently needs solving.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a method for identifying a remote-control Trojan.
The present invention is implemented by the following technical scheme. A method for identifying a remote-control Trojan comprises the steps:
Step S11: intercept a packet and extract the packet's format features;
Step S12: match the extracted format features of the packet against the packet format features recorded in a Trojan packet format database; if they match, intercept the packet; if they do not match, allow it to connect to the network.
The present invention further provides a device for identifying a remote-control Trojan. It comprises a format feature extraction module, a matching judgment module and a Trojan packet format database. The format feature extraction module intercepts a packet and extracts its format features; the matching judgment module matches the format features extracted by the format feature extraction module against the packet format features recorded in the Trojan packet format database; if they match, the packet is intercepted, and if they do not match, it is allowed to connect to the network.
Compared with the prior art, the method and device of the present invention for identifying a remote-control Trojan determine whether a remote-control Trojan is operating by monitoring packet format features, so as to stop a Trojan or virus from performing illegal operations against the user and spare the user unnecessary loss.
To make the present invention clearer, specific embodiments are set out below with reference to the drawings.
Description of drawings
Fig. 1 is a flow chart of the method of the present invention for identifying a remote-control Trojan.
Fig. 2 is a module diagram of the device of the present invention for identifying a remote-control Trojan.
Embodiment
Refer to Fig. 1, the flow chart of the method of the present invention for identifying a remote-control Trojan. The method comprises the steps:
Step S11: when an application connects to the network, the Trojan sends packets to its server side. Therefore the packet is first intercepted and its format features are extracted.
The format features of the packet comprise the following items:
1. Packet identifier. A binary packet begins with several fixed bytes (the packet identifier), as in Ghost, for example. A Trojan's packet identifier differs from the identifiers of normal, benign packets, so the packet identifier can serve as a basis for judgment.
2. Packet length. The length of the packets a specific Trojan sends has its own characteristics, so the packet length can serve as a basis for judgment.
3. Packet CRC. The CRC of the packets a specific Trojan sends has its own characteristics, so the packet CRC can serve as a basis for judgment.
4. Data values with a specific meaning at specific positions in the packet.
Step S12: match the extracted format features of the packet against the packet format features recorded in the Trojan packet format database. If they match, the packet is judged to be a Trojan remote-control operation and is intercepted; if they do not match, it is allowed to connect to the network.
The Trojan packet format database records the format features of all Trojan packets discovered so far. By comparing the format features of the currently intercepted packet with the packet format features recorded in the database, it can be determined directly whether the packet was sent by a Trojan.
Specifically:
1. The extracted packet identifier is matched against the packet identifiers recorded in the Trojan packet format database; if it matches one of the recorded identifiers, the packet is judged to have been sent by a Trojan.
2. The obtained packet length is matched against the packet length values recorded in the database; if it matches one of the recorded values, the packet is judged to have been sent by a Trojan.
3. The obtained packet CRC is matched against the packet CRC data recorded in the database; if it matches one of the recorded CRC values, the packet is judged to have been sent by a Trojan.
4. The data values with a specific meaning at specific positions in the packet are analysed and matched against the specific-meaning data values recorded in the database; if one of them matches, the packet is judged to have been sent by a Trojan.
The concrete combination of the above format feature items is chosen by the packet format database: one or more of the matching items may be selected, and only when all selected items hit is the packet judged to have been sent by a Trojan.
By the above method for identifying a remote-control Trojan, the operation of a remote-control Trojan can be identified by analysing the packet format, so that the remote-control operation is intercepted and the user is spared loss.
Refer to Fig. 2, the module diagram of the device of the present invention for identifying a remote-control Trojan. It comprises a format feature extraction module 21, a matching judgment module 22 and a Trojan packet format database 23.
The format feature extraction module 21 intercepts packets and extracts their format features, which comprise the following items: 1. the packet identifier (a binary packet begins with several fixed bytes, as in Ghost, for example, and this identifier can be extracted as a format feature and used as a basis for judgment); 2. the packet length; 3. the packet CRC; 4. data values with a specific meaning at specific positions in the packet.
The matching judgment module 22 then matches the format features of the packet extracted by the format feature extraction module 21 against the packet format features recorded in the Trojan packet format database 23. If they match, the packet is judged to be a Trojan remote-control operation and is intercepted; if they do not match, it is allowed to connect to the network.
The Trojan packet format database 23 records the format features of all Trojan packets discovered so far. By comparing the format features of the currently intercepted packet with the packet format features recorded in the database 23, it can be determined directly whether the packet was sent by a Trojan.
Specifically, the matching judgment module 22 matches the same four items as in step S12: 1. the extracted packet identifier against the packet identifiers recorded in the database; 2. the obtained packet length against the recorded packet length values; 3. the obtained packet CRC against the recorded CRC data; 4. the specific-meaning data values at specific positions against the recorded specific-meaning data values. In each case, a match with one of the recorded entries means the packet is judged to have been sent by a Trojan. The concrete combination of these items is chosen by the packet format database: one or more matching items may be selected, and only when all selected items hit is the packet judged to have been sent by a Trojan.
Compared with the prior art, the method and device of the present invention for identifying a remote-control Trojan determine from packet format features whether a remote-control Trojan is operating, so as to stop a Trojan or virus from performing illegal operations against the user and spare the user unnecessary loss.
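Steps S11 and S12 and modules 21 to 23 describe the same matcher, so one added Python example serves both. It is not code from the patent or from its assignees. Where the patent is silent, the example assumes that the packet identifier is the first few bytes of a caller-chosen length, that "the CRC of the packet" is CRC-32 (zlib.crc32) over the whole packet, and that the Trojan packet format database is an in-memory list of entries; every sample packet is constructed for the example and is not a capture of any real Trojan. The example also shows the check a practitioner wants before trusting such a database: an entry that selects only a weak feature such as packet length collides with benign traffic of the same length, which is why the embodiment lets the database select several items that must all hit.

```python
"""Packet-format matching in the style of CN103067370A (added example).

Assumptions where the patent is silent: the packet identifier is the
first ident_len bytes; "CRC of the packet" is CRC-32 (zlib.crc32) over
the whole packet; the Trojan packet format database is an in-memory
list of Signature entries. Sample packets are constructed, not captures.
"""
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    """One database entry: the four format features of step S11.
    A field left at None is not selected for matching; every selected
    field must hit (the 'all selected items hit' rule of step S12)."""
    name: str
    ident: Optional[bytes] = None                     # 1. fixed leading bytes
    length: Optional[int] = None                      # 2. packet length
    crc32: Optional[int] = None                       # 3. packet CRC (assumed CRC-32)
    fixed_fields: Tuple[Tuple[int, bytes], ...] = ()  # 4. (offset, bytes) with a specific meaning


def signature_from_sample(name: str, sample: bytes, ident_len: int = 4,
                          use_length: bool = True, use_crc: bool = False,
                          fixed_fields=()) -> Signature:
    """Populate a database entry from a captured Trojan packet: this is how
    the 'format features of all Trojan packets discovered so far' get in."""
    return Signature(
        name=name,
        ident=sample[:ident_len] if ident_len else None,
        length=len(sample) if use_length else None,
        crc32=zlib.crc32(sample) if use_crc else None,
        fixed_fields=tuple(fixed_fields),
    )


def matches(sig: Signature, packet: bytes) -> bool:
    """Step S12 against one entry: every selected feature must hit."""
    selected = 0
    if sig.ident is not None:
        selected += 1
        if not packet.startswith(sig.ident):
            return False
    if sig.length is not None:
        selected += 1
        if len(packet) != sig.length:
            return False
    if sig.crc32 is not None:
        selected += 1
        if zlib.crc32(packet) != sig.crc32:
            return False
    for offset, expected in sig.fixed_fields:
        selected += 1
        if packet[offset:offset + len(expected)] != expected:
            return False
    # An entry that selects nothing would match every packet; treat it as
    # a broken database entry, never as a hit.
    return selected > 0


def classify(packet: bytes, db: List[Signature]) -> Optional[str]:
    """Return the name of the first matching entry (intercept), or None (allow)."""
    for sig in db:
        if matches(sig, packet):
            return sig.name
    return None


# ---- constructed samples (fictitious; not captures of any real Trojan) ----
# A made-up RAT: 4-byte identifier, 2-byte big-endian command code at
# offset 4, payload padded to 16 bytes.
RAT_HEARTBEAT = b"\xaa\x55RC" + b"\x00\x01" + b"\x00" * 10
RAT_EXEC = b"\xaa\x55RC" + b"\x00\x07" + b"cmd.exe" + b"\x00" * 3
# Benign 16-byte packet that shares nothing with the RAT but its length.
BENIGN_HTTP = b"GET / HTTP/1.1\r\n"

SIGNATURE_DB = [
    # identifier + length + command field: specific to the heartbeat
    signature_from_sample("rat-heartbeat", RAT_HEARTBEAT,
                          fixed_fields=[(4, b"\x00\x01")]),
    # identifier + length: catches other commands of the same RAT
    signature_from_sample("rat-generic", RAT_HEARTBEAT),
    # length alone: a weak entry kept only to show the false positive
    Signature(name="length-only-16", length=16),
]
STRONG_DB = SIGNATURE_DB[:2]


def filter_packets(packets: List[bytes], db: List[Signature]) -> List[str]:
    """Verdict per packet: the matching entry's name, or 'allow'."""
    return [classify(p, db) or "allow" for p in packets]


if __name__ == "__main__":
    samples = [RAT_HEARTBEAT, RAT_EXEC, BENIGN_HTTP]
    for pkt, verdict in zip(samples, filter_packets(samples, SIGNATURE_DB)):
        print(pkt[:6].hex(), verdict)
```

`classify` returns the entry name for a packet to intercept and None for a packet to allow; with the full SIGNATURE_DB the benign HTTP request is intercepted by the length-only entry, and with STRONG_DB it is allowed. A CRC-only entry built with `use_crc=True` matches one exact packet and nothing else, which suits fixed heartbeats but misses every other command. As with any signature database, matching fixed bytes, length or CRC identifies only the Trojan families already recorded and is defeated by a Trojan that changes its identifier or pads its packets.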
The present invention is not limited to the above embodiments. Changes or variations that do not depart from the spirit and scope of the present invention and fall within the claims of the present invention and their technical equivalents are also intended to be covered by the present invention.

Claims (6)

1. A method for identifying a remote-control Trojan, comprising the steps:
Step S11: intercepting a packet and extracting the packet's format features;
Step S12: matching the extracted format features of the packet against the packet format features recorded in a Trojan packet format database; if they match, intercepting the packet; if they do not match, allowing it to connect to the network.
2. The method for identifying a remote-control Trojan according to claim 1, characterised in that the format feature content of the packet comprises: the packet identifier, the packet length, the packet CRC, or data values with a specific meaning at specific positions in the packet.
3. The method for identifying a remote-control Trojan according to claim 2, characterised in that step S12 specifically comprises: matching the extracted packet identifier against the packet identifiers recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if it matches one of the recorded packet identifiers; and/or matching the obtained packet length against the packet length values recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if it matches one of the recorded packet length values; and/or matching the obtained packet CRC against the packet CRC data recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if it matches one of the recorded CRC values; and/or analysing the data values with a specific meaning at specific positions in the packet and matching them against the specific-meaning data values recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if one of them matches a recorded specific-meaning data value.
4. A device for identifying a remote-control Trojan, characterised in that it comprises a format feature extraction module, a matching judgment module and a Trojan packet format database; the format feature extraction module intercepts a packet and extracts the packet's format features; the matching judgment module matches the format features of the packet extracted by the format feature extraction module against the packet format features recorded in the Trojan packet format database; if they match, the packet is intercepted, and if they do not match, it is allowed to connect to the network.
5. The device for identifying a remote-control Trojan according to claim 4, characterised in that the format features extracted by the format feature extraction module comprise: the packet identifier, the packet length, the packet CRC, or data values with a specific meaning at specific positions in the packet.
6. The device for identifying a remote-control Trojan according to claim 5, characterised in that the content matched by the matching judgment module comprises: matching the extracted packet identifier against the packet identifiers recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if it matches one of the recorded packet identifiers; and/or matching the obtained packet length against the packet length values recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if it matches one of the recorded packet length values; and/or matching the obtained packet CRC against the packet CRC data recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if it matches one of the recorded CRC values; and/or analysing the data values with a specific meaning at specific positions in the packet and matching them against the specific-meaning data values recorded in the Trojan packet format database, and judging the packet to have been sent by a Trojan if one of them matches a recorded specific-meaning data value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210568119XA CN103067370A (en) 2012-12-24 2012-12-24 Method of identifying remote control Trojan and device thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210568119XA CN103067370A (en) 2012-12-24 2012-12-24 Method of identifying remote control Trojan and device thereof

Publications (1)

Publication Number Publication Date
CN103067370A true CN103067370A (en) 2013-04-24

Family

ID=48109832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210568119XA Pending CN103067370A (en) 2012-12-24 2012-12-24 Method of identifying remote control Trojan and device thereof

Country Status (1)

Country Link
CN (1) CN103067370A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431521A (en) * 2008-11-26 2009-05-13 北京网康科技有限公司 Anti-Trojan network security system and method
CN101567884A (en) * 2009-05-26 2009-10-28 西北工业大学 Method for detecting network theft Trojan
CN101686239A (en) * 2009-05-26 2010-03-31 中山大学 Trojan discovery system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302520A (en) * 2016-09-14 2017-01-04 恒安嘉新(北京)科技有限公司 Remote-control Trojan removal method and device
CN106302520B (en) * 2016-09-14 2019-10-11 恒安嘉新(北京)科技股份公司 Remote-control Trojan removal method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
Owner name: KINGSOFT CORPORATION LIMITED BEIKE INTERNET (BEIJI
Effective date: 20130503
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
Effective date of registration: 20130503
Address after: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8
Applicant after: ZHUHAI JUNTIAN ELECTRONIC TECHNOLOGY Co.,Ltd.
Applicant after: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.
Applicant after: SHELL INTERNET (BEIJING) SECURITY TECHNOLOGY Co.,Ltd.
Applicant after: BEIJING KINGSOFT NETWORK TECHNOLOGY Co.,Ltd.
Address before: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8
Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication
Application publication date: 20130424