CN107181719B - Trojan horse program detection method and device - Google Patents


Info

Publication number: CN107181719B
Authority: CN (China)
Prior art keywords: program, information, specified event, server, platform
Legal status: Active
Application number: CN201610136580.6A
Other languages: Chinese (zh)
Other versions: CN107181719A (en)
Inventor: 费永康
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The application provides a method and a device for detecting a Trojan horse program. The method comprises the following steps: the client monitors for the occurrence of a specified event on the information aggregation platform; the client sends verification information of the program corresponding to the specified event to the server, so that the server judges, using the verification information, whether that program is a dangerous program; and the client sends the program corresponding to the specified event to the server according to the received program reporting command, so that the server detects whether the program is a Trojan horse program. Through this technical scheme, the Trojan program can be located by technical means as soon as it invades the information convergence platform, shortening the discovery and response time; the Trojan program can thus be quickly alerted on and located, fully screened for and removed in time before it propagates in large numbers, and the economic loss caused by user information leakage is effectively reduced.

Description

Trojan horse program detection method and device
Technical Field
The application relates to the technical field of internet, in particular to a Trojan horse program detection method and device.
Background
With the rapid development of electronic commerce, user information has become increasingly valuable, and many lawbreakers profit by stealing it. For example, a hacker writes an information-leakage Trojan-like program and implants it into a vendor platform, thereby stealing sensitive information such as the vendor's Cookie and, impersonating the vendor user, stealing user information from the e-commerce platform. A hacker who obtains the user information can use it to carry out targeted criminal activities against the user, such as order fraud, telephone fraud and credit card fraud.
The information-leakage Trojan horse program written by the hacker aims to steal sensitive information such as the vendor's Cookie, using intrusion into the vendor platform as the means of stealing user information, and it lacks the behavioural characteristics of a common Trojan horse program, such as self-replication and infection.
At present, an information-leakage Trojan program cannot be located by technical means at the beginning of its propagation; only after a large number of cases have occurred is it finally located, based on user reports and manual tracing analysis. This process is long, and the information-leakage Trojan-like programs spread and run for a period of time, causing economic losses to a large number of users.
Disclosure of Invention
The application provides a detection method of a Trojan horse program, which comprises the following steps:
the client monitors that a specified event occurs on the information aggregation platform;
the client sends verification information of the program corresponding to the specified event to the server, so that the server judges whether the program corresponding to the specified event is a dangerous program or not by using the verification information;
and the client sends the program corresponding to the specified event to a server according to the received program reporting command so that the server detects whether the program is a Trojan horse program.
The process in which the client monitors for the occurrence of a specified event on the information aggregation platform specifically includes:
when the client observes that the information aggregation platform queries user information, determining that a specified event has occurred on the information aggregation platform.
The process in which the client monitors the information aggregation platform for querying user information specifically comprises the following steps:
the client injects a dynamic link library (dll) into each process of the information convergence platform, and the dll is used to monitor whether that process queries user information through a query interface provided by the e-commerce platform; when the dll detects that a process queries user information through the query interface, the information aggregation platform has been observed querying user information through the query interface;
the query interface comprises a Uniform Resource Locator (URL) interface or an Application Programming Interface (API).
The verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
The application provides a detection method of a Trojan horse program, which comprises the following steps:
the server receives verification information sent by the client, wherein the verification information is the verification information of a program corresponding to a specified event sent when the client monitors that the specified event occurs on the information convergence platform;
the server judges whether the program corresponding to the specified event is a dangerous program or not by using the verification information; if yes, the server side sends a program reporting command to the client side;
the server receives a program corresponding to the specified event sent by the client;
and the server detects whether the program is a Trojan horse program.
The step of judging, by the server, whether the program corresponding to the specified event is a dangerous program by using the verification information specifically includes:
the server side judges whether the verification information exists in a program white list library maintained in advance;
if not, the server side determines that the program corresponding to the specified event is a dangerous program;
if so, the server side determines that the program corresponding to the specified event is not a dangerous program;
a program white list library is maintained in advance on the server, and the program white list library records the authorized verification information of the program capable of inquiring the user information.
The verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
The step of judging, by the server, whether the program corresponding to the specified event is a dangerous program by using the verification information specifically includes: the server side judges whether the currently received verification information contains signature information; if not, the server side determines that the program corresponding to the specified event is a dangerous program;
if so, the server side judges whether the signature information is contained in a program white list library;
if the signature information is not contained in the program white list library, the server side determines that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, the server side determines that the program corresponding to the specified event is not a dangerous program.
After the server determines that the program corresponding to the specified event is not a dangerous program, the method further includes: the server side judges whether other information except the signature information in the verification information is completely contained in the program white list library or not; if not, storing the information of the information aggregation platform into a monitoring list; the server side judges whether a user information leakage event occurs in the information aggregation platform in the monitoring list or not; and if so, determining that the program corresponding to the specified event is a dangerous program.
The application provides a detection device for a Trojan program; the detection device is used on the client and specifically includes:
the determining module is used for monitoring that a specified event occurs on the information gathering platform;
the information sending module is used for sending the verification information of the program corresponding to the specified event to the server so that the server judges whether the program corresponding to the specified event is a dangerous program or not by using the verification information;
and the program sending module is used for sending the program corresponding to the specified event to the server according to the received program reporting command so as to enable the server to detect whether the program is a Trojan horse program.
The determining module is specifically configured, in the process of monitoring for the occurrence of the specified event on the information aggregation platform, to determine that a specified event has occurred when the information aggregation platform is observed querying user information.
The determining module is specifically configured, in the process of monitoring the information convergence platform for querying user information, to inject a dynamic link library (dll) into each process of the information convergence platform, where the dll is used to monitor whether that process queries user information through a query interface provided by the e-commerce platform; when the dll detects that a process queries user information through the query interface, the information convergence platform has been observed querying user information through the query interface;
the query interface comprises a Uniform Resource Locator (URL) interface or an Application Programming Interface (API).
The verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
The application provides a detection device for a Trojan program; the detection device is used on the server and specifically includes:
the information receiving module is used for receiving verification information sent by a client, wherein the verification information is the verification information of a program corresponding to a specified event sent when the client monitors that the specified event occurs on an information convergence platform;
the judging module is used for judging whether the program corresponding to the specified event is a dangerous program or not by utilizing the verification information;
the sending module is used for sending a program reporting command to the client when the judgment result is yes;
the program receiving module is used for receiving a program corresponding to the specified event sent by the client;
and the detection module is used for detecting whether the program is a Trojan horse program.
The judging module is specifically configured to judge whether the verification information exists in a program white list library maintained in advance in the process of judging whether the program corresponding to the specified event is a dangerous program by using the verification information; if not, determining that the program corresponding to the specified event is a dangerous program; if so, determining that the program corresponding to the specified event is not a dangerous program;
a program white list library is maintained in advance on the server, and the program white list library records the authorized verification information of the program capable of inquiring the user information.
The verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
The judging module is specifically configured to judge whether the currently received verification information includes signature information in the process of judging whether the program corresponding to the specified event is a dangerous program by using the verification information; if not, determining that the program corresponding to the specified event is a dangerous program; if yes, judging whether the signature information is contained in a program white list library; if the signature information is not contained in the program white list library, determining that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, determining that the program corresponding to the specified event is not a dangerous program.
The judging module is further configured to judge, after determining that the program corresponding to the specified event is not a dangerous program, whether information other than the signature information in the verification information is completely contained in the program white list library; if not, to store the information of the information aggregation platform into a monitoring list; to judge whether a user information leakage event occurs in an information aggregation platform in the monitoring list; and if so, to determine that the program corresponding to the specified event is a dangerous program.
Based on the above technical scheme, in the embodiment of the application, the client deployed on the information aggregation platform monitors for the specified event and sends the verification information of the program corresponding to the specified event to the server; the server judges, using the verification information, whether that program is a dangerous program; and when it is, the client sends the program to the server, which detects whether it is a Trojan program. In this way, for information-leakage Trojan programs, the Trojan program can be located by technical means as soon as it invades the information convergence platform, shortening the discovery and response time, so that it can be quickly alerted on and located, searched for and removed across the whole network in time before it spreads in large numbers, and the economic loss caused by leakage of user information is effectively reduced.
Drawings
In order to describe the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings in the following description show only some of the embodiments described in the present application, and those skilled in the art can derive other drawings from them.
FIG. 1 is a flow chart of a method for detecting a Trojan horse program in one embodiment of the present application;
FIG. 2 is a flow chart of a Trojan horse program detection method in another embodiment of the present application;
FIG. 3 is a schematic diagram of an application scenario in an embodiment of the present application;
FIG. 4 is a flow chart of a method for detecting a Trojan horse program in another embodiment of the present application;
FIG. 5 is a diagram of a hardware configuration of a client in one embodiment of the present application;
FIG. 6 is a block diagram of a detection device for a Trojan horse program according to an embodiment of the present application;
FIG. 7 is a hardware block diagram of a server in one embodiment of the present application;
FIG. 8 is a block diagram of a detection device for a Trojan horse program according to an embodiment of the present application.
Detailed Description
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
In the following description of the embodiments, the information aggregation platform may be a vendor platform, such as a PC (Personal Computer), a mobile terminal or a tablet computer used by a vendor, and the client may be deployed on the information aggregation platform. The e-commerce platform may be a server used by a service provider, such as a server used by the Taobao platform, and the server side may be deployed on the e-commerce platform. In actual use, the e-commerce platform can provide a query interface, such as a URL interface or an API, to the information aggregation platform. The seller platform needs to acquire user information, and thus the seller platform may also be referred to as an information convergence platform.
To solve the problems in the prior art, an embodiment of the present application provides a method for detecting a trojan horse program, where the method may be applied to a client, and as shown in fig. 1, the method includes the following steps:
step 101, a client monitors that a specified event occurs on an information aggregation platform.
In the embodiment of the present application, the process in which the client monitors for the occurrence of a specified event on the information aggregation platform may specifically include, but is not limited to, the following manner: when the client observes that the information aggregation platform queries user information, the client determines that a specified event has occurred on the information aggregation platform, the specified event being an event of querying user information.
In the embodiment of the present application, the process in which the client monitors the information aggregation platform for querying user information may specifically include, but is not limited to, the following way: the client injects a dll (Dynamic Link Library) into each process of the information convergence platform, and the dll is used to monitor whether that process (namely the process into which the dll was injected) queries user information through a query interface provided by the e-commerce platform. When the dll detects that a process queries user information through the query interface, the client has observed the information convergence platform querying user information through the query interface. The query interface may specifically include, but is not limited to: a URL (Uniform Resource Locator) interface or an API (Application Programming Interface).
Step 102, the client sends verification information of the program corresponding to the specified event to the server, so that the server judges, using the verification information, whether the program corresponding to the specified event is a dangerous program.
Here, the program corresponding to the specified event means: when executing a program causes the specified event to occur, that program is taken as the program corresponding to the specified event. For example, when the information convergence platform executes program 1 and the specified event occurs on the information convergence platform, the program corresponding to the specified event is program 1.
The verification information of the program may specifically include, but is not limited to, one or any combination of the following: signature information of the program, file name, MD5 (Message Digest Algorithm 5) value, file size, and the like. The signature information may also include the issuing manufacturer of the program.
Step 103, the client sends the program corresponding to the specified event to the server according to the received program reporting command, so that the server detects whether the program is a Trojan horse program.
After the server judges whether the program corresponding to the specified event is a dangerous program, if so, the server sends a program reporting command to the client, and the client sends the program corresponding to the specified event to the server according to the received program reporting command. If the judgment result is negative, the server side does not send a program reporting command to the client side, and the process is ended.
The embodiment of the present application further provides a method for detecting a trojan program, where the method may be applied to a server, and as shown in fig. 2, the method for detecting a trojan program may specifically include the following steps:
step 201, the server receives the verification information sent by the client.
The verification information may specifically be: when the client monitors that a specified event occurs on the information aggregation platform, the client sends verification information of a program corresponding to the specified event to the server.
The verification information may specifically include, but is not limited to, one or any combination of the following: signature information, file name, md5 value, file size, etc. The signature information may also include a publisher.
Step 202, the server determines whether the program corresponding to the specified event is a dangerous program by using the verification information. If yes, go to step 203; if not, the processing flow of the program is ended.
In an example, in the embodiment of the present application, the process of determining, by the server, whether the program corresponding to the specified event is a dangerous program by using the verification information may specifically include, but is not limited to, the following manners: the server side judges whether the verification information exists in a program white list library maintained in advance; if not, the server side determines that the program corresponding to the specified event is a dangerous program; if so, the server side determines that the program corresponding to the specified event is not a dangerous program. The server maintains a program white list library in advance, and the program white list library records the authorized verification information of the program capable of inquiring the user information.
In another example, in the embodiment of the present application, the process of determining, by the server, whether the program corresponding to the specified event is a dangerous program by using the verification information may specifically include, but is not limited to, the following manners: the server side judges whether the currently received verification information contains signature information; if not, the server side determines that the program corresponding to the specified event is a dangerous program; if so, the server side judges whether the signature information contained in the verification information is contained in a program white list library or not; if the signature information is not contained in the program white list library, the server side determines that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, the server side determines that the program corresponding to the specified event is not a dangerous program.
In the embodiment of the application, after the server determines that the program corresponding to the specified event is not a dangerous program, the server can also judge whether other information except the signature information in the verification information is completely contained in the program white list library; if not, the server stores the information of the information aggregation platform into the monitoring list. Further, the server can judge whether a user information leakage event occurs in the information aggregation platform in the monitoring list; if so, the program corresponding to the specified event is determined to be a dangerous program.
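The server-side judgement described in the two examples above and in the Disclosure section (white list lookup, signature-first judgement, monitoring list promoted to dangerous on a leakage event), worked through as an added Python example that is not the patent's own code. The white list entries, publisher name, platform identifiers and decision constants are constructed assumptions; how the server later detects whether an uploaded program is a Trojan is not part of this example.

```python
"""Server-side 'dangerous program' decision from CN107181719B (steps 201-203).

Added illustration, not the patent's own code: white list entries, publisher
names, platform identifiers and sample verification information are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Decision values; only DANGEROUS makes the server send a program reporting command.
DANGEROUS = "dangerous"
NOT_DANGEROUS = "not_dangerous"
WATCH = "not_dangerous_monitoring"      # trusted signer, other fields not authorized
REPORT_PROGRAM = "program_reporting_command"


@dataclass(frozen=True)
class VerificationInfo:
    """The four fields the patent names. `signature` is the publisher taken from
    the program's code signature, or None when the program is unsigned."""
    signature: Optional[str]
    file_name: str
    md5: str
    file_size: int


def verification_info_from_bytes(file_name: str, data: bytes,
                                 signature: Optional[str] = None) -> VerificationInfo:
    """Client side: derive the verification information for the program image
    that the injected dll observed calling the query interface."""
    return VerificationInfo(signature, file_name,
                            hashlib.md5(data).hexdigest(), len(data))


class WhitelistServer:
    """Holds the pre-maintained program white list library and the monitoring list."""

    def __init__(self, whitelist: Iterable[VerificationInfo]):
        self.whitelist = set(whitelist)
        self.trusted_signatures = {w.signature for w in self.whitelist if w.signature}
        # "Other information except the signature" that is fully authorized.
        self.authorized_triples = {(w.file_name, w.md5, w.file_size) for w in self.whitelist}
        self.monitoring: Dict[str, VerificationInfo] = {}   # platform id -> program under watch

    def judge_exact(self, info: VerificationInfo) -> str:
        """First mode: the whole verification record must exist in the white list."""
        return NOT_DANGEROUS if info in self.whitelist else DANGEROUS

    def judge_by_signature(self, platform_id: str, info: VerificationInfo) -> str:
        """Second mode: signature first, then the remaining fields."""
        if info.signature is None:
            return DANGEROUS                      # unsigned program queried user data
        if info.signature not in self.trusted_signatures:
            return DANGEROUS                      # signed by a publisher not on the list
        if (info.file_name, info.md5, info.file_size) in self.authorized_triples:
            return NOT_DANGEROUS                  # fully authorized program
        # Trusted signer but unknown build: not dangerous yet, keep the platform under watch.
        self.monitoring[platform_id] = info
        return WATCH

    def handle_verification(self, platform_id: str, info: VerificationInfo,
                            signature_mode: bool = True) -> Tuple[str, Optional[str]]:
        """Steps 201-203: judge the reported program and decide whether the
        program reporting command goes back to the client."""
        decision = (self.judge_by_signature(platform_id, info)
                    if signature_mode else self.judge_exact(info))
        return decision, (REPORT_PROGRAM if decision == DANGEROUS else None)

    def report_leakage(self, platform_id: str) -> Optional[Tuple[str, str]]:
        """A user-information leakage event on a monitored platform promotes the
        watched program to dangerous and triggers the reporting command."""
        info = self.monitoring.pop(platform_id, None)
        if info is None:
            return None                           # platform was not under watch
        return DANGEROUS, REPORT_PROGRAM


# Constructed white list: two authorized builds of a seller's order tool
# (md5 values are those of the byte strings b"hello" and b"test").
WHITELIST = [
    VerificationInfo("Example Seller Tools Ltd", "order_query.exe",
                     "5d41402abc4b2a76b9719d911017c592", 5),
    VerificationInfo("Example Seller Tools Ltd", "order_sync.exe",
                     "098f6bcd4621d373cade4e832627b4f6", 4),
]

if __name__ == "__main__":
    server = WhitelistServer(WHITELIST)
    rebuilt = VerificationInfo("Example Seller Tools Ltd", "order_query.exe", "0" * 32, 9)
    print(server.handle_verification("seller-pc-2", rebuilt))   # trusted signer, watched
    print(server.report_leakage("seller-pc-2"))                 # leakage -> dangerous
```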
Step 203, the server sends a program report command to the client.
Step 204, the server receives the program corresponding to the specified event sent by the client.
Step 205, the server detects whether the program is a Trojan horse program.
The following describes the technical solution of the embodiment of the present application with reference to the application scenario shown in fig. 3.
In fig. 3, the information aggregation platform may be a seller platform, such as a PC (Personal Computer), mobile terminal or tablet computer used by a seller, and the client may be deployed on it. The e-commerce platform may be a server used by the service provider, such as a server of the Taobao platform, and the server-side component may be deployed on it. In actual use, the e-commerce platform provides the information aggregation platform with a query interface such as a URL interface or an API.
In an e-commerce transaction, a buyer user submits a purchase order, and the seller user queries the buyer's user information (such as commodity transaction information) through the query interface provided by the e-commerce platform (a URL interface, an API or similar) in order to carry out subsequent steps such as shipment. Specifically, the information aggregation platform sends a message requesting the user information to the e-commerce platform through that query interface; the message carries the seller's password information (such as a cookie or a token), and after receiving the message the e-commerce platform provides the user information to the information aggregation platform if the password information passes verification.
A hacker writes an information-leaking Trojan program and implants it into the information aggregation platform. The Trojan program can steal the seller's sensitive information, such as the seller's cookie (that is, the seller's password information), from the information aggregation platform and then masquerade as the seller: it sends a message requesting user information to the e-commerce platform through the information aggregation platform, the message carrying the seller's password information. After the e-commerce platform receives the message, if the password information passes verification, the user information is delivered to a device specified by the Trojan program, and the user information is thereby stolen.
Based on the above features (that is, the information-revealing trojan program may also query the user information through a query interface such as a URL interface or an API provided by an e-commerce platform), referring to fig. 4, a flowchart of a method for detecting a trojan program provided in an embodiment of the present application is shown, where the method may include the following steps:
in step 401, the client monitors that a specified event occurs on the information aggregation platform.
In the embodiment of the present application, the client monitors for the occurrence of a specified event on the information aggregation platform, which may specifically include, but is not limited to, the following manner: when the client observes that the information aggregation platform queries user information (for example, through the query interface provided by the e-commerce platform), the client determines that a specified event has occurred on the information aggregation platform; the specified event is an event of querying user information.
In the embodiment of the application, an event for querying user information is defined as a specified event, and if the specified event is monitored to occur on the information aggregation platform, it is indicated that a program queries the user information, and the program may be a program normally used by a seller user or an information disclosure Trojan horse program, so that a server is required to perform subsequent distinguishing processing.
In the embodiment of the present application, the process by which the client monitors the information aggregation platform for user-information queries may include, but is not limited to, the following manner: the client injects a dll into each process of the information aggregation platform, and the dll monitors whether the process exhibits the behaviour of querying user information through the query interface provided by the e-commerce platform. When the dll observes a process querying user information through the query interface, the client has detected that the information aggregation platform is querying user information through the query interface.
The query interface may specifically include, but is not limited to: a URL interface or API.
The client is deployed on the information aggregation platform and is responsible for monitoring all of its processes; it injects one dll into each of those processes in order to monitor whether that process queries user information through the query interface.
The monitoring by the dll is implemented by the client installing a hook in each process through the injected dll. A hook is essentially a procedure for handling messages: it allows an application to intercept and handle messages or specific events directed at a given window, which may be a window within the process or a window created by another process. When a process queries user information through the query interface, the dll injected into that process observes the behaviour and notifies the client; the client thereby detects that a specified event has occurred on the information aggregation platform, knows which process performed the query, and therefore knows which program (a possible Trojan program) queried the user information through the query interface.
In step 402, the client sends the verification information of the program corresponding to the specified event to the server.
Here, the program corresponding to the specified event means the program whose execution caused the specified event to occur. For example, when the information aggregation platform executes program 1 and a specified event thereupon occurs on the platform, the program corresponding to that specified event is program 1.
The verification information may specifically include, but is not limited to, one or any combination of the following: signature information, file name, md5 value, file size, etc. The signature information may also include a publisher.
In addition, the client may also send an identification of the specified event (e.g., event a) to the server.
In one example, the client may send information specifying an identification of the event (e.g., event a), signature information s1 of the program, a file name n1, an md5 value m1, a file size b1, and the like to the server. Moreover, the client can combine the information into a data packet, encrypt the data packet, and send the encrypted data packet to the server, which is not described herein again.
In step 403, the server receives the verification information sent by the client.
In step 404, the server determines whether the program corresponding to the specified event is a dangerous program by using the verification information. If so, go to step 405; if not, the processing flow of the program is ended.
In an example, in the embodiment of the present application, the process of determining, by the server, whether the program corresponding to the specified event is a dangerous program by using the verification information may specifically include, but is not limited to, the following manners: the server side judges whether the verification information exists in a program white list library maintained in advance; if not, the server side determines that the program corresponding to the specified event is a dangerous program; if so, the server side determines that the program corresponding to the specified event is not a dangerous program. The server maintains a program white list library in advance, and the program white list library records the authorized verification information of the program capable of inquiring the user information.
In another example, in the embodiment of the present application, the process of determining, by the server, whether the program corresponding to the specified event is a dangerous program by using the verification information may specifically include, but is not limited to, the following manners: the server side judges whether the currently received verification information contains signature information; if not, the server side determines that the program corresponding to the specified event is a dangerous program; if so, the server side judges whether the signature information contained in the verification information is contained in a program white list library or not; if the signature information is not contained in the program white list library, the server side determines that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, the server side determines that the program corresponding to the specified event is not a dangerous program.
In the embodiment of the application, after the server determines that the program corresponding to the specified event is not a dangerous program, the server can also judge whether other information except the signature information in the verification information is completely contained in the program white list library; if not, the server stores the information of the information aggregation platform into the monitoring list. Further, the server can judge whether a user information leakage event occurs in the information aggregation platform in the monitoring list; if so, the program corresponding to the specified event is determined to be a dangerous program.
Step 404 is described in detail below with reference to an example. In this example, the verification information may include signature information s1, a file name n1, an md5 value m1, a file size b1, and so on. The verification information recorded in the program white list library for authorized programs that may query user information (that is, all authorized third-party programs or plug-ins permitted to access the query interface) comprises: a set of signature information S, a set of file names N, a set of md5 values M, a set of file sizes B, and so on.
In the embodiment of the application, the risk level of the program can be judged according to the characteristics of the program (such as verification information such as signature information). In this example, the program corresponding to the designated event may be divided into four risk levels, and when the program is a first risk level or a second risk level, it indicates that the program is a dangerous program, and when the program is a third risk level or a fourth risk level, it indicates that the program is not a dangerous program.
If the currently received verification information does not include the signature information s1(s1 is NULL), the server directly determines that the program is a dangerous program and that the program is at the first risk level (i.e., the highest risk level).
If the verification information includes the signature information s1, but s1 is not included in the program white list library (s1 ∉ S), the server determines that the program is a dangerous program and that the program is at the second risk level.
If the verification information includes the signature information s1 and s1 is included in the program white list library (s1 ∈ S), the server determines that the program is not a dangerous program and goes on to compare the file name n1, the md5 value m1 and the file size b1 against the program white list library. If any one or more of them is not contained in the program white list library (n1 ∉ N, or m1 ∉ M, or b1 ∉ B), the server determines that the program is at the third risk level and stores the information (such as the identifier) of the information aggregation platform into the monitoring list.
If the file name n1, the md5 value m1 and the file size b1 are all contained in the program white list library (s1 ∈ S, n1 ∈ N, m1 ∈ M and b1 ∈ B), the server determines that the program is at the fourth risk level (the lowest risk level), and the program is not necessarily a Trojan program.
The programs for the first and second risk levels may also be stored in a risk repository.
For a program at the third risk level, the server may additionally check whether the information aggregation platform in the monitoring list has suffered a user information leakage event (for example, by periodically querying whether such an event has occurred, or, when a user information leakage event occurs on some information aggregation platform, by checking whether that platform is in the monitoring list). If it has, the server determines that the corresponding program is a dangerous program and assigns it the first or second risk level; if not, the server determines that the corresponding program is not a dangerous program and it remains at the third risk level. A user report that the information aggregation platform has leaked user information indicates that a user information leakage event has occurred on that platform.
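The four-level classification of step 404, the monitoring list and the leak-triggered escalation, written out as an added Python example (not code from the patent): the white list sets S, N, M, B and the sample values are constructed, and escalating a monitored program to the second risk level on a leak report is an assumption, since the text allows either the first or the second level.

```python
"""Server-side risk classification of the program behind a specified event.

Added illustration of the scheme described in step 404; not the patent's code.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Risk levels as defined in the text: 1 and 2 are "dangerous", 3 and 4 are not.
FIRST, SECOND, THIRD, FOURTH = 1, 2, 3, 4


@dataclass(frozen=True)
class VerificationInfo:
    """Verification information the client reports for the program (s1, n1, m1, b1)."""
    signature: Optional[str]   # None models "s1 is NULL" (an unsigned program)
    file_name: str
    md5: str
    file_size: int


@dataclass
class Whitelist:
    """Program white list library: the sets S, N, M and B of the worked example."""
    signatures: set[str]
    file_names: set[str]
    md5s: set[str]
    file_sizes: set[int]


@dataclass
class Server:
    whitelist: Whitelist
    # platform identifier -> verification info of the third-level program seen there
    monitoring_list: dict[str, VerificationInfo] = field(default_factory=dict)
    # (platform, info, level) for programs judged dangerous (first/second level)
    risk_repository: list[tuple[str, VerificationInfo, int]] = field(default_factory=list)

    def classify(self, platform_id: str, info: VerificationInfo) -> int:
        """Return the risk level (1..4) and update monitoring list / risk repository."""
        wl = self.whitelist
        if info.signature is None:                      # s1 is NULL
            level = FIRST
        elif info.signature not in wl.signatures:       # s1 not in S
            level = SECOND
        elif (info.file_name not in wl.file_names       # n1 not in N, or
              or info.md5 not in wl.md5s                # m1 not in M, or
              or info.file_size not in wl.file_sizes):  # b1 not in B
            level = THIRD
            self.monitoring_list[platform_id] = info
        else:                                           # all of s1, n1, m1, b1 whitelisted
            level = FOURTH
        if self.is_dangerous(level):
            self.risk_repository.append((platform_id, info, level))
        return level

    @staticmethod
    def is_dangerous(level: int) -> bool:
        """True for the levels that trigger the program report command (step 405)."""
        return level in (FIRST, SECOND)

    def report_leak(self, platform_id: str) -> Optional[int]:
        """A user information leakage event was reported for platform_id.

        If the platform is in the monitoring list, its third-level program becomes
        dangerous. Assumption: we assign the second level (text: first or second).
        Returns the new level, or None if the platform was not being monitored.
        """
        info = self.monitoring_list.pop(platform_id, None)
        if info is None:
            return None
        self.risk_repository.append((platform_id, info, SECOND))
        return SECOND


def md5_of(data: bytes) -> str:
    """The md5 value the client would report for the program file (constructed helper)."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    # Constructed white list: one authorised plug-in signed by "s_vendor".
    wl = Whitelist({"s_vendor"}, {"plugin.exe"}, {md5_of(b"authorised build")}, {4096})
    srv = Server(wl)
    # A signed but modified copy of the plug-in: third level, platform goes on watch.
    print(srv.classify("shop-3", VerificationInfo("s_vendor", "plugin.exe", md5_of(b"patched"), 4096)))
    # Later, a leak is reported for that platform: the program is escalated.
    print(srv.report_leak("shop-3"), srv.risk_repository)
```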
Step 405, the server sends a program report command to the client.
The program reporting command is used for instructing the client to report the program corresponding to the specified event.
Step 406, the client sends the program corresponding to the specified event to the server according to the received program reporting command. On receiving the program reporting command, the client parses from it the information identifying the program corresponding to the specified event and sends that program to the server.
Step 407, the server receives the program corresponding to the specified event sent by the client.
In step 408, the server detects whether the program is a trojan horse program.
After receiving the program, the server may hand it to an analyst (a so-called white hat), who analyses whether the program is a Trojan program and returns the result to the server; in this way the server detects whether the program is a Trojan program.
After the server detects that the program is a Trojan program, the Trojan characteristics of the program are analysed, and the Trojan program is scanned for and removed across the whole network based on those characteristics, so that it is deleted in time.
Based on the above technical scheme, in the embodiment of the application the client deployed on the information aggregation platform monitors the specified event and sends the verification information of the program corresponding to the specified event to the server; the server uses the verification information to judge whether that program is a dangerous program; when it is, the client sends the program to the server, and the server detects whether it is a Trojan program. In this way, an information-leaking Trojan program can be located by technical means as soon as it has invaded the information aggregation platform, shortening the discovery and response time, so that the Trojan program can be quickly alerted on and located, scanned for and removed across the whole network before it spreads widely, and the economic loss caused by leakage of user information is effectively reduced.
Based on the same application concept as the method, the embodiment of the application also provides a detection device of the Trojan horse program, which is applied to the client. The detection device of the Trojan horse program can be realized by software, and also can be realized by hardware or a combination of the hardware and the software. A logical device, implemented in software for example, is formed by reading corresponding computer program instructions in a non-volatile memory by a processor of a client in which the logical device is located. In terms of hardware, as shown in fig. 5, a hardware structure diagram of a client where a detection apparatus of a trojan program provided by the present application is located is shown, except for the processor and the nonvolatile memory shown in fig. 5, the client may further include other hardware, such as a forwarding chip, a network interface, and a memory, which are responsible for processing a packet; from the hardware structure, the client may also be a distributed device, and may include a plurality of interface cards, so as to perform the extension of message processing at the hardware level.
As shown in fig. 6, a structure diagram of a detection apparatus for a trojan program proposed in the present application is provided, where the detection apparatus for the trojan program is applied to a client, and the detection apparatus for the trojan program specifically includes:
the determining module 11 is configured to monitor that a specified event occurs on the information aggregation platform;
the information sending module 12 is configured to send verification information of the program corresponding to the specified event to the server, so that the server determines whether the program corresponding to the specified event is a dangerous program by using the verification information;
and a program sending module 13, configured to send the program corresponding to the specified event to the server according to the received program reporting command, so that the server detects whether the program is a trojan horse program.
The determining module 11 is specifically configured to, in the process of monitoring that a specified event occurs on the information aggregation platform, determine that the specified event occurs on the information aggregation platform when it is monitored that the information aggregation platform queries the user information.
The determining module 11 is specifically configured to, in the process of monitoring that the information aggregation platform queries the user information, inject a dynamic link library dll into each process of the information aggregation platform, where the dll is configured to monitor whether the process has a behaviour of querying the user information through a query interface provided by the e-commerce platform; when the dll observes a process querying user information through the query interface, the information aggregation platform is detected to be querying the user information through the query interface;
the query interface comprises a Uniform Resource Locator (URL) interface or an Application Programming Interface (API).
In this embodiment of the application, the verification information includes one or any combination of the following: signature information, file name, md5 value, file size.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Based on the same application concept as the method, the embodiment of the application also provides a detection device of the Trojan horse program, which is applied to the server. The detection device of the Trojan horse program can be realized by software, and also can be realized by hardware or a combination of the hardware and the software. Taking a software implementation as an example, a device in a logical sense is formed by reading corresponding computer program instructions in a nonvolatile memory through a processor of a service end where the device is located. From a hardware aspect, as shown in fig. 7, for a hardware structure diagram of a service end where a detection device of a trojan program provided by the present application is located, in addition to the processor and the nonvolatile memory shown in fig. 7, the service end may further include other hardware, such as a forwarding chip, a network interface, and a memory, which are responsible for processing a packet; in terms of hardware structure, the server may also be a distributed device, and may include multiple interface cards, so as to perform an extension of message processing on a hardware level.
As shown in fig. 8, a structure diagram of a detection apparatus for a trojan program proposed in the present application is shown, where the detection apparatus for the trojan program is applied to a server, and the detection apparatus for the trojan program specifically includes:
the information receiving module 21 is configured to receive verification information sent by a client, where the verification information is verification information of a program corresponding to a specified event sent when the client monitors that the specified event occurs on an information aggregation platform;
the judging module 22 is configured to judge whether the program corresponding to the specified event is a dangerous program by using the verification information;
a sending module 23, configured to send a program reporting command to the client when the determination result is yes;
a program receiving module 24, configured to receive a program corresponding to the specified event sent by the client;
and the detection module 25 is configured to detect whether the program is a trojan horse program.
The judging module 22 is specifically configured to, in the process of judging whether the program corresponding to the specified event is a dangerous program by using the verification information, judge whether the verification information exists in a program white list library maintained in advance; if not, determining that the program corresponding to the specified event is a dangerous program; if so, determining that the program corresponding to the specified event is not a dangerous program;
a program white list library is maintained in advance on the server, and the program white list library records the authorized verification information of the program capable of inquiring the user information.
In this embodiment of the application, the verification information includes one or any combination of the following: signature information, file name, md5 value, file size.
The determining module 22 is specifically configured to determine whether the currently received verification information includes signature information in the process of determining whether the program corresponding to the specified event is a dangerous program by using the verification information; if not, determining that the program corresponding to the specified event is a dangerous program; if yes, judging whether the signature information is contained in a program white list library; if the signature information is not contained in the program white list library, determining that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, determining that the program corresponding to the specified event is not a dangerous program.
The judging module 22 is further configured to, after determining that the program corresponding to the specified event is not a dangerous program, judge whether information other than the signature information in the verification information is completely contained in the program white list library; if not, storing the information of the information aggregation platform into a monitoring list;
judging whether a user information leakage event occurs in the information aggregation platform in the monitoring list; and if so, determining that the program corresponding to the specified event is a dangerous program.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present application may be essentially or partially implemented in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present application. Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present application.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules. The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The disclosure of the present application is only a few specific embodiments, but the present application is not limited to these, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (18)

1. A method for detecting a trojan horse program, the method comprising the steps of:
the client monitors that a specified event occurs on the information aggregation platform; wherein the specified event comprises an event for inquiring user information through an inquiry interface provided by the e-commerce platform; the information aggregation platform is a seller platform, and the user information is user information of a buyer user;
the client sends verification information of the program corresponding to the specified event to the server, so that the server judges whether the program corresponding to the specified event is a dangerous program or not by using the verification information;
and the client sends the program corresponding to the specified event to a server according to the received program reporting command so that the server detects whether the program is a Trojan horse program.
2. The method of claim 1,
the client monitors a process of occurrence of a specified event on the information aggregation platform, and specifically includes:
and when the client monitors that the information aggregation platform inquires user information, determining that a specified event occurs on the information aggregation platform.
3. The method of claim 2,
the client monitors the process of the information aggregation platform for inquiring the user information, and specifically comprises the following steps:
the client side injects a dynamic link library dll into each process of the information aggregation platform, and the dll is used for monitoring whether the process has a behavior of inquiring user information through an inquiry interface provided by the e-commerce platform; when the dll monitors that a process inquires user information through the inquiry interface, the information aggregation platform is monitored to inquire the user information through the inquiry interface;
the query interface comprises a Uniform Resource Locator (URL) interface or an Application Programming Interface (API).
4. The method of claim 1, wherein the verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
5. A method for detecting a trojan horse program, the method comprising the steps of:
the server receives verification information sent by the client, wherein the verification information is the verification information of a program corresponding to a specified event sent when the client monitors that the specified event occurs on the information aggregation platform; wherein the specified event comprises an event for inquiring user information through an inquiry interface provided by the e-commerce platform; the information aggregation platform is a seller platform, and the user information is user information of a buyer user;
the server judges whether the program corresponding to the specified event is a dangerous program or not by using the verification information; if yes, the server side sends a program reporting command to the client side;
the server receives a program corresponding to the specified event sent by the client;
and the server detects whether the program is a Trojan horse program.
6. The method according to claim 5, wherein the step of the server side determining whether the program corresponding to the specified event is a dangerous program by using the verification information specifically includes:
the server side judges whether the verification information exists in a program white list library maintained in advance;
if not, the server side determines that the program corresponding to the specified event is a dangerous program;
if so, the server side determines that the program corresponding to the specified event is not a dangerous program;
a program white list library is maintained in advance on the server, and the program white list library records the authorized verification information of the program capable of inquiring the user information.
7. The method according to claim 5 or 6, wherein the verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
8. The method according to claim 6, wherein the step of the server side determining whether the program corresponding to the specified event is a dangerous program by using the verification information specifically includes:
the server side judges whether the currently received verification information contains signature information;
if not, the server side determines that the program corresponding to the specified event is a dangerous program;
if so, the server side judges whether the signature information is contained in a program white list library;
if the signature information is not contained in the program white list library, the server side determines that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, the server side determines that the program corresponding to the specified event is not a dangerous program.
9. The method according to claim 8, wherein after the server determines that the program corresponding to the specified event is not a dangerous program, the method further comprises:
the server side judges whether the information in the verification information other than the signature information is completely contained in the program white list library; if not, the server side stores the information of the information aggregation platform in a monitoring list; the server side judges whether a user information leakage event occurs on an information aggregation platform in the monitoring list; and if so, the server side determines that the program corresponding to the specified event is a dangerous program.
10. A detection device for a Trojan horse program, applied to a client, specifically comprising:
a determining module configured to monitor that a specified event occurs on the information aggregation platform; wherein the specified event comprises an event of querying user information through a query interface provided by the e-commerce platform; the information aggregation platform is a seller platform, and the user information is user information of a buyer user;
the information sending module is used for sending the verification information of the program corresponding to the specified event to the server so that the server judges whether the program corresponding to the specified event is a dangerous program or not by using the verification information;
and the program sending module is used for sending the program corresponding to the specified event to the server according to the received program reporting command so as to enable the server to detect whether the program is a Trojan horse program.
11. The apparatus of claim 10,
the determining module is specifically configured, in the process of monitoring whether the specified event occurs on the information aggregation platform, to determine that the specified event occurs when the information aggregation platform is monitored querying user information.
12. The apparatus of claim 11,
the determining module is specifically configured, in the process of monitoring the information aggregation platform for queries of user information, to inject a dynamic link library (dll) into each process of the information aggregation platform, wherein the dll monitors whether the process queries user information through the query interface provided by the e-commerce platform; when the dll detects that a process queries user information through the query interface, the information aggregation platform is determined to have queried the user information through the query interface;
the query interface comprises a Uniform Resource Locator (URL) interface or an Application Programming Interface (API).
13. The apparatus of claim 10, wherein the verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
14. A detection device for a Trojan horse program, applied to a server, specifically comprising:
an information receiving module configured to receive verification information sent by a client, wherein the verification information is the verification information of a program corresponding to a specified event, sent when the client monitors that the specified event occurs on an information aggregation platform; wherein the specified event comprises an event of querying user information through a query interface provided by the e-commerce platform; the information aggregation platform is a seller platform, and the user information is user information of a buyer user;
the judging module is used for judging whether the program corresponding to the specified event is a dangerous program or not by utilizing the verification information;
the sending module is used for sending a program reporting command to the client when the judgment result is yes;
the program receiving module is used for receiving a program corresponding to the specified event sent by the client;
and the detection module is used for detecting whether the program is a Trojan horse program.
15. The apparatus of claim 14,
the judging module is specifically configured to judge whether the verification information exists in a program white list library maintained in advance in the process of judging whether the program corresponding to the specified event is a dangerous program by using the verification information; if not, determining that the program corresponding to the specified event is a dangerous program; if so, determining that the program corresponding to the specified event is not a dangerous program;
wherein the program white list library is maintained in advance on the server and records the authorized verification information of programs permitted to query the user information.
16. The apparatus according to claim 14 or 15, wherein the verification information comprises one or any combination of the following: signature information, file name, md5 value, file size.
17. The apparatus of claim 15,
the judging module is specifically configured to judge whether the currently received verification information includes signature information in the process of judging whether the program corresponding to the specified event is a dangerous program by using the verification information; if not, determining that the program corresponding to the specified event is a dangerous program; if yes, judging whether the signature information is contained in a program white list library; if the signature information is not contained in the program white list library, determining that the program corresponding to the specified event is a dangerous program; and if the signature information is contained in the program white list library, determining that the program corresponding to the specified event is not a dangerous program.
18. The apparatus of claim 17,
the judging module is further configured to judge whether information other than the signature information in the verification information is completely contained in the program white list library after determining that the program corresponding to the specified event is not a dangerous program; if not, storing the information of the information aggregation platform into a monitoring list;
judging whether a user information leakage event occurs in the information aggregation platform in the monitoring list; and if so, determining that the program corresponding to the specified event is a dangerous program.
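The server-side decision described in method claims 6, 8 and 9 and repeated in apparatus claims 15, 17 and 18 can be read as a small state machine: no signature means dangerous, an unknown signature means dangerous, a known signature with fully matching file name, md5 value and file size means not dangerous, and a known signature with drifted remaining fields puts the seller platform on a monitoring list, where a later user information leakage event turns the verdict into dangerous. The following is an added example in that shape; it is not code from the patent or from the applicant. The whitelist layout (one attribute set per signature), the field names, the platform identifiers, the `REPORT_PROGRAM` command name and the sample programs are all constructed here, and "completely contained in the program white list library" is interpreted as "every remaining field matches some authorized entry recorded for that signature".

```python
"""Added example of the whitelist screening logic of claims 6, 8 and 9.
Not the patent's own code; whitelist contents, field names, platform ids
and the REPORT_PROGRAM command name are constructed for illustration."""
from __future__ import annotations

import hashlib
from enum import Enum
from typing import Iterable


class Verdict(Enum):
    DANGEROUS = "dangerous"          # claim 5: triggers the program reporting command
    NOT_DANGEROUS = "not_dangerous"
    MONITORING = "monitoring"        # claim 9: signature trusted, other fields drifted


def build_verification_info(file_name: str, content: bytes, signature: str | None) -> dict:
    """Client side: the verification information of claim 7 for the program
    behind the specified event (signature, file name, md5 value, file size)."""
    return {
        "signature": signature,
        "file_name": file_name,
        "md5": hashlib.md5(content).hexdigest(),
        "file_size": len(content),
    }


class ScreeningServer:
    """Holds the pre-maintained program white list library and the monitoring list."""

    def __init__(self, whitelist: Iterable[dict]):
        # signature -> list of authorized attribute sets recorded for that signature
        self.whitelist: dict[str, list[dict]] = {}
        for entry in whitelist:
            rest = {k: v for k, v in entry.items() if k != "signature"}
            self.whitelist.setdefault(entry["signature"], []).append(rest)
        self.monitoring_list: set[str] = set()

    def judge(self, platform_id: str, info: dict) -> Verdict:
        """Claims 8 and 9: check the signature first, then the remaining fields."""
        signature = info.get("signature")
        if not signature:                      # no signature at all -> dangerous
            return Verdict.DANGEROUS
        candidates = self.whitelist.get(signature)
        if not candidates:                     # signature not in the library -> dangerous
            return Verdict.DANGEROUS
        # Claim 9: are file name, md5 value and file size all recorded for this
        # signature? If not, the seller platform goes on the monitoring list.
        others = {k: v for k, v in info.items() if k != "signature" and v is not None}
        if any(all(c.get(k) == v for k, v in others.items()) for c in candidates):
            return Verdict.NOT_DANGEROUS
        self.monitoring_list.add(platform_id)
        return Verdict.MONITORING

    def on_leakage_event(self, platform_id: str) -> Verdict | None:
        """Claim 9, second half: a user information leakage event on a platform in
        the monitoring list makes the earlier program dangerous after all."""
        return Verdict.DANGEROUS if platform_id in self.monitoring_list else None

    @staticmethod
    def next_command(verdict: Verdict) -> str | None:
        """Claim 5: only a dangerous verdict makes the server request the program."""
        return "REPORT_PROGRAM" if verdict is Verdict.DANGEROUS else None


# Constructed sample data: one authorized seller tool recorded in the library.
AUTHORIZED_TOOL = b"constructed seller tool build 1"
WHITELIST = [
    {"signature": "SIG-SELLER-TOOL", "file_name": "sellertool.exe",
     "md5": hashlib.md5(AUTHORIZED_TOOL).hexdigest(), "file_size": len(AUTHORIZED_TOOL)},
]


def demo() -> tuple[ScreeningServer, tuple]:
    """Walk the four outcomes of the claims on constructed reports."""
    server = ScreeningServer(WHITELIST)
    good = build_verification_info("sellertool.exe", AUTHORIZED_TOOL, "SIG-SELLER-TOOL")
    unsigned = build_verification_info("helper.exe", b"unsigned helper", None)
    drifted = build_verification_info("sellertool.exe", b"modified build", "SIG-SELLER-TOOL")
    verdicts = (
        server.judge("seller-001", good),          # NOT_DANGEROUS
        server.judge("seller-002", unsigned),      # DANGEROUS
        server.judge("seller-003", drifted),       # MONITORING
        server.on_leakage_event("seller-003"),     # DANGEROUS once leakage is seen
    )
    return server, verdicts


if __name__ == "__main__":
    for v in demo()[1]:
        print(v, ScreeningServer.next_command(v))
```

The md5 value is kept because claim 7 names it; it serves here as a lookup key into the library alongside the signature, not as proof of file integrity, since MD5 collisions are practical. The monitoring list is the part worth noting operationally: a program that is signed by a trusted key but whose file name, hash or size no longer match what the library recorded is neither trusted nor blocked outright, and the decision is deferred until the platform shows a leakage event.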
CN201610136580.6A 2016-03-10 2016-03-10 Trojan horse program detection method and device Active CN107181719B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610136580.6A CN107181719B (en) 2016-03-10 2016-03-10 Trojan horse program detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610136580.6A CN107181719B (en) 2016-03-10 2016-03-10 Trojan horse program detection method and device

Publications (2)

Publication Number Publication Date
CN107181719A CN107181719A (en) 2017-09-19
CN107181719B true CN107181719B (en) 2021-03-02

Family

ID=59830616

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610136580.6A Active CN107181719B (en) 2016-03-10 2016-03-10 Trojan horse program detection method and device

Country Status (1)

Country Link
CN (1) CN107181719B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234484B (en) * 2017-12-30 2021-01-19 广东世纪网通信设备股份有限公司 Computer readable storage medium for tracing Trojan horse source and Trojan horse source tracing system applying same

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8468604B2 (en) * 2005-08-16 2013-06-18 Emc Corporation Method and system for detecting malware
CN100576942C (en) * 2007-05-11 2009-12-30 华中科技大学 A kind of mobile antifogery method and system thereof based on mobile phone
US20100106611A1 (en) * 2008-10-24 2010-04-29 Uc Group Ltd. Financial transactions systems and methods
CN101854335A (en) * 2009-03-30 2010-10-06 华为技术有限公司 Method, system and network device for filtration
US9349006B2 (en) * 2010-11-29 2016-05-24 Beijing Qihoo Technology Company Limited Method and device for program identification based on machine learning
US9081991B2 (en) * 2011-03-23 2015-07-14 Polytechnic Institute Of New York University Ring oscillator based design-for-trust
CN102664875B (en) * 2012-03-31 2014-12-17 华中科技大学 Malicious code type detection method based on cloud mode
CN104573435A (en) * 2013-10-15 2015-04-29 北京网秦天下科技有限公司 Method for terminal authority management and terminal

Also Published As

Publication number Publication date
CN107181719A (en) 2017-09-19

Similar Documents

Publication Publication Date Title
US12081540B2 (en) Configuring access to a network service based on a security state of a mobile device
US20200366702A1 (en) Individual device response options from the monitoring of multiple devices
US10482260B1 (en) In-line filtering of insecure or unwanted mobile device software components or communications
US9582668B2 (en) Quantifying the risks of applications for mobile devices
US10432662B2 (en) Method and system for blocking malicious third party site tagging
US9753796B2 (en) Distributed monitoring, evaluation, and response for multiple devices
CN113574838A (en) System and method for filtering internet traffic through client fingerprints
CN103368957B (en) Method and system that web page access behavior is processed, client, server
US8578174B2 (en) Event log authentication using secure components
WO2021174870A1 (en) Network security risk inspection method and system, computer device, and storage medium
CN110581835B (en) Vulnerability detection method and device and terminal equipment
WO2017190436A1 (en) Data processing method and apparatus
CN116702110A (en) Method, device, equipment and storage medium for sharing big data of supply chain
US10826901B2 (en) Systems and method for cross-channel device binding
CN107181719B (en) Trojan horse program detection method and device
Mohata et al. Mobile malware detection techniques
US10073975B2 (en) Application integrity verification in multi-tier architectures
CN110704867B (en) Integral anti-theft method, system, medium and device
CN112559825B (en) Service processing method, device, computing equipment and medium
CN117640136A (en) Method, equipment and system for secure circulation and development and utilization of cross-domain data
CN117879926A (en) Webpage login security verification method and device and computer equipment
CN117370176A (en) Application security test method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant