CN110855705A - Non-port hidden communication method facing network attack and protection - Google Patents


Info

Publication number: CN110855705A
Authority: CN (China)
Prior art keywords: port, communication, file, socket, control agent
Legal status: Pending
Application number: CN201911160410.1A
Other languages: Chinese (zh)
Inventors: 陈剑, 刘玮瑶, 朱赟, 王军, 袁桂平
Current assignee: Gannan Normal University
Original assignee: Gannan Normal University
Priority date: 2019-11-23
Filing date: 2019-11-23
Publication date: 2020-02-28
Application filed by Gannan Normal University
Priority to CN201911160410.1A
Publication of CN110855705A

Classifications

    • H (Electricity) › H04 (Electric communication technique) › H04L (Transmission of digital information, e.g. telegraphic communication) › H04L63/00 (Network architectures or network communication protocols for network security) › H04L63/04 (Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks) › H04L63/0407 (Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden)
    • H (Electricity) › H04 (Electric communication technique) › H04L (Transmission of digital information, e.g. telegraphic communication) › H04L63/00 (Network architectures or network communication protocols for network security) › H04L63/16 (Implementing security features at a particular protocol layer) › H04L63/166 (Implementing security features at a particular protocol layer at the transport layer)

Abstract

The invention discloses a non-port covert communication method oriented to network attack and defense. It summarizes the development of covert communication technology, compares the advantages and disadvantages of the various covert communication techniques, and, in view of the defects of each hiding technique, proposes a novel covert communication mechanism. The key technologies of the mechanism are explained in detail, a non-port Trojan horse is implemented on the basis of the mechanism, its framework structure is given, and finally the technical advantages and extensibility of the mechanism are analyzed and compared, showing that a non-port Trojan horse based on this mechanism has very good concealment and anti-virus evasion (免杀) capability.

Description

Non-port hidden communication method facing network attack and protection
Technical Field
The invention belongs to the technical field of communication, and in particular relates to the application of a non-port covert communication mechanism, a non-port Trojan horse, and the like.
Background
The covert communication techniques most widely applied today belong mainly to the hacker field, such as Trojan horses and viruses, and also include some remote monitoring software. Originally, covert communication was not needed, but as network security received more and more attention and firewalls and intrusion detection systems were developed one after another, Trojan horses, viruses and other programs with simple communication mechanisms could no longer survive, and covert communication technology gradually developed. A brief discussion of its evolution follows.
(1) Listening port
In this mode the controlled end binds and listens on a port, waiting for a connection from the control end. This is the original communication mode; it has no concealment effect and is not counted as a covert communication technique. It is also the mode first used by Trojan horses, designed for the case where the control end has no fixed IP and needs to control many target machines. Examples include Glacier (冰河).
Advantages: the control end does not need a fixed IP address, so the controlled end cannot track the control end and the control end is not easy to find; the control end can selectively establish connections with particular controlled ends.
Disadvantages: many firewalls now restrict untrusted programs from opening ports; if the controlled end is in a NAT environment, the connection request cannot reach it.
(2) Reverse connection
In this mode the controlled end does not listen on a port but actively initiates a connection request to the control end. It was developed on the basis of the 'listening port' technique in order to break the firewall restriction that forbids untrusted programs from opening ports. Examples include Guangwai Girl (广外女生).
Advantages: some firewalls do not restrict connections that are actively initiated outward, so they can be penetrated; the controlled end can still be used normally when it is in a NAT environment.
Disadvantages: if the control end is offline, the control agent must keep trying to initiate connection requests to it, and these requests are easy to discover; a fixed control end address must be set in the control agent, so the control agent is easy to track and discover; if the control end is in a NAT environment it cannot be used normally; some firewalls now restrict outbound connections that untrusted programs actively initiate.
(3) Parasitic in trusted processes + reverse connection
In this mode the control agent thread is hosted inside a trusted process (e.g., IE), exploiting the rule that the firewall does not block a trusted process from opening ports, so ports can be used freely. Examples include Gray Pigeon (灰鸽子).
Advantages: most firewalls can be penetrated; because there is no independent control agent process, concealment is further improved; plus the advantages of reverse connection.
Disadvantages: although there is no independent control agent process, the control agent still resides in the trusted process, and a trusted process behaving unlawfully easily arouses the user's suspicion; plus the other disadvantages of reverse connection.
(4) RAW_SOCKET listening + reverse connection
In this mode no port is opened normally; only one RAW_SOCKET is created for monitoring, and when the agreed message is observed the controlled end actively connects to the control end. Examples include NameLess BackDoor.
Advantages: no port is open normally, so suspicion is not easily aroused and concealment is further improved compared with reverse connection; plus the advantages of reverse connection.
Disadvantages: a RAW_SOCKET is created during monitoring, and the control agent process can easily be found with tools such as IceSword (冰刃); a new port still has to be opened during communication, which easily arouses the user's suspicion; plus the other disadvantages of reverse connection.
(5) Reuse of a system port
This method monitors a TCP port the system has already opened, and when the agreed message is observed it uses the established TCP connection to communicate with the control end. Examples include Hacker's Door (黑客之门). It is currently a very covert and effective technique, and works very well when combined with parasitizing a trusted process. However, the technique has not been disclosed; the author of Hacker's Door only mentions reusing the system port without giving details.
Advantages: no new port is opened before or during communication, and the system port can be used to pass through the firewall easily.
Disadvantages: the controlled end cannot actively initiate a connection to the control end, so it cannot be used normally in a NAT environment. During communication two RAW_SOCKETs are created; although the technical details are not known, the whereabouts of the control agent are still exposed and it can still be found easily with tools such as IceSword.
(6) With the development of network attack and defense technology, covert communication technology has become more and more complete and its concealment stronger and stronger: from listening port to reverse connection, to RAW_SOCKET monitoring, and then to system port reuse, and from opening a TCP port to not opening one, the goal being to leave as little as possible for the user or security software to perceive. However, all of the above techniques leave traces to some degree, which can still be found easily if the user is somewhat security conscious or examines carefully.
Disclosure of Invention
In view of the fact that prior-art techniques for hiding the TCP port of a communication channel, such as creating a RAW_SOCKET, easily leave traces, this section proposes a non-port covert communication method oriented to network attack and defense. The mechanism resolves these defects well; it has been applied in practice, a port-less Trojan horse has been designed and implemented, and good experimental results have been obtained through testing and analysis.
To achieve the above object, the whole work is divided into two stages: the key technology of the non-port covert communication mechanism, and the design and implementation of a non-port Trojan horse using that technology.
1. Key technology of non-port concealed communication mechanism
After the control agent runs, it does not directly participate in communication. Instead it injects a control agent thread (consisting mainly of the code responsible for communicating with the control end) into another normal process (the host process), after which the control agent is destroyed. The control agent thread in the host process opens no port and creates no new socket; it searches for sockets already created in the host process. If the peer port of a connected socket (TCP type) is the agreed port (for example 8888), or agreed data is received, the peer is judged to be a trusted control end, the address information of the control end is obtained from the connection or the data packet, the communication code of the control agent thread starts working, and that socket together with the obtained address information is used to communicate with the control end.
Therefore, with this mode no new port is generated and no new socket is created during communication, so concealment is very high; meanwhile the control agent thread runs inside a host process trusted by the user and the firewall, which achieves process hiding and makes it hard to find. The non-port covert communication mechanism framework is shown in fig. 1.
2. Design and realization of non-port trojan horse by using non-port covert communication technology
At present, covert communication techniques are commonly used in Trojan horses, so the non-port covert communication technique is applied in practice with the following design:
(1) Design of the Trojan end
Using the non-port covert communication technique, various non-port Trojans can be designed according to socket type, authentication mode, function to be completed, and so on. The design scheme here is as follows.
Function to be completed: the control agent obtains the password file of the controlled end machine. The Windows system generally does not allow a process to access the password file SAM, but Windows usually places a backup of the SAM under the %windows root%\repair directory, and that file can be accessed freely; we take this file as the example and transmit it.
Socket type: TCP, to guarantee reliable transmission of the file.
Authentication method: agreed port. The method is simple and easy to implement; although its security is poor, the non-port Trojan is only used for testing, and the security requirement is not high. In actual use a more secure authentication method can be used.
Design details: using the non-port covert communication technique, the code responsible for communicating with the control end is injected into a process (host process) that has opened a TCP port; the established TCP connections in the host process are searched, and if a connection's peer port is the agreed port 8888, the password file backed up under %windows root%\repair is opened and its contents are transmitted to the control end over that established TCP connection.
The control end is designed with few functions and is also simple: it initiates a connection to a TCP port of the controlled end, then waits for the agent thread to transmit the SAM file contents and stores them in a local file. A block diagram of the non-port Trojan implementation is shown in fig. 2.
(2) Realization stage of non-port Trojan horse
To achieve better results, the Trojan end of the non-port Trojan is implemented entirely in assembly language. According to the design diagram in section 2.2, the work flow chart of the non-port Trojan is shown in fig. 2, and the work flow chart of the control end is shown in fig. 3.
Drawings
FIG. 1 is the non-port covert communication mechanism framework;
FIG. 2 is the work flow chart of the non-port Trojan horse;
FIG. 3 is the work flow chart of the control end;
FIG. 4 is a least squares fit of the covert communication success rate;
FIG. 5 shows the packet loss rate test of the covert communication software over a UDP port.
Detailed Description
The invention is further described with reference to the accompanying drawings and examples.
Fig. 1 is the non-port covert communication mechanism framework. After the control agent runs, it does not directly participate in communication. Instead it injects a control agent thread (consisting mainly of the code responsible for communicating with the control end) into another normal process (the host process), after which the control agent is destroyed. The control agent thread in the host process opens no port and creates no new socket; it searches for sockets already created in the host process. If the peer port of a connected socket (TCP type) is the agreed port (for example 8888), or agreed data is received, the peer is judged to be a trusted control end, the address information of the control end is obtained from the connection or the data packet, the communication code of the control agent thread starts working, and that socket together with the obtained address information is used to communicate with the control end.
Fig. 2 is the work flow chart of the designed non-port Trojan. The SAM backup file of the controlled end machine is obtained through the control agent; to guarantee reliable file transfer, TCP is chosen for communication, and agreed-port authentication is used as the authentication mode. The code responsible for communicating with the control end is injected into a process (host process) that has opened a TCP port, the established TCP connections in the host process are searched, and if a peer port is the agreed port 8888, the password file backed up under %windows root%\repair is opened and its contents are transmitted to the control end over that established TCP connection.
Fig. 3 shows the control end work flow chart. After the control end creates the connection file, it initiates a connection to a TCP port of the controlled end, then waits for the agent thread to transmit the SAM file contents and stores them in a local file.
Fig. 4 shows the result of least squares fitting of the covert communication success rate. To test the performance of the non-port covert communication technique, a non-port Trojan was designed and implemented, and several communication indicators were set as the measure of covert communication completion: whether the Trojan successfully injects its thread, whether the control end connects to the controlled end, whether the file is successfully transmitted to the control end, and whether the agent thread is discovered. When all indicators are met, the event is counted as a successful covert communication. For the test, the controlled end was placed in a NAT network environment and 100 simulated covert communication tests were carried out; the statistics obtained were fitted by least squares, and the result shows that the covert communication success rate is distributed approximately between 0.8 and 0.9, indicating that the Trojan implemented with the non-port covert communication mechanism has extremely high concealment and anti-virus evasion capability.
Fig. 5 demonstrates the feasibility of non-port covert communication in practical applications. Windows systems often have more open UDP ports, which are easy to use, and since UDP has no connection state, better concealment can be achieved, so UDP ports can be fully exploited. For transfers that do not involve large amounts of data, where only a few brief instructions are transferred, UDP ports are sufficient. Here we verify feasibility by experimentally testing the packet loss rate of non-port covert communication over a UDP port; the experimental results are shown in table 1.
The concealment of this non-port covert communication mechanism was tested further. The lengths of the covert communication traffic packets were counted by testing a covert communication HTTP session with the Trojan program mentioned above. The experimental results are shown in table 1: the lengths of the data packets are mainly distributed in the range of 691 to 1094 bytes; such data packets are too large and are easily detected as abnormal traffic in the network. To reduce the probability of being detected as abnormal traffic while preserving the transmission efficiency of covert communication, reducing the redundancy of the control protocol is considered as a way to improve the concealment of communication.
TABLE 1 (image only; no data reproduced on the page)
The non-port covert communication mechanism has so far been implemented on Windows 2000 SP4 and Windows XP SP2 platforms and has passed testing. Experiments show that the Trojan implemented with this mechanism has extremely strong concealment and anti-virus evasion capability. The mechanism is mainly characterized by using existing resources and generating no redundant information, and it is a great advance in concealment and extensibility; network protection technology can currently identify this covert communication mechanism simply and easily; the mechanism can be applied in many fields, particularly network security fields such as secret communication, firewall-traversing communication and Trojan horse communication, and its application prospects are broad.
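As an added, defender-side illustration (not code from the patent or its authors), the following Python script looks for the two side effects the mechanism above still leaves even though no new port or socket appears: an accepted connection on a trusted server's listening port whose client source port is the agreed port (8888 here) or otherwise not an ephemeral port, and a server-to-client byte count far above what that service normally sends (the SAM backup file leaving over the reused connection). The flow records, process names, field layout and thresholds are constructed assumptions, not any particular tool's output.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One established TCP connection accepted by a local listening socket."""
    proc: str          # process that owns the local socket (the would-be host process)
    local_port: int    # listening port the connection was accepted on
    remote_ip: str
    remote_port: int   # client's source port on the established connection
    bytes_in: int      # client -> server payload bytes
    bytes_out: int     # server -> client payload bytes


# Constructed sample: four ordinary web clients, one RPC client, then the
# patent's scenario (control end connects to port 80 from agreed port 8888 and
# a large file flows back), then a client with an odd but harmless source port.
SAMPLE_FLOWS: List[Flow] = [
    Flow("inetinfo.exe", 80,  "10.0.0.5",     3201, 412,   9300),
    Flow("inetinfo.exe", 80,  "10.0.0.7",     3877, 388,  11000),
    Flow("inetinfo.exe", 80,  "10.0.0.9",     4012, 401,   8700),
    Flow("inetinfo.exe", 80,  "10.0.0.11",    4500, 390,  10200),
    Flow("svchost.exe",  135, "10.0.0.5",     1040, 200,    300),
    Flow("inetinfo.exe", 80,  "203.0.113.20", 8888,  96, 262144),
    Flow("inetinfo.exe", 80,  "198.51.100.4",  443, 300,   9000),
]

AGREED_PORTS = {8888}   # agreed port from the patent text; extend from your own intel
VOLUME_FACTOR = 5.0     # flag when server->client bytes exceed this multiple of the median


def is_ephemeral(port: int) -> bool:
    """Client source ports normally come from the OS ephemeral range:
    1025-5000 on Windows 2000/XP, 49152-65535 on Vista and later."""
    return 1025 <= port <= 5000 or 49152 <= port <= 65535


def baseline_bytes_out(flows: List[Flow]) -> Dict[Tuple[str, int], float]:
    """Median server->client volume per (process, listening port), computed only
    from connections with ordinary ephemeral client ports so that suspects do
    not inflate their own baseline."""
    buckets: Dict[Tuple[str, int], List[int]] = defaultdict(list)
    for f in flows:
        if is_ephemeral(f.remote_port):
            buckets[(f.proc, f.local_port)].append(f.bytes_out)
    return {key: float(median(vals)) for key, vals in buckets.items()}


def flow_reasons(flow: Flow, baseline: Dict[Tuple[str, int], float]) -> List[str]:
    """Return the indicators that fire for one flow (empty list means benign)."""
    reasons: List[str] = []
    if flow.remote_port in AGREED_PORTS:
        reasons.append(f"client source port {flow.remote_port} is a known agreed port")
    elif not is_ephemeral(flow.remote_port):
        reasons.append(f"client source port {flow.remote_port} is outside the ephemeral range")
    typical = baseline.get((flow.proc, flow.local_port))
    if typical and flow.bytes_out > VOLUME_FACTOR * typical:
        reasons.append(
            f"server sent {flow.bytes_out} bytes, {flow.bytes_out / typical:.0f}x "
            f"the median for {flow.proc}:{flow.local_port}"
        )
    return reasons


def find_suspicious(flows: List[Flow]) -> List[Tuple[Flow, List[str], str]]:
    """Score every flow; severity is 'high' when both the port and the volume
    indicator fire, which is the combination the reused-socket pattern produces."""
    baseline = baseline_bytes_out(flows)
    hits: List[Tuple[Flow, List[str], str]] = []
    for f in flows:
        reasons = flow_reasons(f, baseline)
        if reasons:
            hits.append((f, reasons, "high" if len(reasons) > 1 else "low"))
    return hits


if __name__ == "__main__":
    for f, reasons, severity in find_suspicious(SAMPLE_FLOWS):
        print(f"[{severity}] {f.proc}:{f.local_port} <- {f.remote_ip}:{f.remote_port}")
        for r in reasons:
            print("    -", r)
```

Because the injected thread never opens a socket of its own, a connection-table check for new listeners finds nothing; the anomaly is visible only in the peer port and volume of a connection the host process legitimately accepted.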

Claims (3)

1. A non-port covert communication method oriented to network attack and defense, characterized in that a new covert communication mechanism is proposed, the key technology of the communication mechanism is explained, a non-port Trojan horse is implemented based on the mechanism, and the framework structure of the non-port Trojan horse is given.
2. The non-port covert communication method oriented to network attack and defense of claim 1, characterized in that after the control agent (namely the designed non-port Trojan horse) runs, it does not directly participate in communication. Instead it injects a control agent thread (consisting mainly of the code responsible for communicating with the control end) into another normal process (the host process), after which the control agent is destroyed. The control agent thread in the host process opens no port and creates no new socket; it searches for sockets already created in the host process. If the peer port of a connected socket (TCP type) is the agreed port (e.g. 8888), or agreed data is received, the peer is judged to be a trusted control end, the address information of the control end is obtained from the connection or the data packet, the communication code of the control agent thread starts working, and that socket together with the obtained address information is used to communicate with the control end.
Therefore, with this mode no new port is generated and no new socket is created during communication, so concealment is very high; meanwhile the control agent thread runs inside a host process trusted by the user and the firewall, which achieves process hiding and makes it hard to find.
3. The non-port covert communication method oriented to network attack and defense of claim 1, which implements a non-port Trojan horse and gives its framework structure, characterized in that, using the non-port covert communication technique, various non-port Trojans can be designed according to socket type, authentication mode, function to be completed, and so on. Function to be completed: the control agent obtains the password file of the controlled end machine; the Windows system generally does not allow a process to access the password file SAM, but Windows usually places a backup of the SAM under the %windows root%\repair directory, and that file can be accessed freely; this file is taken as the example and transmitted;
socket type: TCP, to guarantee reliable transmission of the file;
authentication method: agreed port; the method is simple and easy to implement, and although its security is poor, the non-port Trojan is only used for testing and the security requirement is not high; in actual use an authentication method with higher security can be used;
design details: using the non-port covert communication technique, the code responsible for communicating with the control end is injected into a process (host process) that has opened a TCP port; the established TCP connections in the host process are searched, and if a connection's peer port is the agreed port 8888, the password file backed up under %windows root%\repair is opened and its contents are transmitted to the control end over that established TCP connection;
the control end initiates a connection to a TCP port of the controlled end, then waits for the agent thread to transmit the SAM file contents and stores them in a local file.

Priority Applications (1)

Application number: CN201911160410.1A; priority date: 2019-11-23; filing date: 2019-11-23; title: Non-port hidden communication method facing network attack and protection; status: Pending

Publications (1)

Publication number: CN110855705A (en); publication date: 2020-02-28

Family

ID: 69603871

Country Status (1)

CN (1): CN110855705A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1770767A (en) * 2005-09-01 2006-05-10 武汉思为同飞网络技术有限公司 System and its method for carrying out TCP application layer protocol package for VPN message
CN101286995A (en) * 2008-05-23 2008-10-15 北京锐安科技有限公司 Long-range control method and system
CN101388061A (en) * 2008-11-05 2009-03-18 山东中创软件工程股份有限公司 Progress protection technology based on Windows system remote thread monitor
CN102394859A (en) * 2011-07-27 2012-03-28 哈尔滨安天科技股份有限公司 Method and system for detecting file stealing Trojan based on thread behavior
US20140325650A1 (en) * 2013-04-26 2014-10-30 Kaspersky Lab Zao Selective assessment of maliciousness of software code executed in the address space of a trusted process
EP3021252A1 (en) * 2014-11-17 2016-05-18 Samsung Electronics Co., Ltd. Method and apparatus for preventing injection-type attack in web-based operating system
CN105897728A (en) * 2016-04-27 2016-08-24 江苏警官学院 Anti-virus system based on SDN (Software Defined Network)
CN107800705A (en) * 2017-11-02 2018-03-13 北京邮电大学 A kind of wooden horse implantation approach based on Information Hiding Techniques
CN109347817A (en) * 2018-10-12 2019-02-15 厦门安胜网络科技有限公司 A kind of method and device that network security redirects
CN109543466A (en) * 2018-10-31 2019-03-29 北京航空航天大学 A kind of hardware Trojan horse menace analysis method based on functional characteristic expansion

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ADMIN: "Design and Implementation of a Process-less, Port-less DLL Trojan" (无进程无端口DLL木马的设计与实现), Docin (豆丁网) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200228