
Research And Analysis Of Encrypted Network Software By Reverse Analysis

Posted on: 2012-08-02
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Dong
GTID: 2178330335959848
Subject: Signal and Information Processing
Abstract/Summary:
With the rapid development and popularization of the Internet, network software has become an increasingly important tool for people to obtain information and communicate. At the same time, however, some encrypted network software has become a major threat to individual, enterprise and even national information security, such as Trojans designed to steal private information from individuals or enterprises, proxy software used to disseminate illegal information, and so on.

The traditional method of analyzing non-encrypted network software is to monitor its communication data and, combined with the characteristics of the software's behavior, guess and verify which specific network behavior corresponds to which specific content. For network software whose communication data is encrypted, however, most of the monitored data is in an unrecognizable format, so it is hard to analyze encrypted network software by the traditional method.

In order to analyze network software effectively, this paper proposes a method for tracking and analyzing encrypted network software by software reverse analysis. It introduces the relevant knowledge and technology of software reverse analysis, and then presents the reverse analysis method from three aspects: initial analysis, encryption algorithm, and communication procedure. Taking the POISON IVY Trojan horse as an example, it then analyzes the program features, encryption algorithm and communication procedure in detail.

The reverse analysis of encrypted network software focuses on the encryption algorithm and the communication procedure: analysis of the encryption algorithm makes it possible to decrypt captured packets, and analysis of the communication procedure makes it possible to interpret the decrypted packets correctly.

This paper makes a detailed analysis of the SIMPLE_CAMELLIA encryption algorithm used by the POISON IVY Trojan and completes the reconstruction, verification and cracking of this algorithm. On the basis of that result, it analyzes the Trojan's communication command format and the process of receiving commands, handling them and sending back results, completing the reconstruction and verification of the POISON IVY Trojan's communication procedure. Based on the reverse analysis of the POISON IVY Trojan, this paper verifies the feasibility and effectiveness of the reverse analysis method and provides a reference for the analysis of other encrypted network software.
Keywords/Search Tags:Encrypted Communication, Network Software, Reverse Analysis, Disassembly, POISON IVY