
DLL-Based Ferry Trojan Design Method

Posted on: 2013-09-02 | Degree: Master | Type: Thesis
Country: China | Candidate: J F Hu | Full Text: PDF
GTID: 2248330377458620 | Subject: Computer system architecture
Abstract/Summary:
Ferry Trojans mainly target classified local area networks that are isolated from the Internet. They work through USB flash disks, mobile hard disks and other removable storage media, which carry file data between the two networks. The Trojan is implanted through removable storage media, then searches for classified documents in the classified computer network and copies the files it finds onto the removable storage media. Finally, the Trojan sends the classified documents to specified locations on the Internet as soon as the removable storage media is connected to a networked computer. With such a technique, Trojans can penetrate isolated network systems and establish a solid attacking point within, thus paving a clear, safe passage for attack.

This thesis analyzes in detail the chain of behavior of ferry Trojans, including the injection mode, the searching algorithm, detection of removable storage, and sending, which is based on the SMTP protocol. Together these functions make up the complete chain of behavior of a ferry Trojan. To meet the requirement of deep hiding, dynamic link library (DLL) technology is used to design the ferry Trojan: a Trojan DLL replaces a system DLL and rewrites the original functions of the system DLL. The rewritten functions contain not only the original functions but also the ferry Trojan functions, so the Trojan runs as soon as the functions in the DLL are called. Chain scission handling is then applied to the file; furthermore, the location where the system gets a file's name is found through the Virtual Address Descriptor, and the buffer is filled with zeros. This handling ensures that the file will not be enumerated, which achieves the hiding effect. Moreover, a series of "avoidable clean" handling steps, such as adding junk code, adding a shell and changing signatures, is applied to make sure anti-virus software cannot identify the Trojan. In this way, on the basis of achieving the ferry Trojan function, this thesis also achieves deep hiding and improves the survival rate of the Trojan.

The author establishes a simulation network with resources from the laboratory and equips every host computer with a mainstream safeguarding system or antivirus software to test the capability of ferry Trojans in stealing information. Repeated testing on different hosts, as well as with different settings of the same anti-virus software or protection system, verified the validity of the ferry Trojan design method of this thesis. The experiment shows that antivirus software cannot find the Trojan when it is not running. After it runs, a small number of anti-virus software or protection systems prompt about suspected Trojan functionality, but most antivirus software or protective systems cannot find it, and the Trojan could deliver the information smoothly.
Keywords/Search Tags: DLL, ferry Trojan, hidden Trojan, avoidable clean