
The Process-oriented Dynamic Analysis Of APT Trojan Behavior

Posted on: 2018-06-19
Degree: Master
Type: Thesis
Country: China
Candidate: P Su
Full Text: PDF
GTID: 2348330515487082
Subject: Computer technology
Abstract/Summary:
Along with the progress of the information age, cyber warfare among countries is staged every day. Advanced Persistent Threat (APT) attacks, which aim to steal information in an organized and premeditated way, have tremendous consequences for the information security of the government and enterprises in China and pose a great challenge to our cyberspace sovereignty. Trojans used in APT attacks are the essential tool of the attack and play an indispensable part in such stages as control, penetration and information theft. In this respect, clarifying the network attack techniques and communication elements of APT Trojan samples is necessary for the promotion of defense capability in cyberspace; this includes research on the startup and hiding technologies of Trojans and dynamic analysis of the execution of Trojan samples to identify malicious behavior both in the host and in the network.

Current research on how Trojans start up rarely involves COM hijacking, a relatively new technique. Most analysis of Trojans focuses on obtaining API sequences by hooking. Two limitations arise with these approaches: one is that hooking destroys the integrity of the sample, which makes the analysis more vulnerable to detection by the Trojan; the other is that some well-designed Trojans invoke system calls directly to implement their functions, so the granularity of API sequences cannot meet the requirements of behavioral analysis of APT Trojans.

This thesis studies APT attack reports released in recent years and thoroughly analyzes how Trojans start via services, registry entries, the autostart application directory, DLL hijacking and COM hijacking, as well as Trojan hiding technologies such as DLL injection, sophisticated memory injection, APC injection and process hollowing. Through analysis of system calls and internal data structures, a research scheme is proposed that describes the Trojans' behavior in the host according to sequence patterns of system calls, and in the network according to network communication logs and communication data.

Based on a deep understanding of the principles and plug-in architecture of the dynamic binary analysis platform PANDA, this thesis constructs an APT Trojan behavior analysis system named Left Eye. It contains seven modules: virtual execution environment, user-interactive web page, server control, key system calls, memory diagnostics, capture of certain network behavior, and capture of domain names. The user-interactive web page module, used for task release and examination of results, is designed to ensure practicability and automation. The server control module, programmed in Python, enables the system to analyze automatically following the task configuration, and provides a means of controlling the QEMU virtual machine and the PANDA plug-ins. The plug-in in the key system calls module, built on PANDA, makes it convenient to obtain the sequence patterns of system calls during the execution of samples. PANDA plug-ins can be invoked automatically to replay the recording and obtain a memory image of the virtual machine at the point of execution (a percentage) the user specifies, and API hook analysis is then performed with the memory forensics tool Volatility, while the network communication data obtained can be analyzed with Wireshark. Moreover, network communication logs can be obtained with the help of the interaction between the Trojans and INetSim, the simulated Trojan communication server.

The Left Eye system has been constructed and put into use. The test results indicate that it accomplishes the analysis process automatically according to the task configuration users submit. It can identify the sample process and its logical subprocesses, capture the concerned sequence patterns of system calls, detect API hooks from snapshots taken during system execution, and obtain network logs and communication data between the sample virtual machine and the simulated Trojan controller. This proves that the system plays a positive role in the analysis of APT Trojan samples.
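As an added illustration of describing host behavior by sequence patterns of system calls per process (example code, not from the thesis or the Left Eye system): a small Python matcher run over a constructed trace. The pattern lists are simplified, hypothetical detection heuristics for two of the hiding techniques named above, and the "<pid> <syscall>" trace format is an assumption.

```python
"""Sequence-pattern matching over a per-process system-call trace (added example)."""
from typing import Dict, List, Tuple

# Hypothetical, simplified patterns: ordered subsequences of key system calls for two
# hiding techniques named in the abstract. Not the thesis's own rules; a real detector
# would also check handles, target process and timing.
PATTERNS: Dict[str, List[str]] = {
    "process_hollowing": ["NtCreateUserProcess", "NtUnmapViewOfSection",
                          "NtWriteVirtualMemory", "NtSetContextThread",
                          "NtResumeThread"],
    "apc_injection": ["NtOpenProcess", "NtAllocateVirtualMemory",
                      "NtWriteVirtualMemory", "NtQueueApcThread"],
}

# Constructed trace, one "<pid> <syscall>" per line (not output of a real sample).
TRACE = """\
1204 NtOpenFile
1204 NtCreateUserProcess
1204 NtUnmapViewOfSection
1204 NtAllocateVirtualMemory
1204 NtWriteVirtualMemory
1204 NtSetContextThread
1204 NtResumeThread
1337 NtOpenProcess
1337 NtAllocateVirtualMemory
1337 NtWriteVirtualMemory
1337 NtQueueApcThread
"""

def parse_trace(text: str) -> Dict[int, List[str]]:
    """Group system-call names by pid, keeping their order of occurrence."""
    per_pid: Dict[int, List[str]] = {}
    for line in text.splitlines():
        if line.strip():
            pid, name = line.split(maxsplit=1)
            per_pid.setdefault(int(pid), []).append(name.strip())
    return per_pid

def is_subsequence(pattern: List[str], calls: List[str]) -> bool:
    """True if every call in pattern appears in calls in order (not necessarily adjacent)."""
    it = iter(calls)  # each any() resumes the scan where the previous one stopped
    return all(any(c == p for c in it) for p in pattern)

def match_patterns(text: str) -> List[Tuple[int, str]]:
    """Return (pid, pattern_name) for every process whose trace contains a pattern."""
    hits: List[Tuple[int, str]] = []
    for pid, calls in sorted(parse_trace(text).items()):
        hits.extend((pid, name) for name, pat in PATTERNS.items() if is_subsequence(pat, calls))
    return hits
```

Calling `match_patterns(TRACE)` reports process 1204 as matching the hollowing pattern and 1337 as matching the APC pattern; unrelated calls interleaved in the trace do not break a match.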
Keywords/Search Tags: APT Trojan horse, behavioral analysis, automatization, PANDA, system calls