
Trojan's Vulnerability Fuzzing Method Based On Reverse Analysis Of Network Protocol

Posted on: 2017-08-25
Degree: Master
Type: Thesis
Country: China
Candidate: D X Pan
Full Text: PDF
GTID: 2428330590991611
Subject: Information and Communication Engineering

Abstract/Summary:
In view of the Trojan-based control methods used in popular APT attacks, this paper presents an active defense idea: fuzzing closed-source Trojans and attacking them so as to paralyze them. By deeply analyzing the communication protocols of well-known Trojans such as Gh0st and Poison Ivy, we master the general principles of Trojan network protocols and design an algorithm for analyzing the unknown network protocol of a remote control Trojan. We then combine our analysis algorithm with a mature fuzzing framework to fuzz the Trojan's server code for vulnerabilities, so as to implement an active attack.

We first use a generalized suffix tree and a hierarchical clustering algorithm to learn the characteristics of the Trojan's network traffic and construct the protocol format. After that, we learn the state machine of the Trojan's network protocol with the Angluin algorithm, continuing to discover new states until we obtain the state machine of the Trojan's network protocol. We then combine Peach with this fuzzing framework, automatically generating the fuzz test configuration file from the protocol format, which greatly improves the efficiency of fuzz testing.

Finally, after a series of tests against remote control Trojans, we successfully discover several Trojan crashes. These crashes, which leave the Trojans unable to provide their normal control function, show that the Trojan vulnerability fuzzing method based on reverse analysis of network protocols is an innovative and effective solution.
Keywords/Search Tags: Remote Control Trojan, Reverse Analysis of Network Protocol's Format, Learning of State Machine, Fuzz Test, Vulnerability Mining