National Digital Library of Theses and Dissertations in Taiwan

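Graduate student: 呂開明
Graduate student (foreign-language name): Kaimin Lu
Thesis title (Chinese): 基於電腦資安攻防之惡意程式研析與實作
Thesis title (foreign language): MALICIOUS PROGRAM ANALYZER AND IMPLEMENTION BASED ON THE COMPUTER INFORMATION SECURITY ATTACK AND DEFENCE
Advisor: 陳建華
Advisor (foreign-language name): Chienhua Chen
Degree: Master's
Institution: Tatung University (大同大學)
Department: Graduate Institute of Communication Engineering
Discipline: Engineering
Field category: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2006
Graduation academic year: 94
Language: English
Number of pages: 49
Chinese keywords: remote control program; malicious program
Foreign-language keywords: win32 PE format; win32 Api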
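In recent years, network attacks have become almost impossible to guard against, and among them Trojan programs do the greatest harm to personal privacy. The antivirus programs that many computer users rely on cannot give them any real assurance, because detecting Trojan programs is very difficult. In this thesis we therefore study the techniques that Trojan programs use in order to understand their characteristics and thereby counter them, and we further analyze the relationship between Trojan programs and operating-system weaknesses in order to strengthen security control of the operating system. After the data have been collected and analyzed, we implement a Trojan program, based on the characteristics of Trojan programs and the required specifications, to test the detection capability of commercial antivirus tools and firewalls.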
Current commercial antivirus software cannot guarantee much, because Trojan programs are not easy to detect. In this thesis, we focus on the characteristics of Trojan programs and try to understand their key techniques and how they relate to the operating system. The system weaknesses used for intrusion are analyzed, and the findings can be used to design a more secure operating system. After data collection and analysis, we build a Trojan program on the basis of the regular characteristics and test it against both commercial antivirus software and firewalls.
CHINESE ABSTRACT
ENGLISH ABSTRACT
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
CHAPTER
1 Introduction
2 Related Researches
2.1 Researches of back door and Trojan programs
2.2 Research Direction
2.3 Relevant software tool description
3 Research Method
3.1 Relevant information of techniques and mechanisms of back door and Trojan programs
3.2 Collection of important or famous Trojan programs
3.3 Collection and coordination of websites’ information
3.4 Analysis and comparison of relevant back door and Trojan programs
4 Principles and Attack Methods of Trojan and Back door programs
4.1 Application analysis of Win32 API
4.2 The analysis of exploits from the Win32 system
4.3 Study of lurking techniques and attack methods
4.4 Planning of attack mechanism and software design
4.5 Mechanism design of Trojan programs
4.6 The writing of design documentation
5 System Test and Confirmation
5.1 Testing environment
5.2 Testing Procedure
5.3 Testing procedure of back door and Trojan programs
5.4 Testing results of back door and Trojan programs
5.5 Testing results of antivirus software and firewalls
6 Conclusions
REFERENCES
APPENDIXES
Appendix A
Appendix B
Appendix C
LIST OF FIGURES
Figure 4.1 The structure of Win32 systems
Figure 4.2 Procedure of API calling
Figure 4.3 Memory management of Win98/ME
Figure 4.4 Memory management of WinNT/2K
Figure 5.1 Client’s waiting for connection
Figure 5.2 Reconnecting Server in receiving area
Figure 5.3 Prepare to operate
Figure 5.4 File operation
Figure 5.5 Process management
Figure 5.6 CMD Shell operation
Figure 5.7 Process checking
LIST OF TABLES
Table 5.1 Characteristic data sheet of the Trojan program
Table A.1 The port usage of famous back and Trojan programs
Table B.1 Commercial remote control and back door programs source and address
Table B.2 The comparison of commercial remote control and back door programs
Table C.1 The function of Trojan program