TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests

Authors: Liuying Lv, Peng Zhou
Journal: Computers & Security, Volume 148, Article 104147
Publication date: 2024-10-15 (Journal Article)
DOI: 10.1016/j.cose.2024.104147
URL: https://www.sciencedirect.com/science/article/pii/S0167404824004528
Citations: 0
Abstract
Trojan is a well-known hidden tunnel protocol widely used to bypass Internet censorship, and it therefore poses a significant challenge to transparent network management and forensics. As claimed by the protocol designer, Trojan maintains its anti-identifiability by proxying real HTTPS/TLS traffic in response to unauthenticated requests, eliminating any subtle differences between Trojan traffic and legitimate HTTPS. Although the protocol appears unidentifiable by design, the diverse Trojan implementations, written in very different programming languages, are likely to differ in coding logic and networking API calls, opening a new door to identification and fingerprinting at the implementation level. In this paper, we propose TrojanProbe, a new class of active probing methods that fingerprint Trojan implementations by triggering their identifiable responses. Our basic idea is to audit the source code of the Trojan programs, discover the subtle logic discrepancies compared with their legitimate HTTPS counterparts, and craft specific HTTP requests as probes that trigger these differences for fingerprinting. Following this idea, we choose the five most popular off-the-shelf open-source Trojan programs as our audit targets, covering the majority of the Trojan market share and the mainstream programming languages from traditional C++ to the more recent Go and Rust, and design a suite of novel HTTP probes to differentiate them from the web servers they masquerade as. Our probes exploit either the different responding/buffering logic for malformed HTTP requests and for different HTTP versions, or the varied default timeouts set by the different networking APIs. To this end, we have conducted extensive experiments to evaluate TrojanProbe against a comprehensive set of configuration and networking conditions. The experimental results show that TrojanProbe can effectively fingerprint our selected Trojan targets under most conditions, leaving only a single Rust implementation, which holds a minority of the market, that can be identified only in some constrained cases. Despite this exception, our research sheds light on a new possibility of fingerprinting Trojans at the implementation level, even though this hidden tunnel is widely regarded as unidentifiable at the protocol level.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.