Method and device for actively finding malicious code control end

An active-discovery technique for malicious code control ends (command-and-control hosts), in the field of information security. It addresses the huge time overhead of existing scanning approaches, which were designed for single hosts or small ranges and give no special consideration to, or optimization of, scanning efficiency at Internet scale; the result is an important information-security safeguard that avoids that time cost.

Active Publication Date: 2010-12-22
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT

AI Technical Summary

Problems solved by technology

[0021] 1. Existing solutions are aimed at scanning a single host or a small range of hosts and do not consider the actual needs of large-scale scanning, so scanning efficiency receives no special consideration or optimization. If the existing techniques are used to scan a large number of Internet hosts on all of their ports, the time overhead is huge and the results are no longer of practical use.

[0022] 2. Existing solutions likewise do not consider the pressure that large-scale batch scanning tasks place on the system resources of the local environment in which the scan runs.

[0023] 3. Disadvantage of the ICMP echo method: on hosts behind a firewall, running security software, or specially configured, an ICMP echo request produces no ICMP echo reply, so the ICMP echo method reports such hosts as offline when they are not.

[0024] 4. Disadvantage of the port inference method: on specially configured hosts the commonly open ports are not necessarily in a listening state, so judging whether a host is online from those ports misses such online hosts.

[0025] 5. Disadvantages of TCP connect scanning: establishing a TCP connection requires the three-way handshake, which costs a certain amount of time, and each connection consumes a certain amount of local memory.

[0026] 6. Disadvantages of TCP FIN scanning and TCP NULL scanning: after sending a TCP FIN or TCP NULL segment, a port is judged open only when no reply has arrived after a waiting period, so the time overhead is relatively large. In addition, because the Windows TCP/IP implementation departs from the standard specification (it answers with RST whether or not the port is open), these two methods do not work against Windows hosts.




Embodiment Construction

[0062] The present invention will be described in further detail below in conjunction with the accompanying drawings and specific embodiments.

[0063] The present invention proposes a solution for the active discovery of malicious code control ends, namely: actively scan hosts in the Internet to obtain their online status, open ports and operating system type; establish a network connection to an open port and simulate the network behavior of the controlled end; compare the communication data returned by the host with the network behavior characteristics of known control ends; and judge from the comparison whether a control end exists on the host and of which type, so as to actively discover and identify the control end.

[0064] Figure 1 is a schematic flowchart of the method of the present invention for actively discovering malicious code control ends. As shown, the method for discovering malicious code c...


Abstract

The invention discloses a method for actively finding a malicious code control end, comprising the following steps: scanning host information, namely finding, within the IP address range to be scanned, hosts that are online, run Windows and have open ports, and determining at least one open port of each such host; and scanning control end information, namely establishing a network connection to an open port of the host, simulating the network behavior of the controlled end host corresponding to a known type of malicious code control end, sending data to the host and analyzing the returned data; if the returned data matches the characteristics of the known type of malicious code control end, a control end of that type exists on the host. The method can effectively identify malicious code control ends, is suited to large-scale scanning of hosts in the Internet and is of great practical significance for guaranteeing information security. Correspondingly, the invention also provides a device for actively finding the malicious code control end.
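The two phases described in the embodiment and the abstract (a connect scan to find open ports, then replaying the controlled end's first message on each open port and matching the reply against known control-end characteristics), as an added example that is not part of the patent or of any implementation by its applicant. The fingerprints ("hypothetical-family-A", "hypothetical-family-B"), the hello bytes and the reply predicates are constructed for illustration and correspond to no real malware family; a fake control end is started on the loopback so the exchange runs offline. Operating-system fingerprinting and the Windows-only filter from the abstract are not shown. The worker pool is bounded so a large batch does not exhaust local sockets, which is the resource-pressure point raised in the problems section.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed, hypothetical control-end fingerprints (not real malware families):
# the first message the controlled end sends, and a predicate on the control end's reply.
PROBES = [
    {
        "name": "hypothetical-family-A",
        "hello": b"HELO\x01\x00",
        "matches": lambda reply: reply.startswith(b"CMD|") and len(reply) >= 8,
    },
    {
        "name": "hypothetical-family-B",
        "hello": b"\xde\xad\xbe\xef",
        "matches": lambda reply: reply[:2] == b"\xaa\x55",
    },
]


def port_is_open(host, port, timeout=1.0):
    """Scan phase: TCP connect scan (no ICMP echo, which firewalls commonly drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host, ports, max_workers=64):
    """Scan a port list with a bounded worker pool so a large batch does not
    exhaust local sockets or memory; returns the sorted open ports."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def probe_control_end(host, port, probes=PROBES, timeout=2.0):
    """Control-end phase: for each known type, open a fresh connection, replay the
    controlled end's first message and test the reply against that type's predicate."""
    found = []
    for p in probes:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(p["hello"])
                reply = s.recv(4096)
        except OSError:
            continue
        if reply and p["matches"](reply):
            found.append(p["name"])
    return found


def start_fake_control_end():
    """Constructed stand-in for a family-A control end so the example runs offline:
    it answers family A's hello with a task and anything else with junk.
    Returns the ephemeral loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    data = conn.recv(4096)
                    if data == PROBES[0]["hello"]:
                        conn.sendall(b"CMD|sleep 60")  # constructed family-A task reply
                    elif data:
                        conn.sendall(b"?\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a loopback port nothing is listening on (for the negative check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Scan two candidate ports (one closed, one the fake control end), then probe
    every open port; returns (scan found only the fake C2, names identified)."""
    c2_port = start_fake_control_end()
    open_ports = scan_ports("127.0.0.1", [unused_port(), c2_port])
    hits = [name for p in open_ports for name in probe_control_end("127.0.0.1", p)]
    return open_ports == [c2_port], hits


if __name__ == "__main__":
    print(run_demo())
```

Each fingerprint gets its own connection because a real control end may drop the session after one unexpected message; matching on the reply rather than on the banner is what distinguishes a control end from an ordinary service on the same port.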

Description

Technical field [0001] The invention belongs to the technical field of information security, and in particular relates to a method and a device for actively discovering and identifying malicious code control ends in the Internet. [0002] Terminology [0003] ICMP: Internet Control Message Protocol, a network protocol used to transmit control information between hosts. There are many types of ICMP message; the ICMP echo request, ICMP echo reply, ICMP timestamp and ICMP subnet mask messages mentioned in this document are different types of ICMP message. [0004] TCP: Transmission Control Protocol, a network protocol used to establish network connections between hosts. A TCP connection is established in three steps, commonly known as the three-way handshake p...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
Inventor 孙波许俊峰杜跃进黄彩洪李柏松张冰袁春阳朱春鸽严寒冰焦英楠
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT