[YA-11] APT Attack Trojan Series: Trojan Communication Methods

admin, 14 July 2023, 13:31:33

For a Trojan's control end and controlled end to communicate, a transmission channel must first be established. Building such a channel commonly relies on an IP address, a port and similar information, or on the address of a third-party website. There are two categories of connection:

  • Forward connection
  • Reverse connection


Forward connection

In a forward connection the control end actively connects to the controlled end, so the controlled end must open the relevant port for the control end to connect to. The control end first connects to the controlled end and then sends its control commands; the controlled end reports information about the host back to the control end, usually including the IP address, MAC address, computer name and memory size.

[Figure not reproduced]

This kind of connection has one problem: if the target system has a firewall, the connection is usually blocked. The pros and cons of forward connection are as follows:

  • Pros: the attacker needs no external IP address; as long as they have Internet access they can connect to the remote host. The Trojan sample does not leak the attacker's IP address, because the Trojan never initiates outbound connections.
  • Cons: it may be blocked by a firewall. The victim must have an external IP address. Locating the victim is relatively difficult, for example, does the victim's IP change? When does the target host come online? Some Trojans, once the target host has Internet access, send its IP address to a designated mailbox, and the attacker then actively connects to the host after receiving it.


Reverse connection

In the first approach, the controlled end (the server side, on the right of the figure) actively connects to the control host. A firewall will generally allow this through, especially since many current Trojans use port 80 as the remote connection port, which firewalls trust readily.

[Figure not reproduced]

The pros and cons of the first approach are as follows:

  • Pros: getting through a firewall is relatively easy. Targets inside a LAN can be controlled. The target can come online at any time and the attacker can control it at any time, because the attacker's control server is always online: whenever the controlled end comes online it connects back, and the attacker can even be notified by SMS or similar means.
  • Cons: the sample exposes the control server information (domain name or IP). The attacker usually needs an external IP address.

There is another form of reverse connection, in which a third-party puppet machine sits between the controlled end and the control end; both sides communicate with that third party, for example a compromised host (bot) or a Web server.

  • Pros: can bypass firewalls, connects back automatically, and is not easy to discover (proxy).
  • Cons: the stability of the puppet machine must be guaranteed.

[Figure not reproduced]


Communication protocols

  • TCP: stable, but easy to detect; HTTP is used as a disguise.
  • UDP: like TCP it has both forward and reverse modes; lower overhead than TCP, but lower reliability.
  • ICMP+TCP/UDP: in this mode no port is normally open, but the implant listens for ICMP packets in order to sense Trojan data. When the attacker wants to control the host, they send an ICMP packet; when the listener on the host sees the specific packet, it knows it should start listening and opens the relevant port. ICMP packets are handled directly by the system kernel or a process rather than through a port, so this method is relatively covert and is generally not filtered by firewalls.

The figure below shows a backdoor written by Glacier (冰河), called BITS (Background Intelligent Transfer Service), a hard-to-notice backdoor implemented with the ICMP+TCP/UDP method. It is not visible in the process manager and normally has no open port, acting only as an undercover agent in the system. It offers both forward and reverse connection modes, works on different operating systems (Windows 2000/XP/2003), and through the shell it provides you can do a great deal.

[Figure not reproduced]

From an attack-and-defense perspective, the defender needs to discover Trojans through traffic detection measures such as IDS, VDS, IPS, VPS, UTM, firewalls and SIEM (security information and event management). The attacker, in turn, needs to evade traffic detection, using AV-evasion loaders, encoding, payload separation and other techniques.

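As an added example (not code from the original article), the following Python script applies two defender-side heuristics to a constructed Zeek-style set of connection records: periodic call-backs from one host to one destination (the reverse-connection beaconing described above) and an inbound TCP connection arriving shortly after an ICMP packet from the same source (the ICMP+TCP/UDP trigger). The record layout, sample addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample records: (timestamp_s, src_ip, dst_ip, proto, dst_port).
# 10.0.0.5 calls back to 203.0.113.7:80 about every 60 s (reverse-connection beacon);
# 10.0.0.6 talks to 198.51.100.2:443 at irregular times (benign browsing);
# 10.0.0.9 receives ICMP from 203.0.113.9, then accepts TCP on 4444 (ICMP trigger).
RECORDS = [
    (0, "10.0.0.5", "203.0.113.7", "tcp", 80),
    (60, "10.0.0.5", "203.0.113.7", "tcp", 80),
    (120, "10.0.0.5", "203.0.113.7", "tcp", 80),
    (181, "10.0.0.5", "203.0.113.7", "tcp", 80),
    (240, "10.0.0.5", "203.0.113.7", "tcp", 80),
    (10, "10.0.0.6", "198.51.100.2", "tcp", 443),
    (700, "10.0.0.6", "198.51.100.2", "tcp", 443),
    (950, "10.0.0.6", "198.51.100.2", "tcp", 443),
    (1000, "10.0.0.6", "198.51.100.2", "tcp", 443),
    (50, "203.0.113.9", "10.0.0.9", "icmp", 0),
    (55, "203.0.113.9", "10.0.0.9", "tcp", 4444),
]

def find_beacons(records, min_count=4, max_jitter=0.1):
    """Return [((src, dst, port), mean_gap)] for TCP flows whose connections recur
    at a near-constant interval: coefficient of variation of the gaps <= max_jitter."""
    by_flow = defaultdict(list)
    for ts, src, dst, proto, port in records:
        if proto == "tcp":
            by_flow[(src, dst, port)].append(ts)
    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            hits.append((flow, round(mean, 1)))
    return hits

def find_icmp_triggers(records, window=30):
    """Return [(host, port, remote)] where host accepted a TCP connection from remote
    within `window` seconds after receiving ICMP from that same remote."""
    icmp_seen = defaultdict(list)
    for ts, src, dst, proto, _ in records:
        if proto == "icmp":
            icmp_seen[(src, dst)].append(ts)
    hits = []
    for ts, src, dst, proto, port in records:
        if proto == "tcp" and any(0 <= ts - t <= window for t in icmp_seen.get((src, dst), [])):
            hits.append((dst, port, src))
    return hits
```

The benign 10.0.0.6 flow passes the minimum-count threshold but fails the jitter test, which is what separates scheduled call-backs from ordinary browsing; tighten `max_jitter` or raise `min_count` when tuning against real traffic.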

References

http://blog.csdn.net/eastmount/
http://element-ui.cn/article/show-27425.aspx?action=onClick

Originally published on the WeChat official account Eonian Sharp: [YA-11] APT Attack Trojan Series: Trojan Communication Methods

Published by admin on 14 July 2023, 13:31:33. Please keep this link when reposting (CN-SEC, with thanks to the original author): [YA-11] APT Attack Trojan Series: Trojan Communication Methods http://cn-sec.com/archives/1875094.html
