Title: TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests
Authors: Liuying Lv, Peng Zhou
DOI: 10.1016/j.cose.2024.104147
Journal: Computers & Security (JCR Q1, Computer Science, Information Systems; impact factor 4.8; CAS region 2)
Publication date: 2024-10-15
Publication type: Journal Article
Open access: no
Source: https://www.sciencedirect.com/science/article/pii/S0167404824004528
Citations: 0

Abstract
Trojan is a well-known hidden tunnel protocol widely used to bypass Internet censorship, and it therefore presents a serious challenge to transparent network management and forensics. As its designer claims, Trojan preserves its unidentifiability by proxying real HTTPS/TLS traffic in response to unauthenticated requests, eliminating any subtle difference between Trojan traffic and legitimate HTTPS. Although the protocol thus appears unidentifiable by design, the diverse Trojan implementations, written in very different programming languages, are likely to differ in coding logic and networking API calls, which opens a new door to identifying and fingerprinting them at the implementation level. In this paper we propose TrojanProbe, a new class of active probing methods that fingerprints Trojan implementations by triggering identifiable responses. Our basic idea is to audit the source code of Trojan programs, discover the subtle logic discrepancies relative to legitimate HTTPS servers, and craft specific HTTP requests as probes that trigger those differences for fingerprinting. Following this idea, we select the five most popular off-the-shelf open-source Trojan programs as audit targets, covering the majority of the Trojan market share and the mainstream programming languages from traditional C++ to Go and Rust, and design a suite of novel HTTP probes to distinguish them from the web servers they masquerade as. Our probes exploit either the differing response/buffering logic for malformed HTTP requests and for different HTTP versions, or the differing default timeouts set by the various networking APIs. We conducted extensive experiments evaluating TrojanProbe under a comprehensive set of configuration and networking conditions.
The results show that TrojanProbe can effectively fingerprint the selected Trojan targets under most conditions, leaving only a single Rust implementation with a minority market share that can be identified only in some constrained cases. Despite this exception, our research sheds light on a new possibility of fingerprinting Trojans at the implementation level, even though such a hidden tunnel is widely regarded as unidentifiable at the protocol level.
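An added illustration of the probing approach the abstract outlines (example code written for this page, not the paper's TrojanProbe tool or any Trojan project's code): a small harness that sends a few crafted requests over TLS to one endpoint, reduces each outcome to a feature vector (status line present, status code, Server header, bytes returned, whether and after how many whole seconds the peer closed), and diffs the vectors of two endpoints. The probe byte strings, the feature set and the host names in the usage comment are this example's assumptions; the paper's actual probes and per-implementation signatures are not given on this page, so the harness compares a suspect endpoint against a reference server rather than shipping built-in signatures.

```python
"""Added illustration: a behavioural HTTP probing harness of the kind the
abstract describes. Not the paper's TrojanProbe code; the probe strings and
feature choices below are this example's own assumptions."""
import socket
import ssl
import sys
import time

# Three probe classes the abstract names: a malformed request line, unusual
# HTTP versions (HTTP/0.9 and HTTP/1.0 without Host), and an incomplete
# request that only ends when the server's idle timeout fires. The byte
# strings are assumptions of this example, not the paper's real probes.
PROBES = {
    "malformed_line": b"GET / HTTP/1.1 EXTRA\r\nHost: %s\r\n\r\n",
    "http09": b"GET /\r\n",
    "http10_no_host": b"GET / HTTP/1.0\r\n\r\n",
    "incomplete": b"GET / HTTP/1.1\r\nHost: %s\r\n",  # no blank line: forces a timeout
}


def send_probe(host, port, raw, use_tls=True, timeout=10.0):
    """Send one raw request; return (response bytes, seconds until the peer
    closed or our read timeout fired, whether the peer closed first)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we fingerprint behaviour, not trust
        sock = ctx.wrap_socket(sock, server_hostname=host)
    start = time.monotonic()
    chunks, closed = [], False
    try:
        sock.sendall(raw)
        while True:
            data = sock.recv(4096)
            if not data:  # orderly close by the peer
                closed = True
                break
            chunks.append(data)
    except (socket.timeout, TimeoutError):
        pass  # peer kept the connection open past our timeout
    except (ConnectionResetError, ssl.SSLError, BrokenPipeError):
        closed = True  # an abrupt close counts as closed too
    finally:
        sock.close()
    return b"".join(chunks), time.monotonic() - start, closed


def extract_features(response, elapsed, closed):
    """Reduce one probe outcome to comparable features. A body with no
    status line is what an HTTP/0.9-style reply, or a server that omits the
    status line on errors, looks like on the wire."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    first = lines[0]
    has_status_line = first.startswith(b"HTTP/")
    status = None
    if has_status_line:
        parts = first.split(b" ", 2)
        if len(parts) >= 2 and parts[1].isdigit():
            status = int(parts[1])
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            server = value.strip().decode("latin-1")
    return {
        "has_status_line": has_status_line,
        "status": status,
        "server": server,
        "bytes": len(response),
        # whole seconds so timing jitter does not create spurious differences
        "close_after_s": round(elapsed) if closed else None,
    }


def fingerprint(host, port, use_tls=True, timeout=10.0):
    """Run every probe against one endpoint and return {probe: features}."""
    result = {}
    for name, template in PROBES.items():
        raw = template % host.encode() if b"%s" in template else template
        resp, elapsed, closed = send_probe(host, port, raw, use_tls, timeout)
        result[name] = extract_features(resp, elapsed, closed)
    return result


def diff_fingerprints(a, b):
    """List (probe, feature, value_a, value_b) where two fingerprints differ;
    an empty list means these probes cannot tell the endpoints apart."""
    diffs = []
    for probe in sorted(set(a) | set(b)):
        fa, fb = a.get(probe, {}), b.get(probe, {})
        for key in sorted(set(fa) | set(fb)):
            if fa.get(key) != fb.get(key):
                diffs.append((probe, key, fa.get(key), fb.get(key)))
    return diffs


if __name__ == "__main__":
    # Usage: python probe.py suspect.example:443 reference.example:443
    # (placeholder hosts; only probe endpoints you are authorised to test)
    prints = []
    for target in sys.argv[1:3]:
        host, _, port = target.partition(":")
        prints.append(fingerprint(host, int(port or 443)))
    for p in prints:
        print(p)
    if len(prints) == 2:
        for d in diff_fingerprints(*prints):
            print("differs:", d)
```

The incomplete-request probe deliberately waits the full read timeout, so an endpoint that holds a half-open request longer than that reports `close_after_s: None`, while one whose networking API closes idle connections by default reports the number of seconds it waited; that single feature is the timeout-based discrepancy the abstract refers to, and the status-line and status-code features capture the malformed-request and HTTP-version discrepancies.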
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.