Botnets: Bigger isn’t always better
Author: Michael Kassner
Translation: endurer, 2008-11-04, 1st edition
Category: security, Botnet, anti-spam
Tags: Advance, Rootkits, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Michael Kassner, HTTP, Article, Bot
English source: http://blogs.techrepublic.com.com/networking/?p=710&tag=nl.e102
Rootkit and botnet developers are fighting back. It seems that every advance made by security researchers is countered with new and more sophisticated malware. Just what are these new advances and what can the rest of us expect?
——————————————————————————————————————-
Last August in my article “Storm Worm: The Energizer Bunny of Botnets,” I mentioned that Storm was making a resurgence as the largest botnet creator in history. Yet for the past few months, Storm’s botnet has been eerily quiet. You may remember the e-mail spam message falsely announcing the start of “World War Three” back in July. That was the last major spam campaign propagated by Storm’s botnet.
《Translator's note (endurer): 1. Energizer Bunny: the rabbit from the Energizer battery advertisements.》
Where’s the Storm?
Kelly Jackson Higgins of Darkreading.com raised some compelling reasons why Storm isn’t having much impact in the article “Storm May Finally Be Over”:
“Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa’s estimates. The botnet began a gradual decline in size after Microsoft’s Malicious Software Removal Tool began detecting and cleaning it up late last year.”
Another theory in the article mentions that security researchers may have been able to infiltrate the Storm botnet and neutralize it:
“It’s very possible someone might be interfering with Storm,” Joel Stewart, Director of Malware Research for SecureWorks, mentioned. “At RSA (Conference), I showed the RSA key that’s used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots.”
《Translator's note (endurer): 1. SecureWorks: a company based in Atlanta, USA, providing information and network security services. Reference: http://www.google.cn/search?hl=zh-CN&newwindow=1&q=SecureWorks&meta=&aq=f&oq=
2. RSA: an Internet encryption and authentication system.》
I found the article interesting as it points to Storm’s size and scope as being its downfall. The botnet’s inactivity is certainly welcome news. I’m somewhat cynical though, as I personally haven’t seen any reduction in the amount of spam. In fact, I’m of the opinion that the amount is increasing. Why is that? I have the nagging suspicion that botnet creators are keeping well ahead of the learning curve by using new and less obvious tactics.
《Translator's note (endurer): 1. learning curve: 学习曲线》
Next generation of botnets
Paul Royal, Director of Research for Damballa, points out one of the new tactics being used:
“Rather than the Swiss army knife approach that Storm took, more botnets will instead be smaller and created for specific purposes. One http-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects.”
HTTP-based botnets are difficult to trace, as they use port 80, and we all know how much Internet traffic is flowing over that port. Kelly Jackson Higgins has another interesting article, “Botnets Don Invisibility Cloaks,” that discusses this very subject. The article is almost a year old but more relevant than ever.
Another new trend in botnets is peer-to-peer command and control. It’s considered more difficult to detect than HTTP-based command and control traffic, as explained in Higgins’ article:
“Peer-to-peer is difficult because it’s not a centralized network, each bot can send commands on its own. That’s more distributed, making it difficult to isolate the actual bots, where they are, and where the commands originated from.”
Georgia Tech Information Security Center’s recent summit
TechRepublic’s Paul Mah, in his latest Security News Roundup, made mention of Georgia Tech’s Information Security Center (GTISC) and their annual security summit. A great deal of pertinent information about botnets came from the recent summit. For example, in the 2009 report (pdf), Wenke Lee, associate professor at GTISC, corroborates what Paul Royal mentioned about HTTP-based botnets:
《Translator's note (endurer): 1. made mention of: 说到(写到,提到)》
“A bot actually remains on the machine, maintains a command and control mechanism to enable communication with the bot master, and can update itself based on those communications. The updates enable new bot communication and malicious capabilities, and are often used to avoid detection.
Bot communications are designed to look like normal (Web) traffic using accepted ports, so even firewalls and intrusion prevention systems have a hard time isolating bot messages. It’s very difficult to filter bot traffic at the network edge since it uses http and every enterprise allows http traffic.”
《Translator's note (endurer): 1. Hard times: a time of troubles. 艰难时期;时代》
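As an added illustration (not part of the original article or the GTISC report): since HTTP-based bot traffic cannot be filtered on port or protocol alone, one defensive approach is to look for the regular check-in rhythm that a bot’s command and control channel tends to produce. The script below, in Python, scans constructed proxy log lines (hypothetical hosts and addresses) for client/destination pairs with near-constant request intervals and response sizes.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "timestamp client destination_host bytes".
# Hosts and addresses are hypothetical; 10.0.0.9 is the planted regular check-in.
SAMPLE_LOG = """\
2008-11-04T09:00:00 10.0.0.5 news.example.com 18342
2008-11-04T09:00:07 10.0.0.5 cdn.example.net 91233
2008-11-04T09:00:31 10.0.0.5 news.example.com 17201
2008-11-04T09:05:00 10.0.0.9 update.example.org 512
2008-11-04T09:10:00 10.0.0.9 update.example.org 512
2008-11-04T09:12:40 10.0.0.5 mail.example.com 4401
2008-11-04T09:15:01 10.0.0.9 update.example.org 514
2008-11-04T09:19:59 10.0.0.9 update.example.org 512
2008-11-04T09:25:00 10.0.0.9 update.example.org 512
"""

def parse_log(text):
    """Group log lines into {(client, host): [(timestamp, bytes), ...]}, time-sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, size = line.split()
        flows[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return {key: sorted(events) for key, events in flows.items()}

def beacon_score(events, min_events=4):
    """Coefficient of variation (stdev/mean) of request gaps and sizes; None if too few events."""
    if len(events) < min_events:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    if mean(gaps) == 0 or mean(sizes) == 0:
        return None
    # Values near 0 mean machine-like regularity; human browsing is bursty and varied.
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(text, max_gap_cv=0.1, max_size_cv=0.1):
    """Return [(client, host, request_count)] for flows that look like beacons."""
    hits = []
    for (client, host), events in parse_log(text).items():
        score = beacon_score(events)
        if score is not None and score[0] <= max_gap_cv and score[1] <= max_size_cv:
            hits.append((client, host, len(events)))
    return hits

if __name__ == "__main__":
    for client, host, count in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} ({count} requests at a near-constant interval)")
```

Real bots may jitter their intervals or pad sizes, so treat this as one signal to corroborate with destination reputation and host-side evidence rather than a verdict on its own.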
Not just smaller, but sneakier
So far I have tried to point out that botnets are smaller, more sophisticated, and single-purposed. I’d be remiss if I didn’t mention the fourth area of improvement, which is how the bot gets on the unsuspecting user’s computer. Once again, Professor Lee of GTISC explains how this is easier than ever:
- Infection can occur even through legitimate Web sites.
- Bot exploits/malware delivery mechanisms are gaining sophistication and better obfuscation techniques.
- Users do not have to do anything to become infected; simply rendering a Web page can launch a botnet exploit.
Final thoughts
Every article that I read about botnets mentions that this problem is here for the long haul, stating simple economics as the reason. Botnets are big business, making people a great deal of money, and as long as that’s the case botnets aren’t going away.
I sense the frustration, as there’s precious little we the users can do. I wrote my last article, “Spam Relay: Up Close and Personal,” as a vivid personal reminder for me. As I was writing this article, I realized that many of you must have similar experiences, which got me thinking (in trouble now) that we should gather all that hard-earned information in one place and share it. What do you think?