Botnets: Bigger isn’t always better



Author: Michael Kassner


Translation: endurer, 2008-11-04, 1st edition

Category: security, Botnet, anti-spam

Tags: Advance, Rootkits, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Michael Kassner, HTTP, Article, Bot

English source: http://blogs.techrepublic.com.com/networking/?p=710&tag=nl.e102

Rootkit and botnet developers are fighting back. It seems that every advance made by security researchers is countered with new and more sophisticated malware. Just what are these new advances and what can the rest of us expect?




——————————————————————————————————————-


Last August in my article “Storm Worm: The Energizer Bunny of Botnets,” I mentioned that Storm was making a resurgence as the largest botnet creator in history. Yet for the past few months, Storm’s botnet has been eerily quiet. You may remember the e-mail spam message falsely announcing the start of “World War Three” back in July. That was the last major spam campaign propagated by Storm’s botnet.


《endurer’s note: 1. Energizer Bunny: refers to being like the bunny in the Energizer battery commercials.》

Where’s the Storm?


Kelly Jackson Higgins of Darkreading.com raised some compelling reasons why Storm isn’t having much impact in the article “Storm May Finally Be Over“:


“Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa’s estimates. The botnet began a gradual decline in size after Microsoft’s Malicious Software Removal Tool began detecting and cleaning it up late last year.”


Another theory in the article mentions that security researchers may have been able to infiltrate the Storm botnet and neutralize it:


“It’s very possible someone might be interfering with Storm,” Joel Stewart, Director of Malware Research for SecureWorks, mentioned. “At RSA (Conference), I showed the RSA key that’s used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots.”


《endurer’s note: 1. SecureWorks: a company based in Atlanta, USA, providing information and network security services. Reference: http://www.google.cn/search?hl=zh-CN&newwindow=1&q=SecureWorks&meta=&aq=f&oq=
2. RSA: an Internet encryption and authentication system》

I found the article interesting as it points to Storm’s size and scope as being its downfall. The botnet’s inactivity is certainly welcome news. I’m somewhat cynical though, as I personally haven’t seen any reduction in the amount of spam. In fact, I’m of the opinion that the amount is increasing. Why is that? I have the nagging suspicion that botnet creators are keeping well ahead of the learning curve by using new and less obvious tactics.



Next generation of botnets


Paul Royal, Director of Research for Damballa, points out one of the new tactics being used:


“Rather than the Swiss army knife approach that Storm took, more botnets will instead be smaller and created for specific purposes. One http-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects.”


Http-based botnets are difficult to trace, as they use port 80, and we all know how much Internet traffic is flowing over that port. Kelly Jackson Higgins has another interesting article “Botnets Don Invisibility Cloaks” that discusses this very subject. The article is almost a year old but more relevant than ever.


Another new trend in botnets is peer-to-peer command and control. It’s considered more difficult to detect than http-based command and control traffic, as explained in Higgins’s article:


“Peer-to-peer is difficult because it’s not a centralized network, each bot can send commands on its own. That’s more distributed, making it difficult to isolate the actual bots, where they are, and where the commands originated from.”


Georgia Tech Information Security Center’s recent summit

TechRepublic’s Paul Mah in his latest Security News Roundup made mention of Georgia Tech’s Information Security Center (GTISC) and their annual security summit. A great deal of pertinent information about botnets came from the recent summit. For example, in the 2009 report (pdf), Wenke Lee, associate professor at GTISC, corroborates what Paul Royal mentioned about http-based botnets:



“A bot actually remains on the machine, maintains a command and control mechanism to enable communication with the bot master, and can update itself based on those communications. The updates enable new bot communication and malicious capabilities, and are often used to avoid detection.


Bot communications are designed to look like normal (Web) traffic using accepted ports, so even firewalls and intrusion prevention systems have a hard time isolating bot messages. It’s very difficult to filter bot traffic at the network edge since it uses http and every enterprise allows http traffic.”


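Professor Lee’s point is that port-based filtering cannot separate bot check-ins from ordinary web traffic, so defenders have to look at behaviour instead. The following is an added example, not code from the article or from any project it names: over a constructed proxy log in which every request is plain port-80 HTTP, it flags the one client/host pair whose requests recur at a fixed period, the steady polling rhythm of a bot talking to its controller. The log format, hostnames and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample proxy log (not from the article): timestamp, client, method,
# host/path, bytes. Every line is ordinary port-80 HTTP, so port filtering alone
# cannot tell the bot check-ins from the browsing around them.
SAMPLE_LOG = """\
2008-11-04T09:00:00 10.0.0.12 GET www.example-news.test/index.html 48211
2008-11-04T09:00:03 10.0.0.12 GET www.example-news.test/images/a.png 9120
2008-11-04T09:00:05 10.0.0.31 POST c2-host.test/update.php 312
2008-11-04T09:00:11 10.0.0.12 GET www.example-news.test/story/1 37780
2008-11-04T09:05:05 10.0.0.31 POST c2-host.test/update.php 312
2008-11-04T09:07:40 10.0.0.12 GET search.example.test/?q=botnets 15234
2008-11-04T09:10:05 10.0.0.31 POST c2-host.test/update.php 314
2008-11-04T09:15:05 10.0.0.31 POST c2-host.test/update.php 312
2008-11-04T09:20:06 10.0.0.31 POST c2-host.test/update.php 312
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) ([^/\s]+)(\S*) (\d+)$")

def parse_log(text):
    """Return (timestamp, client, host, bytes) for each well-formed log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, _method, host, _path, size = m.groups()
        records.append((datetime.fromisoformat(ts), client, host, int(size)))
    return records

def find_beacons(records, min_events=4, max_cv=0.1):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant."""
    # A steady check-in period (low coefficient of variation) marks a polling bot; browsing is bursty.
    by_pair = defaultdict(list)
    for ts, client, host, _size in records:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"client": client, "host": host,
                            "period_s": round(avg), "events": len(times)})
    return beacons
```

On the sample above only 10.0.0.31 talking to c2-host.test is reported (five requests roughly every 300 seconds); the news-site browsing by 10.0.0.12 is too irregular to qualify even when the minimum event count is lowered.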

Not just smaller, but sneakier


So far I have tried to point out that botnets are smaller, more sophisticated, and single-purposed. I’d be remiss if I didn’t mention the fourth area of improvement, which is how the bot gets onto the unsuspecting user’s computer. Once again, Professor Lee of GTISC explains how this is easier than ever:


  • Infection can occur even through legitimate Web sites.
  • Bot exploits/malware delivery mechanisms are gaining sophistication and better obfuscation techniques.
  • Users do not have to do anything to become infected; simply rendering a Web page can launch a botnet exploit.

Final thoughts

Every article that I read about botnets mentions that this problem is here for the long haul, stating simple economics as the reason. Botnets are big business, making people a great deal of money, and as long as that’s the case botnets aren’t going away.


I sense the frustration, as there’s precious little we the users can do. I wrote my last article, “Spam Relay: Up Close and Personal,” as a vivid personal reminder for me. As I was writing this article, I realized that many of you must have similar experiences, which got me thinking (in trouble now) that we should gather all that hard-earned information in one place and share it. What do you think?

