Can botnets be beaten?

Date: February 19th, 2008
Author: Justin Fielding
Translation: endurer, 2008-02-28, 1st edition
Category: security, Botnet, cybercrime
Tags: Network, Command, Instruction, Bot, Analysis, BotSniffer, Networking, Justin Fielding
English source: http://blogs.techrepublic.com.com/networking/?p=443&tag=nl.e101

This week, Georgia Tech unveiled BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for command and control channels. Apparently the BotSniffer detector has been built as an independent plug-in for the popular open source intrusion detection system Snort. With a host system that’s as widely used as Snort, there is a good possibility of such a system eventually making it into the real world. The paper released by Georgia Tech’s School of Computer Science says, “We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.”


《endurer's note: 1. Georgia Tech (the Georgia Institute of Technology), founded in 1885, is one of the top engineering schools in the United States, ranked just behind MIT and Caltech. It sits in downtown Atlanta, next door to the Coca-Cola headquarters.
2. Snort is an open-source, cross-platform package used as a sniffer, packet logger and intrusion detector for small TCP/IP networks. It runs on Linux/UNIX and Win32. Official site: http://www.snort.org/》

The paper suggests that botnets’ command and control mechanism may be their Achilles’ heel. These command and control channels are used by botmasters to relay instructions to the infected hosts. Instructions are either delivered ‘live’ via IRC channels or via HTTP, where the bot connects at pre-specified intervals and collects instructions from a Web server. If these channels of communication are detected and cut off, then the botmaster no longer has control of his zombies: “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network.”


《endurer's note: Achilles’ heel. In Greek myth Achilles, the bravest warrior of the Greek army at Troy and a central figure of Homer’s Iliad, was the son of Peleus, king of the Myrmidons, and the sea goddess Thetis. Wanting to make her son strong and immortal, his mother tempered him in fire and dipped him head first in the river Styx, holding him by the heel; the heel her hand covered never touched the water and became his one vulnerable spot. Invincible in the Trojan War, he killed the Trojan champion Hector, and no Trojan weapon could harm him, until Apollo revealed the weakness to the Trojan prince Paris, who lured Achilles to the city gate and killed him with an arrow to the heel. “Achilles’ heel” thus means a single weak point, a vulnerable spot.》

There are normally multiple bots on a network, so thorough analysis of traffic or host activity can pick out behavioural traits and detect bot-like activity: “We observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command — obtain system information, scan the network — and report to the command and control server with the progress/result of the task.”

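The two observations above, regular polling of a command server and several hosts answering the same command at the same time, can both be checked on plain flow records. The script below is an added illustration, not BotSniffer’s code or the paper’s algorithm; the flow records, the addresses (203.0.113.10 as the supposed C&C server, 10.0.0.x bots) and the thresholds are all constructed for the example. It first flags clients whose connection intervals to one server are nearly constant (the HTTP polling case), then groups clients by the server they poll and reports a group when at least two members perform the same response activity, here a scan of many internal hosts, in the same time window (the spatial-temporal correlation case).

```python
"""BotSniffer-style C&C detection over constructed flow records (added example).

Check 1: periodic polling of one server (HTTP command retrieval at fixed intervals).
Check 2: spatial-temporal correlation: hosts that poll the same server perform the
same response activity (a scan) inside the same time window.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (time_s, src, dst, dport). Not captured traffic.
CNC = "203.0.113.10"                      # assumed C&C server (constructed)
BOTS = ["10.0.0.5", "10.0.0.7", "10.0.0.9"]
FLOWS = []
for i, bot in enumerate(BOTS):
    # each bot polls the C&C roughly every 60 s, with up to 2 s of jitter
    for j, t in enumerate((0, 60, 120, 180, 240)):
        FLOWS.append((t + (i + j) % 3, bot, CNC, 80))
    # after the command fetched at t~120, every bot scans 20 hosts on 445/tcp
    for n in range(20):
        FLOWS.append((121 + n, bot, f"10.0.1.{n + 1}", 445))
# benign host: irregular browsing to one site, one stray SMB connection, no scan
for t in (3, 17, 95, 101, 230, 233, 290):
    FLOWS.append((t, "10.0.0.20", "198.51.100.7", 443))
FLOWS.append((50, "10.0.0.20", "10.0.1.3", 445))
FLOWS.sort()


def periodic_clients(flows, min_flows=5, max_cv=0.15):
    """Return {(src, dst, dport)} whose inter-connection gaps are near-constant.

    The coefficient of variation (stdev/mean) of the gaps is small for a timer-driven
    poller and large for a human browsing the same site.
    """
    times = defaultdict(list)
    for t, src, dst, dport in flows:
        times[(src, dst, dport)].append(t)
    out = set()
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            out.add(key)
    return out


def scan_windows(flows, window=20, min_targets=10, exclude=()):
    """Map src -> set of window indexes in which it contacted >= min_targets distinct hosts."""
    targets = defaultdict(set)            # (src, window index) -> distinct destinations
    for t, src, dst, dport in flows:
        if dst in exclude:                # ignore the control channel itself
            continue
        targets[(src, t // window)].add(dst)
    out = defaultdict(set)
    for (src, w), dsts in targets.items():
        if len(dsts) >= min_targets:
            out[src].add(w)
    return out


def correlated_groups(flows, min_members=2):
    """Group pollers by server; report servers whose clients scan in the same window.

    Returns {(server, port): (window index, sorted members seen scanning in it)}.
    """
    servers = defaultdict(set)
    for src, dst, dport in periodic_clients(flows):
        servers[(dst, dport)].add(src)
    scans = scan_windows(flows, exclude={s for s, _ in servers})
    report = {}
    for server, members in servers.items():
        hits = defaultdict(set)           # window index -> members scanning in it
        for m in members:
            for w in scans.get(m, ()):
                hits[w].add(m)
        for w, who in hits.items():
            if len(who) >= min_members:
                report[server] = (w, sorted(who))
    return report


if __name__ == "__main__":
    print("periodic pollers:", sorted(periodic_clients(FLOWS)))
    print("correlated groups:", correlated_groups(FLOWS))
```

The benign host contacts its web site seven times as well, but with wildly varying gaps, so the first check ignores it; the second check only considers hosts that survived the first, which keeps a single port scanner that does not talk to any polled server out of the botnet report. The evasions the article goes on to mention (randomised timing, encryption) would attack exactly these two assumptions, which is why the window and jitter tolerances are parameters rather than constants.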

BotSniffer is certainly not the only attempt to stamp out what has quickly become one of the Internet’s biggest problems. Desktop antivirus and security packages from all of the big brand security vendors are incorporating features aimed at locking out botnets by detecting and removing the malicious software that turns so many desktop computers into evil zombies. I think this highlights an important point: if botnets can be beaten, then the problem has to be attacked from several different angles. ISPs trying to detect command and control channels will most likely never have complete success. Once ISPs or network admins start to detect and isolate infected hosts, bots will undoubtedly find ways to avoid detection in just the same way that viruses do. They can encrypt communications, randomize behaviour, and so on. The analysis will get smarter, but it becomes a game of catch-up. If botnets are losing hosts due to improved desktop protection, then they come under pressure on several fronts and will find it hard to grow.


Spam blocking would be a good example of how various types of filtering can work together to block unsolicited junk e-mail. Around 85 percent of all incoming e-mail is blocked by my Barracuda Spam Firewall. This is achieved by combining techniques such as virus scanning, user policies, rate control, Bayesian analysis, rule-based scoring, and IP reputational analysis. Alone, no one of these forms of detection would be adequate; however, once combined they form a sturdy defence blocking 90-95 percent of the unwanted junk mail thrown at our servers daily.

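The point that no single filter is adequate but their sum is can be made concrete with a small scoring pipeline. The script below is an added example and has nothing to do with the Barracuda product’s internals: it combines four of the layers named above (IP reputation, rate control, rule-based scoring and a naive-Bayes token filter) by adding points and comparing the total to a threshold. The blocklist, the rules and their weights, the tiny training corpus and the batch of messages are all constructed for the demonstration. In the sample batch, the mass mailing is caught neither by rate control nor by the Bayesian score on its own; only their sum crosses the line.

```python
"""Layered spam scoring (added example, not the article's or any vendor's code).

Each layer contributes points independently; the message is blocked when the sum
reaches BLOCK_THRESHOLD. All data below is constructed.
"""
import math
import re
from collections import Counter

BLOCKLIST = {"192.0.2.66"}              # assumed bad-reputation sender addresses
RATE_LIMIT = 5                          # more than this many messages per sender in one batch
BLOCK_THRESHOLD = 4.0
BAYES_CAP = 3.0                         # keep one layer from dominating the total
RULES = [                               # (name, predicate, points) - constructed rules
    ("caps_subject", lambda m: len(m["subject"]) >= 10 and m["subject"].isupper(), 2.0),
    ("ip_literal_url",
     lambda m: re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", m["body"]) is not None, 2.5),
]

# Constructed training corpus for the Bayesian layer.
SPAM_CORPUS = ["cheap meds online buy now", "buy cheap watches online", "win money now click here"]
HAM_CORPUS = ["meeting notes attached please review", "lunch tomorrow at noon",
              "please review the attached report"]


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


def train(spam, ham):
    """Token counts per class plus totals and vocabulary size (for Laplace smoothing)."""
    s = Counter(t for m in spam for t in tokens(m))
    h = Counter(t for m in ham for t in tokens(m))
    vocab = len(set(s) | set(h))
    return s, h, sum(s.values()), sum(h.values()), vocab


MODEL = train(SPAM_CORPUS, HAM_CORPUS)


def bayes_llr(body, model=MODEL):
    """Sum over tokens of log P(t|spam) - log P(t|ham), clamped to +/-BAYES_CAP."""
    s, h, ns, nh, v = model
    llr = sum(math.log((s[t] + 1) / (ns + v)) - math.log((h[t] + 1) / (nh + v))
              for t in tokens(body))
    return max(-BAYES_CAP, min(BAYES_CAP, llr))


def score_message(msg, per_sender):
    """Points from each layer and their total for one message."""
    layers = {
        "reputation": 3.0 if msg["ip"] in BLOCKLIST else 0.0,
        "rate": 2.0 if per_sender[msg["ip"]] > RATE_LIMIT else 0.0,
        "rules": sum(pts for _, pred, pts in RULES if pred(msg)),
        "bayes": bayes_llr(msg["body"]),
    }
    layers["total"] = sum(layers.values())
    return layers


def classify_batch(msgs):
    """Return [(subject, layer scores, blocked)] for a batch of messages."""
    per_sender = Counter(m["ip"] for m in msgs)   # rate control needs the whole batch
    out = []
    for m in msgs:
        layers = score_message(m, per_sender)
        out.append((m["subject"], layers, layers["total"] >= BLOCK_THRESHOLD))
    return out


# Constructed batch: one blocklisted sender, one rule-triggering phish, two ham
# messages, and six copies of a mass mailing from one address.
MESSAGES = [
    {"ip": "192.0.2.66", "subject": "Cheap meds", "body": "buy cheap meds now"},
    {"ip": "198.51.100.20", "subject": "YOUR ACCOUNT NEEDS ATTENTION",
     "body": "click here to review your account http://203.0.113.5/login"},
    {"ip": "192.0.2.10", "subject": "Meeting notes", "body": "please review the attached notes"},
    {"ip": "192.0.2.11", "subject": "Lunch?", "body": "lunch tomorrow at noon"},
] + [{"ip": "198.51.100.9", "subject": "You won", "body": "win money now"}] * 6


if __name__ == "__main__":
    for subject, layers, blocked in classify_batch(MESSAGES):
        print(f"{'BLOCK' if blocked else 'allow':5} {layers['total']:6.2f}  {subject}")
```

Each layer is deliberately weak on its own: the reputation list only knows one address, the rules only fire on two patterns, rate control cannot tell a mailing list from a spam run, and the Bayesian filter has seen three examples of each class. The scoring makes their errors independent enough that the sum still separates the constructed batch, which is the property the article attributes to the combined filter.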

Network-based detection of botnets seems like a very good idea, and with programs like BotSniffer able to plug in to existing Intrusion Detection Systems, we could well see the tables turn on botmasters. I could see this type of traffic analysis being very effective at an ISP level; they already analyse traffic for illegal downloads, so I couldn’t see that listening for bots would be much of an additional burden.


Do you currently take any measures to detect or block unwanted and potentially dangerous network traffic? Bots, or even P2P and other rogue applications, can have a massive impact on network security and performance. If you do, I’d be interested to know what techniques you use; leave a comment and share your experience.

