Botnet

A botnet is a one-to-many control network formed between an attacker and a large number of hosts that have been infected, through one or more means of propagation, with bot programs. The attacker spreads bots through various channels on the Internet, infecting a large number of hosts, and the infected hosts receive the attacker's commands through a control channel; together they form the botnet. The name "zombie network" was chosen so that more people would picture the nature of the threat: a large number of computers are, without their owners' knowledge, driven and commanded like the zombie hordes of ancient Chinese legend, and used as a tool.

The concept of the botnet involves several key terms. A "bot program" (short for robot) is malicious code that implements the control function; a "zombie computer" is a computer into which a bot program has been implanted; and the "control server" is the central server used for control and communication. For botnets controlled over the IRC (Internet Relay Chat) protocol, the IRC chat server provides this function.

A botnet has three defining characteristics. First, it is a controlled network. "Network" here does not refer to a network topology in the physical sense; the botnet has a certain distribution, and as the bot program continues to spread, newly infected zombie computers are continually added to it. Second, this network is built by some form of malicious propagation, such as active exploitation of vulnerabilities, e-mail viruses, or the other means by which viruses and worms spread; in this sense a malicious bot program is itself a virus or worm. Third, and most important, a botnet can carry out the same malicious act in a one-to-many fashion, such as launching a distributed denial of service (DDoS) attack against a target site or sending large volumes of spam. It is this one-to-many control relationship that lets an attacker control a large pool of resources and put them to use cheaply and efficiently, and it is the root cause of the popularity of the botnet attack model among hackers in recent years. When malicious behaviour is carried out, the botnet serves as the attack platform, which is what distinguishes it from simple viruses and worms, and also from Trojan horses in the usual sense.

For users, it is very easy to become infected with a "zombie virus". Pretty faces and all kinds of amusing games on the web lure users into a single click.
But in fact nothing happens after the click; the whole thing was a hoax intended to lure the user into downloading the software in question. Once this malicious software is on the user's computer, the remote host can issue orders to it and control it. Experts say that on average hundreds of thousands of new zombie computers come under remote control every week and carry out all kinds of illegal activities at the command of the remote host. Most of the time, zombie computers do not know that they have been selected and are at the mercy of others. The growing prevalence of high-speed Internet access at home is one reason for the emergence of botnets. High-speed connections can carry (or generate) more traffic, and households with high-speed access tend to leave their computers switched on for long periods; only while a computer is on can the remote host issue orders to the zombie. As one Internet expert put it: "Although the hardware side attaches great importance to anti-virus and anti-hacker measures, the real network security vulnerabilities come from home users. Their lack of self-protection knowledge leaves the network full of landmines, which then pose a threat to other users."

The development of botnets

Botnets developed gradually out of the application of intelligent automatic programs. In early IRC chat networks, some services were needed over and over again, such as preventing a channel from being abused, managing privileges and recording channel events, and these functions could be handled by intelligent programs written by the channel managers. So in 1993 the IRC bot tool Eggdrop appeared, the first bot program, which helped users make easy use of the IRC chat network. The bot's functions were benign and designed for good purposes, but hackers adopted the same design concept: they wrote malicious bots with which they began to control large numbers of victim hosts and use their resources to achieve malicious goals.
In the late 1990s, as the concept of the distributed denial of service attack matured, a large number of DDoS attack tools such as TFN, TFN2K and Trinoo appeared, and attackers used them to control large numbers of infected hosts and launch distributed denial of service attacks. Hosts controlled in this way already had, in a certain sense, the prototype of a botnet. In 1999, at the eighth annual DEFCON meeting, SubSeven 2.1 was released; it was the first to use the IRC protocol to build the attacker's control channel, and it became the first bot program in the true sense. IRC-based bot programs such as GTBot and SDBot then proliferated, and botnets built on the IRC protocol became the mainstream. After 2003, as worm technology continued to mature, bots started to use the active propagation techniques of worms, which made it possible to build large botnets quickly. Notable examples are the 2004 outbreaks of Agobot/Gaobot and rBot/Spybot. In the same year Phatbot, built on the Agobot structure, began to build an independent control channel using P2P. From benign bots to malicious bot implementations, from passive reliance on worm propagation to active propagation techniques, and from a control channel built on the simple IRC protocol to complex P2P control structures, the botnet gradually developed into a large, versatile and hard-to-detect malicious network, and it poses a threat to Internet security today that cannot be ignored.

The working process of a botnet

The working process of a botnet comprises three phases: propagation, joining and control. A botnet first needs a certain number of controlled computers, and this scale is reached gradually as the bot program spreads through one or several means of propagation. The means used in the propagation phase include the following: (1) Active exploitation of vulnerabilities.
The principle is to attack vulnerabilities in the system to obtain access and then execute the bot program from the injected shellcode, so that the attacked system becomes an infected zombie host. The most basic form of this infection is an attacker manually running a series of attacks with hacking tools and scripts, obtaining access and then downloading and executing the bot program. Attackers also combine bots with worm technology so that the bot program spreads automatically; the well-known bot sample Agobot implements such automatic propagation. (2) E-mail viruses. A bot program can also spread itself by sending large numbers of e-mails. Usually the message carries the bot as an attachment, or its body contains a link to download and execute the bot program, and a series of social engineering techniques are used to induce the recipient to execute the attachment or click on the link; alternatively, vulnerabilities in the mail client are exploited so that this happens automatically and the recipient's host is infected as a zombie. (3) Instant messaging software. The bot uses instant messaging software to send every contact in the buddy list a link to a copy of the bot, and social engineering tricks the contacts into visiting it and becoming infected; the MSN "sexy chicken" worm (Worm.MSNLoveme), which broke out in early 2005, spread in this way. (4) Malicious website scripts. The attacker binds a malicious script into the HTML pages of a website he provides; when a visitor accesses the site, the malicious script runs, and the bot program is downloaded to the visitor's host and executed automatically. (5) Trojan horses. The bot is disguised as useful software and offered on websites, FTP servers and P2P networks to entice users to download and execute it. As these propagation means show, the way a botnet forms resembles the spread of worms and viruses, and its functional complexity resembles that of spyware.
In the joining phase, each infected host hides the bot program on itself and joins the botnet; how it joins depends on the control and communication protocol. In an IRC-based botnet, the bot program on the infected host logs in to the specified server and channel, and after a successful login it waits in the channel for malicious commands sent by the controller. Figure 2 shows new bots continually joining an actual botnet. In the control phase, the attacker sends pre-defined control commands through the central server, and the infected hosts carry out malicious behaviour such as launching DDoS attacks, stealing sensitive information from the host, and updating or upgrading other malicious programs. Figure 3 shows botnet network behaviour observed in the control phase, in which malware spreads within the botnet.

Classification of botnets

Botnets can be classified in many ways according to different criteria.

Classification by type of bot program. (1) Agobot/Phatbot/Forbot/XtremBot. These are probably the best-known bots. The anti-virus vendor Sophos lists more than 500 known versions of Agobot (Sophos virus analyses), and the number is growing steadily. The bot itself is written in the cross-platform C++ language. The latest available version of Agobot has clear code and a good abstract design, combined in a modular fashion, so adding commands, or scanners for other vulnerabilities and attack capabilities, is very simple. It also provides rootkit capabilities to hide files and processes, so that it can hide itself on the captured host. Reverse engineering a captured sample is quite difficult, because it contains functions that detect debuggers (SoftICE and OllyDbg) and virtual machines (VMware and Virtual PC). (2) SDBot/RBot/UrBot/SpyBot. This malware family is currently the most active bot software; SDBot is written in the C language.
It provides the same functional characteristics as Agobot, but its command set is not as large and its implementation is not as complex. It is a class of bot program based on the IRC protocol. (3) GT-Bots. GT-Bots are written on top of the currently popular IRC client mIRC; GT stands for Global Threat. These bots use scripts and other binary files to open a mIRC chat client while hiding the original mIRC window. The mIRC script connects to the specified server and channel and waits for malicious commands. Because the bot program is bundled with mIRC, it is relatively large, often larger than 1 MB.

Classification by control mode. (1) IRC botnets. These use the IRC protocol as the control and communication protocol; the main bot programs that form such botnets are Spybot, GTBot and SDBot, and most current botnets fall into this category. (2) AOL botnets. Similar to IRC bots, these are built on AOL's instant messaging service; the infected hosts log on to a fixed server to receive control commands. AIM-Canbot and Fizzer use AOL Instant Messenger to control their bots. (3) P2P botnets. The bot program used in this type of botnet itself contains a P2P client, can connect to servers using Gnutella technology (an open source file sharing technology), and uses the file-sharing protocol WASTE to communicate with other bots. Because the protocol connects bots in a distributed manner, each bot can easily find and communicate with other bots, and killing some of the bots does not affect the survival of the botnet, so this class of botnet has no single point of failure, at the cost of a relatively complex implementation. Agobot and Phatbot use the P2P approach.
The hazards of botnets

A botnet constitutes an attack platform, and this platform can be used to launch a variety of attacks effectively: it can cause failures of important applications on the basic information network or of whole systems, it can lead to substantial leakage of confidential information or personal privacy, and it can be used for network fraud and other criminal activities. The following attacks launched using botnets have already been observed; as new types of attack emerge in the future, botnets can be used to launch new and unknown attacks as well. (1) Denial of service attacks. Using a botnet to launch DDoS attacks is currently one of the most serious threats. An attacker can command all the bots under his control to begin continuously accessing a specific network target at a specific time, thereby achieving the purpose of DDoS. Because a botnet can be formed on a large scale, and the DDoS attack it launches can be synchronized well through the release of control commands, the DDoS becomes even more dangerous and harder to defend against. (2) Sending spam. Some bots set up SOCKS v4/v5 proxies, so that the botnet can be used to send bulk spam while hiding the sender's own IP information. (3) Stealing secrets. Whoever controls the botnet can steal a variety of sensitive information and other secrets from the zombie hosts, such as personal accounts and confidential data. Bot programs have also been observed using sniffers to capture data of interest from network traffic and so obtain secrets. (4) Abuse of resources. An attacker uses the botnet's network resources for a variety of activities that degrade the users' network performance and can even cause economic loss, for example planting adware, clicking on designated sites, using the bots' resources to store illegal data such as large files, and using bots to host fake banking websites for phishing.
It can be seen that botnets do serious harm both to the network as a whole and to the users themselves, and effective methods must be adopted to reduce that harm.

Botnet research status

Academic interest in botnets developed in 2003. Some members of the international Honeynet Project and Honeynet Research Alliance used honeynets to track and analyse botnet activity in depth, such as Bill McCarty of Azusa Pacific University, Richard Clarke of the French Honeynet Project, Dave Dittrich of the University of Washington, and the German Honeynet Project. In particular, from November 2004 to January 2005 the German Honeynet Project deployed Win32 honeypot machines, discovered and tracked nearly 100 botnets, and published a technical report on botnet tracking. Since a botnet is a major platform for launching DDoS (distributed denial of service) attacks on specified targets, DDoS researchers have also studied botnets. The foreign DDoSVax project "Detecting Bots in Internet Relay Chat Systems" analysed the behavioural characteristics of IRC-based bot programs and selected the corresponding relationships in network traffic to detect the presence of botnets. Its research method was to build a botnet in the PlanetLab experimental environment for testing; statistical analysis of the data obtained verified the traffic characteristics used in the analysis, but with some false positives. China began preliminary research on botnets in 2005.
The Institute of Computer Science and Technology of Peking University began tracking botnets with the Honeynet Project in January 2005. Collected malware samples are analysed using a sandbox and honeynet technology, combining the advantages of both, to confirm whether a sample is a bot and to extract the information the bot uses to connect to the botnet's control channel. To date more than 60,000 bot sample analysis reports have been produced, more than 500 still active botnets are being tracked, and statistics on their national distribution, size distribution and other properties have been compiled. Through the 863-917 network security monitoring platform, the National Emergency Response Center monitored botnets of more than 1,000 nodes in 2005; the statistics on their size and number are shown in Figure 4. Both the data and the observed activity show that the botnet threat to China's Internet is serious and deserves the attention of network users. The CCERT malicious code research group began botnet research in July 2005. Based on actual tracking and in-depth analysis of a large number of known botnets, it classified and extracted the server-side features of IRC-based botnets and formed server-side rules for judging botnets, so that IRC servers on the network can be identified by their nature. It has designed and initially implemented an automatic botnet identification system, which is used in the China Education and Research Network environment. It can be seen that, at home and abroad, research on botnets has attracted more and more attention from network security researchers since 2004 and has been greatly strengthened. But this work is not yet sufficient; there is still much to do in the detection and disposal of botnets.

Botnet research methods

Current research methods for botnets based on the popular IRC protocol mainly use honeynet technology, network traffic analysis, and IRC server identification technology. (2) Network traffic analysis.
The idea behind network traffic analysis is to use the behavioural characteristics of zombie hosts in IRC-based botnets, which divide bots into two categories: the long-idle type and the rapid-join type. Specifically, bots in a botnet show three obvious behavioural characteristics. First, a large number of computers infected by the bot's worm propagation connect to the same IRC server within a very short time. Second, zombie computers usually stay online for a long time. Third, as IRC chat users, zombie computers remain idle in the chat channel for a long time without speaking. The first characteristic is summarized as the rapid-join type, and the second and third are grouped into the long-idle type. By examining the changes in network traffic corresponding to these two behaviour types, using both offline and online methods, a botnet can be identified. (3) IRC server identification technology. By logging in to the server side of many actual IRC-based botnets, one can see that attackers deliberately conceal some properties of the IRC server in order to hide it. Meanwhile, analysis of bot source code shows that when infected hosts join the control server, the server exhibits many regular characteristics. Summarizing these features yields rules that can be used to judge whether an IRC server belongs to a botnet, so that the botnet's location, size, distribution and other properties can be determined directly, providing positioning support for the next step of effective response measures. All three methods target IRC-based botnets. P2P botnet structures have been studied less, because their implementation is more complex, they do not yet account for a large share of the network, and their distributed control makes research more difficult.
But as botnets develop, research on the P2P botnet structure will be further deepened.
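The two behavioural profiles described in the traffic analysis method (rapid-join and long-idle hosts), as an added detection example that is not code from the original article: it parses constructed IRC connection log lines and flags server/channel pairs whose clients match either profile. The log line layout, the field names and the thresholds (60-second join window, five hosts, one hour online, zero messages) are assumptions made for this example.

```python
"""Heuristic detection of IRC-botnet hosts from connection logs.

Added example, not code from the original article.  It implements the two
behavioural profiles the text describes: rapid-join (many distinct hosts
joining the same IRC server/channel within a short window) and long-idle
(sessions that stay connected a long time while never speaking).
Log format, field names and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch
    host: str      # client address that produced the event
    server: str    # IRC server the client is connected to
    channel: str   # channel joined, spoken in, or left
    kind: str      # "JOIN", "PRIVMSG" or "PART"


# Assumed log line layout: "<ts> <host> <server> <channel> <JOIN|PRIVMSG|PART>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(#\S+)\s+(JOIN|PRIVMSG|PART)$")

# Constructed sample log (not real traffic).  Eight hosts pile into
# irc.example.net #cmd within 30 seconds and never speak; two ordinary
# users join irc.legit.org #linux at different times and chat.
T0 = 1_700_000_000
OBSERVATION_END = T0 + 7200
SAMPLE_LOG = [f"{T0 + off} 10.0.0.{i} irc.example.net #cmd JOIN"
              for i, off in enumerate((0, 3, 7, 12, 15, 20, 24, 29), start=1)]
SAMPLE_LOG += [
    f"{T0} 192.0.2.10 irc.legit.org #linux JOIN",
    f"{T0 + 600} 192.0.2.10 irc.legit.org #linux PRIVMSG",
    f"{T0 + 1500} 192.0.2.10 irc.legit.org #linux PRIVMSG",
    f"{T0 + 3000} 192.0.2.10 irc.legit.org #linux PART",
    f"{T0 + 900} 192.0.2.11 irc.legit.org #linux JOIN",
    f"{T0 + 950} 192.0.2.11 irc.legit.org #linux PRIVMSG",
    "this line is malformed and must be skipped",
]


def parse_log(lines):
    """Parse log lines into Events sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, server, channel, kind = m.groups()
            events.append(Event(int(ts), host, server, channel, kind))
    return sorted(events, key=lambda e: e.ts)


def rapid_join_clusters(events, window=60, min_hosts=5):
    """Rapid-join profile: for each (server, channel) find the largest set of
    distinct hosts whose JOINs fall inside any `window`-second span, and
    report the pairs where that set has at least `min_hosts` members."""
    joins = defaultdict(list)
    for e in events:
        if e.kind == "JOIN":
            joins[(e.server, e.channel)].append((e.ts, e.host))
    clusters = {}
    for key, lst in joins.items():
        lst.sort()
        best, left = set(), 0
        for right in range(len(lst)):          # sliding window over join times
            while lst[right][0] - lst[left][0] > window:
                left += 1
            hosts = {h for _, h in lst[left:right + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            clusters[key] = best
    return clusters


def long_idle_hosts(events, observation_end, min_online=3600, max_msgs=0):
    """Long-idle profile: sessions connected for at least `min_online` seconds
    that sent no more than `max_msgs` PRIVMSGs.  A session with no PART is
    treated as still open at `observation_end`."""
    sessions = {}  # (host, server, channel) -> [join_ts, part_ts or None, msgs]
    for e in events:
        key = (e.host, e.server, e.channel)
        if e.kind == "JOIN":
            sessions[key] = [e.ts, None, 0]
        elif key in sessions and e.kind == "PRIVMSG":
            sessions[key][2] += 1
        elif key in sessions and e.kind == "PART":
            sessions[key][1] = e.ts
    idle = set()
    for key, (start, end, msgs) in sessions.items():
        duration = (observation_end if end is None else end) - start
        if duration >= min_online and msgs <= max_msgs:
            idle.add(key)
    return idle


def classify(events, observation_end, min_hosts=5):
    """Combine both profiles; a (server, channel) pair is suspect when it shows
    a rapid-join cluster or at least `min_hosts` long-idle clients."""
    clusters = rapid_join_clusters(events, min_hosts=min_hosts)
    idle = long_idle_hosts(events, observation_end)
    idle_by_pair = defaultdict(set)
    for host, server, channel in idle:
        idle_by_pair[(server, channel)].add(host)
    suspect = set(clusters)
    suspect.update(k for k, hosts in idle_by_pair.items() if len(hosts) >= min_hosts)
    return {"rapid_join": clusters, "long_idle": idle, "suspect_pairs": suspect}
```

Running `classify(parse_log(SAMPLE_LOG), OBSERVATION_END)` flags only irc.example.net #cmd; the two chatting users on irc.legit.org match neither profile at the default thresholds.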
Translated by Google
No. 2
僵尸网络
僵尸网络
Botnet Botnet Botnet refers to the use of one or more means of communication, the large number of hosts infected with bot programs (bots), so in the control and those being formed between the infected host a one to many control network. Attacker bots spread through various channels on the Internet, a large number of infected hosts, and the infected host through a control channel to receive the attacker's command to form a botnet. The reason to use the name of botnets is to let more people realize the image of the characteristics of such hazards: a large number of computers unknowingly as the ancient Chinese legend of the zombie group as being driven and in command, as was use of a tool. The concept of the Botnet have several key words. "Bot program" is short for robot, is the control function to achieve malicious code; "zombie computer" is to be implanted in a computer bot; "Control Server (Control Server)" refers to the control and communications to a central server, based on IRC (Internet Relay Chat) protocol to control the Botnet, the means to provide IRC chat server. Botnet The first is a controlled network, this network does not mean that has the physical meaning of the network topology, it has a certain distribution, with the continuous spread of bot program there have been new positions added to the zombie computers to the network . Second, this network is to use a certain form of malicious means of communication, such as active exploits, e-mail viruses and worms, viruses and other means of communication, can be used for the spread of Botnet, in this sense, the malicious bot program is a virus or worm. 
Lastly and most important features of Botnet, is that we can implement the same one to many malicious acts, such as the target site can be of a distributed denial of service (DDos) attack, and send a lot of spam, and are this is the control-to-many relationship, allows an attacker to a very low price for a lot of resources to efficiently control their services, which is the Botnet attack mode favored by hackers in recent years, the root cause. When in the implementation of malicious behavior, Botnet attacks served as a platform for the role, which also makes the Botnet different from the simple viruses and worms, Trojan horse also different from the usual sense. Of users, the infected "zombie virus" is very easy. Behavior among the beauties on the network, a variety of fun games, attracting users in one click. But in fact, nothing happened after clicking, the original all just a hoax, intended to lure users to download the software in question. Once this toxic to the users computer software into the remote host can give orders to the computer control. Experts say hundreds of thousands of average weekly fancy new remote control zombie computers, despite the remote host command, a variety of illegal activities. Most of the time, zombie computers do not know they had been _select_ed, the mercy of others. The emergence of botnets, high-speed Internet access at home is becoming increasingly common reason. High-speed Internet can handle (or create) more traffic, but high-speed Internet access for a long time the family used to boot the computer, only computer on, the remote host computer can issue orders to the zombies. Internet expert said: "It is important though hardware attaches great importance to anti-virus, anti-hacker, but the real network security vulnerabilities from home users, the lack of self-protection knowledge of the self-employed, so that the network is full of landmines, and then pose a threat to other users." 
The development of Botnet Botnet is a process with the Intelligent Application of automatic and gradually developed. IRC chat network in the early, some services are recurring, such as to prevent the channel is the abuse of management authority, recording a series of functions Pindao events can be prepared by the managers completed intelligent programs. So in 1993, the IRC chat network appeared Bot tools - Eggdrop, this is the first bot program that can help users easily use IRC chat networks. The bot features are benign, is out of the purpose, but this design concept was used by the hackers, they write a malicious Bot with tools to begin to control a large number of the victim host, the use of their resources to achieve malicious goals. The late 20th century, 90, with the concept of a distributed denial of service attacks mature, there has been a large number of distributed denial of service attack tools such as TFN, TFN2K and Trinoo, attackers use these tools to control a large number of infected hosts to launch distributed denial of service attack. Those charged with a certain sense, the host already has a prototype of Botnet. In 1999, the annual meeting of the eighth DEFCON released SubSeven 2.1 version of agreement to start using IRC bots build attacker's control channel, also became the first true sense of the bot program. Bot based on IRC protocol followed by the large numbers of procedures, such as GTBot, Sdbot, etc., making agreement on IRC Botnet into the mainstream. After 2003, as technology continues to mature worm, bot started the spread of active worms spread of technology to be able to quickly build a large-scale Botnet. Notably the 2004 outbreak Agobot / Gaobot and rBot / Spybot. In the same year in the Agobot Phatbot, based on the structure began to build an independent control channel using P2P. 
From the appearance of benign to malicious bot bot implementation, from the passive use of the worm spread to the active dissemination of technology, from the use of a simple IRC Agreement constitutes the control channel to build the structure of complex P2P control mode, Botnet evolved into large, versatile and difficult to detect malicious network, to bring the current Internet security threats can not be ignored. Botnet work process Botnet work process, including communication, adherence to and control of the three phases. A Botnet is needed first charged with a certain amount of computers, and this scale is gradually with the introduction of a means of communication or a bot program of several proliferation of the formation, in the communication process has the following several means : (1) active attack vulnerability. The principle is to attack the loopholes in the system to obtain access, and bot program implementation in Shellcode injection code, the system will be infected with a zombie attack the host. Such infections are the most basic way is to manually attacker hacking tools and scripts using a series of attacks, access permissions to download bot program execution. Attacker bots and worms also will combine technology, enabling automated bot programs to spread the famous bot sample AgoBot, the bot program is to realize the automatic transmission. (2) e-mail virus. bot program also e-mail by sending a large number of transmission of the virus itself, usually presents in the mail attachment in the message carried bots and download the content contains a link to the implementation of bot programs, and through a series of social engineering techniques to induce the recipient execution attachment or click on a link, or through the use of loopholes in mail client automatically, so that the recipient host was infected as bots. (3) instant messaging software. 
Using instant messaging software to buddy list send a link to the implementation of bots, and skills through social engineering trick of their visit to the infection, such as the outbreak in early 2005 MSN sexy chicken (Worm.MSNLoveme) is used in this way. (4) malicious site scripting. Web services in the provision of the attacker's Web site to bind the malicious HTML script on the page, when a visitor accesses these sites will run a malicious script, making the bot program is downloaded to the host, and automatically executed. (5) Trojan horse. Disguised as useful software, the Web site, FTP server, P2P networks offer to entice users to download and execute. Several of the above means of communication can be seen in the formation of Botnet way to spread worms and viruses, and spyware functionality is very similar to the complex. Prior to joining phase, each host will be infected with the bot hidden in its own procedures to Botnet attack to go, way to join under the control and communication protocols vary. Botnet-based IRC protocol, the infected host bot program to log on to the designated server and channel to go, the login is successful, the controller waits in the channels sent to the malicious command. Figure 2 shows the actual Botnet constantly see new bot to the behavior of Botnet. In the control phase, the attacker through the central server to send pre-defined control instructions, so that the infected host malicious behavior, such as launch DDos attacks, theft of the host sensitive information, updates and other malicious programs to upgrade. Figure 3 is observed in the control phase of inward spread of malicious programs Botnet network behavior. Botnet classification Botnet based on different classification criteria, can have many kinds of classification. Classification by type of bot program (1) Agobot / Phatbot / Forbot / XtremBot. This is probably the most well-known bots. 
Anti-virus vendors Spphos lists more than 500 known species of different versions of Agobot (Sophos virus analysis), this number is steadily growing. Bot itself using the cross-platform C + + language. Agobot the latest version of the code clear and available to have a good abstract design, combined in a modular fashion, adding the command or other vulnerabilities and attack capabilities of the scanner is very simple and provides the hidden files and processes as the ability to capture host Rootkit to hide themselves. After obtaining the samples in reverse engineering it is quite difficult, because it contains the monitor debugger (Softice and O11Dbg) and virtual machine (VMware and Virtual PC) the function. (2) SDBot / RBot / UrBot / SpyBot /. This family of malware is currently the most active bot software, SDBot written by the C language. It provides the same functionality and features of Agobot, but the command _set_ is not so big, to achieve was not so complicated. It is based on IRC protocol of a class of bot programs. (3) GT-Bots. GT-Bots are based on current popular mIRC IRC client written in, GT is the (Global Threat) acronym. Such bots and other binary files with a script to open a mIRC chat client, but it will hide the original mIRC window. MIRC script by executing the server to connect to the specified channel and wait for malicious commands. Bot program such as mIRC program bundled, so the volume will be relatively large, often larger than 1MB. Botnet classification according to the control mode (1) IRC Botnet. Refers to the control and communication protocol for the use of IRC Botnet, the formation of the major bot programs such Botnet has spybot, GTbot and SDbot, present, most of Botnet fall into this category. (2) AOL Botnet. Similar with IRC Bot, AOL is an AOL instant messaging services, such Botnet is based on the formation of this network of IM services established, infected hosts on the server to log on to the fixed receive control commands. 
AIM-Canbot and Fizzer using AOL Instant Messager to achieve control of Bot. (3) P2P Botnet. Botnet bot used in such program itself contains a P2P client, Gnutella can be connected to the use of technology (an open source file sharing technology) server, using file-sharing protocol WASTE communicate with each other. Because of this protocol to connect a distributed manner to make each of bots can easily find other bots and communicate, and when the bot is killing some time and will not affect the survival of Botnet, so it Botnet class with no single point of failure but achieve relatively complex features. Agobot and Phatbot using P2P approach. Botnet hazards Botnet attacks constitute a platform for the effective use of this platform can initiate a variety of attacks, can lead to the important applications of basic information networks or system failures, can also lead to substantial leakage of confidential or personal privacy can also be used in network fraud and other criminal activities. The following are already discovered the use of Botnet attack behavior. With the future emergence of various new types of attacks, Botnet can also be used to initiate new and unknown attacks. (1) denial of service attacks. Launch a DDos attack using Botnet is currently one of the most important threat, an attacker can control all the bots to send their own commands, so that they start at a specific time while a continuous network access to specific targets to achieve DDos purposes. Since the formation of large-scale Botnet can, and use its to DDos attack can do a better sync, so the release of control commands, can make an even greater risk DDos, prevention more difficult. (2) to send spam. Some bots will _set_ up sockv4, v5 proxy, so that you can use Botnet send large amounts of spam and the sender can be well hidden its own IP information. (3) to steal secrets. 
The botnet controller can steal a variety of sensitive information and other secrets from the zombie hosts, such as personal account numbers and confidential data. At the same time, the bot program can use a sniffer to observe network traffic and pick out the network data of interest.

(4) Abuse of resources. The attacker uses the botnet's network resources for various activities, so that the users' network performance suffers and they may even incur economic losses. Examples: planting adware and clicking on designated sites; using the bots' resources to store illegal data such as large files; and using bots to host fake banking websites for phishing.

It can be seen that botnets cause serious harm both to the network as a whole and to the users themselves, so effective methods must be adopted to reduce that harm.

Botnet Research Status

Academic attention to botnets began in 2003. Internationally, some members of the Honeynet Project and the Honeynet Research Alliance have used honeynets to track and analyze botnet activity in depth, for example Bill McCarty of Azusa Pacific University, Richard Clarke of the French Honeynet Project, Dave Dittrich of the University of Washington, and the German Honeynet Project. In particular, between November 2004 and January 2005 the German Honeynet Project deployed Win32 honeypot machines, discovered and tracked nearly 100 botnets, and released a technical report on botnet tracking.

Because a botnet is the main platform for launching DDoS (distributed denial-of-service) attacks against a specified target, DDoS researchers have also studied botnets. The DDoSVax project abroad organized the study "Detecting Bots in Internet Relay Chat Systems", which analyzed the behavioral characteristics of IRC-protocol bot programs and selected the corresponding network traffic features to detect the presence of a botnet.
The DDoSVax project tested this method by building a botnet in an experimental environment on PlanetLab; statistical analysis of the data obtained showed that the traffic features can effectively identify a botnet, although with some false positives.

China began preliminary botnet research in 2005. In January 2005 the Institute of Computer Science and Technology of Peking University began tracking botnets with the Honeynet project: collected malware samples are analyzed with sandbox and honeynet technologies, whose advantages complement each other, to confirm whether each sample is a bot and to extract the information needed to connect to its botnet control channel. Ultimately more than 60,000 bot sample analysis reports were produced, and more than 500 botnets that were still active were tracked, with statistics on their national distribution, size distribution and other information. The national computer network emergency response center (CNCERT/CC), through its 863-917 network security monitoring platform, monitored more than 1,000 botnets in 2005; their size statistics are shown in Figure 4. These data and activities show that botnets are a serious threat on China's networks and need the close attention of Internet users.

The CCERT malicious code research group began botnet research in July 2005. On the basis of actual tracking and in-depth analysis of a large number of known botnets, it classified and extracted the server-side characteristics of IRC-protocol botnets, forming rules for judging a botnet on the server side, so that the nature of an IRC server on the network can be identified. It designed and initially implemented an automatic botnet identification system, which is used in the China Education and Research Network environment.

It can be seen that, at home and abroad, botnet research has attracted more and more attention from network security researchers since 2004, and the research work has been greatly strengthened. But that work is still not enough: much remains to be done in the detection and disposal of botnets.
Botnet research methods

Research methods for the currently popular IRC-protocol botnets mainly use honeynet technology, network traffic identification technology, and IRC server identification technology.

(1) Honeynet technology. As in the tracking work described above, honeypots capture bot samples, analysis of the samples extracts the information needed to join the botnet's control channel, and the botnet is then tracked from inside.

(2) Network traffic identification. This approach is based on the behavioral characteristics of bots in an IRC botnet, which divide the bots into two categories: the quick-join type and the long-idle type. Specifically, the zombie hosts in a botnet show three obvious behavioral characteristics. First, the bot spreads like a worm, so a large number of infected computers join the same IRC server within a very short time. Second, zombie computers are usually online for a long time. Third, as IRC chat users, the bots stay in the chat channel for a long time without ever speaking, remaining idle. The first characteristic is summarized as the quick-join type, and the second and third as the long-idle type. By observing the corresponding changes in network traffic for these two types of zombie computer, using both offline and online methods, a botnet can be identified.

(3) IRC server identification technology. By logging on to the server side of many actual IRC-protocol botnets, one can see that attackers, in order to hide their servers, deliberately conceal some of the IRC server's properties. Meanwhile, analysis of bot source code shows that when an infected host joins the control server, the server exhibits many characteristics with regularity. Summarizing these features yields rules for identifying the server side of IRC-protocol botnets, so that the location, scale, distribution and other properties of a botnet can be determined directly, providing positioning support for the next step of effective response measures.

All three methods target IRC-protocol botnets.
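The two behavioral classes in (2) can be turned directly into detection logic. The following Python script is an added example, not code from this article or from the DDoSVax or CCERT work it cites. It replays a captured IRC session log and flags a channel as quick-join when many distinct nicks join it inside a short window, and as long-idle when most members stay online for hours without sending a single message. The capture format (a Unix timestamp followed by the raw RFC 1459 line), the thresholds, and the sample traffic are all assumptions constructed for illustration.

```python
"""Behavioral detection of IRC bot channels (quick-join / long-idle).

Added example, not code from the original article or the projects it cites.
The capture format, the thresholds and the traffic below are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed capture format: "<unix time> <raw IRC line>", the raw line as in RFC 1459,
# e.g. "1105524001 :bot01!u@10.0.0.1 JOIN :#x"
LINE_RE = re.compile(r"^(?P<ts>\d+) :(?P<nick>[^!\s]+)![^\s]+ (?P<cmd>[A-Z]+)(?: (?P<rest>.*))?$")

QUICK_JOIN_WINDOW = 60      # seconds
QUICK_JOIN_MIN = 20         # distinct joins to one channel inside the window
IDLE_MIN_ONLINE = 6 * 3600  # a silent member online this long counts as long-idle
IDLE_MIN_FRACTION = 0.8     # share of members that must be long-idle

@dataclass
class Member:
    joined: int
    left: Optional[int] = None
    messages: int = 0

@dataclass
class Channel:
    joins: list = field(default_factory=list)    # join timestamps
    members: dict = field(default_factory=dict)  # nick -> Member

def parse_capture(lines):
    """Replay captured IRC lines into per-channel join/quit/message state."""
    channels = defaultdict(Channel)
    nick_chans = defaultdict(set)
    last_ts = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # server numerics, PING/PONG and malformed lines are ignored
        ts, nick, cmd, rest = int(m["ts"]), m["nick"], m["cmd"], m["rest"] or ""
        last_ts = max(last_ts, ts)
        if cmd == "JOIN":
            chan = rest.lstrip(":")
            channels[chan].joins.append(ts)
            channels[chan].members[nick] = Member(joined=ts)
            nick_chans[nick].add(chan)
        elif cmd == "PRIVMSG":
            chan = rest.split(" ", 1)[0]
            if chan in channels and nick in channels[chan].members:
                channels[chan].members[nick].messages += 1
        elif cmd in ("PART", "QUIT"):
            targets = [rest.split(" ", 1)[0]] if cmd == "PART" else list(nick_chans[nick])
            for chan in targets:
                mem = channels[chan].members.get(nick)
                if mem and mem.left is None:
                    mem.left = ts
                nick_chans[nick].discard(chan)
    return channels, last_ts

def quick_join(chan):
    """Worm-like spread: many hosts join the same channel within a very short time."""
    ts = sorted(chan.joins)
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > QUICK_JOIN_WINDOW:
            lo += 1
        if hi - lo + 1 >= QUICK_JOIN_MIN:
            return True
    return False

def long_idle(chan, capture_end):
    """Members stay online for a long time and never speak in the channel."""
    if not chan.members:
        return False
    idle = 0
    for mem in chan.members.values():
        online = (mem.left if mem.left is not None else capture_end) - mem.joined
        if mem.messages == 0 and online >= IDLE_MIN_ONLINE:
            idle += 1
    return idle / len(chan.members) >= IDLE_MIN_FRACTION

def classify(lines):
    """Return {channel: set of matched behaviour types} for a capture."""
    channels, end = parse_capture(lines)
    verdict = {}
    for name, chan in channels.items():
        tags = set()
        if quick_join(chan):
            tags.add("quick-join")
        if long_idle(chan, end):
            tags.add("long-idle")
        verdict[name] = tags
    return verdict

def constructed_capture():
    """Constructed sample: one human channel and one bot channel over eight hours."""
    t0 = 1105524000
    lines = []
    # #linux: five users drifting in over an hour, each saying something
    for i in range(5):
        lines.append(f"{t0 + i*700} :user{i}!u@192.0.2.{i} JOIN :#linux")
        lines.append(f"{t0 + i*700 + 300} :user{i}!u@192.0.2.{i} PRIVMSG #linux :anyone awake?")
    # #x: thirty freshly infected hosts joining within 30 seconds, then silent
    for i in range(30):
        lines.append(f"{t0 + 3600 + i} :[XP]{i:05d}!b@10.0.{i//256}.{i%256} JOIN :#x")
    # a QUIT eight hours later marks the end of the capture window
    lines.append(f"{t0 + 8*3600} :user0!u@192.0.2.0 QUIT :leaving")
    return lines

if __name__ == "__main__":
    for chan, tags in sorted(classify(constructed_capture()).items()):
        print(f"{chan:8s} {sorted(tags) or ['no bot behaviour']}")
```

Running it reports #linux as clean and #x as both quick-join and long-idle. The thresholds are the tunable part: a burst of joins to a newly announced human channel can trip the quick-join rule on its own, which is one source of the false positives mentioned above, so the example keeps the two signals separate and lets the operator require both.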
Botnets with a P2P structure have been studied less, both because their implementation is more complex and they do not yet account for a large proportion of botnets on the network, and because their distributed control makes research more difficult. But as botnets develop, research on P2P botnets will be deepened further.
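To make the single-point-of-failure contrast between the IRC and P2P control modes concrete, the following Python script is an added example, not code from this article or from Agobot or Phatbot. It compares a star-shaped IRC control structure with a randomly wired P2P mesh by removing nodes and measuring how many surviving bots a command can still reach. The network size (200 bots), peer degree (3), removal fraction and random seeds are assumptions chosen for illustration.

```python
"""Single point of failure: centralized (IRC) vs. P2P command channel.

Added example, not code from the original article or any bot family it
names. It models only the structural claim from the classification
section: IRC bots all hang off one control server, whereas P2P bots each
link to several peers, so cleaning some bots does not cut off the rest.
Network size, peer degree, removal fraction and seeds are assumptions.
"""
import random
from collections import deque

SERVER = 0  # node 0: the IRC control server, or the operator's own peer in the P2P case

def build_centralized(n_bots):
    """Star topology: every bot talks only to the control server."""
    adj = {SERVER: set()}
    for b in range(1, n_bots + 1):
        adj[SERVER].add(b)
        adj[b] = {SERVER}
    return adj

def build_p2p(n_bots, degree, seed=1):
    """Each node links to `degree` random peers; links are symmetric."""
    rng = random.Random(seed)
    nodes = list(range(n_bots + 1))
    adj = {v: set() for v in nodes}
    for v in nodes:
        for w in rng.sample([u for u in nodes if u != v], degree):
            adj[v].add(w)
            adj[w].add(v)
    return adj

def reachable_fraction(adj, dead, source):
    """Share of surviving nodes that a command injected at `source` reaches."""
    alive = [v for v in adj if v not in dead]
    if source in dead or not alive:
        return 0.0
    seen = {source}
    queue = deque([source])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dead and w not in seen:
                seen.add(w)
                queue.append(w)
    return len(seen) / len(alive)

def worst_single_failure(adj):
    """Lowest reach over every possible single-node takedown, assuming the
    operator can re-inject commands from any surviving node it controls."""
    worst = 1.0
    for victim in adj:
        survivor = next(v for v in adj if v != victim)
        worst = min(worst, reachable_fraction(adj, {victim}, survivor))
    return worst

def random_takedown(adj, fraction, seed=2):
    """Reach after cleaning `fraction` of the nodes chosen at random."""
    rng = random.Random(seed)
    dead = set(rng.sample(sorted(adj), int(fraction * len(adj))))
    survivor = next(v for v in sorted(adj) if v not in dead)
    return reachable_fraction(adj, dead, survivor)

if __name__ == "__main__":
    star, mesh = build_centralized(200), build_p2p(200, 3)
    print("centralized, server removed:   ", reachable_fraction(star, {SERVER}, 1))
    print("centralized, worst single node:", worst_single_failure(star))
    print("p2p, worst single node:        ", worst_single_failure(mesh))
    print("p2p, 30% of nodes cleaned:     ", random_takedown(mesh, 0.3))
```

In the star, removing any one bot changes nothing but removing the server leaves every remaining bot unreachable, which is exactly the single point of failure that server-side identification (method (3) above) exploits. In the mesh, no single node matters, and even cleaning 30% of the nodes at random leaves the operator able to reach almost every survivor from whichever peer it still holds. That same property is what makes P2P botnets harder to study: there is no central server to log on to or to locate.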