Wednesday, December 8, 2010

Botnet
A botnet is a network formed when an attacker uses one or more means of dissemination to infect a large number of hosts with a bot program (zombie program), establishing a one-to-many control relationship between the controller and the infected hosts. The attacker spreads the bot program across the Internet through various channels; each infected host then receives the attacker's instructions over a control channel, and together these hosts form the botnet. The name "botnet" (zombie network) was chosen to give a vivid picture of the harm involved: a large number of computers, without their owners noticing, are driven and commanded like the zombie hordes of ancient legend and become tools for the attacker's use.

Concept introduction

The Botnet concept involves a few terms. "Bot program" is short for robot and refers to malicious code that implements a control function. "Zombie computer" is a computer implanted with a bot program. "Control server" refers to the server acting as the control and communication center; in an IRC-based (Internet Relay Chat protocol) botnet it is the server providing the IRC chat service. A botnet is a kind of engine driving malicious Internet behaviour: a DDoS attack uses service requests to exhaust the resources of the attacked network system so that it can no longer handle legitimate user requests. DDoS attacks take many forms, but the most typical is traffic flooding, which consumes large amounts of bandwidth without consuming application resources. DDoS attacks are not new; over the past decade, with the rise of botnets, they have grown rapidly and come into widespread use. For DDoS attacks a botnet provides the "firepower" (bandwidth and computers) and the infrastructure needed to manage the attack.

Network characteristics

First

A botnet is a control network, but not a network with a physical topology; it is distributed, and as the bot program keeps spreading, new zombie computers are continually added to the network. When the zombie virus is planted on a computer by someone, the machine is said to emit a beep for two seconds.

Secondly

The network is formed by malicious means such as active vulnerability attacks, e-mail viruses, and so on. All the propagation methods used by viruses and worms can be used to spread a botnet; in this sense the bot program is itself a kind of virus or worm.

Finally

The final and main characteristic of a botnet is its one-to-many control: the controller can make many hosts execute the same malicious behaviour, such as launching a distributed denial of service (DDoS) attack against one target site or sending spam simultaneously. This one-to-many control relationship lets an attacker efficiently control a large amount of resources at extremely low cost, which is the basic reason botnets have become the attack mode favoured by hackers in recent years. In carrying out malicious behaviour the botnet acts as an attack platform, which distinguishes it from simple viruses and worms and from the Trojan horse in its usual sense.

Here we can quote a definition from researchers at home and abroad: a botnet is a large number of bot-infected computers that an attacker, for malicious purposes, has spread to and controls through a one-to-many command and control channel; this network is what we call a botnet.

Emergence reason

A botnet is a group of Internet computers under the centralized control of hackers, often used by them to launch large-scale network attacks such as distributed denial of service (DDoS) attacks and mass spam; the information held on these computers, such as bank account passwords and social security numbers, is also available to the hackers at will. Therefore, whether for network security operations or for the protection of user data, a botnet is an extremely serious hidden threat, and botnets have become a problem that attracts great international attention. Discovering a botnet is very difficult, however, because the hacker usually controls the bots remotely and they are hidden and scattered across the web; the users of the hosts are not informed. Botnets are therefore currently the most popular tool for Internet crime.

For Internet users, "infection by a zombie virus is very easy." Online, all kinds of seductive little games attract users into a gentle click of the mouse. In fact nothing happens after the click; the whole thing was a scam intended to lure users into downloading the problem software. Once this malicious software is on a user's computer, a remote host can give it orders and manipulate the computer. Only by downloading antivirus software can it be detected.

Experts say that on average hundreds of thousands of zombies are added every week to be remotely controlled, taking commands from a remote host to carry out all kinds of illegal activities. Most of the time the zombie's owner does not realize the machine has been selected and is being acted upon.

The increasing prevalence of high-speed home Internet access is also a factor in the emergence of botnets. High-speed access can handle (or generate) more traffic, and households with high-speed access tend to leave the computer running for long periods without rebooting; as long as the computer is on, the remote host can command the zombie.

Network experts say: "Although important hardware facilities take antivirus and anti-hacker measures very seriously, the real network security vulnerabilities come from home users. These SOHO users lack the knowledge to protect themselves, leaving the network full of mines and posing a threat to other users."

Development process

Botnets developed gradually alongside automated programs. In the early days of IRC chat networks, some repetitive services, such as preventing abuse, managing channel privileges, and recording channel events, could be handled by written programs. So in 1993 a Bot tool, Eggdrop, appeared on the IRC chat network; it was the first Bot program and helped users use IRC chat networks more conveniently. Its function was benign and it was written for service purposes, but hackers borrowed its design ideas and wrote malicious bot tools, beginning the large-scale control of victim hosts and the use of their resources for malicious ends.

At the end of the 1990s, as the concept of distributed denial of service attacks matured, a large number of DDoS tools such as TFN, TFN2K and Trinoo appeared, and attackers used these tools to control many infected hosts and launch distributed denial of service attacks. These controlled hosts were in a sense the prototype of the botnet.

In 1999, at the eighth DEFCON annual conference, SubSeven version 2.1 was released; it began using the IRC protocol to build the attacker's bot control channel and became the first true bot program. A large number of IRC-protocol-based bot programs followed, such as GTBot and SDBot, making IRC-protocol-based botnets the mainstream.

Since 2003, as worm technology matured, bot programs began to use the active propagation techniques of worms, allowing large-scale botnets to be built quickly. Well-known outbreaks in 2004 were Agobot/Gaobot and rBot/Spybot. In the same year Phatbot, built on Agobot, began to use a P2P structure to construct its control channel.

From the appearance of benign bots to the realization of malicious bots, from passive propagation to active propagation using worm technology, from a control channel built on the simple IRC protocol to a complex and changeable P2P control structure, botnets have gradually developed into malicious networks of enormous scale and diverse function that are difficult to detect, and the network security threat they bring cannot be ignored.

Working process

The working process of a botnet includes three stages: propagation, joining and control.

A botnet first needs a certain number of controlled computers, and this scale is built up gradually as the bot program spreads by some means of dissemination. In the propagation process the following means are used:

(1) Vulnerability attacks. The principle is to attack a vulnerability present in the system to gain access, then execute shellcode that injects the bot program's code, so that the attacked system becomes a bot. The most basic form of this infection is the attacker manually using a series of hacking tools and scripts to attack, gaining access, and then downloading and executing the bot program. Attackers also combine the bot program with worm technology so that the bot can propagate automatically; the famous bot sample AgoBot implements automatic propagation.

(2) E-mail viruses. A bot program can also spread itself by sending large numbers of e-mail viruses, usually as a bot program carried in an e-mail attachment or as a link in the mail body to download and execute the bot program; through a series of social engineering techniques the recipient is induced to execute the attachment or click the link, or a mail client vulnerability is used to execute it automatically, so that the recipient's host becomes a bot.

(3) Instant messaging software. Instant messaging software is used to send links to the bot program to everyone on the friends list, and social engineering techniques lure them into clicking, causing infection; the MSN Sexy Chick worm (Worm.MSNLoveme) that broke out in early 2005 used this method.

(4) Malicious website scripts. The attacker binds malicious scripts into the HTML pages of a website providing Web services; when visitors access these pages the malicious script executes, downloading the bot program to the host and running it automatically.

(5) Trojan horses. Disguised as useful software, the bot is offered on websites, FTP servers and P2P networks to trick users into downloading and executing it.

From the above means of propagation it can be seen that the way a botnet spreads is similar to that of worms, viruses and feature-rich spyware.

In the joining stage, each infected host joins the botnet through the bot program hidden on it; the way of joining depends on the control mode and communication protocol. In an IRC-protocol-based botnet, the bot program on the infected host logs on to the designated server and channel, and after a successful login waits in the channel for malicious instructions from the controller. Figure 2 shows new bots continually joining a real botnet as observed.

In the control stage, the attacker sends predefined control instructions through the central server to make the infected hosts carry out malicious behaviour, such as launching DDoS attacks, stealing sensitive information from the host, or updating and upgrading the malicious program. Figure 3 shows a botnet observed in the control stage spreading malicious programs to the internal network.

Classified introduction

Botnets can be classified in many ways depending on the classification standard.

According to bot program type

(1) Agobot/Phatbot/Forbot/XtremBot. These are probably the best-known bots. The anti-virus vendor Sophos has catalogued more than 500 known different versions of Agobot (Sophos virus analysis), and this number keeps growing steadily. The bot itself is written in cross-platform C++. The latest available Agobot version has clear code and a very good abstract design with modular composition; adding commands or scanners and attack functions for other vulnerabilities is very simple, and it provides rootkit capabilities such as file and process hiding to conceal itself on compromised machines. Reverse engineering a captured sample can be difficult because it contains functions for detecting debuggers (SoftICE and OllyDbg) and virtual machines (VMware and Virtual PC).

(2) SDBot/RBot/UrBot/SpyBot. This family of malware is currently the most active bot software; SDBot is written in C. It offers the same functional characteristics as Agobot, but with a smaller command set and a less complex implementation. It is an IRC-protocol-based class of bot program.

(3) GT-Bots. GT-Bots are built on the popular IRC client program mIRC; GT stands for Global Threat. This kind of bot uses scripts and other binary files to open a mIRC chat client while hiding the original mIRC window. The mIRC script connects to the designated server channel and waits for malicious commands. Because these bots bundle the mIRC program, they are relatively large, often more than 1 MB.

According to the Botnet control mode

(1) IRC Botnet. Refers to botnets whose control and communication use the IRC protocol. The main bot programs forming such botnets are spybot, GTbot and SDbot; at present most botnets belong to this category.

(2) AOL Botnet. Similar to the IRC bot. AOL provides an instant messaging service, and this kind of botnet relies on that service to form and establish its network: infected hosts log in to a fixed server to receive control commands. AIM-Canbot and Fizzer used AOL Instant Messenger to realize bot control.

(3) P2P Botnet. In this kind of botnet the bot program itself contains a P2P client that can connect to servers using Gnutella technology (an open-source file-sharing technology) and communicate using the file-sharing protocol. Because of this distributed way of connecting, every bot can easily find and communicate with other bots, and when some bots are cleaned up the survival of the botnet is not affected; so this kind of botnet has no single point of failure, though it is comparatively complex to build. Agobot and Phatbot adopted the P2P mode.
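The difference between a centralized (IRC) control structure and a P2P one matters most for defenders planning a takedown: seizing the IRC server cuts every bot off, while cleaning up a fraction of P2P bots leaves the rest connected. The following Python simulation, added here as an illustration and not part of the original article or of any bot's code, models an IRC botnet as a star around one control server and a P2P botnet as a random peer graph, removes nodes, and measures what fraction of the surviving bots one bot can still reach (that is, could still receive commands from). Node counts, peer-list sizes and the random seed are constructed parameters.

```python
import random
from collections import deque


def star_topology(n_bots):
    """IRC-style botnet: every bot talks only to the control server, node 0."""
    edges = {0: set(range(1, n_bots + 1))}
    for b in range(1, n_bots + 1):
        edges[b] = {0}
    return edges


def p2p_topology(n_bots, peers_per_bot, seed=1):
    """P2P-style botnet: each bot keeps a peer list of a few other bots, no server.
    The peer graph is random; `seed` makes the experiment reproducible."""
    rng = random.Random(seed)
    nodes = list(range(1, n_bots + 1))
    edges = {b: set() for b in nodes}
    for b in nodes:
        while len(edges[b]) < peers_per_bot:
            p = rng.choice(nodes)
            if p != b:
                edges[b].add(p)
                edges[p].add(b)   # peer links are bidirectional
    return edges


def remove_nodes(edges, removed):
    """Simulate a takedown or cleanup: drop the removed nodes and every link to them."""
    return {n: {m for m in nb if m not in removed}
            for n, nb in edges.items() if n not in removed}


def reachable_fraction(edges, start):
    """Fraction of surviving nodes that `start` can still reach via remaining links.
    A bot that cannot reach the controller (or any relay) can no longer be commanded."""
    if start not in edges:
        return 0.0
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in edges[n]:
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return len(seen) / len(edges)


def takedown_experiment(n_bots=200, peers=4, fraction_removed=0.2, seed=1):
    """Compare seizing the single IRC server with cleaning up 20% of P2P bots."""
    rng = random.Random(seed)

    # IRC: the only node removed is the control server.
    star_after = remove_nodes(star_topology(n_bots), {0})

    # P2P: a random fifth of the bots are cleaned up; no single node is special.
    p2p = p2p_topology(n_bots, peers, seed)
    bots = list(p2p)
    removed = set(rng.sample(bots, int(n_bots * fraction_removed)))
    p2p_after = remove_nodes(p2p, removed)
    survivor = next(b for b in bots if b not in removed)

    return {
        "irc_reach_after_server_seizure": reachable_fraction(star_after, 1),
        "p2p_reach_after_partial_cleanup": reachable_fraction(p2p_after, survivor),
    }


if __name__ == "__main__":
    for name, value in takedown_experiment().items():
        print(f"{name}: {value:.3f}")
```

With the default parameters the IRC bot reaches only itself once the server is gone (1/200 of the surviving nodes), whereas a surviving P2P bot still reaches well over 80% of the remaining bots. The numbers are illustrative; the point is the qualitative gap, which is why P2P botnets call for coordinated host cleanup rather than a single seizure.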

Bring harm

Overview

A botnet constitutes an attack platform from which a variety of attacks can be launched effectively; these can paralyze entire basic information networks or important application systems, cause the leakage of significant secrets or personal privacy, and be used for Internet fraud and other illegal and criminal activities. The attacks that have been observed launched from botnets are discussed below. As new types of attack appear in the future, botnets could also be used to launch new, as yet unknown attacks.

Denial-of-service attack

Using a botnet to launch DDoS attacks is the main threat. The attacker can send commands to all the bots under his control, making them begin continuous access to a specific network target at the same moment, thereby achieving DDoS. Because botnets can reach a large scale and their DDoS attacks can be controlled synchronously by instruction, the resulting DDoS poses a bigger threat and is harder to prevent.
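The synchronization that makes a botnet DDoS dangerous is also what gives it away in flow data: hundreds of distinct sources do not normally start talking to one server within the same few seconds. The Python below is an added detection example, not code from the original article; it works over constructed NetFlow-like records (the field names, addresses and thresholds are assumptions) and flags any destination/port where at least `min_sources` distinct sources first appeared inside one sliding `window_s`-second window.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record in the style of a NetFlow/IPFIX export (constructed fields)."""
    start: float    # flow start time, seconds
    src: str
    dst: str
    dport: int
    packets: int


def constructed_flows():
    """Sample input built for this example: one normal server, one synchronized flood."""
    flows = []
    # A normal web server: 40 clients arriving independently, one every 15 seconds.
    for i in range(40):
        flows.append(Flow(1000.0 + 15.0 * i, f"192.0.2.{i + 1}", "198.51.100.10", 443, 12))
    # A target hit by a botnet: 300 distinct sources all start within two seconds
    # of a command issued at t=2000, each opening a continuous stream.
    for i in range(300):
        flows.append(Flow(2000.0 + 0.1 * (i % 20), f"10.{i // 250}.{i % 250}.7",
                          "198.51.100.77", 80, 5000))
    # Later repeat flows from sources already seen must not inflate the count.
    for i in range(20):
        flows.append(Flow(2060.0 + i, f"10.0.{i}.7", "198.51.100.77", 80, 5000))
    return flows


def detect_synchronized_flood(flows, min_sources=100, window_s=5.0):
    """Return alerts for (dst, dport) pairs whose distinct sources arrived in lockstep.

    For each target, record the first time each source was seen, sort those
    times, and slide a window of `window_s` seconds across them. Users arriving
    on their own spread out; bots acting on one command all start at once."""
    first_seen = defaultdict(dict)          # (dst, dport) -> {src: earliest start}
    for f in flows:
        key = (f.dst, f.dport)
        if f.src not in first_seen[key] or f.start < first_seen[key][f.src]:
            first_seen[key][f.src] = f.start

    alerts = {}
    for key, per_src in first_seen.items():
        times = sorted(per_src.values())
        peak, peak_start, j = 0, None, 0
        for i, t in enumerate(times):
            while times[j] < t - window_s:  # advance the window's left edge
                j += 1
            if i - j + 1 > peak:
                peak, peak_start = i - j + 1, times[j]
        if peak >= min_sources:
            alerts[key] = {
                "distinct_sources": len(per_src),
                "sources_in_window": peak,
                "window_start": peak_start,
            }
    return alerts


if __name__ == "__main__":
    for target, info in detect_synchronized_flood(constructed_flows()).items():
        print(target, info)
```

On the constructed input only 198.51.100.77:80 is reported, with all 300 sources inside a window starting at t=2000; the web server on port 443 never has more than one new source per window. In production the thresholds would be tuned per service, and the heuristic complements rather than replaces volume-based rate alarms, since a low-rate but highly synchronized onset is exactly the case volume counters miss early on.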

Sending spam

Some bots can set up SOCKS v4/v5 proxies, so the botnet can be used to send spam while the sender hides their own IP information well.

Steal secrets

The controller of a botnet can steal various sensitive information and other secrets from the bots, such as individual accounts and confidential data. Meanwhile the bot program can use a sniffer to observe network data of interest and obtain secrets from the network traffic.

Abuse of resources

The attacker uses the botnet for various activities that consume network resources, affecting the user's network performance and even causing economic losses. Examples include planting adware, clicking designated websites, using the bots' resources to store large amounts of data and illegal data, and using bots to build fake bank websites for phishing.

It can be seen that botnets cause serious harm both to the network as a whole and to users themselves, and effective measures should be taken to reduce that harm.

Research status

Research on botnets has only gradually begun in recent years, with related work from antivirus companies and academic research institutions. The first to study and respond to botnets were antivirus companies. Starting from the malicious nature of the bot program, they treated it as malware combining backdoor tools, worms and other technologies and included it in the scope of virus detection. Each of the famous large antivirus companies has written several important bot programs into its virus signature database. Starting in 2004, Symantec gives observations of botnet activity in a separate section of its semi-annual security trend analysis report. Kaspersky also noted in its malware trend analysis report that the prevalence of zombie programs was the most significant change in the virus field in 2004.

Academia started paying attention to the development of botnets in 2003. Some members of the international Honeynet Project and Honeynet Research Alliance have used honeynet analysis techniques to track and analyze botnet activity in depth, such as Bill McCarty of Azusa Pacific University, Richard Clarke of the French Honeynet Project, Dave Dittrich of the University of Washington, and the German Honeynet Project team. In particular, from November 2004 to January 2005 the German Honeynet Project team, by deploying Win32 honeypot machines, found and tracked nearly 100 botnets and released a technical report on botnet tracking.

The major threat of a botnet is as an attack platform for launching DDoS (distributed denial of service) attacks against designated targets, so DDoS researchers have also done research on botnets. The foreign DDoSVax organization's project "Detecting Bots in Internet Relay Chat Systems" analyzed the behavioural characteristics of IRC-protocol-based bot programs and selected corresponding features in network traffic to detect the existence of botnets. The organization tested this research method by setting up a botnet in an experimental environment on PlanetLab; statistical analysis of the data verified that flow analysis of botnet features produces effective results, though with a certain rate of false positives.
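Both the joining and control stages described under "Working process" (bots log on to a designated channel, idle, and answer the controller's instructions together) and the DDoSVax approach above (pick behavioural features of IRC bots out of traffic) can be illustrated with the same detector. The Python below is an added example, not code from the article, the DDoSVax project or any bot; it parses constructed IRC server log lines and scores each channel on two features: the share of members whose nicknames look machine-generated (a regular expression that is an assumption of this example), and the share of members that post an identical message within two seconds of another message. The log format, nicknames, addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed IRC server log, not real traffic. One channel is a bot channel whose
# members log in, sit idle and answer the controller in lockstep; the other is a
# normal chat channel. Format:
#   "<unix time> :<nick>!<user>@<host> <JOIN|PRIVMSG> <#channel>[ :<text>]"
CONSTRUCTED_IRC_LOG = [
    "1291800000.0 :dx-a1f3c0!u@10.0.0.11 JOIN #upd8",
    "1291800001.0 :dx-b72e9d!u@10.0.0.12 JOIN #upd8",
    "1291800002.0 :dx-c03f41!u@10.0.0.13 JOIN #upd8",
    "1291800003.0 :dx-d9e1aa!u@10.0.0.14 JOIN #upd8",
    "1291800004.0 :dx-e5b7c2!u@10.0.0.15 JOIN #upd8",
    "1291800005.0 :dx-f41d08!u@10.0.0.16 JOIN #upd8",
    "1291800006.0 :op!o@198.51.100.9 JOIN #upd8",
    "1291800100.0 :op!o@198.51.100.9 PRIVMSG #upd8 :status",
    "1291800100.3 :dx-a1f3c0!u@10.0.0.11 PRIVMSG #upd8 :[status] idle",
    "1291800100.4 :dx-b72e9d!u@10.0.0.12 PRIVMSG #upd8 :[status] idle",
    "1291800100.5 :dx-c03f41!u@10.0.0.13 PRIVMSG #upd8 :[status] idle",
    "1291800100.6 :dx-d9e1aa!u@10.0.0.14 PRIVMSG #upd8 :[status] idle",
    "1291800100.7 :dx-e5b7c2!u@10.0.0.15 PRIVMSG #upd8 :[status] idle",
    "1291800100.8 :dx-f41d08!u@10.0.0.16 PRIVMSG #upd8 :[status] idle",
    "1291800000.0 :alice!a@192.0.2.3 JOIN #linux",
    "1291800002.0 :bob_2010!b@192.0.2.4 JOIN #linux",
    "1291800004.0 :carol!c@192.0.2.5 JOIN #linux",
    "1291800050.0 :alice!a@192.0.2.3 PRIVMSG #linux :anyone tried the new kernel?",
    "1291800051.0 :bob_2010!b@192.0.2.4 PRIVMSG #linux :not yet",
    "1291800051.5 :carol!c@192.0.2.5 PRIVMSG #linux :yes, works for me",
]

LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) :(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
    r"(?P<cmd>JOIN|PRIVMSG) (?P<chan>#\S+)(?: :(?P<text>.*))?$"
)
# Assumed heuristic: short letter prefix, optional separator, then 4+ hex digits.
BOT_NICK = re.compile(r"^[A-Za-z]{1,8}[-_]?[0-9a-f]{4,}$")


def analyze_irc_log(lines, lockstep_window=2.0, nick_threshold=0.8, lockstep_threshold=0.5):
    """Score every channel in the log and mark it suspicious when most members
    have generated-looking nicks AND most members answer in lockstep."""
    members = defaultdict(set)      # channel -> nicks seen in it
    messages = defaultdict(list)    # channel -> [(time, nick, text)]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # other IRC commands are ignored here
        d = m.groupdict()
        members[d["chan"]].add(d["nick"])
        if d["cmd"] == "PRIVMSG":
            messages[d["chan"]].append((float(d["ts"]), d["nick"], d["text"] or ""))

    report = {}
    for chan, nicks in members.items():
        botlike = sum(1 for n in nicks if BOT_NICK.match(n)) / len(nicks)
        lockstep = 0.0
        msgs = sorted(messages[chan])
        for i, (t0, sender, _) in enumerate(msgs):
            # Distinct other members posting the identical text shortly after this one.
            identical = defaultdict(set)
            for t, nick, text in msgs[i + 1:]:
                if t - t0 > lockstep_window:
                    break           # msgs is time-sorted, nothing later can qualify
                if nick != sender:
                    identical[text].add(nick)
            if identical:
                lockstep = max(lockstep, max(len(s) for s in identical.values()) / len(nicks))
        report[chan] = {
            "members": len(nicks),
            "botlike_nick_ratio": round(botlike, 2),
            "lockstep_ratio": round(lockstep, 2),
            "suspicious": botlike >= nick_threshold and lockstep >= lockstep_threshold,
        }
    return report


if __name__ == "__main__":
    for chan, info in analyze_irc_log(CONSTRUCTED_IRC_LOG).items():
        print(chan, info)
```

On the constructed log, #upd8 scores 0.86 on both features (six of seven members) and is marked suspicious, while #linux scores 0.33 on both and is not; bob_2010 alone matching the nickname pattern shows why neither feature is decisive on its own and the two are combined. This is the kind of per-channel feature extraction the flow-analysis approach relies on, and the same caveat applies: a single human-run channel with a greeting bot can trip the lockstep feature, so the output is a lead for analysts, not a verdict.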
