

Posted 2008-11-04 21:52 (267 views)
Botnets: Bigger isn’t always better


Author: Michael Kassner

Translation: endurer, 2008-11-04, 1st edition


Category: security, Botnet, anti-spam


Tags: Advance, Rootkits, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Michael Kassner, HTTP, Article, Bot




Rootkit and botnet developers are fighting back. It seems that every advance made by security researchers is countered with new and more sophisticated malware. Just what are these new advances and what can the rest of us expect?



Last August in my article “Storm Worm: The Energizer Bunny of Botnets,” I mentioned that Storm was making a resurgence as the largest botnet creator in history. Yet for the past few months, Storm’s botnet has been eerily quiet. You may remember the e-mail spam message falsely announcing the start of “World War Three” back in July. That was the last major spam campaign propagated by Storm’s botnet.




《endurer's note: 1. Energizer Bunny: the rabbit from the Energizer battery commercials, i.e. something that keeps going and going.》

Where’s the Storm?


Kelly Jackson Higgins of Darkreading.com raised some compelling reasons why Storm isn’t having much impact in the article “Storm May Finally Be Over”:



“Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa’s estimates. The botnet began a gradual decline in size after Microsoft’s Malicious Software Removal Tool began detecting and cleaning it up late last year.”



Another theory in the article mentions that security researchers may have been able to infiltrate the Storm botnet and neutralize it:



“It’s very possible someone might be interfering with Storm,” Joel Stewart Director of Malware Research for SecureWorks mentioned. “At RSA (Conference), I showed the RSA key that’s used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots.”





I found the article interesting, as it points to Storm’s size and scope as being its downfall. The botnet’s inactivity is certainly welcome news. I’m somewhat cynical though, as I personally haven’t seen any reduction in the amount of spam. In fact, I’m of the opinion that the amount is increasing. Why is that? I have the nagging suspicion that botnet creators are keeping well ahead of the learning curve by using new and less obvious tactics.



《endurer's note: 1. learning curve: rendered as 学习曲线.》

Next generation of botnets


Paul Royal, Director of Research for Damballa, points out one of the new tactics being used:


“Rather than the Swiss army knife approach that Storm took, more botnets will instead be smaller and created for specific purposes. One http-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects.”



HTTP-based botnets are difficult to trace, because they use port 80, and we all know how much legitimate Internet traffic flows over that port. Kelly Jackson Higgins has another interesting article, “Botnets Don Invisibility Cloaks,” that discusses this very subject. The article is almost a year old but more relevant than ever.



Another new trend in botnets is peer-to-peer command and control. It’s considered more difficult to detect than HTTP-based command and control traffic, as explained in Higgins’ article:



“Peer-to-peer is difficult because it’s not a centralized network, each bot can send commands on its own. That’s more distributed, making it difficult to isolate the actual bots, where they are, and where the commands originated from.”



Georgia Tech Information Security Center’s recent summit

TechRepublic’s Paul Mah, in his latest Security News Roundup, made mention of Georgia Tech’s Information Security Center (GTISC) and its annual security summit. A great deal of pertinent information about botnets came out of the recent summit. For example, in the 2009 report (pdf), Wenke Lee, associate professor at GTISC, corroborates what Paul Royal mentioned about HTTP-based botnets:




《endurer's note: 1. made mention of: to mention, refer to, write about.》

“A bot actually remains on the machine, maintains a command and control mechanism to enable communication with the bot master, and can update itself based on those communications. The updates enable new bot communication and malicious capabilities, and are often used to avoid detection.



Bot communications are designed to look like normal (Web) traffic using accepted ports, so even firewalls and intrusion prevention systems have a hard time isolating bot messages. It’s very difficult to filter bot traffic at the network edge since it uses http and every enterprise allows http traffic.”



《endurer's note: 1. have a hard time (doing something): to struggle with it, to find it difficult.》
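Lee’s point is that a port or protocol filter at the edge cannot separate bot check-ins from ordinary web browsing, because both are plain HTTP on port 80. What does separate them is behaviour: a bot polls its controller on a timer, a person does not. The following example, added here and not part of Kassner’s article or the GTISC report, runs a simple beacon-detection heuristic over a handful of constructed proxy log lines (the hosts, addresses and log format are invented for the illustration) and flags client/host pairs whose request intervals are suspiciously regular.

```python
"""Beacon detection over HTTP proxy logs (added example, not from the page).

Constructed sample log format (squid-like, whitespace separated):
    <epoch seconds> <client ip> <method> <host> <status> <bytes>
Every line here is port-80 HTTP, so a port filter would treat all of it alike.
"""
import statistics
from collections import defaultdict

# Constructed sample data: 10.0.0.5 browses news pages at irregular intervals;
# 10.0.0.9 posts a tiny payload to the same host roughly every 300 seconds,
# which is what a timer-driven bot check-in looks like in a proxy log.
SAMPLE_LOG = """\
1225800000 10.0.0.5 GET news.example.com 200 48211
1225800017 10.0.0.5 GET news.example.com 200 12033
1225800190 10.0.0.5 GET cdn.example.net 200 90112
1225800420 10.0.0.5 GET news.example.com 200 51007
1225800000 10.0.0.9 POST stats-update.example.org 200 312
1225800301 10.0.0.9 POST stats-update.example.org 200 298
1225800599 10.0.0.9 POST stats-update.example.org 200 305
1225800902 10.0.0.9 POST stats-update.example.org 200 311
1225801199 10.0.0.9 POST stats-update.example.org 200 300
1225801502 10.0.0.9 POST stats-update.example.org 200 307
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, status, size) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, status, size = line.split()
        yield int(ts), client, method, host, int(status), int(size)


def find_beacons(records, min_hits=4, max_cv=0.15):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. Human browsing produces a high cv; a bot polling on
    a fixed timer produces a low one. min_hits avoids judging on too few
    samples; max_cv is the regularity threshold (tune it for your network).
    """
    by_pair = defaultdict(list)
    for ts, client, _method, host, _status, _size in records:
        by_pair[(client, host)].append(ts)

    flagged = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # duplicate timestamps, not a timer pattern
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged.append({
                "client": client,
                "host": host,
                "hits": len(times),
                "period_s": round(mean_gap),
                "cv": round(cv, 3),
            })
    return flagged


if __name__ == "__main__":
    for candidate in find_beacons(parse_log(SAMPLE_LOG)):
        print(candidate)
```

On the constructed data only the 10.0.0.9 / stats-update.example.org pair is flagged, with a period of about 300 seconds. In practice bots add jitter to their sleep timer, so a deployment would loosen `max_cv`, look at response sizes and URI entropy as well, and baseline each host against the rest of the fleet; the point of the example is that this kind of per-pair timing analysis works on traffic that a port-80 rule cannot distinguish from browsing.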

Not just smaller, but sneakier


So far I have tried to point out that botnets are smaller, more sophisticated, and single-purposed. I’d be remiss if I didn’t mention the fourth area of improvement, which is how the bot gets onto the unsuspecting user’s computer. Once again, Professor Lee of GTISC explains how this is easier than ever:



Infection can occur even through legitimate Web sites.

Bot exploits/malware delivery mechanisms are gaining sophistication and better obfuscation techniques.

Users do not have to do anything to become infected; simply rendering a Web page can launch a botnet exploit.

Final thoughts

Every article that I read about botnets mentions that this problem is here for the long haul, stating simple economics as the reason. Botnets are big business, making people a great deal of money, and as long as that’s the case botnets aren’t going away.



I sense the frustration, as there’s precious little we the users can do. I wrote my last article, “Spam Relay: Up Close and Personal,” as a vivid personal reminder for me. As I was writing this article, I realized that many of you must have similar experiences, which got me thinking (in trouble now) that we should gather all that hard-earned information in one place and share it. What do you think?

