What is a Botnet?

Botnet refers to a one-to-many control network formed between a controller and an infected host by infecting a large number of hosts with one or more means of transmission (bot) ^. .

Botnet's work process includes three stages of dissemination, joining and control.

A Botnet first needs a controlled computer with a certain size, and this size is gradually formed with the proliferation of bot programs that use one or more means of propagation. There are several means in this process of propagation. :

(1)

Botnet can have many different classifications according to different classification criteria.

By bot program type

(1) Agobot / Phatbot / Forbot / XtremBot. This is probably the most famous zombie tool. Antivirus vendor Spphos lists more than 500 known different versions of Agobot (Sophos virus analysis), and this number is steadily increasing. The zombie tool itself is written in cross-platform C ++. Agobot's latest available version of the code is clear and has a good abstract design. It is combined in a modular manner. It is very simple to add commands or other vulnerabilities to scanners and attack functions. It also provides the ability to hide root files such as files and processes. Hide yourself in. It is difficult to reverse engineer this sample after getting it, because it includes monitoring debuggers (Softice and O11Dbg) and

Research on Botnet has only begun gradually in recent years, and relevant research has been done from anti-virus companies to academic research institutions. The first to research and respond to Botnet were anti-virus vendors. From the bot program

Summary

For the currently popular research methods of Botnet based on the IRC protocol, honeynet technology, network traffic research, and IRC server identification technology are mainly used.

Use honeynet technology

Honeynet technology is based on bot programs, which can deeply track and analyze the properties and characteristics of Botnet. Honeynet has three core requirements: data control, data capture and data analysis ^[1]

Web filtering service

Web filtering services are the most powerful weapon against botnets. These services scan Web sites for unusual behavior, or scan for known malicious activity, and prevent these sites from reaching users.

Websense, Cyveillance, FaceTime are all good examples. They can all monitor the Internet in real time and look for sites that engage in malicious or suspicious activity, such as downloading JavaScript or performing screen scrapes and other scams other than normal web browsing. Cyveillance and Support Intelligence also provide another service: Notifying Web site operators and ISPs that malicious software has been found, so hacked servers can be repaired, they say.

Conversion browser

Another strategy to prevent botnet infections is to standardize the browser, rather than relying solely on Microsoft's Internet Explorer or Mozilla's Firefox. Of course, these two are indeed the most popular, but because of this, malware authors are usually happy Write code for them. The same strategy applies to the operating system. According to statistics, Macs are rarely harassed by botnets, just like the desktop Linux operating system, because the capital of most bots is targeting the popular Windows.

Disable script

Another more extreme measure is to completely disable the browser's scripting feature, although this can sometimes be detrimental to productivity, especially if employees use custom, web-based applications in their work. .

Deploy a defense system

Another method is to adjust your IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) to find zombie-like activities. For example, repeated connections to external IP addresses or illegal DNS address connections are quite suspicious. Although difficult to find, another sign that can reveal zombies is the sudden rise in SSL communication in a machine, especially on some ports. This may indicate that a zombie-controlled channel has been activated. You need to find machines that route email to other servers rather than to your own email server, they are also suspicious. Gadi Evron, a botnet expert, further suggested that you should learn to monitor guys who access the Web at high levels. They activate all links on a Web page, and a high-level access may indicate that a machine is being controlled by a malicious Web site.

An IPS or IDS system can monitor abnormal behaviors that indicate hard-to-find, HTTP-based attacks and attacks from remote processes, Telnet and address resolution protocol (ie, ARP) spoofing, and more. However, it is worth noting that many IPS detectors use feature-based detection techniques, that is, the features at the time these attacks are discovered are added to a database and cannot be detected without the relevant features in the database. Therefore, IPS or IDS must frequently update its database to identify relevant attacks, and the detection of criminal activities requires continuous efforts.

Protect user-generated content

You should also protect your web operators from becoming accomplices in "slim" malware crimes. If you are not moving towards the WEB 2.0 social network, your company's public blogs and forums should be limited to text only. This is also the view of Michael Krieg, vice president of Web Crossing, who is a social networking software and hosting service. Creator.

Krieg said, "I don't know which of our tens of thousands of users allows JavaScript in the message text, and I don't know who has embedded code and other HTML tags in it. We don't allow people to do this. We Applications strip these things out by default. "

Dan Hubbard, vice president of security research at Websense, added, "That's a serious problem with user-created content sites, the Web 2.0 phenomenon. How can you do that with the power of allowing people to upload content and not allowing them to upload bad stuff? Seeking a balance between them? "

The answer to this question is clear. If your site requires members or users to exchange files, you should set it up to allow only limited and relatively secure file types, such as those. Files with jpeg or mp3 extensions. (However, the authors of the malware have begun to write a number of worms for player types such as MP3. And with the discovery of their technical level, it is possible that the original safe file types will also become the accomplice of malware.)

Use a remediation tool

If you find an infected computer, an important step in a temporary emergency is how to remedy it. Companies like Symantec have claimed that they can detect and remove even the deepest rootkit infections. Symantec here indicates the use of Veritas and VxMS (Veritas Mapping Service) technology, especially the VxMS API that allows anti-virus scanners to bypass the file system of Windows (the API is controlled by the operating system and therefore vulnerable to manipulation by rootkits) . Other anti-virus vendors are also trying to protect systems from rootkits, such as McAfee and FSecure.

However, Evron believes that the detection of so-called malware after the fact is a mistake! Because it convinces IT experts that they have cleared the zombies, in fact, the real zombies code still resides on the computer. He said, "Anti-virus is not a solution because it is a naturally reactive thing. Anti-viruses can identify related problems, so the anti-viruses themselves can also be manipulated and used." This is not to say that you should not Try to implement the best rootkit tool in anti-virus software, but you should be aware that doing so is like buying a safe after you lose your valuables. In an idiom, this is called "repairing the dead sheep." Evron believes that the way to keep a computer absolutely secure and clean from zombies is to be thoroughly aware of the original system and install the system from scratch.

Don't let your users visit known malicious sites, monitor suspicious behavior on the network, protect your public sites from attacks, and your network is basically in good shape. This is the consensus view of security experts.

It can be noticed that if a network worker is puzzled by network security and will have the feeling of "What should I do with these millions of zombies?". "Actually, the answer is very simple. As Chris Boyd, FaceTime's director of malware research, said," Just disconnect your network from infectionsviruses, Trojans, spyware, adware, etc ... Think of it as a rogue file on a PC to clean it up (however, who can guarantee it?). That's all you need to do.

Mobile botnet characteristics

There is always insufficient mobile phone traffic, automatic installation of unknown software, and advertisements in the notification bar. You may have encountered the largest Android mobile phone botnet attack in China.

This is a backdoor program called Android.Troj.mdk (MDK for short), the infection rate is as high as seven thousandths, and a total of no less than 1.05 million smartphones are infected. After the user's mobile phone is recruited, traffic consumption increases sharply, advertisements pop up frequently, the machine becomes slower, privacy is stolen, and there is even a hidden danger of being monitored and tracked.

Mobile botnets are built by attackers through mobile bots, which can be remotely controlled through a one-to-many command control channel, and can only be coordinated with mobile phone groups. "Mobile bots" are particularly prominently built on mobile platforms; "One-to-many "Command and control channel" is an essential feature of botnets that distinguish them from other network attacks. It is this one-to-many control relationship that allows attackers to control and serve a large number of resources at the polar cost. It is used to highlight the unique attack methods of botnets based on their scale, such as DDos et al. ^[3] .

Mobile botnet transmission

Malicious ad authors repackage normal game applications and popular applications and then publish them to the market. Due to the normal game or normal application functions, it is difficult for users to find problems, and they may recommend the game to friends around you. At the same time, malicious ad authors will conduct background flashing to increase user popularity, and users will lose traffic.

Difference between mobile botnets and traditional botnets

The particularity of the mobile platform determines the particularity of mobile botnets compared to traditional botnets.

1. The mobile phone platform is different from the desktop system.

Mobile botnets must be built and maintained with the help of traditional servers. In addition to 3G / Wifi access to the Internet for communication between mobile phones, mobile phone botnets can also use inherent communication methods such as SMS / MMS and Bluetooth and infrared light local communication protocols. It provides flexibility for setting up mobile botnets ^[3] .

1. As a personal communication tool, mobile phones are uniquely harmful compared to desktop systems.

Mobile botnets are more likely to cause users 'property damage, and mobile botnets can pose greater threats to users' privacy and security ^[3] .

IN OTHER LANGUAGES

• English
• Čeština
• Dansk
• Deutsch
• Svenska
• Français
• Italiano
• Nederlands
• Norsk
• Polski
• Português
• Español
• 日本語
• 한국어