A Multifaceted Approach to Understanding the Botnet Phenomenon

Document summary

A Multifaceted Approach to Understanding the Botnet Phenomenon
Authors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
Computer Science Department, Johns Hopkins University
Presented at: Internet Measurement Conference (IMC '06), Brazil, October 2006
Presented by: Ramanarayanan Ramani

Outline
  - Working of botnets
  - Measuring botnets
  - Inference from measurement
  - Strengths
  - Weaknesses
  - Suggestions

Botnets
  - A botnet is a network of infected end-hosts (bots) under the command of a botmaster.
  - 3 different protocols used:
      - IRC
      - HTTP
      - P2P

Botnets (contd.)
  - 3 steps of authentication:
      - bot to IRC server
      - IRC server to bot
      - botmaster to bot (*)
    (*): optional step

Measuring botnets
  - Three distinct phases:
      - Malware collection: collect as many bot binaries as possible
      - Binary analysis via gray-box testing: extract the features of suspicious binaries
      - Longitudinal tracking: track how bots spread and their reach
  - Darknet: denotes an allocated but unused portion of the IP address space.

Malware collection
  - Nepenthes is a low-interaction honeypot.
  - Nepenthes mimics the replies generated by vulnerable services in order to collect the first-stage exploit.
  - Modules in Nepenthes:
      - resolve DNS asynchronously
      - emulate vulnerabilities
      - download files (done here by the download station)
      - submit the downloaded files
      - trigger events
      - shellcode handler

Malware collection (contd.)
  - Honeynets are also used along with Nepenthes.
  - They catch exploits missed by Nepenthes.
  - Unpatched Windows XP is run, which serves as the base copy.
  - The infected honeypot is compared with the base to identify the botnet binary.

Gateway
  - Routing to the different components.
  - Firewall: prevents outbound attacks and self-infection by the honeypots.
  - Detects and analyzes outgoing traffic for infections in the honeypot.
  - Only 1 infection per honeypot.
  - Several other functions.

Binary analysis
  - Two logically distinct phases:
      - derive a network fingerprint of the binary
      - derive IRC-specific features of the binary
  - The IRC server learns the botnet "dialect" (the template).
  - Learn how to correctly mimic the bot's behavior: subject the bot to a barrage of commands.

IRC tracker
  - Uses the template to mimic a bot.
  - Connects to the real IRC server.
  - Communicates with the botmaster using the bot "dialect".
  - Drones are modified and used by the tracker as IRC clients to cover a lot of IP addresses.

DNS tracker
  - Bots issue DNS queries to resolve the IP addresses of their IRC servers.
  - The tracker uses DNS requests.
  - Has 800,000 entries after reduction.
  - Maintains hits to a server.

Botnet traffic share; DNS tracker results (slides with no extracted text)

Bot scan method
  - 2 types:
      - immediately start scanning the IP space looking for new victims after infection: 34 / 192
      - scan when issued some command by the botmaster

Botnet growth - DNS; Botnet growth - IRC tracker; Botnet online population; Botnet software taxonomy; Services launched in victim machine; OS of exploited host; Botmaster analysis (slides with no extracted text)

Strengths
  - All aspects of a botnet analyzed.
  - No prior analysis of bots.
  - Ability to model various types of bots.

Weakness
  - Only Microsoft Windows systems
