Design and Implementation of an IRC-Protocol-Based Asynchronous Trojan System
Abstract
With the rapid development of computer network technology, trojan attacks frequently compromise information security, yet trojan attacks are themselves a powerful counter-attack weapon. Asynchronous trojan systems are widely used and valued for their asynchronous communication and distributed attack capability. However, in common asynchronous trojan systems the trojan cannot propagate by itself, so not only is its planting inefficient, but the peculiar data traffic it generates when communicating is easily detected and blocked by firewalls. To solve these problems, this thesis designs an asynchronous trojan system based on the IRC protocol.
     The system combines the strengths of Bot, IRC and worm technology and consists of two parts: a main function module and an auxiliary function module. The main function module comprises a communication module, a command-and-control module and a propagation module. The communication module implements a subset of the IRC protocol so that trojan commands can be carried through a hidden IRC channel disguised as ordinary chat messages; the command-and-control module implements the IRCPEP protocol, which defines the trojan commands, so that the IRC Server and the Zombies interact in coded language (argot); the propagation module uses a web-page worm to carry trojan source-location information, so that hosts infected by the worm automatically connect to the trojan source, download and run the trojan, and become Zombies. When an attack is carried out, the Attacker first sends the attack command to the Bot Server through a hidden-mode IRC chat channel, and the Bot Server then issues the attack instruction to a group of Zombies through another hidden-mode IRC chat channel. The auxiliary function module is mainly used to test the attack capability of the Botnet, including a spam-sending function for that test and an auto-update function for upgrading the trojan program.
     The main work and innovations of this thesis are:
     (1) The system uses a double hidden-channel IRC mode in which the Bot Server attacks on behalf of the Attacker, placing the attacker outside the Botnet, which hides the attacker's identity better and makes management more flexible;
     (2) A new IRC parsing-and-execution protocol (IRCPEP) is defined that standardizes and encrypts attack commands, so that trojan commands travel as ordinary chat messages under the cover of IRC, strengthening the system's resistance to detection and removal; the system implements only a subset of the IRC protocol, which reduces the trojan's size and makes it easier to transmit;
     (3) Worm technology is used to propagate the trojan, turning trojan planting from passive into active and making it more efficient, and an auto-update function for the trojan program is implemented, improving the trojan's adaptability.
With the rapid development of network technology, information security has often been compromised by Bot attacks, whereas Bot attacking is also a powerful anti-attacking weapon. Therefore, asynchronous Botnet systems are widely used and intensely emphasized due to their asynchronous communicating characteristic and distributed attacking ability. However, planting a current Botnet system is very inefficient because the Bot cannot transmit itself. In addition, firewalls can easily detect and block the special data streams of ordinary Bot communication. In order to solve the above-mentioned problems, an IRC-based Botnet system is developed in this paper.
     This system is composed of a main function module and an auxiliary function module, combining the advantages of Bot, IRC and worm technology. The main function module consists of a communication module, a command control module and a dissemination module. The communication module implements a subset of the IRC protocol, which can transmit disguised Bot commands through a hidden IRC channel like normal chat messages. The command control module implements the IRCPEP protocol, which defines a set of Bot commands that let the IRC Server communicate with Zombies in argot. The dissemination module inserts the Bot location into web pages, which leads the worm-infected host to connect to the Bot source, download and auto-run the Bot program, and become a Zombie. When attacking, the attacker first sends the attack command through a hidden-mode IRC chat channel to the Bot Server, and then the Bot Server disseminates the attack command to a group of Zombies through another hidden-mode IRC chat channel. The auxiliary module is mainly used to test the Botnet's attacking ability, which includes sending spam, updating the Bot program, etc.
     In this paper, the main work and innovations are as follows:
     (1) Using a double hidden-mode IRC channel in the system makes the Bot Server act as the agent of the Attacker, which isolates the attacker from the Botnet so as to hide the attacker's identity and improve the flexibility of management;
     (2) A new IRCPEP protocol was defined to standardize and encrypt attack commands, which disguises Bot commands as normal chat messages so as to enhance the system's anti-kill ability; moreover, implementing only a subset of the IRC protocol reduced the size of the Bot and accelerated the dissemination of the Botnet;
     (3) Resorting to the worm technique for disseminating the Bot makes Bot planting more active and efficient. In addition, the auto-updating function enhanced the Bot's self-adaptability.
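As an added, defender-side example (not code from the thesis), the following Python parses the RFC 1459 message format that the communication module described above implements a subset of, and flags two traits the abstract attributes to the system: a channel switched to secret (+s) mode, which is how IRC hides a channel, and a channel message carrying an encoded blob instead of chat text. The session lines, nicks and channel name are constructed; the IRCPEP format itself is not on the page, so the blob check is a generic heuristic, not an IRCPEP signature.

```python
import re

# Constructed sample of one client's IRC session in RFC 1459 line format
# (nicks, channel and text are made up; not taken from the thesis).
SAMPLE_LINES = [
    ":srv NOTICE * :*** Looking up your hostname",
    ":c2bot!u@h JOIN #ops",
    ":c2bot!u@h MODE #ops +s",
    ":c2bot!u@h PRIVMSG #ops :hey how is everyone today",
    ":c2bot!u@h PRIVMSG #ops :aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=",
]

# A single long token drawn only from the base64 alphabet; plain chat
# almost never contains one, so it is a cheap heuristic signal of an
# encrypted/encoded command hidden inside a chat line.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")


def parse_irc(line):
    """Split one RFC 1459 line into (prefix, COMMAND, [params])."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    params = parts[1:]
    if sep:
        params.append(trailing)  # trailing param may contain spaces
    return prefix, parts[0].upper(), params


def analyze(lines):
    """Return (finding, nick, channel) tuples worth an analyst's attention."""
    findings = []
    for raw in lines:
        prefix, cmd, params = parse_irc(raw)
        nick = prefix.split("!")[0] if prefix else "?"
        if cmd == "MODE" and len(params) >= 2 and params[0].startswith("#"):
            if params[1].startswith("+") and "s" in params[1]:
                findings.append(("secret_channel", nick, params[0]))
        elif cmd == "PRIVMSG" and len(params) == 2 and params[0].startswith("#"):
            if any(BLOB_RE.match(tok) for tok in params[1].split()):
                findings.append(("encoded_payload", nick, params[0]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```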