Translation, 2008-04-27 21:42:00

Kraken: The biggest, baddest botnet yet

Translator's note: 1. Kraken: a legendary sea monster said to appear in the waters off Norway. See:

Author: Michael Kassner

Translator: endurer, 2008-04-27, 1st edition

Category: General, security, Botnet, anti-spam, cybercrime, antivirus

Tags: Technique, Researcher, Server, Zombie, Computer, Damballa, Kraken BotArmy-Twice, Storm, Productivity, Wiki


At the recent RSA 2008 gathering Damballa, an Internet security company devoted solely to researching botnet technology, is reporting some “not so good news.” In the article, “Kraken BotArmy-Twice as Big as Storm; Evades over 80% of Installed Antivirus Software” (pdf) Ashley Vandiver of Damballa explains:


Translator's notes: 1. Damballa: a company founded by Dagon and Wenke Lee, dedicated to developing methods that protect users' computers from this type of attack. Damballa bills itself as an anti-botnet vendor that can identify compromised computers by tracking whether they communicate with DNS servers already known to be malicious.
2. Storm: according to the latest foreign media reports in January 2007, a trojan named "Storm worm" began spreading, attacked at least 16 million computers and assembled a large botnet.

This new BotArmy, named “Kraken,” is twice as big as Storm, with over 400,000 distinct victims observed daily as compared to Storm’s 200,000 victims. Kraken has gone undetected on 80% of computers with antivirus software installed.


Remember Storm botnets?

For those not familiar with Storm, up until now it had the honor of being the largest and most notorious botnet to date. Experts consider the Storm botnet to be powerful enough to knock entire countries off the Internet. The Wikipedia entry “Storm botnet” gives an accurate accounting of how the Storm Worm — a trojan horse that spreads through e-mail — is used to recruit infected computers (zombies) into the Storm botnet. Estimates have the number of zombies to be around 200,000. The Wiki entry also does a nice job of explaining what a botnet is and how it can be such a threat.


Some very sophisticated coding goes into botnet programs. For example, servers controlling the botnet automatically change the software code at pre-determined times to avoid detection by antivirus applications. On top of that, all botnet management traffic is encrypted and uses peer-to-peer control techniques, which make monitoring and disabling the botnet very difficult.


On that same Wiki entry there is a very interesting quote from IBM researcher Joshua Corman:


“This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit. Researchers are still unsure if the botnet’s defenses and counter attacks are a form of automation, or manually executed by the system’s operators. If you try to attach a debugger, or query sites it’s reporting to, it knows and punishes you instantaneously. Over at SecureWorks, a botnet DDoS-ed a researcher.”


Kraken builds on Storm

Both Storm and Kraken rely on social engineering to propagate. Damballa believes that the preferred attack venue is to have the malware appear as an image file. When a user attempts to view the file, it’s all over. For those wondering if they may be infected, Damballa lists compromised public IP addresses on its Web site that it updates regularly. If, perchance, you find a public IP address on the list that you are concerned about, Damballa has remediation instructions that explain how to identify the process and remove the malware.



What’s different about Kraken?

Instead of using peer-to-peer techniques to control the botnet, Kraken uses command and control (C&C) servers that are located in different parts of the world. Each infected computer has a list of the C&C servers. If the current C&C server is disabled, the zombies check in with the next server on the list. Using this approach eliminates the problem of having a portion of the botnet go down if one of the peers is taken off-line.
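The fallback behaviour just described leaves a footprint a defender can hunt for: a host that fails to reach one address and, within seconds, moves on to a different one, then another. The following Python is an added example, not code from the article or from Damballa; it parses constructed sample egress log lines in a hypothetical `src=... dst=... result=...` format and reports each host's chains of serial failovers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (not real Kraken traffic or indicators), in the
# hypothetical format "<ISO timestamp> src=<ip> dst=<ip:port> result=<ok|fail>".
SAMPLE_LOG = """\
2008-04-27T21:00:01 src=10.0.0.5 dst=198.51.100.10:443 result=fail
2008-04-27T21:00:04 src=10.0.0.5 dst=198.51.100.20:443 result=fail
2008-04-27T21:00:07 src=10.0.0.5 dst=198.51.100.30:443 result=ok
2008-04-27T21:00:09 src=10.0.0.7 dst=203.0.113.8:443 result=ok
2008-04-27T21:05:00 src=10.0.0.7 dst=203.0.113.8:443 result=ok
2008-04-27T21:30:00 src=10.0.0.5 dst=198.51.100.30:443 result=fail
2008-04-27T21:30:03 src=10.0.0.5 dst=198.51.100.40:443 result=ok
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) result=(ok|fail)$")

def parse(log):
    """Turn log text into (timestamp, src, dst, result) tuples; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, result))
    return events

def find_fallback_chains(events, window=timedelta(seconds=30), min_hops=2):
    """Per source host, list the chains of distinct destinations it walked
    through where each hop followed a failed attempt to the previous one
    within `window`. A plain retry to the same destination breaks a chain."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    chains = defaultdict(list)
    for src, evs in by_src.items():
        chain = [evs[0][2]]
        for prev, cur in zip(evs, evs[1:]):
            if prev[3] == "fail" and cur[2] != prev[2] and cur[0] - prev[0] <= window:
                chain.append(cur[2])  # failover to the next server on the list
                continue
            if len(chain) >= min_hops:
                chains[src].append(chain)
            chain = [cur[2]]
        if len(chain) >= min_hops:
            chains[src].append(chain)
    return dict(chains)

if __name__ == "__main__":
    for host, found in find_fallback_chains(parse(SAMPLE_LOG)).items():
        print(host, "->", found)
```

Legitimate clients with several DNS answers also fail over, so treat a reported chain as a hunting lead to correlate with the published compromised-IP list and process inspection, not as a verdict.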


Now the scary stuff

It appears that infected computers don’t just belong to what researchers like to call the non-tech-savvy computer users. At last count, 50 Fortune 500 companies have compromised computers. Paul Royal, principal researcher at Damballa, commented that Damballa is trying to figure out how the bot infestation is getting past the perimeter defenses of some of the best-protected networks in the world:


“Somehow, this thing is evading the canonical defense techniques that the enterprises use, such as intrusion detection systems and intrusion prevention systems. It should be caught by IDSes, IPSes and firewalls and it’s not.”


Final thoughts

For now, it appears that the Kraken botnet is just delivering massive amounts of spam. Damballa claims to have seen some infected machines sending over 500,000 spam messages per day. I do not even want to think about what half a million infected machines sending 500,000 messages per day would do to most anti-spam services.
