Kraken：最大，最坏的僵尸网络

Kraken: The biggest, baddest botnet yet
Kraken：最大，最坏的僵尸网络

《endurer注：1。Kraken: 相传在挪威海中出现的怪物。详见：http://en.wikipedia.org/wiki/Kraken》

Author: Michael Kassner
作者：Michael Kassner

翻译：endurer，2008-04-27 第1版

Category: General, security, Botnet, anti-spam, cybercrime, antivirus
类别：一般，安全，僵尸网络，反垃圾邮件，网络犯罪，反病毒

Tags: Technique, Researcher, Server, Zombie, Computer, Damballa, Kraken BotArmy-Twice, Storm, Productivity, Wiki
标签：技术，研究人员，服务器，僵尸，电脑，Damballa，Kraken BotArmy-Twice，Storm，生产率，维基

英文来源：http://blogs.techrepublic.com.com/networking/?p=482&tag=nl.e102

At the recent RSA 2008 gathering Damballa, an Internet security company devoted solely to researching botnet technology, is reporting some “not so good news.” In the article, “Kraken BotArmy-Twice as Big as Storm; Evades over 80% of Installed Antivirus Software” (pdf) Ashley Vandiver of Damballa explains:

在近期的RSA 2008上，一家独自投身于研究僵尸网络技术的互联网安全公司Damballa，正报道一个“不怎么好的消息”。在文章“Kraken僵尸网络队伍-有Storm僵尸网络的两倍大；可躲避超过80%的已安装的反病毒软件”中，Damballa的Ashley Vandiver说明：

《endurer注：1。Damballa：由Dagon和Wenke Lee成立的一家的公司，致力于开发能够保护用户的计算机不受这种类型攻击的方法。Damballa标榜自己是反僵尸网络的供应商，能够通过追踪计算机是否与那些已知是恶意的DNS服务器通讯，来鉴别出受到侵害的计算机。
2。Storm：2007年1月据国外媒体最新报道，名为“Storm worm”的木马开始传播，攻击了至少1600万台计算机，组建了一个大型僵尸网络。》

This new BotArmy, named “Kraken,” is twice as big as Storm, with over 400,000 distinct victims observed daily as compared to Storm’s 200,000 victims. Kraken has gone undetected on 80% of computers with antivirus software installed.

这个被命名为“Kraken”的新的僵尸网络队伍，每天拥有超过400,000台受感染电脑，是有200,000台受感染电脑的Storm僵尸网络的两倍大。Kraken能避开超过80%的已安装的反病毒软件的检测。

Remember Storm botnets?
记得Storm僵尸网络吗？

For those not familiar with Storm, up until now it had the honor of being the largest and most notorious botnet to date. Experts consider the Storm botnet to be powerful enough to knock entire countries off the Internet. The Wikipedia entry “Storm botnet” gives an accurate accounting of how the Storm Worm — a trojan horse that spreads through e-mail — is used to recruit infected computers (zombies) into the Storm botnet. Estimates have the number of zombies to be around 200,000. The Wiki entry also does a nice job of explaining what a botnet is and how it can be such a threat.

对那些不熟悉Storm僵尸网络的人，直到现在，它是到迄今止存在的最大和最臭名昭著的僵尸网络之冠。专家们认为Storm僵尸网络足以中止整个国家的互联网。维基百科上的“Storm botnet”条上给出了Storm蠕虫的确切的记录—一个通过电子邮件传播的特洛伊木马—被用来将被感染的电脑（僵尸电脑）补充到Storm僵尸网络。估计拥有200,000台左右的僵尸电脑。维基百科条目也友好地解释了什么是僵尸网络，以及它如何造成如此的威胁。

Some very sophisticated coding goes into botnet programs. For example, servers controlling the botnet automatically change the software code at pre-determined times to avoid detection by antivirus applications. On top of that, all botnet management traffic is encrypted and uses peer-to-peer control techniques, which make monitoring and disabling the botnet very difficult.

一些非常精密的编码进入僵尸网络程序。例如，控制僵尸网络的服务器在被确定之前自动地改变软件代码来避开反病毒应用程序的检测。最重要的是，所有的僵尸网络管理交通被加密了，并使用点对点控制技术，使监测和禁用僵尸网络非常困难。

On that same Wiki entry there is a very interesting quote from IBM researcher Joshua Corman:

在同一维基条目中，有一个对IBM研究员Joshua Corman的有趣引述：

“This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit. Researchers are still unsure if the botnet’s defenses and counter attacks are a form of automation, or manually executed by the system’s operators. If you try to attach a debugger, or query sites it’s reporting to, it knows and punishes you instantaneously. Over at SecureWorks, a botnet DDoS-ed a researcher.”

“这是我的记忆中第一次看到研究人员对研究一个漏洞利用感到害怕。研究人员仍不清楚，僵尸网络的防御和反攻击，是一种自动化的形式，还是该系统的操作者手动执行的。如果您尝试附加调试，或查询报道的网站，它知悉并立即惩罚你。看看SecureWorks ，一个僵尸网络DDoS过的研究人员。”

Kraken builds on Storm
Kraken以Storm为基础

Both Storm and Kraken rely on social engineering to propagate. Damballa believes that the preferred attack venue is to have the malware appear as an image file. When a user attempts to view the file, it’s all over. For those wondering if they may be infected, Damballa lists compromised public IP addresses on its Web site that it updates regularly. If perchance, you find a public IP address on the list that you are concerned about, Damballa has remediation instructions that explain how to identify the process and remove the malware.

Storm和Kraken依靠社会工程学传播。Damballa认为，首选攻击点是有恶意软件以图像文件出现。当用户尝试查看该文件，那就全完了。对于怀疑自身被感染的人，Damballa在其定期更新的网站上列出了遭受损失的公网IP地址。如果担心你在清单中发现了你关心的公网IP地址，Damballa有补救指令，说明如何确认进程和移除恶意软件。

《endurer注：1。be all over:全部结束(四处传播,奉承,占压倒优势)
2。concern about:对…的关心／忧虑》

What’s different about Kraken?
Kraken有何不同之处？

Instead of using peer-to-peer techniques to control the botnet, Kraken uses command and control (C&C) servers that are located in different parts of the world. Each infected computer has a list of the C&C servers. If the current C&C server is disabled, the zombies check in with the next server on the list. Using this approach eliminates the problem of having a portion of the botnet go down if one of the peers is taken off-line.

Kraken使用位于世界不同地区的命令控制(C&C)服务器，而不是点到点来控制僵尸网络。每台被感染的电脑都有一个命令控制服务器清单。如果当前命令控制服务器被禁用，僵尸电脑会向清单中的下一台服务器报道。使用这种做法可以免除一对点离线使僵尸网络部分脱落的问题。

Now the scary stuff
如今令人害怕的东西

It appears that infected computers don’t just belong to what researchers like to call the non-tech-savvy computer users. At last count, 50 Fortune 500 companies have compromised computers. Paul Royal, principal researcher at Damballa commented that Damballa is trying to figure out how the bot infestation is getting past the perimeter defenses of some of the best-protected networks in the world:

看来好像被感染的电脑不再属于研究人员喜欢称之为无技术常识电脑用户的人了。最新的统计，50个财富500强公司有受害的电脑。Damballa首席研究员Paul Royal评论说， damballa正试图弄清楚僵尸网络侵扰是如何越过一些世界上最佳保护网络的周边防御的：

《endurer注：1。It appears that:ad. 看来(看来好像)》

“Somehow, this thing is evading the canonical defense techniques that the enterprises use, such as intrusion detection systems and intrusion prevention systems. It should be caught by IDSes, IPSes and firewalls and it’s not.”

“不知何故，这东西躲过了企业使用的典型防御技术，如入侵检测系统和入侵预防系统。它应被入侵检测系统，入侵预防系统和防火墙捕获的，但是没有。”

Final thoughts
结语

For now, it appears that the Kraken botnet is just delivering massive amounts of spam. Damballa claims to have seen some infected machines sending over 500,000 spam messages per day. I do not even want to think about what a half a million infected machines sending 500,000 messages per day would do to most anti-spam services.

现在，看来kraken僵尸网络只是提供了发送的垃圾邮件。 Damballa声称已看到一些受感染的机器每天发送超过五十万的垃圾邮件。我甚至不敢想像50万受感染机器每天发送500000个邮件会给大多数反垃圾邮件服务带来什么。

《endurer注：1。do to:给与，加以，伤害》