Botnets: How to get rooted in one easy lesson
Author: Michael Kassner
Translation: endurer, 2008-12-02, 3rd edition
Category: General, security, Botnet, antivirus, NAT
Tags: Try, Lesson, Productivity, Michael Kassner, Attacker, Trojan Horse, Malware, Computer, Dropper, Spyware, Adware & Malware
English source: http://blogs.techrepublic.com.com/networking/?p=714&tag=nl.e102
In discussions about botnets, two questions come up quite often: how does a computer become part of a botnet, and why? Like most things in life, the answers aren't simple; still, I'd like to give it a try.
——————————————————————————————————————
I noticed a trend in the comment section of my article "Botnets: Bigger Isn't Always Better" (Chinese translation: http://blog.csdn.net/Purpleendurer/archive/2008/11/04/3220788.aspx). People wanted to know how a computer becomes a bot and why it's so hard to detect when it happens. Thinking about this must have put me in one of my moods (often mistaken for daydreaming), because my son asked me what was wrong. I explained my quandary, and in his infinite wisdom he said, "Well, why don't you (looking at me with that 'duh' expression) write about it, and then everyone will know." Hmmm, I knew that.
Botnet or rootkit, which came first?
Becoming part of a botnet requires the installation of a remotely accessible command-and-control application, the bot, on the computer under attack: a program that connects to the attacker's infrastructure, takes orders from it and stays resident. The application of choice for keeping that program hidden and running is the infamous rootkit, which can conceal the bot's files, processes and network connections from the user and from most security software. For more detail about the inner workings of rootkits, please refer to my article "10+ Things You Should Know about Rootkits."
In that article, I didn't spend much time on the propagation process, and I'd like to correct that now. The malware package that delivers the rootkit is called a blended threat, because it consists of three parts: the dropper, which gets the package past the computer's defences; the loader, which installs and starts the rootkit; and the rootkit itself. I'd like to focus on the dropper, since it's where much of the confusion lies.
Dropper program
The dropper is a program whose whole purpose is to sneak past security and antivirus applications. I liken droppers to the Transformer toys my son used to play with: droppers try to make themselves and their payload (the loader and rootkit) look like benign snippets of code. That usually happens by encrypting, compressing or otherwise encoding the payload, so that none of the byte sequences a malware scanner would recognise survive in the file on disk; the payload is only decoded again in memory, at run time. That leaves a scanner essentially two ways to catch it: a signature for the transformed package (or for the dropper's own decoding routine, which stays the same from victim to victim and can be signed once it has been seen), or heuristics, such as flagging files that are suspiciously high in entropy or that unpack and launch code when run.
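As an added illustration (not code from the original post), the following Python sketch models what the paragraph above describes: a dropper that encodes its payload with a keyed keystream, a signature scanner that finds the payload pattern in the raw bytes but not in the encoded blob, and the two options left to the scanner, a signature for the dropper's constant decoding stub and an entropy heuristic. The payload text, the signatures, the stub marker and the key are all constructed for the example; real droppers and real scanners are far more elaborate.

```python
import hashlib
import math
from typing import Iterable, List

# Constructed stand-in for the dropper's cargo (the loader plus the rootkit).
# It is plain text, not real malware; what matters is that it is low-entropy
# and contains a byte sequence an antivirus vendor could sign.
PAYLOAD = (
    b"loader: write kernel driver to system folder, register it as a service, "
    b"hook the process list, then open the command-and-control channel. "
) * 30

# Constructed signatures: one for the raw payload, one for the dropper's own
# decoding stub, which is identical on every victim and so can be signed
# once it has been seen.
PAYLOAD_SIGNATURE = b"hook the process list"
STUB_MARKER = b"\x7fDROP\x01"


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random keystream: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pack(payload: bytes, key: bytes) -> bytes:
    """What a dropper does at build time: encode the payload so that no byte
    sequence of the original survives on disk. The stub marker models the
    constant decoding routine that has to travel with the encoded blob."""
    ks = keystream(key, len(payload))
    return STUB_MARKER + bytes(p ^ k for p, k in zip(payload, ks))


def unpack(blob: bytes, key: bytes) -> bytes:
    """What the dropper does at run time: decode the payload in memory."""
    body = blob[len(STUB_MARKER):]
    return bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))


def signature_scan(data: bytes, signatures: Iterable[bytes]) -> List[bytes]:
    """Signature scanner: report every known byte pattern found in the data."""
    return [sig for sig in signatures if sig in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: text sits well below 6, encrypted or
    compressed data close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_scan(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: flag data that looks encrypted or packed."""
    return shannon_entropy(data) > threshold


def scan(blob: bytes) -> dict:
    """Run both detection approaches over a file and summarise the result."""
    return {
        "payload_signature_hit": PAYLOAD_SIGNATURE in blob,
        "stub_signature_hit": STUB_MARKER in blob,
        "entropy": round(shannon_entropy(blob), 2),
        "heuristic_hit": heuristic_scan(blob),
    }


if __name__ == "__main__":
    key = b"per-campaign-key"  # constructed
    blob = pack(PAYLOAD, key)
    print("raw payload:", scan(PAYLOAD))
    print("packed blob:", scan(blob))
    assert unpack(blob, key) == PAYLOAD
```

The raw payload is caught by its signature; the packed blob is not, and only the stub signature or the entropy heuristic flags it. Changing the key (or the stub) per campaign is exactly the attacker's move in the cat-and-mouse game described later in the article, and the entropy heuristic is the defender's answer to it, at the price of false positives on legitimately compressed or encrypted files.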
Dropper versus trojan
Many experts consider dropper programs to be reverse-connect trojans. Trojans typically consist of two parts: a client and a server. Originally the server (the listening portion) was placed on the computer being attacked and the client was on the attacker's computer. The attacker would then connect to the server via the client application. All was good in the attacker's world.
Then NAT started to be widely used, and the original style of trojan stopped working: a NAT router forwards an inbound packet only if it belongs to a connection that a computer behind it initiated, so the attacker's client could no longer reach a server listening on the victim's computer (unless the victim had forwarded the port by hand, which few do). Being clever, the attackers reversed the connection process: the trojan on the victim's computer now connects out to the attacker, and NAT, which is designed to let outbound connections through, builds the mapping that carries the attacker's replies back in. Hence reverse-connect trojans. All is good in the attacker's world again.
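To make the NAT argument concrete, here is an added Python model (not code from the original post) of the two connection designs. It contains a toy port-restricted NAT that creates a translation entry only for flows started from the inside, a host with listening services, and the two scenarios the text describes: the attacker knocking on a server behind the NAT, and the trojan connecting out. The addresses, ports and payloads are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed addresses: RFC 5737 documentation ranges plus one private address.
ATTACKER_IP = "203.0.113.10"
NAT_PUBLIC_IP = "198.51.100.7"
VICTIM_IP = "192.168.1.20"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class Nat:
    """Toy NAT router. An outbound packet creates a mapping and is rewritten to the
    public address; an inbound packet is delivered only if it matches a mapping
    created by an earlier outbound packet, otherwise it is dropped."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map: Dict[Tuple[int, str, str], Tuple[str, int]] = {}
        self.next_port = 40000
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.out_map.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[flow] = pub_port
            self.in_map[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            self.dropped.append(pkt)  # unsolicited: nobody inside asked for this
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)


class Host:
    """A host with listening services; deliver() returns the service's reply packet."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.services: Dict[int, Callable[[bytes], bytes]] = {}

    def listen(self, port: int, handler: Callable[[bytes], bytes]) -> None:
        self.services[port] = handler

    def deliver(self, pkt: Packet) -> Optional[Packet]:
        handler = self.services.get(pkt.dst_port)
        if pkt.dst_ip != self.ip or handler is None:
            return None
        return Packet(self.ip, pkt.dst_port, pkt.src_ip, pkt.src_port, handler(pkt.payload))


def bind_trojan_scenario() -> bool:
    """Original design: the server listens on the victim and the attacker connects
    in. Returns True only if the attacker's packet reached the victim."""
    nat = Nat(NAT_PUBLIC_IP)
    victim = Host(VICTIM_IP)
    victim.listen(31337, lambda data: b"ready")  # trojan server, constructed port
    knock = Packet(ATTACKER_IP, 5555, NAT_PUBLIC_IP, 31337, b"hello")
    inside = nat.inbound(knock)  # no mapping exists, so the NAT drops it
    return inside is not None and victim.deliver(inside) is not None


def reverse_connect_scenario() -> Optional[bytes]:
    """Reverse-connect design: the victim connects out, the NAT creates a mapping,
    and the attacker's reply rides back through it. Returns the command the
    victim received, or None."""
    nat = Nat(NAT_PUBLIC_IP)
    attacker = Host(ATTACKER_IP)
    attacker.listen(443, lambda data: b"cmd:beacon")  # C2 on a port egress rules rarely block
    beacon = Packet(VICTIM_IP, 50000, ATTACKER_IP, 443, b"hello from bot")
    reply = attacker.deliver(nat.outbound(beacon))
    if reply is None:
        return None
    inside = nat.inbound(reply)
    return inside.payload if inside is not None else None


if __name__ == "__main__":
    print("bind-style trojan reachable through NAT:", bind_trojan_scenario())
    print("reverse-connect trojan received:", reverse_connect_scenario())
```

The defender's side of this is the mirror image: a reverse-connect bot produces only outbound traffic, which a default NAT and most host firewalls allow, so spotting it means watching what leaves the network (egress filtering and an eye on hosts that beacon to the same remote address on a schedule), not what tries to come in.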
The reason experts consider droppers to be trojans is their use of trickery. Simply stated, trojans and droppers are malware that appear to be something they're not (à la the original Trojan Horse). For example, one of the earliest methods used to get malware installed on computers was to offer free screensavers. The trouble is that the screensaver was a screensaver in name only; in reality it was a trojan, now installed on the computer with the user none the wiser.
Dropper's cat-and-mouse game
You can see how it has turned into the proverbial cat-and-mouse game between attackers and computer users. By design, this type of game eventually leads to the discovery of the scam. So instead of discussing specific examples that may already be out of date, I'd rather describe the generic approaches being used by attackers today, with a great deal of success, I might add. Once the attack vectors are understood, it should become easier to spot specific examples of how a computer becomes a bot:
- Drive-by download: This method is the scary one. In many cases the attacker sets up a malicious Web site (or plants code on a legitimate one) that exploits an unpatched vulnerability in the browser, one of its plug-ins or the operating system. All the user has to do is visit the Web site, and the dropper is downloaded and run on the computer with no further interaction.
- User interaction: This method pertains to a whole host of possible attack vectors, from simply opening a malicious attachment to clicking on a link that sends the Web browser to a malicious Web site. A good example of a cutting-edge exploit that requires user interaction is clickjacking, as explained in my recent article "Clickjacking: Potentially Harmful Web Browser Exploit" (Chinese translation: http://blog.csdn.net/Purpleendurer/archive/2008/11/19/3335731.aspx).
These are the two methods used by most dropper programs at present. Hopefully knowing this will raise a red flag if something you're doing on your computer just doesn't feel right.
Exploit definitions
There are a few more terms that I'd like to look at. By doing so, I hope to dissipate some FUD and allow everyone to make educated judgments when deciding how seriously to take a malware warning. On many occasions security pundits get a bit overzealous, reasoning that it's better to err on the side of caution. The only problem is that most users can't react that fast and ignore the warning. Then, if nothing happens, they feel the expert was crying wolf yet again. So here they are:
《Translator's note (endurer): 1. cry wolf: to raise a false alarm (to call for help when none is needed)》
- Proof-of-concept: A proof of concept (PoC) is a mechanism or application used to prove whether a concept is viable or not. A good example of this is the clickjacking exploit. Clickjacking was known to be an issue for a long time, but it didn't have any clout until researchers released a PoC. What does this mean to users? Well, there's some breathing room: a PoC demonstrates that the technique works, it is not yet being used against anyone. If it's interesting enough and easy to assemble, though, malware developers will be all over it in short order.
《Translator's note (endurer): 1. be all over: all finished (spread everywhere; fawn over; have the upper hand)》
- Zero-day exploit: This is often confused with zero-day malware, but they are two entirely different concepts. A zero-day exploit leverages an application or operating system vulnerability that is unknown or undisclosed to the vendor, so no patch exists yet. Just remember that you have zero days to patch the computer, because there's an exploit in play already; until the vendor ships a fix, the only defences are workarounds and layered mitigations.
- Zero-day malware: This refers to active malware strains that are so new that security and antivirus applications have no signatures for them. This is a real problem, especially since attackers like to keep zero-day malware quiet for as long as possible. You may remember my run-in with Rustock.B and my mentioning that experts are almost positive that Rustock.D is out as well, yet no one knows anything about it. So Rustock.D would be considered zero-day malware, and there's precious little users can do about it.
《Translator's note (endurer): 1. run in: a trial run (an aircraft's run toward its target; an inserted part; an argument) 2. do about: to take action or measures regarding something》
- In the wild: This is self-explanatory to some extent, and the exact opposite of a PoC. If you hear that some malware is in the wild, it means attackers are actively using it against real victims for some sort of malicious activity. The following diagram (courtesy of Viruslist.com) shows the growth of rootkits alone in the wild:
Final thoughts
I hope that I was able to provide some answers for those who were wondering how a computer gets rooted and why it's so hard to detect the process. Logically, my next step is to provide solutions for detecting rootkits and removing them. I'd like everyone to stay tuned, as it should get interesting.