

Posted: 2022-11-22 17:06:06
Tags: botnet, Kraken, baddest, network, Storm, Damballa, zombie


Kraken: The biggest, baddest botnet yet

《endurer's note: 1. Kraken: a legendary sea monster said to appear in the seas off Norway. See: http://en.wikipedia.org/wiki/Kraken》

Author: Michael Kassner

Translation: endurer, 2008-04-27, 1st edition

Category: General, security, Botnet, anti-spam, cybercrime, antivirus

Tags: Technique, Researcher, Server, Zombie, Computer, Damballa, Kraken BotArmy-Twice, Storm, Productivity, Wiki

English source: http://blogs.techrepublic.com.com/networking/?p=482&tag=nl.e102

At the recent RSA 2008 gathering Damballa, an Internet security company devoted solely to researching botnet technology, is reporting some “not so good news.” In the article, “Kraken BotArmy-Twice as Big as Storm; Evades over 80% of Installed Antivirus Software” (pdf) Ashley Vandiver of Damballa explains:


《endurer's note: 1. Damballa: a company founded by Dagon and Wenke Lee, dedicated to developing ways to protect users' computers from this type of attack. Damballa bills itself as an anti-botnet vendor that identifies compromised computers by tracking whether they communicate with DNS servers already known to be malicious.
2. Storm: according to the latest foreign media reports, in January 2007 a trojan named “Storm worm” began spreading, attacking at least 16 million computers and building a large botnet.》

This new BotArmy, named “Kraken,” is twice as big as Storm, with over 400,000 distinct victims observed daily as compared to Storm’s 200,000 victims. Kraken has gone undetected on 80% of computers with antivirus software installed.


Remember Storm botnets?

For those not familiar with Storm, up until now it had the honor of being the largest and most notorious botnet to date. Experts consider the Storm botnet to be powerful enough to knock entire countries off the Internet. The Wikipedia entry “Storm botnet” gives an accurate accounting of how the Storm Worm — a trojan horse that spreads through e-mail — is used to recruit infected computers (zombies) into the Storm botnet. Estimates have the number of zombies to be around 200,000. The Wiki entry also does a nice job of explaining what a botnet is and how it can be such a threat.


Some very sophisticated coding goes into botnet programs. For example, servers controlling the botnet automatically change the software code at pre-determined times to avoid detection by antivirus applications. On top of that, all botnet management traffic is encrypted and uses peer-to-peer control techniques, which make monitoring and disabling the botnet very difficult.


On that same Wiki entry there is a very interesting quote from IBM researcher Joshua Corman:


“This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit. Researchers are still unsure if the botnet’s defenses and counter attacks are a form of automation, or manually executed by the system’s operators. If you try to attach a debugger, or query sites it’s reporting to, it knows and punishes you instantaneously. Over at SecureWorks, a botnet DDoS-ed a researcher.”


Kraken builds on Storm

Both Storm and Kraken rely on social engineering to propagate. Damballa believes that the preferred attack venue is to have the malware appear as an image file. When a user attempts to view the file, it’s all over. For those wondering if they may be infected, Damballa lists compromised public IP addresses on its Web site that it updates regularly. If perchance, you find a public IP address on the list that you are concerned about, Damballa has remediation instructions that explain how to identify the process and remove the malware.


《endurer's note: 1. be all over: to be completely finished (also: to spread everywhere; to fawn over; to have an overwhelming advantage)
2. concern about: to be concerned/worried about …》

What’s different about Kraken?
Instead of using peer-to-peer techniques to control the botnet, Kraken uses command and control (C&C) servers that are located in different parts of the world. Each infected computer has a list of the C&C servers. If the current C&C server is disabled, the zombies check in with the next server on the list. Using this approach eliminates the problem of having a portion of the botnet go down if one of the peers is taken off-line.
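As an added example (not from the original article and not Damballa's tooling), the Python below models the fail-over behaviour described above from the defender's side: the C&C hostnames, internal host names and connection-log entries are constructed placeholders. It flags hosts that walk down the C&C list after a refused connection, and shows why blocking only one server on the list does not cut the bots off.

```python
"""Detect C&C fail-over beaconing: each zombie holds an ordered C&C list and
moves to the next entry when the current one is unreachable.
All names below are constructed placeholders, not real Kraken infrastructure."""
from collections import defaultdict

# Constructed C&C list, in the order a bot would hold it.
CNC_LIST = ["cnc-1.example.invalid", "cnc-2.example.invalid", "cnc-3.example.invalid"]
RANK = {name: i for i, name in enumerate(CNC_LIST)}

# Constructed outbound-connection log: (timestamp, src_host, dst_host, result).
LOG = [
    (1000, "pc-17", "cnc-1.example.invalid", "REFUSED"),
    (1005, "pc-17", "cnc-2.example.invalid", "OK"),
    (1010, "pc-42", "cnc-1.example.invalid", "REFUSED"),
    (1012, "pc-42", "cnc-2.example.invalid", "REFUSED"),
    (1015, "pc-42", "cnc-3.example.invalid", "OK"),
    (1020, "pc-09", "mail.example.invalid", "OK"),
    (1030, "pc-09", "cnc-2.example.invalid", "OK"),  # single hit, no fail-over walk
]


def failover_hosts(log, window=60):
    """Return {src: [dst, ...]} for hosts that, after a failed attempt on one
    C&C entry, contact the *next* entry of the list within `window` seconds."""
    per_host = defaultdict(list)
    for ts, src, dst, result in sorted(log):
        if dst in RANK:                      # only traffic to known C&C entries
            per_host[src].append((ts, dst, result))
    flagged = {}
    for src, events in per_host.items():
        for (t1, d1, r1), (t2, d2, _) in zip(events, events[1:]):
            if r1 != "OK" and RANK[d2] == RANK[d1] + 1 and t2 - t1 <= window:
                flagged.setdefault(src, [d1]).append(d2)
    return flagged


def still_connected(log, blocked):
    """Hosts that completed a connection to a C&C entry not in `blocked`.
    Blocking a single list entry leaves these bots under control."""
    return sorted({src for _, src, dst, r in log
                   if dst in RANK and dst not in blocked and r == "OK"})


if __name__ == "__main__":
    print("fail-over walkers:", failover_hosts(LOG))
    print("still reachable after blocking cnc-1:",
          still_connected(LOG, {"cnc-1.example.invalid"}))
    print("still reachable after blocking whole list:",
          still_connected(LOG, set(CNC_LIST)))
```

Hosts that merely hit one C&C entry (pc-09) are not flagged as fail-over walkers, so the two checks complement each other: one spots the list-walking pattern, the other measures how much of the list a block actually covers.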


Now the scary stuff

It appears that infected computers don’t just belong to what researchers like to call the non-tech-savvy computer users. At last count, 50 Fortune 500 companies have compromised computers. Paul Royal, principal researcher at Damballa commented that Damballa is trying to figure out how the bot infestation is getting past the perimeter defenses of some of the best-protected networks in the world:


《endurer's note: 1. It appears that: adv. it seems (it looks as if)》

“Somehow, this thing is evading the canonical defense techniques that the enterprises use, such as intrusion detection systems and intrusion prevention systems. It should be caught by IDSes, IPSes and firewalls and it’s not.”


Final thoughts

For now, it appears that the Kraken botnet is just delivering massive amounts of spam. Damballa claims to have seen some infected machines sending over 500,000 spam messages per day. I do not even want to think about what a half a million infected machines sending 500,000 messages per day would do to most anti-spam services.


《endurer's note: 1. do to: to give, to inflict on, to harm》

From: https://blog.51cto.com/endurer/5878231
