僵尸网络的发现与跟踪.pdfVIP

全国网络与信息安全技术研讨会’2005 ·1· 僵尸网络的发现与跟踪 诸葛建伟，韩心慧，叶志远，邹维 （北京大学计算机科学技术研究所，北京 100871） 摘 要： 僵尸网络(Botnet)是近年来兴起的危害互联网的重大安全威胁之一，对僵尸网络的发现和跟踪能 够帮助安全研究人员深入了解僵尸网络攻击模式。本文介绍了发现和跟踪大量僵尸网络的方法，即通过恶意 软件收集器及样本交换等途径收集大量僵尸程序(Bot)，并通过对僵尸程序的分析获取进入僵尸网络控制信道 的必需信息，然后使用自动化僵尸网络控制服务器所属国查询以及规模查询工具得出该僵尸网络的基本信 息，最后使用IRC 客户端软件对IRC 僵尸网络进行全面跟踪。本文通过大量的僵尸网络发现和跟踪经验给 出了控制服务器所属国、僵尸网络规模的分布统计，以及对典型IRC 僵尸网络的跟踪记录。 关键词： 僵尸网络；僵尸程序；恶意软件；蜜网 Discover and Track Botnets Zhuge Jianwei, Han Xinhui, Ye Zhiyuan, Zou Wei (Institute of Computer Science and Technology, Peking University, Beijing, 100871) Abstract: Botnet is one of the emerging serious threats of the Internet. Discovering and tracking botnets can help the security researchers to understand the attack patterns of the botnets deeply. This paper presents the methodology of botnet discovery and tracking. First, a great deal bots were collected through an automated malware collector and sample exchanging with AV vendors, then they were analyzed to extract all necessary information to connect into the control channel of botnets, with these information, an automated whois query and botnet size tracking tool was used to extract the locations and sizes of the botnets, furthermore, an IRC client software was used to track and log the activities of these botnets. Through discovery and tracking of a great deal of botnets, this paper shows the distribution of locations of the botnet control servers, as well as the sizes of the botnets. Furthermore, a typical IRC botnet tracking example was presented. key words: botnet; bot; malware; honeynet 基金资助：第一作者受2004 年微软学者计划及2005 年IBM Ph.D. Fellowship 计划资助。 作者简介：诸葛建伟（1980－），男，浙江瑞安人，博士研究生，Email:zhugejianwei@。 ·2·