网络攻击与防范4-恶意代码概论.ppt

* * * * * * Some of the trojans have been removed to make the list fit on the slide. * * * * Botnets (contd.) 3 Steps of Authentication Bot to IRC Server IRC Server to Bot Botmaster to Bot (*) : Optional Step Why IRC? IRC(Internet Relay Chat) servers are: freely available easy to manage easy to subvert Attackers have experience with IRC IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts Host-based detection Virus scanning Watching for Symptoms Modification of windows hosts file Random unexplained popups Machine slowness Antivirus not working Watching for Suspicious network traffic Since IRC is not commonly used, any IRC traffic is suspicious. Sniff these IRC traffic Check if the host is trying to communicate to any Command and Control (CC) Center Through firewall logs, denied connections Network Intrusion Detection Systems Example Systems: Snort and Bro Sniff network packets, looks for specific patterns (called signatures) If any pattern matches that of a malicious binary, then block that traffic and raise alert These systems can efficiently detect virus/worms having known signatures Cant detect any malware whose signature is unknown (i.e., zero day attack) Anomaly Detection Normal traffic has some patterns Bandwidth/Port usage Byte-level characteristics (histograms) Protocol analysis – gather statistics about TCP/UDP src, dest address Start/end of flow, Byte count DNS lookup First learn normal traffic pattern Then detect any anomaly in that pattern Example systems: SNMP, NetFlow Botnet Traffic Share Botnet Traffic Share IRC Nicknames Bots use weird nicknames But they have certain pattern (really!) If we can learn that pattern, we can detect bots botnets Example nicknames: USA|016887436 or DE|028509327 Country | Random number (9 digit) RBOT|XP|48124 Bot type | Machine Type | Random number Problem: May be defeated by changing the nickname randomly HoneyPot and HoneyNet HoneyPot is a vulnerable machine, r