
The Feasibility Analysis Of Zombies Program Hijacked

Posted on: 2013-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: J Liu
Full Text: PDF
GTID: 2248330395959377
Subject: Network and information security
Abstract/Summary:
A robot network, Botnet for short and known domestically as a zombie network, is a new comprehensive attack platform that has grown up with today's Internet; it is composed of many hosts implanted with a BOT program (bots). From the initial IRC-based method, botnets have extended to P2P (peer-to-peer networks) and then to HTTP- and DNS-based modes, gradually developing toward simple, modular designs. They incorporate all kinds of advanced Trojan programs, backdoors and trace-hiding rootkits; their means grow ever more professional, and they become ever harder to prevent and control. For this reason, in information warfare the zombie network has become a subject of study for national information security departments. The botnet threat is huge: explosive and concealed, it can effectively mobilize network attacks of every scale, such as DDoS, theft of sensitive information, and the spreading of reactionary political speech through spam.

Domestic civilian research and monitoring of botnets began in late 2004, mainly by CNCERT/CC and the malicious code research project team of Tsinghua University's CCERT; in the PLA there were no special research institutions.

Research shows that every botnet has a command and control channel, the C2 channel (Command & Control Channel), through which hackers can exercise real-time control. According to differences in the C2 model, botnets are generally divided into three patterns: (1) centralized botnets; (2) distributed botnets; (3) compound botnets.

This paper uses literature research, comparative research, experimental analysis, case study and information collection, combined with current domestic and foreign research results, and divides the main means of detection into three kinds: (1) feature-based botnet detection technology; (2) flow-based botnet detection technology; (3) behavior-based botnet detection technology. These three detection methods concentrate mainly on destroying the C&C structure (Command & Control infrastructure) so as to paralyze the botnet. They have some shortcomings:
1. High cost: run-time overhead for monitoring network traffic, storage overhead for packet logs, etc.
2. Easy to evade: new anti-detection means emerge in an endless stream.
3. Unable to completely destroy the zombie network structure: BOT program code can be reused, and simply by modifying the C&C commands an attacker can improve the botnet's detection resistance and control capability.

In addition, even a successful decapitation operation (cutting the contact between hackers and zombie hosts) leaves large numbers of infected hosts on the network that can still be captured and controlled by other hackers, adding up to new and more secret zombie networks.

Therefore, after weighing the advantages and disadvantages of the mainstream coping strategies, this paper proposes a botnet hijack strategy: using virtual machine and honeypot technology to capture BOT programs, using an OllyDbg sandbox to analyze the function of BOT program modules, and gradually grasping the zombie process life cycle and its use of anti-detection technology, so as to further understand the code structure and function and to analyze the feasibility of taking control of the botnet. The article concludes with an idea: to make hijackable zombie networks serve us, exploiting the technical features of botnets to act as a network policeman that takes the initiative to find easily compromised hosts and implants vulnerability patches and malware scanning modules.
Keywords/Search Tags: Botnet, Detection Methods, Hijacking Code