基于Webshell的僵尸网络研究

doi:10.11959/j.issn.1000-436x.2016118

摘要/Abstract

摘要：

以Web服务器为控制目标的僵尸网络逐渐兴起，传统命令控制信道模型无法准确预测该类威胁。对传统Webshell控制方式进行改进，提出一种树状拓扑结构的信道模型。该模型具备普适和隐蔽特性，实验证明其命令传递快速可靠。总结传统防御手段在对抗该模型时的局限性，分析该信道的固有脆弱性，提出可行的防御手段。

关键词: 僵尸网络, 命令与控制, 信道预测, Webshell

Abstract:

With the rapid rising of Web server-based botnets,traditional channel models were unable to predict threats from them.Based on improving traditional Webshell control method,a command and control channel model based on tree structure was proposed.The model was widely applicable and stealthy and the simulation experimental results show it can achieve rapid and reliable commands delivery.After summarizing the limitations of current defenses against the proposed model,the model’s inherent vulnerabilities is analyzed and feasible defense strategies are put forward.

Key words: botnet, command and control, channel prediction, Webshell

李可,方滨兴,崔翔,刘奇旭,严志涛. 基于Webshell的僵尸网络研究[J]. 通信学报, 2016, 37(6): 11-19.

Ke LI,Bin-xing FANG,Xiang CUI,Qi-xu LIU,Zhi-tao YAN. Research on Webshell-based botnet[J]. Journal on Communications, 2016, 37(6): 11-19.

图/表 13

图1

图2

表1

图3

图4

图5

表2

表3

图6

图7

图8

图9

图10

参考文献 21

[1]	CUI X , FANG B X ,et al. Botnet triple-channel model:towards resilient and efficient bidirectional communication botnets[M]// Security and Privacy in Communication Networks. Springer International Publishing, 2013.
[2]	SHAHID K ,et al. A taxonomy of botnet behavior,detection,and defense[J]. Communications Surveys ＆Tutorials,IEEE, 2015,16(2): 898-924.
[3]	HEILMAN E , KENDLER A , ZOHAR A ,et al. Eclipse attacks on Bitcoin’s peer-to-peer network[C]// 24th USENIX Security Symposium (USENIX Security 15). 2015: 129-144.
[4]	CANALI D , BALZAROTTI D . Behind the scenes of online attacks:an analysis of exploitation behaviors on the Web[C]// 20th Annual Network＆Distributed System Security Symposium(NDSS 2013). 2013.
[5]	Netcraft. Web server survey[EB/OL]. .
[6]	Symantec. 2015 Internet security threat report[EB/OL]. .
[7]	F-Secure. Backdoor:Osx/tsunami[EB/OL]. .
[8]	New bot malware (BoSSaBoTv2) attacking Web servers discovered[EB/OL]. .
[9]	WANG P , SPARKS S , ZOU C C . An advanced hybrid peer-to-peer botnet[J]. IEEE Transactions on Dependable and Secure Computing, 2010,7(2): 113-127.
[10]	STARNBERGER G , KRUEGEL C , KIRDA E . Overbot:a botnet protocol based on Kademlia[C]// The 4th International Conference on Security and Privacy in Communication Networks. ACM, 2008.
[11]	HUND R , HAMANN M , HOLZ T . Towards next-generation botnets[C]// European Conference on Computer Network Defense. IEEE, 2008: 33-40.
[12]	DOUCEUR J R . The sybil attackpeer-to-peer systems[M]// Springer Berlin Heidelberg, 2002: 251-260.
[13]	SINGH K , SRIVASTAVA A , GIFFIN J ,et al. Evaluating email’s feasibility for botnet command and control[C]// IEEE International Conference on Dependable Systems and Networks With FTCS and DCC,IEEE, 2008: 376-385.
[14]	XU K , BUTLER P , SAHA S ,et al. DNS for massive-scale command and control[J]. IEEE Transactions on Dependable and Secure Computing, 2013,10(3): 143-153.
[15]	CUI X , FNAG B X ,et al. Andbot:towards advanced mobile botnets[C]// Proceedings of the 4th USENIX Conference on Large-Scale Exploits and Emergent Threats. USENIX Association, 2011: 11-11.
[16]	LEE S , KIM J . Fluxing botnet command and control channels with URL shortening services[J]. Computer Communications, 2013,36(3): 320-332.
[17]	SANATINIA A , NOUBIR G . OnionBots:subverting privacy infrastructure for cyber attacks[C]// Dependable Systems and Networks (DSN), 2015: 69-80.
[18]	LI J , EHRENKRANZ T , KUENNING G ,et al. Simulation and analysis on the resiliency and efficiency of malnets[C]// Principles of Advanced and Distributed Simulation. IEEE, 2005: 262-269.
[19]	WANG D Y , SAVAGE S , VOELKER G M . Juice:a longitudinal study of an SEO botnet[C]// The NDSS Symposium. 2013.
[20]	STONE-GROSS B , COVA M , CAVALLARO L ,et al. Your botnet is my botnet:analysis of a botnet takeover[C]// The 16th ACM Conference on Computer and Communications Security. ACM, 2009: 635-647.
[21]	BIRYUKOV A , PUSTOGAROV I , WEINMANN R . Trawling for tor hidden services:detection,measurement,deanonymization[C]// 2013 IEEE Symposium on Security and Privacy(SP). 2013: 80-94.

网络	僵尸程序运行模式	权限要求	终端防护	感染是否需要用户配合	终端数据资源
PC僵尸网络	主动持续运行	管理员或系统权限	PC杀毒软件、防火墙	大多数需要	个人敏感信息，包括登录口令，文档、金融账户信息、邮件等
移动僵尸网络	主动持续运行	安装及敏感功能授权	手机杀毒软件	大多数需要	个人敏感信息，包括手机联系人、短信、邮件等
Webshell 僵尸网络	被动请求执行	Web站点权限	Web应用防火墙	否	网站后台数据及主机敏感信息

参数	说明
C_N	通知命令，告知节点请求获取功能或转发命令
C_F	功能命令，包括DDoS、扫描、垃圾邮件发送、文件回传、Call-Home、更新等
C_T	转发命令，包括转发目标U及对应的通知命令C_N
U	Webot僵尸主机URL 列表
IP_Sensor	代理节点地址
E()	RSA加密算法
E'()	DES加密算法
Public_Key	RSA加密算法公钥
Private_Key	RSA加密算法私钥
ID_i	Bot ID，标识唯一的僵尸主机
T	时间窗，包括开始时间和结束时间
R_Key	一次性会话密钥

角色	所掌握资源
	Private_Key
控制者	∑C_N
	∑R_Key_i
	∑C_F
	U
	∑C_N
C＆C服务器	∑R_Key_i
	∑C_T
	∑ID_i
僵尸主机	Public_Key
	∑ID_i
代理节点	无