基于覆盖率分析的僵尸网络控制命令发掘方法

doi:10.3969/j.issn.1000-436x.2014.01.018

摘要/Abstract

摘要：

从僵尸程序执行轨迹对二进制代码块的覆盖规律出发，提出了一种僵尸网络控制命令发掘方法。通过分析执行轨迹对代码块的覆盖率特征实现对僵尸网络控制命令空间的发掘，根据代码空间是否被全覆盖来验证发现的僵尸网络命令空间的全面性。对僵尸网络Zeus、SdBot、AgoBot的执行轨迹进行了代码块覆盖率分析，结果表明，该方法能够快速准确地发掘出僵尸网络的控制命令集合，时间和空间开销小，且该命令集合所对应的执行轨迹可以覆盖僵尸程序95%以上的代码空间。

关键词: 恶意代码分析, 僵尸网络, 命令与控制协议, 基本块, 覆盖率

Abstract:

There are some inherent patterns in the bot execution trace coverage of basic blocks.Using these patterns,an approach was proposed to infer Botnet command-and-control protocol (C&C protocol).Without intermediate representation of binary code and constraints solving,this approach has a lower time and space overhead.This coverage analysis approach was evaluated on 3 famous Botnet:Zeus,Sdbot and Agobot.The result shows that this approach can accurately and efficiently extract the Botnet control commands.And the completeness of the extracted control commands could be verified by checking whether all available basic blocks in bot are covered by the traces triggered by the control commands.

Key words: malware analysis, Botnet, command-and-control protocol, code block, code coverage

王志,蔡亚运,刘露,贾春福. 基于覆盖率分析的僵尸网络控制命令发掘方法[J]. 通信学报, 2014, 35(1): 156-166.

Zhi WANG,Ya-yun CAI,Lu LIU,Chun-fu JIA. Using coverage analysis to extract Botnet command-and-control protocol[J]. Journal on Communications, 2014, 35(1): 156-166.

图/表 10

图1

图2

图3

表1

图4

图5

图6

图7

图8

图9

参考文献 47

[1]	诸葛建伟, 韩心慧, 周林等. 僵尸网络研究[J]. 软件学报, 2008,19(3): 702-715. ZHUGE J W , HAN X H , ZHOU L ,et al. Research and development of Botnets[J]. Journal of Software, 2008,19(3): 702-715.
[2]	方滨兴, 崔翔, 王威 . 僵尸网络综述[J]. 计算机研究与发展, 2011,48(8): 1315-1331. FANG B X , CUI X , WANG W . Survey of Botnets[J]. Journal of Computer Research and Development, 2011,48(8): 1315-1331.
[3]	王天佐, 王怀民, 刘波等 . 僵尸网络中的关键问题[J]. 计算机学报, 2012,35(6): 1192-1208. WANG T Z , WANG H M , LIU B ,et al. Some critical problems of Botnets[J]. Chinese Journal of Computers, 2012,35(6): 1192-1208.
[4]	江健, 诸葛建伟, 段海新等. 僵尸网络机理与防御技术[J].2012,23(1):82-96. 2012,23(1): 82-96. JIANG J , ZHUGE J W , DUAN H X ,et al. Research on Botnet mechanisms and defenses[J]. Journal of Software, 2012,23(1): 82-96.
[5]	NAZARIO J . DDoS attack evolution[J]. Network Security, 2008,7: 7-10.
[6]	HUSNA H , PHITHAKKITNUKOON S , PALLA S ,et al. Behavior analysis of spam Botnets[A]. IEEE COMSWARE[C]. Bangalore,India, 2008. 246-253.
[7]	FREILING F , HOLZ T , WICHERSKI G . Botnet tracking:exploring a root-cause methodology to prevent distributed denial-of-service attacks[A]. Proc of the ESORICS’05[C]. Milan,Italy, 2005. 319-335.
[8]	BAECHER P , KOETTER M , HOLZ T ,et al. The nepenthes platform:an efficient approach to collect malware[A]. Proc of the RAID’06[C]. Hamburg,Germany, 2006. 165-184.
[9]	金鑫, 李润恒, 甘亮等 . 基于通信特征曲线动态时间弯曲距离的IRC 僵尸网络同源判别方法[J]. 计算机研究与发展, 2012,49(3): 481-490. JIN X , LI R H , GAN L ,et al. IRC Botnets' homology identifying method based on dynamic time warping distance of communication feature curves[J]. Journal of Computer Research and Development, 2012,49(3): 481-490.
[10]	GU G , PORRAS P , YEGNESWARAN V ,et al. BotHunter:detecting malware infection through ids-driven dialog correlation[A]. Proc of the 16th USENIX Security Symp[C]. Boston,Massachusetts,USA, 2007. 167-182.
[11]	GU G,PERDISCT R , ZHANG J , et a1 . BotMiner:clustering analysis of network traffic for protocol-and structure-independent botnet detection[A]. Proc of the 17th USENIX Security Symp[C]. San Jose,California,USA, 2008. 269-286.
[12]	GU G , ZHANG J , LEE W . BotSniffer:detecting botnet command and control channels in network traffic[A]. Proc of the NDSS[C]. San Diego,USA, 2008.
[13]	王威, 方滨兴, 崔翔 . 基于终端行为特征的 IRC 僵尸网络检测[J]. 计算机学报, 2009,32(10): 1980-1988. WANG W , FANG B X , CUI X . IRC Botnet detection based on host behavior[J]. Chinese Journal of Computers, 2009,32(10): 1980-1988.
[14]	HOLZ T , GORECKI C , RIECK C ,et al. Detection and mitigation of fast-flux service networks[A]. Proc of the NDSS[C]. San Diego,USA, 2008.
[15]	CHING-HSIANG H , HUANG C Y , CHEN K T . Fast-flux bot detection in real time[A]. Proc of the RAID[C]. Menlo Park,California,USA, 2011. 464-483.
[16]	王海龙, 龚正虎, 侯捷 . 僵尸网络监测技术研究进展[J]. 计算机研究与发展, 2010,47(12): 2037-2048. WANG H L , GONG Z H , HOU J . Overview of Botnet detection[J]. Journal of Computer Research and Development, 2010,47(12): 2037-2048.
[17]	FREILING F , HOLZ T , WICHERSKI G . Botnet tracking:exploring a root-cause methodology to prevent denial of service attacks[A]. Proc of the ESORICS[C]. Milan,Italy, 2005. 319-335.
[18]	RAJAB M , ZARFOSS J , MONROSE F ,et al. A multifaceted approach to understanding the Botnet phenomenon[A]. Proc of the 6th ACM SIGCOMM Conf on Internet Measurement[C]. Pisa,Italy, 2006. 41-52.
[19]	JUAN C , PONGSIN P , CHRISTIAN K ,et al. Dispatcher:enabling active botnet infiltration using automatic protocol reverse-engineering[A]. Proc of the CCS 2009[C]. Chicago,IL,USA, 2009. 621-634.
[20]	KANICH C , KREIBICH C , LEVCHENKO K ,et al. Spamalytics:an empirical analysis of spam marketing conversion[A]. Proc of the CCS 2008[C]. Alexandria,VA,USA , 2008. 3-14.
[21]	应凌云, 杨轶, 冯登国等. 恶意软件网络协议的语法和行为语义分析方法[J]. 软件学报, 2011,22(7): 1676-1689. YING L Y , YANG Y , FENG D G ,et al. Syntax and behavior semantics analysis of network protocol of malware[J]. Journal of Software, 2011,22(7): 1667-1689.
[22]	刘豫, 王明华, 苏璞睿等. 基于动态污点分析的恶意代码通信协议逆向分析方法[J]. 电子学报, 2012,40(4): 661-668. LIU Y , WANG M H , SU P R ,et al. Communication protocol reverse engineering of malware using dynamic taint analysis[J]. Acta Electronica Sinica, 2012,40(4): 661-668.
[23]	CHO C , BABIC D , SHIN E ,et al. Inference and analysis of formal models of botnet command and control protocols[A]. Proc of the CCS 2010[C]. Chicago,IL,USA, 2010. 426-439.
[24]	KANG B , ERIC C , LEE C ,et al. Towards complete node enumeration in a peer-to-peer Botnet[A]. Proc of the CCS 2009[C]. Chicago,IL,USA, 2009. 23-34.
[25]	STONE-GROSS B , COVA M , CAVALLARO L ,et al. Your Botnet is my botnet:analysis of a Botnet takeover[A]. Proc of the CCS 2009[C]. Chicago,IL,USA, 2009. 635-647.
[26]	DAGON D , ZOU C , LEE W . Modeling botnet propagation using time zones[A]. Proc of the NDSS[C]. San Diego,USA, 2006. 235-249.
[27]	VOGT R , AYCOCK J , JACOBSON M . Army of botnets[A]. Proc of the NDSS[C]. San Diego,USA, 2007. 111-123.
[28]	WANG P , WU L , CUNNINGHAM R ,et al. Honeypot detection in advanced Botnet attacks[J]. International Journal of Information and Computer Security, 2010,4(1): 30-51.
[29]	WANG W , FANG B , CUI X ,et al. A user ID-centralized recoverable Botnet:structure research and defense[J]. International Journal of Innovative Computing,Information and Control, 2010,6(4): 4307-4317.
[30]	ZENG Y , SHIN K , HU X . Design of SMS commanded-and-controlled and P2P-structured mobile botnets[A]. Proc of the 5th ACM Conf on Security and Privacy in Wireless and Mobile Networks[C]. Tucson,Arizona,USA, 2012. 137-148.
[31]	SINGH K , SENGAL S , JAIN N ,et al. Evaluating Bluetooth as a medium for Botnet command and control[A]. Proc of the Int Conf on Detection of Intrusions and Malware,and Vulnerability Assessment[C]. Bonn,Germany, 2010. 61-80.
[32]	CUI X , FANG B , YIN L ,et al. Andbot:towards advanced mobile Botnets[A]. Proc of the 4th USENIX Workshop on Large-scale Exploits and Emergent Threats[C]. Berkeley,California,USA, 2011.11.
[33]	ZHAO S , LEE P , LUI J ,et al. Cloud-based push-styled mobile botnets:a case study of exploiting the cloud to device messaging service[A]. Proc of the Annual Computer Security Applications Conf (ACSAC 2012)[C]. Florida,USA, 2012. 119-128.
[34]	AMINI P , PIERCE C , , Kraken Botnet infiltration[EB/OL]. , 2005.
[35]	CHIA Y , JUAN C , , Botnet infiltration:finding bugs in botnet command and control[EB/OL]. , 2009.
[36]	DAVIS C , FERNANDEZ J , NEVILLE S ,et al. Sybil attacks as a mitigation strategy against the storm Botnet[A]. Proc of the 3rd Int Conf on Malicious and Unwanted Software[C]. Alexandria,Virginia,USA, 2008. 32-40.
[37]	BARFORD P , YEGNESWARAN V . An inside look at Botnets[J]. Malware Detection, 2007,27: 171-191.
[38]	SHACHAM H . The geometry of innocent flesh on the bone:return-into-libc with-out function calls (on the x86)[A]. Proc of the 14th ACM Conf on Computer and Communications Security[C]. Alexandria,VA,USA, 2007. 552-561.
[39]	FALCARIN P , CARLO S , CABUTTO A ,et al. Exploiting code mobility for dynamic binary obfuscation[A]. Proc of the World Congress on Internet Security[C]. London,UK, 2011. 114-120.
[40]	CUI W , KANNAN J , WANG H J . Discoverer:automatic protocol reverse engineering from network traces[A]. Proc of 16th USENIX Security Symposium on USENIX Security Symposium[C]. Boston,MA,USA, 2007. 1-14.
[41]	VIGNA G . Static disassembly and code analysis[J]. Malware Detection, 2007,27: 19-41.
[42]	CABALLERO J , POOSANKAM P , KREIBICH C ,et al. Bidirectional Protocol Reverse Engineering:Message Format Extraction and Field Semantics Inference[R]. 2009.
[43]	LIM J , REPS T . BCE:Extracting Botnet Commands from Bot Executables[R]. 2010.
[44]	王志, 贾春福, 鲁凯 . 基于环境敏感分析的恶意代码脱壳方法[J]. 计算机学报, 2012,35(4): 693-702. WANG Z , JIA C F , LU K . Malicious hidden-code extracting based on environment-sensitive analysis[J]. Chinese Journal of Computers, 2012,35(4): 693-702.
[45]	Qemu[EB/OL]. , 2013.
[46]	SONG D , BRUMLEY D , YIN H ,et al. BitBlaze:a new approach to computer security via binary analysis[A]. Intl Conf on Information Systems Security(ICISS 2008)[C]. Hyderabad,India, 2008. 1-25.
[47]	Pin:a dynamic binary instrumentation tool[EB/OL]. , 2013.

覆盖率	覆盖次数	分类
P _BB=100%	具有相似性不具有相似性	12
0＜P_BB＜100%	不具有唯一性具有唯一性	34
P _BB=0	(0,0,…,0)	5