基于覆盖率分析的僵尸网络控制命令发掘方法

doi:10.3969/j.issn.1000-436x.2014.01.018

Abstract

Abstract:

There are some inherent patterns in the bot execution trace coverage of basic blocks.Using these patterns,an approach was proposed to infer Botnet command-and-control protocol (C&C protocol).Without intermediate representation of binary code and constraints solving,this approach has a lower time and space overhead.This coverage analysis approach was evaluated on 3 famous Botnet:Zeus,Sdbot and Agobot.The result shows that this approach can accurately and efficiently extract the Botnet control commands.And the completeness of the extracted control commands could be verified by checking whether all available basic blocks in bot are covered by the traces triggered by the control commands.

Key words: malware analysis, Botnet, command-and-control protocol, code block, code coverage

Zhi WANG,Ya-yun CAI,Lu LIU,Chun-fu JIA. Using coverage analysis to extract Botnet command-and-control protocol[J]. Journal on Communications, 2014, 35(1): 156-166.

Figures/Tables 10

References 47

[1]	诸葛建伟, 韩心慧, 周林等. 僵尸网络研究[J]. 软件学报, 2008,19(3): 702-715. ZHUGE J W , HAN X H , ZHOU L ,et al. Research and development of Botnets[J]. Journal of Software, 2008,19(3): 702-715.
[2]	方滨兴, 崔翔, 王威 . 僵尸网络综述[J]. 计算机研究与发展, 2011,48(8): 1315-1331. FANG B X , CUI X , WANG W . Survey of Botnets[J]. Journal of Computer Research and Development, 2011,48(8): 1315-1331.
[3]	王天佐, 王怀民, 刘波等 . 僵尸网络中的关键问题[J]. 计算机学报, 2012,35(6): 1192-1208. WANG T Z , WANG H M , LIU B ,et al. Some critical problems of Botnets[J]. Chinese Journal of Computers, 2012,35(6): 1192-1208.
[4]	江健, 诸葛建伟, 段海新等. 僵尸网络机理与防御技术[J].2012,23(1):82-96. 2012,23(1): 82-96. JIANG J , ZHUGE J W , DUAN H X ,et al. Research on Botnet mechanisms and defenses[J]. Journal of Software, 2012,23(1): 82-96.
[5]	NAZARIO J . DDoS attack evolution[J]. Network Security, 2008,7: 7-10.
[6]	HUSNA H , PHITHAKKITNUKOON S , PALLA S ,et al. Behavior analysis of spam Botnets[A]. IEEE COMSWARE[C]. Bangalore,India, 2008. 246-253.
[7]	FREILING F , HOLZ T , WICHERSKI G . Botnet tracking:exploring a root-cause methodology to prevent distributed denial-of-service attacks[A]. Proc of the ESORICS’05[C]. Milan,Italy, 2005. 319-335.
[8]	BAECHER P , KOETTER M , HOLZ T ,et al. The nepenthes platform:an efficient approach to collect malware[A]. Proc of the RAID’06[C]. Hamburg,Germany, 2006. 165-184.
[9]	金鑫, 李润恒, 甘亮等 . 基于通信特征曲线动态时间弯曲距离的IRC 僵尸网络同源判别方法[J]. 计算机研究与发展, 2012,49(3): 481-490. JIN X , LI R H , GAN L ,et al. IRC Botnets' homology identifying method based on dynamic time warping distance of communication feature curves[J]. Journal of Computer Research and Development, 2012,49(3): 481-490.
[10]	GU G , PORRAS P , YEGNESWARAN V ,et al. BotHunter:detecting malware infection through ids-driven dialog correlation[A]. Proc of the 16th USENIX Security Symp[C]. Boston,Massachusetts,USA, 2007. 167-182.
[11]	GU G,PERDISCT R , ZHANG J , et a1 . BotMiner:clustering analysis of network traffic for protocol-and structure-independent botnet detection[A]. Proc of the 17th USENIX Security Symp[C]. San Jose,California,USA, 2008. 269-286.
[12]	GU G , ZHANG J , LEE W . BotSniffer:detecting botnet command and control channels in network traffic[A]. Proc of the NDSS[C]. San Diego,USA, 2008.
[13]	王威, 方滨兴, 崔翔 . 基于终端行为特征的 IRC 僵尸网络检测[J]. 计算机学报, 2009,32(10): 1980-1988. WANG W , FANG B X , CUI X . IRC Botnet detection based on host behavior[J]. Chinese Journal of Computers, 2009,32(10): 1980-1988.
[14]	HOLZ T , GORECKI C , RIECK C ,et al. Detection and mitigation of fast-flux service networks[A]. Proc of the NDSS[C]. San Diego,USA, 2008.
[15]	CHING-HSIANG H , HUANG C Y , CHEN K T . Fast-flux bot detection in real time[A]. Proc of the RAID[C]. Menlo Park,California,USA, 2011. 464-483.
[16]	王海龙, 龚正虎, 侯捷 . 僵尸网络监测技术研究进展[J]. 计算机研究与发展, 2010,47(12): 2037-2048. WANG H L , GONG Z H , HOU J . Overview of Botnet detection[J]. Journal of Computer Research and Development, 2010,47(12): 2037-2048.
[17]	FREILING F , HOLZ T , WICHERSKI G . Botnet tracking:exploring a root-cause methodology to prevent denial of service attacks[A]. Proc of the ESORICS[C]. Milan,Italy, 2005. 319-335.
[18]	RAJAB M , ZARFOSS J , MONROSE F ,et al. A multifaceted approach to understanding the Botnet phenomenon[A]. Proc of the 6th ACM SIGCOMM Conf on Internet Measurement[C]. Pisa,Italy, 2006. 41-52.
[19]	JUAN C , PONGSIN P , CHRISTIAN K ,et al. Dispatcher:enabling active botnet infiltration using automatic protocol reverse-engineering[A]. Proc of the CCS 2009[C]. Chicago,IL,USA, 2009. 621-634.
[20]	KANICH C , KREIBICH C , LEVCHENKO K ,et al. Spamalytics:an empirical analysis of spam marketing conversion[A]. Proc of the CCS 2008[C]. Alexandria,VA,USA , 2008. 3-14.
[21]	应凌云, 杨轶, 冯登国等. 恶意软件网络协议的语法和行为语义分析方法[J]. 软件学报, 2011,22(7): 1676-1689. YING L Y , YANG Y , FENG D G ,et al. Syntax and behavior semantics analysis of network protocol of malware[J]. Journal of Software, 2011,22(7): 1667-1689.
[22]	刘豫, 王明华, 苏璞睿等. 基于动态污点分析的恶意代码通信协议逆向分析方法[J]. 电子学报, 2012,40(4): 661-668. LIU Y , WANG M H , SU P R ,et al. Communication protocol reverse engineering of malware using dynamic taint analysis[J]. Acta Electronica Sinica, 2012,40(4): 661-668.
[23]	CHO C , BABIC D , SHIN E ,et al. Inference and analysis of formal models of botnet command and control protocols[A]. Proc of the CCS 2010[C]. Chicago,IL,USA, 2010. 426-439.
[24]	KANG B , ERIC C , LEE C ,et al. Towards complete node enumeration in a peer-to-peer Botnet[A]. Proc of the CCS 2009[C]. Chicago,IL,USA, 2009. 23-34.
[25]	STONE-GROSS B , COVA M , CAVALLARO L ,et al. Your Botnet is my botnet:analysis of a Botnet takeover[A]. Proc of the CCS 2009[C]. Chicago,IL,USA, 2009. 635-647.
[26]	DAGON D , ZOU C , LEE W . Modeling botnet propagation using time zones[A]. Proc of the NDSS[C]. San Diego,USA, 2006. 235-249.
[27]	VOGT R , AYCOCK J , JACOBSON M . Army of botnets[A]. Proc of the NDSS[C]. San Diego,USA, 2007. 111-123.
[28]	WANG P , WU L , CUNNINGHAM R ,et al. Honeypot detection in advanced Botnet attacks[J]. International Journal of Information and Computer Security, 2010,4(1): 30-51.
[29]	WANG W , FANG B , CUI X ,et al. A user ID-centralized recoverable Botnet:structure research and defense[J]. International Journal of Innovative Computing,Information and Control, 2010,6(4): 4307-4317.
[30]	ZENG Y , SHIN K , HU X . Design of SMS commanded-and-controlled and P2P-structured mobile botnets[A]. Proc of the 5th ACM Conf on Security and Privacy in Wireless and Mobile Networks[C]. Tucson,Arizona,USA, 2012. 137-148.
[31]	SINGH K , SENGAL S , JAIN N ,et al. Evaluating Bluetooth as a medium for Botnet command and control[A]. Proc of the Int Conf on Detection of Intrusions and Malware,and Vulnerability Assessment[C]. Bonn,Germany, 2010. 61-80.
[32]	CUI X , FANG B , YIN L ,et al. Andbot:towards advanced mobile Botnets[A]. Proc of the 4th USENIX Workshop on Large-scale Exploits and Emergent Threats[C]. Berkeley,California,USA, 2011.11.
[33]	ZHAO S , LEE P , LUI J ,et al. Cloud-based push-styled mobile botnets:a case study of exploiting the cloud to device messaging service[A]. Proc of the Annual Computer Security Applications Conf (ACSAC 2012)[C]. Florida,USA, 2012. 119-128.
[34]	AMINI P , PIERCE C , , Kraken Botnet infiltration[EB/OL]. , 2005.
[35]	CHIA Y , JUAN C , , Botnet infiltration:finding bugs in botnet command and control[EB/OL]. , 2009.
[36]	DAVIS C , FERNANDEZ J , NEVILLE S ,et al. Sybil attacks as a mitigation strategy against the storm Botnet[A]. Proc of the 3rd Int Conf on Malicious and Unwanted Software[C]. Alexandria,Virginia,USA, 2008. 32-40.
[37]	BARFORD P , YEGNESWARAN V . An inside look at Botnets[J]. Malware Detection, 2007,27: 171-191.
[38]	SHACHAM H . The geometry of innocent flesh on the bone:return-into-libc with-out function calls (on the x86)[A]. Proc of the 14th ACM Conf on Computer and Communications Security[C]. Alexandria,VA,USA, 2007. 552-561.
[39]	FALCARIN P , CARLO S , CABUTTO A ,et al. Exploiting code mobility for dynamic binary obfuscation[A]. Proc of the World Congress on Internet Security[C]. London,UK, 2011. 114-120.
[40]	CUI W , KANNAN J , WANG H J . Discoverer:automatic protocol reverse engineering from network traces[A]. Proc of 16th USENIX Security Symposium on USENIX Security Symposium[C]. Boston,MA,USA, 2007. 1-14.
[41]	VIGNA G . Static disassembly and code analysis[J]. Malware Detection, 2007,27: 19-41.
[42]	CABALLERO J , POOSANKAM P , KREIBICH C ,et al. Bidirectional Protocol Reverse Engineering:Message Format Extraction and Field Semantics Inference[R]. 2009.
[43]	LIM J , REPS T . BCE:Extracting Botnet Commands from Bot Executables[R]. 2010.
[44]	王志, 贾春福, 鲁凯 . 基于环境敏感分析的恶意代码脱壳方法[J]. 计算机学报, 2012,35(4): 693-702. WANG Z , JIA C F , LU K . Malicious hidden-code extracting based on environment-sensitive analysis[J]. Chinese Journal of Computers, 2012,35(4): 693-702.
[45]	Qemu[EB/OL]. , 2013.
[46]	SONG D , BRUMLEY D , YIN H ,et al. BitBlaze:a new approach to computer security via binary analysis[A]. Intl Conf on Information Systems Security(ICISS 2008)[C]. Hyderabad,India, 2008. 1-25.
[47]	Pin:a dynamic binary instrumentation tool[EB/OL]. , 2013.

Metrics

Recommended 0

No Suggested Reading articles found!

覆盖率	覆盖次数	分类
P _BB=100%	具有相似性不具有相似性	12
0＜P_BB＜100%	不具有唯一性具有唯一性	34
P _BB=0	(0,0,…,0)	5

Using coverage analysis to extract Botnet command-and-control protocol

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 47

Related Articles 15

Metrics

Recommended 0

[1]	Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG. Botnet detection based on generative adversarial network [J]. Journal on Communications, 2021, 42(7): 95-106.
[2]	Di WU,Binxing FANG,Xiang CUI,Qixu LIU. BotCatcher:botnet detection system based on deep learning [J]. Journal on Communications, 2018, 39(8): 18-28.
[3]	Tao YIN,Shi-cong LI,Yu-peng TUO,Yong-zheng ZHANG. Modeling and countermeasures of a social network-based botnet with strong destroy-resistance [J]. Journal on Communications, 2017, 38(1): 97-105.
[4]	Ke LI,Bin-xing FANG,Xiang CUI,Qi-xu LIU,Zhi-tao YAN. Research on Webshell-based botnet [J]. Journal on Communications, 2016, 37(6): 11-19.
[5]	. Progress in research on active network flow watermark [J]. Journal on Communications, 2014, 35(7): 22-192.
[6]	Xiao-jun GUO,Guang CHENG,Chen-gang ZHU,Dinh-Tu TRUONG,Ai-ping ZHOU. Progress in research on active network flow watermark [J]. Journal on Communications, 2014, 35(7): 178-192.
[7]	. Research on cloud-based traffic adaptive command and control method for mobile botnet [J]. Journal on Communications, 2014, 35(11): 4-30.
[8]	Wei CHEN,Shi-wen ZHOU,Cheng-yu YIN. Research on cloud-based traffic adaptive command and control method for mobile botnet [J]. Journal on Communications, 2014, 35(11): 32-38.
[9]	. Active-probing based distributed malware master detection system [J]. Journal on Communications, 2013, 34(Z1): 26-206.
[10]	Cheng-xiang SI,Bo SUN,Wen-han YANG,Hui-lin ZHANG,Xiao-nan XUE. Active-probing based distributed malware master detection system [J]. Journal on Communications, 2013, 34(Z1): 197-206.
[11]	. Method of detecting IRC Botnet based on the multi-features of traffic flow [J]. Journal on Communications, 2013, 34(10): 6-55.
[12]	Jian-en YAN,Chun-yang YUAN,Hai-yan XU,Zhao-xin ZHANG. Method of detecting IRC Botnet based on the multi-features of traffic flow [J]. Journal on Communications, 2013, 34(10): 49-55.
[13]	Yuan-zhang SONG,Jun-ting HE,Bo ZHANG,Jun-jie WANG,An-bang WANG. Detecting P2P botnet based on the role of flows [J]. Journal on Communications, 2012, 33(Z1): 262-269.
[14]	Tian-ning ZANG,Xiao-chun YUN,Yong-zheng ZHANG,Chao-guang MEN,Xiang CUI. Botnets' similarity analysis based on communication features and D-S evidence theory [J]. Journal on Communications, 2011, 32(4): 66-76.
[15]	Run-heng LI,Liang GAN,Yan JIA. IRC botnets’size measure based on duplicated removal of dynamic IP and NAT identifing [J]. Journal on Communications, 2010, 31(9A): 183-189.