Title: Module 11: ?????????????
1Module 11 ?????????????
2????
- ??????????????Botnet????????,?????????????????????
??????????????????????,?????????????? - 2. ?????????????
- (1)??????()
- (2)???????????()
- (3)???? - Botnet()
- (4)???? - Rootkits()
- (5)Rootkit????????()
- (6)?????????()
- ??????
3Module 11?????????????
- Module 11-1??????()
- Module 11-2???????????()
- Module 11-3???? - Botnet()
- Module 11-4???? - Rootkits()
- Module 11-5Rootkit????????()
- Module 11-6?????????()
??(basic)??????? ??(moderate)???????????,???
??????? ??(advanced)??????????
4 5??
- ??????????????????????????(script),???????????????
?????????,??????????????????? - ????????????????????,??????????,????????Port??????
,??????????????????? - ????????????
6??
- ????????????,????????????????????
7??????
- ????????????????????????????????
- ????????????,????????
- ??(Virus)
- ??(Worm)
- ?????(Trojan horse)
- Rootkits
- ???????????,????????????????,?????????????????????
???????
8?????? - ??(Virus)
- ?????????,????????????,????
- ?????????,???????????
- ?????????????????
- ????????????????,????????,???CMOS?Flash BIOS?????
9?????? - ??(Worm)
- ??????,????????????
- ????????????,??????,?????????
- ??????????
- ??????,?????
- ??????????????????
- ???????????????????
10?????? - ?????(Trojan horse)
- ?????????????????,???????????????????,??????????
- ??????????,?????????????????????
- ?????????
- Universal????????
- Transitive????????,???????
11??????
???? ??
XF Excel????
W32 32???,????32?Windows??
WINT 32?Windows??,???Windows NT
Troj ?????
VBS VBScript?????????
VSM ?? Visio VBA???script????script??
JS JScript?????????
- ????????1991?,?CARO(Computer Antivirus Researchers Organization)???????????,???????????
- <malware_type>://<platform>/<family_name>.<group_name>.<infective_length>.<variant>.<modifiers>
- Example: virus://w32/Beast.41472.A
- ????The Art of Computer Virus Research and Defense
12??????????
2008 FBI/CSI Survey ???? http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
13?????????? (?)
2007???????
14??????????
- ???????????,??????
- ?????????
- ???????????????
- ????????,????????????
- ????????,??????????????
- ???????????????,????????????
15?????????
- ?????????????,??????????????(?????????????),??????
??? - ???????????????
- ????
- ???????
- ????
- ?????????????????
- ?????
- ???????
16 17????????
- ????????????,??????????,????????
- ????
- ??????
- IM (Internet Message)??
- Email
- P2P????
- ?????
18???????????
- ??????
- ????????????????????
- ??RegisterServiceProcess??????????
- DLL injection
- ?????
- ?????????????????????
- ???????????????????
- ???????????
- ?????
19??????
- DLL Injection??????????,?????????????
- ????????????DLL??????
- ??SetWindowsHookEx??,????DLL??????????,???????????
?DLL?? - API Hooking
- API?Windows??????,????????DLL Injection???????????
???API
20?????(Packer)
- ?????????????????,????????????,???????????????????
???? - ?????????????????????????,???????????,????????????
??????? - ?????????????????
21???????????
- ????????????????
- ???????????
- ?????????
- ????????????????????????,?????????????????????????
??? - ???????(Anti-VM or Anti-Emulator)
22????????(Polymorphism)
- ??????????????????,??????????????,?????????
- ?
    ?????
    MOV AX, 0E88        ; set key 1
    MOV DI, AX
    MOV BX, [BP+0D2B]   ; pick next word
    ?????
    MOV AX, 0E88        ; set key 1
    INC SI              ; inserted junk instruction
    MOV DI, AX
    CLC                 ; inserted junk instruction
    NOP                 ; inserted junk instruction
    MOV BX, [BP+0D2B]   ; pick next word
23?????????
- ???????????????
- ??????
- ????
- ????
- ??????
- ?????(checksum)
- ???????
24?????? - ????
- ????????????????,????????????,????????????
- ?????
- ????????????
- ???????IDA pro?Ollydebug
- ????
- ???????????,???????,????????????
- ??????PEID
- ????????????????????
25?????? - ????
- ????????,????,??????????????????????,?????????????
?? - ????????,????????????,??????????????????
- ?????????????????????
- ??????????,?????????
- CWSandbox?????????
- (http//www.cwsandbox.org/)
26??????
- ????????????
- ????
- ??????????
- ?????
- ????
- ??????????
Module 11-3???? - Botnet()
28??????
- Botrobot???,?????????????,??????????????,????????
??? - Zombie(????)???Bot???,?????????
- Botnet????Bot????????,????????????
29Botnet????
- ???????Botnet?????????????Botnet,?????
- ?????????,Botnet????????????,????????????????????
30Botnet??
- ?IRC Botnet??
- ???IRC Botnet????IRC Server???????,?????IRC
Server????????????? - ???????IRC Server???,?????????
- ?????????????????,????????????,?????????????,????
???????? - ???????????????????DoS??
- ?????????,??????
31Botnet??????????
??/?? ??? ??? ??? ????
Bot ???? ???? ? ?????????
Trojan horse ? ?? ? ?????????
Worm ???? ?/? ?/? ???????
Spyware ? ? ???? ????
Virus ???? ? ? ????
???? http://zh.wikipedia.org/w/index.php?title=%E6%AE%AD%E5%B1%8D%E7%B6%B2%E7%B5%A1&variant=zh-tw
32Botnet?????
- ??????,????????????
- ????????????????????,??????????????????,?????????(
2011-04-20)
???? http://www.symantec.com/business/threatreport/index.jsp
33Botnet?????
- Botnet???????????????????
- ??
- ??
- ??
34Botnet????
Bot????
35Botnet????
- ???????????????????Bot???,??????????????Botnet???
- ?IRC Botnet??,?????????????(Bot),???????????????(C
C/IRC Server)?????,?????????????
36Botnet????
Bot????
37Botnet???
- Botnet???
- Gartner?2008???75??????Bot
- ????????????????????Bot
- FBIBotnet?????????
- ?10?????1.1???????????
- ???????,????????,??????????????????????????????,??
Bot????????????
????(botnet)??????? ???? http://tw.trendmicro.com/tw/support/tech-support/board/tech/article/20081007100643.html
38Botnet??? (?)
- ??Botnet??????,??????????
- ??????
- ???????,?????????????????????,????????????????????
??(DDoS) - ??????
- Botnet??????????????,????????????????????IP??,????
???????
39Botnet??? (?)
- ????
- ????????????????????????????
- Bot???????(Sniffer)???????,???????????
- ????
- ????????,????????????,??????????????????????
- ?????????????,?????????????
Mentor's Research Interest: Botnet?? ???? http://mentorwang.blogspot.com/2008/07/botnet.html
Module 11-4???? - Rootkits()
41Rootkits??
- Rootkits?Root?kits?????
- Root ? Unix????????,??Unix????????
- kits ?????????????
- Rootkits
- ???????????????????
- ???????,??????????
42Rootkits??
- Rootkits?????????????????????????
- Rootkits ??
- User mode (ring 3)
- Kernel mode (ring 0)
- ???? (ring -1)
- SMM mode (ring -2)
43User Mode Rootkits
- ??
- IAT Hook
- Inline function patch
- ?? - easy for everything
- ???????
- ????
44Kernel Mode Rootkits
- ??
- SSDT hook
- IDT hook
- Layered driver
- Inline function patch
- ?? - hard for everything
- ???????,???????????
- ???????Rootkits???
45????Rootkits
- Virtual Machine Based Rootkits
- Samuel T. King Peter M. Chen?2006???
- ??????????
[Figure: privilege rings 0-3, ring -1, ring -2, and the host hardware beneath them]
46SMM mode????()
- ????CPU SMM mode??Rootkits
- ?Rutkowska Joanna??????2009???
- ?????????????,??????????????
- ?????????Rootkits????
47SMM mode Rootkits()
- SMM mode - System Management Mode
- ???CPU??????
- ??????
- ?????????????
- ?????????
- SMM mode???????????
- ??????????
- SMM mode???????????????
- ?Rootkits??????????????????????,???????
[Figure: RAM layout with the SMRAM region among common memory]
48???? - Sony??????????Rootkits??
- ??
- ??????????,??Sony????Rootkit??,?MicroVault
USB?????????Windows???????,??????????????F-Secure?
???????,??????Sony?MicroVault USB?,????????????,??
??????,?????????????,?????????????????,?????????,?
??????????????,??????????,???????????
???? http://www.ithome.com.tw/itadm/article.php?c=45063
49??
- ?????????????,?????????????????,????????????????
- ?????????????????????,?????????????????????????
- ??????????,???????????????
Module 11-5Rootkit????????()
51Rootkit???????(?Root Shell??)
52??????
Victim (HTTP Server): OS Windows XP SP2, IP 10.1.1.3
Attacker: OS Windows XP SP2, IP 10.1.1.2
???? on Testbed@TWISC - ?????????
54??
- ??Victim??????????,??????
- NetCat (nc.exe)??telnet????Shell??????????????
- Root Shell???????,?NetCat????????? Root Shell??????
- Hacker Defender???????Rootkit??,?????????????????(Hacker Defender 1.0.0)
- ?Victim??????,??????
- Avira AntiVir
- ??????Avira????????????
55??????? - NetCat
- ??
- NetCat 1.11 (nc.exe)
- ??????
- Microsoft Windows
- ????
- http://www.megaupload.com/?d=PQCHRLCX
- ??????
- Attacker??
56??????? - NetCat (?)
57??????? - Rootshell
- ??
- Rootshell.v.2.0.php
- ??????
- Microsoft Windows
- ????
- http://www.megaupload.com/?d=TANMWUVH
- ??????
- Victim??
58??????? - Rootshell (?)
59??????? - Hacker Defender
- ??
- Hacker Defender 1.0.0
- ??????
- Microsoft Windows
- ????
- http://www.megaupload.com/?d=UV8WRCHJ
- ??????
- Attacker??
60??????? - Hacker Defender (?)
- Hacker Defender (defender v1.0.0???????)
    ??????          ????       ??
    hxdef100.exe    70 144 b   Hacker defender v1.0.0???
    hxdef100.ini     3 872 b   ini????
    hxdef100.2.ini   3 695 b   ini????,?2?
    bdcli100.exe    26 624 b   ?????
    rdrbs100.exe    49 152 b   redirectors base
    readmecz.txt    34 654 b   ????????
    readmeen.txt    35 956 b   ??????
    readmefr.txt    38 029 b   ??????
    src.zip         91 936 b   ???
    readmezh.txt    38 029 b   ??????
61??????? - Hacker Defender (?)
- Hacker Defender(????????)
    ????              ??
    Hidden Table      ???????
    Root Processes    ????
    Hidden Services   ????
    Hidden RegKeys    ??RegKeys??
    Hidden RegValues  ??RegValues
    Startup Run       ????????
    Free Space        ??????
    Hidden Ports      ??port
    Settings          hxdef???
62??Rootkit?? - Avira AntiVir
- ??
- Avira AntiVir Personal - FREE Antivirus
- ??????
- Microsoft Windows
- ????
- http://www.free-av.com/de/trialpay_download/1/avira_antivir_personal__free_antivirus.html
- ??????
- Victim??
63??Rootkit?? - Avira AntiVir (?)
- ??Avira ???????,??Rootkit???,??????????
64????
- ????
- Victim?????HTTP Server
- Victim?????Rootshell (Rootshell.v.2.0.php)
- Attacker???Victim????
- Attacker?????
- ??Rootshell??,???nc.exe?Victim??
- ???????
- ??????????
- Victim?????
- ??????????
65???? (?)
- ???????????????,?Victim???????????????
- ??????
- ????
- ??Rootshell???NetCat
- ????
- ????
- Victim?????
66????
- ?????????????Victim??,??????,?????
- ????????????????,?????????Victim????
67???? (?)
- ?Victim?????Appserv,???HTTP Server
- Appserv????
- http://prdownloads.sourceforge.net/appserv/appserv-win32-2.5.10.exe?download
68???? (?)
69???? (?)
70???? (?)
- ?????
- ?Rootshell????Appserv?www???
71??Root Shell???NetCat
72??Root Shell???NetCat (?)
- ?Attacker???????,??Victim???IP?Rootshell????,?????
?
73??Root Shell???NetCat (?)
- Attacker????Rootshell?nc.exe???Victim??
74??Root Shell???NetCat (?)
- ?Victim???C:\Appserv\www\??nc.exe??????
75????
- ?Attacker????? Root Shell??nc -l -p 8888 -e cmd.exe,?Victim??????
- ?Execute?,?????????,???????,????????
76???? (?)
- ?Victim?????Process Explorer??,??Victim????Attacker??????
- Process Explorer????
- http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
- ???????nc.exe????,??????????????????
- ??,?????????nc.exe??,????????
77???? (?)
78???? (?)
79???? (?)
- ????????,?Attacker??????????
- ????????????,?????????nc.exe??,????????
80???? (?)
- ????????,?Attacker??????????
- ??rm phpinfo.php???phpinfo.php,??Victim????
81????
- ?Attacker?????Hacker Defender??hxdef100.ini,?Hidden Processes??????
    [\<Hi<>dden" P/r>oc"/e<ss>es\\>]
    n"c.ex"e
    rc<md\.ex<e
82???? (?)
- ??????????,??Victim???IP?Rootshell????
- Attacker???Root Shell???????
83???? (?)
- Attacker???Rootshell???hxdef100.exe
- ?Victim???nc.exe??????
- ???Victim??,Process Explorer?????????nc.exe
84???? (?)
85???? (?)
86Victim?????
- Victim????Avira AntiVir????,??????Rootkit????????,
????????? - ??Avira AntiVir???????
87Victim?????
88Victim?????
89Victim?????
90??
- ?Rootkit????,???????
- ?????Rootkit
- ???????
- ????
- ?Rootkit????,???AntiRootkit????
- ??Avira AntiRootkit??????
- ???files?registry?processes?driver????
- ???????????????,????????????????Rootkit
91? ?
92???
93???
- ??????????Botnet???(???Botnet???),???????????????
??
94???
- ?????,???????Rootkit???????,?????
95???
- ??,????????????????Rootkit
96Module 11-6 ?????????()
97??????
- ??????????????Rootkit????
98??????
- A????????????,????Root Shell??,?????????????NetCat
??????,??????????,???????,??????? - ???????,??????
- ??????Root Shell?NetCat???????
- ??Hacker Defender????
99?????? (?)
- ????B????,????????????Rootkit,????????????,???????
? - ???????,??????
- ??Avira Antivir????
- ??Avira Antivir????
100?????
Victim: OS Windows XP SP2, IP 10.0.1.2, ???? AppServ
Attacker: OS Windows XP SP2, IP 10.0.1.1
AppServ???: http://www.appservnetwork.com
101??????
- ?????????,???????????
- ?? 2011.06.01 23:59 ?????? evannolimit@gmail.com
- ????????????????
102????
- ???????????? http://www.libertytimes.com.tw/2008/new/apr/30/today-life7.htm
- ??????????? http://www.cib.gov.tw/news/news02_2.aspx?no=261
- CNN???????!?????????? http://www.nownews.com/2008/08/07/339-2316527.htm
- ???????????? http://www.media.edu.cn/wang_luo_an_quan_5177/20060630/t20060630_186389.shtml
- ????-???? http://zh.wikipedia.org/w/index.php?title=%E6%AE%AD%E5%B1%8D%E7%B6%B2%E7%B5%A1&variant=zh-tw
- Mentor's Research Interest: Botnet?? http://mentorwang.blogspot.com/2008/07/Botnet.html
103???? (?)
- Spam Statistics from TRACE (Marshal)
- http://www.marshal.com/TRACE/spam_statistics.asp
- ??????Backdoor.Rustock.A??
- http://ccnet.tnua.edu.tw/cert-news/viewtopic.php?p=19&sid=c3133b653ed47a4918045a4b434bc9c0
- the new p0f 2.0.8 (2006-09-06)
- http://lcamtuf.coredump.cx/p0f.shtml
- rpmfind.net
- http://rpmfind.net/linux/RPM/index.html
- Conficker?????W32.Waledac??????
- http://rogerspeaking.com/2009/04/2024
104???? (?)
- Kaspersky, ????????Rootkit, 2006/10/05 18:50
- VirusList ???????, Viruslist.com, 2005
- iDEF2003, Anton Chuvakin, An Overview of Unix Rootkits
- TWCERT/CC
- www.cert.org.tw/document/
- Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel, Addison Wesley, 2006
- Nancy Altholz and Larry Stevenson, Rootkits for Dummies, Dummies, 2007
- Wikipedia Encyclopedia
- http://en.wikipedia.org/wiki/Rootkit
105???? (?)
- Chkrootkit
- www.chkrootkit.org
- Rootkit Hunter
- http://www.rootkit.nl/
- http://www.microsoft.com/taiwan/technet/columns/profwin/19-Rootkits.mspx
- http://www.ithome.com.tw/itadm/article.php?c=45063