Botnets: How to get rooted in one easy lesson
Author: Michael Kassner
Translation: endurer, 3rd
Category: general, security, botnet, antivirus, NAT
English source: http://blogs.techrepublic.com.com/networking/?p=714&tag=NL.E102
In discussions about botnets, how and why a computer becomes part of a botnet are two questions that get asked quite often. Like most things in life, the answers aren't simple; still, I'd like to give it a try.
--------------------------------------
I noticed a trend in the comment section of my article "Botnets: bigger isn't always better" (http://blog.csdn.net/Purpleendurer/archive/2008/11/04/3220788.aspx): people wanted to know how a computer becomes a bot and why it's so hard to detect when it happens. Thinking about this must have put me in one of my moods (often mistaken for daydreaming), because my son asked me what was wrong. I explained my quandary, and in his infinite wisdom he said, "Well, why don't you (looking at me with that 'Duh' expression) write about it, and then everyone will know." Hmmm, I knew that.
Botnet or rootkit, which came first?
Becoming part of a botnet requires the installation of a remotely accessible command and control application on the computer under attack. The application of choice for this operation is the infamous rootkit, due to its ability to hide and run programs efficiently. For more detail about the inner workings of rootkits, please refer to my article "10+ things you should know about rootkits."
In that article, I didn't spend much time on the propagation process, and I'd like to correct that now. Malware that propagates the rootkit is called a blended threat, because it consists of three parts: the dropper, the loader, and the rootkit. I'd like to focus on the dropper, since it's where much of the confusion lies.
Dropper program
The dropper is a program whose whole purpose is to sneak past security and antivirus applications. I liken droppers to the Transformer toys my son used to play with: droppers try to make themselves and their payload (the loader and rootkit) appear as benign snippets of code. That usually happens by encrypting, compressing, or some type of encoding, making it difficult for malware scanners to detect them. The only way scanning applications could possibly detect the malware is by having a signature for the transformation package or by guessing through the use of heuristics.
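A defender's view of the transformation just described, as an added example (not code from the original post): a constructed text "payload" is XORed with a hash-derived keystream standing in for a dropper's packer; a signature scan that matches the plain payload fails on the transformed blob, while a Shannon-entropy heuristic flags it. The function names, the key and the sample payload are assumptions.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def signature_hit(data: bytes, signature: bytes) -> bool:
    """Signature scan: the known byte pattern must appear verbatim."""
    return signature in data

def looks_transformed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic scan: flag blobs whose entropy is too high to be plain code or text."""
    return shannon_entropy(data) >= threshold

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (a hypothetical stand-in for a dropper's packer)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def transform(payload: bytes, key: bytes) -> bytes:
    """XOR the payload with the keystream; applying it again restores the original."""
    return bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))

def scan(data: bytes, signature: bytes) -> dict:
    """What a scanner sees: signature result, entropy, and the heuristic verdict."""
    return {
        "signature": signature_hit(data, signature),
        "entropy": round(shannon_entropy(data), 2),
        "flagged_by_heuristic": looks_transformed(data),
    }

# Constructed sample: readable text standing in for the loader/rootkit payload (a few KB).
PAYLOAD = b"screensaver.scr wraps the loader and the rootkit image.\n" * 64
SIGNATURE = b"loader and the rootkit"
TRANSFORMED = transform(PAYLOAD, b"constructed-key")
```

The signature still works on the untransformed payload; only the entropy heuristic notices the transformed one, which is why scanners need both.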
Dropper versus Trojan
Some experts consider dropper programs to be reverse-connect Trojans. Trojans typically consist of two parts: client and server. Originally the server (listening portion) was placed on the computer being attacked and the client was on the attacker's computer. The attacker would then try to communicate with the server via the client application. All was good in the attacker's world.
Then NAT started to be widely used, causing the original style of Trojan to stop working: NAT would block the inbound connection from the client to the listening server. Being clever, the attackers decided to reverse the connection process and totally avoid the problem created by NAT, hence reverse-connect Trojans. All is good in the attacker's world again.
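The reversed connection described above is visible from the defender's side as outbound traffic, which is what the following added example (not part of the original post) looks for: it parses constructed gateway connection logs and flags an internal host that calls the same external peer at a near-constant interval, the schedule a reverse-connect implant keeps because NAT prevents the controller from calling in. The log format, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records, as a NAT gateway or firewall would log them.
FLOW_LOG = """\
2008-11-20T10:00:00 src=192.168.1.20 dst=203.0.113.5 dport=443
2008-11-20T10:00:07 src=192.168.1.31 dst=198.51.100.7 dport=80
2008-11-20T10:05:00 src=192.168.1.20 dst=203.0.113.5 dport=443
2008-11-20T10:06:41 src=192.168.1.31 dst=198.51.100.7 dport=80
2008-11-20T10:10:01 src=192.168.1.20 dst=203.0.113.5 dport=443
2008-11-20T10:13:15 src=192.168.1.31 dst=198.51.100.9 dport=443
2008-11-20T10:14:59 src=192.168.1.20 dst=203.0.113.5 dport=443
2008-11-20T10:20:00 src=192.168.1.20 dst=203.0.113.5 dport=443
2008-11-20T10:31:20 src=192.168.1.31 dst=198.51.100.7 dport=80
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_flows(text: str) -> list:
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_beacons(flows: list, min_hits: int = 4, max_jitter: float = 0.05) -> dict:
    """Flag peers an internal host calls out to on a near-constant schedule.

    Normal browsing is bursty; an implant that must reach its controller from
    behind NAT initiates the connection itself, typically at a fixed interval."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)
    beacons = {}
    for peer, stamps in by_peer.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[peer] = {"hits": len(stamps), "interval_s": round(mean)}
    return beacons
```

In the constructed log, 192.168.1.20 reaches 203.0.113.5:443 every five minutes with a second or two of jitter and is flagged, while 192.168.1.31's irregular browsing is not.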
The reason experts consider droppers to be Trojans is their use of trickery. Simply stated, Trojans and droppers are malware that appear to be something they're not (à la the original Trojan Horse). For example, one of the earliest methods used to get malware installed on computers was to offer free screensavers. The trouble is that the screensaver was that in name only. In reality, it's a Trojan that's now installed on the computer, with the user none the wiser.
The dropper's cat-and-mouse game
You can see how it has turned into a proverbial cat-and-mouse game between attackers and computer users. By design, this type of game eventually leads to the discovery of the scam. So instead of discussing specific examples that may already be out of date, I'd rather describe the generic approaches being used by attackers today, with a great deal of success, I might add. Once the attack vectors are understood, it should become easier to spot specific examples of how a computer becomes a bot:
- Drive-by download: This method is the scary one. In many cases the attacker designs a malicious web site to leverage some unpatched vulnerability or operating system bug. All the user has to do is visit the web site, and the dropper is automatically loaded on the computer.
- User interaction: This method pertains to a whole host of possible attack vectors, from simply opening a malicious attachment to clicking on a link that sends the web browser to a malicious web site. A good example of a cutting-edge exploit that requires user interaction is clickjacking, as explained in my recent article "Clickjacking: potentially harmful Web browser exploit" (http://blog.csdn.net/Purpleendurer/archive/2008/11/19/3335731.aspx).
These are the two methods used by most dropper programs presently. Hopefully knowing this will raise a red flag if something you're doing on your computer just doesn't feel right.
Exploit definitions
There are a few more terms that I'd like to look at. By doing so, I hope to dissipate some FUD and allow everyone to make educated judgments when determining how seriously to take malware warnings. On many occasions, security pundits get a bit overzealous, reasoning that it's better to err on that side. The only problem is that most users can't react that fast and ignore the warning. Then, if nothing happens, they feel the expert was crying wolf yet again. So here they are:
Endurer Note: 1. Cry Wolf: false alarm (seek assistance when no assistance is needed)
- Proof-of-concept: A proof of concept (PoC) is a mechanism or application used to prove whether a concept is viable or not. A good example of this is the clickjacking exploit. Clickjacking was known to be an issue for a long time, but it didn't have any clout until researchers released a PoC. What does this mean to users? Well, there's some breathing room. If it's interesting enough and easy to assemble, malware developers will be all over it in short order, though.
Endurer Note: 1. Be all over: All ends (spread around, flatter, overwhelming)
- Zero-day exploit: Often confused with zero-day malware, but they are two entirely different concepts. Zero-day exploits try to leverage an unknown/undisclosed application or operating system vulnerability. Just remember that you have zero days to patch the computer, because there's an exploit in play already.
- Zero-day malware: This refers to active malware strains that are so new that security and antivirus applications are without signatures for them. This is a real problem, especially since attackers like to keep zero-day malware quiet for as long as possible. You may remember my run-in with Rustock.B and my mentioning that experts are almost positive that Rustock.D is out as well, yet no one knows anything about it. So Rustock.D would be considered zero-day malware, and there's precious little users can do about it.
Endurer Note: 1. Run in: Test Run (the flight from the plane to the target, insert part, argue)
2. Do About: Just... Action or measure
- In the wild: This is self-explanatory to some extent and the exact opposite of a PoC. If you hear mention that some malware is in the wild, that means attackers are using it to leverage some sort of malicious activity. The following drawing (courtesy of viruslist.com) shows the growth of just rootkits in the wild:
Final thoughts
I hope that I was able to provide some answers for those who were wondering how a computer gets rooted and why it's so hard to detect the process. Logically, my next step is to provide solutions for detecting rootkits and removing them. I'd like everyone to stay tuned, as it should get interesting.