2. Botnet Tracking Cases and Key Defenses
Botnet Tracking Cases and Key Defenses
National Information and Communication Security Taskforce, Technical Service Center
張凱棊
103/5/29
Outline
● Introduction to botnets
● Botnet analysis architecture
● Botnet analysis tools
● Case studies
– IRC Botnet 2010
– HTTP / HTTPS Botnet 2013
● Key defenses
● Conclusion
Introduction to Botnets
Botnet Research Architecture
Over 14,000 public IPs distributed across GSN, ISPs and TANet
Used to collect and detect malware and attack activity over a broad range
Autonomous collection, analysis and tracking modules
Botnet Analysis Tool: Botnet Analysis Module
Botnet Analysis Tool: C&C Tracer
Botnet Analysis Tool: Botnet Tracer
● This is the control interface of the Botnet Tracer commander
● The commander offers several functions: the operator can remotely choose which VMs to power on or off, decide which VMs' packets to capture, and select which bot samples to execute
The Bots in Taiwan
Case Studies
● Case Study – IRC Botnet 2010
– How does an IRC botnet operate in the real world?
– What can be observed on an IRC botnet?
– This case may not be the newest, but it happened in our everyday lives
● Case Study – HTTP Botnet 2013
– Presents the analysis results for the HTTP botnet's C&C servers
– What can be observed on an HTTP botnet?
– What was seen after successfully decrypting the packets
Case Study – IRC Botnet 2010
● Botnet type and description
– Type: IRC Botnet
– Description: this botnet performs port scans, VNC vulnerability scans (CVE-2006-2450) and RFI (Remote File Inclusion) scans. It can also carry out brute-force attacks.
● Scale of victims
– 21 channels were found on the IRC botnet C&C server, from which 6,472 bots and another 47 victim hosts with the VNC weakness were identified. The bots also stole 83 accounts and passwords (eBay, Yahoo, Google, Facebook, etc.)
Case Study – IRC Botnet 2010
● Nmap (Port Scan) and FeeLScaNz (RFI Scan)
Case Study – IRC Botnet 2010
● VNC Scan and Brute Force
Case Study – IRC Botnet 2010
● Bot stole 83 passwords (eBay, Yahoo, Google, Facebook, etc.)
Case Study – HTTP Botnet 2013
● Botnet type and description
– Type: HTTP/HTTPS Botnet
– Description: this botnet uses two communication protocols, HTTP and HTTPS. It is mainly used to steal personal information. After decrypting part of the encrypted packets, we found that the bots were monitoring the screens of 3,621 users.
● Scale of victims
– Analysis uncovered 28,929 C&C DNs and 1,932,470 bots. According to the decrypted packets, the bots stole data such as bank accounts, user screens, credit cards and shopping records. By scale of victims, this botnet was [the 4th largest worldwide in 2013].
Case Study – HTTP Botnet 2013: Malware Update
Case Study – HTTP Botnet 2013: MIME Format Botnet Information Report
Case Study – HTTP Botnet 2013
We found 1,932,470 bot IPs
Key Defenses
● How to ensure a computer does not become a zombie?
– Install antivirus software and update its signatures regularly
Bot programs spread widely across the network. Once antivirus vendors capture them, they produce signatures, so regular signature updates provide protection.
– Build good habits: update the operating system regularly
Most bot programs have self-propagation capabilities, so regularly updating the operating system greatly reduces the chance of infection.
– Build good habits: change passwords regularly
Some bot programs carry a simple dictionary file and use it to attack other hosts, so changing passwords regularly greatly reduces the chance of infection.
Conclusion
● The botnet threat keeps intensifying. To effectively stop the damage from spreading, the Technical Service Center will continue to work in the following directions:
– Continue tracking botnets and improving the tracking tools
– Collect all kinds of security intelligence to understand the overall botnet threat in Taiwan
● By establishing various reporting mechanisms, shorten the time attackers control victim computers and notify victims promptly, thereby improving Taiwan's network security defense capability
Thank you for your kind attention
Q & A