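1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876
2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
Ke LI (1988-), male, born in Yiyang, Hunan, is a Ph.D. candidate at Beijing University of Posts and Telecommunications. His main research interest is network security.
Bin-xing FANG (1960-), male, born in Wannian, Jiangxi, is an academician of the Chinese Academy of Engineering and a professor and doctoral supervisor at Beijing University of Posts and Telecommunications. His main research interests are computer architecture, computer networks and information security.
Xiang CUI (1978-), male, born in Nehe, Heilongjiang, Ph.D., is a research professor at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interest is network security.
Qi-xu LIU (1984-), male, born in Xuzhou, Jiangsu, Ph.D., is an associate research professor at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interest is cyberspace security evaluation.
Zhi-tao YAN (1991-), male, born in Linhai, Zhejiang, is a master's student at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interest is network security.
Online publication date: 2016-06
Print publication date: 2016-06-25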
Ke LI, Bin-xing FANG, Xiang CUI, et al. Research on Webshell-based botnet[J]. Journal on communications, 2016, 37(6): 11-19. DOI: 10.11959/j.issn.1000-436x.2016118.
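Botnets that take Web servers as their control targets are on the rise, and traditional command and control channel models cannot accurately predict this class of threat. The traditional Webshell control method is improved, and a channel model with a tree topology is proposed. The model is widely applicable and stealthy, and experiments show that its command delivery is fast and reliable. The limitations of traditional defenses against the model are summarized, the inherent weaknesses of the channel are analyzed, and feasible defenses are proposed.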
With the rapid rise of Web server-based botnets, traditional channel models were unable to predict threats from them. Based on improving the traditional Webshell control method, a command and control channel model based on a tree structure was proposed. The model was widely applicable and stealthy, and the simulation experimental results show it can achieve rapid and reliable command delivery. After summarizing the limitations of current defenses against the proposed model, the model's inherent vulnerabilities are analyzed and feasible defense strategies are put forward.