With the rapid growth of the Internet, viruses, worms, trojan backdoors, spyware and other malware spread quickly. Much of this malware can be controlled remotely, turning the infected machine into a bot, and many bots together form a botnet. A botmaster uses a command-and-control (C&C) server to issue orders to the bots, using them for distributed denial-of-service (DDoS) attacks, spam, theft of data from personal computers, or click fraud and other advertising schemes that generate illegal profit. To detect botnets and malware, researchers have studied a range of techniques: installing a monitoring program on the host to observe its network connections and running processes; observing botnets with virtual machines and honeypots; collecting network-connection data to characterise the anomalous behaviour and signatures of botnets and malware; and collecting botnet traffic with a honeynet and analysing it together with an intrusion detection system (IDS). Detecting botnets and malware effectively is therefore an important problem today.

To detect botnets and malware effectively within an enterprise or campus network, this thesis proposes a detection scheme that combines host-based and network-based techniques. An SNMP trap sent when a monitored computer boots tells the monitoring system when the host came up, and the system immediately starts dynamic polling of that host. Using standard SNMP MIB-II objects together with the Host Resources MIB objects built into personal computers, it collects the host's network connections and the list of currently running processes during a fixed period after boot, and uses a blacklist and a whitelist to identify anomalous processes belonging to botnets or malware. Afterwards, NetFlow traffic records are analysed to obtain more detail on the suspected flows. For botnets and malware that use fast-flux, the destinations in the NetFlow records collected in real time are additionally checked with reverse DNS queries, which improves detection.
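The two halves of the scheme, as an added example that is not code from the thesis: the host side works on rows polled from hrSWRunTable and tcpConnTable right after the boot trap and applies a black/white list; the network side runs afterwards over NetFlow-style records and reverse-resolves the destinations to spot a host that keeps contacting many residential-looking addresses, the footprint of a fast-flux C&C. All rows, the lists, the C&C ports, the PTR patterns and the thresholds are constructed assumptions for the demonstration; a live version would fill the tables from an SNMP poller and a NetFlow collector and replace the PTR dictionary with socket.gethostbyaddr().

```python
"""Host- and network-side checks in the style of the scheme described above.

Added example, not the thesis's code. Every row below is constructed in the
shape of the SNMP tables and NetFlow records named in the abstract; the lists,
ports, thresholds and PTR patterns are assumptions for the demo.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# --- Host-based: tables polled over SNMP shortly after the boot trap ---
# hrSWRunTable (Host Resources MIB) rows: (hrSWRunIndex, hrSWRunName, hrSWRunPath)
HR_SW_RUN_ROWS = [
    (4, "System", ""),
    (612, "svchost.exe", r"C:\Windows\System32"),
    (1420, "explorer.exe", r"C:\Windows"),
    (1800, "svchost.exe", r"C:\Users\user\AppData\Local\Temp"),  # trusted name, untrusted path
    (2040, "updsvc.exe", r"C:\Users\user\AppData\Local\Temp"),   # on neither list
    (2100, "irc_bot.exe", r"C:\Users\user\AppData\Roaming"),     # constructed blacklisted name
]
# tcpConnTable (MIB-II) rows: (local addr, local port, remote addr, remote port, state)
TCP_CONN_ROWS = [
    ("192.0.2.10", 49712, "198.51.100.7", 443, "established"),
    ("192.0.2.10", 49720, "203.0.113.5", 6667, "established"),  # IRC-style C&C channel
    ("0.0.0.0", 445, "0.0.0.0", 0, "listen"),
]
WHITELIST = {"System", "svchost.exe", "explorer.exe", "lsass.exe"}
BLACKLIST = {"irc_bot.exe"}
TRUSTED_DIRS = (r"c:\windows",)   # whitelisted names are trusted only when they run from here
CC_PORTS = {6667, 6668, 6669}     # plain-text IRC, a classic bot C&C channel

def classify_process(name: str, path: str) -> str:
    """'black', 'white' or 'unknown'; a whitelisted name outside a trusted dir is 'unknown'."""
    if name in BLACKLIST:
        return "black"
    if name in WHITELIST and (path == "" or path.lower().startswith(TRUSTED_DIRS)):
        return "white"
    return "unknown"

def review_processes(rows) -> List[Tuple[int, str, str, str]]:
    """Every polled process that is not plainly white, for the operator to look at."""
    return [(i, n, p, classify_process(n, p)) for i, n, p in rows
            if classify_process(n, p) != "white"]

def suspicious_connections(rows) -> List[Tuple[str, str, int]]:
    """Established connections to remote ports that have no business on a workstation."""
    return [(loc, rem, rport) for loc, _lp, rem, rport, state in rows
            if state == "established" and rport in CC_PORTS]

# --- Network-based: NetFlow records analysed afterwards, with reverse DNS on destinations ---
# Constructed NetFlow-style records: (src, dst, dst port, flow start in seconds)
FLOWS = [("192.0.2.10", f"203.0.113.{11 + k}", 80, 60 * k) for k in range(7)]      # new dst each minute
FLOWS += [("192.0.2.11", f"198.51.100.{20 + k}", 443, 60 * k) for k in range(6)]   # CDN edges
FLOWS += [("192.0.2.10", "198.51.100.7", 80, 30)]
# Constructed PTR answers; 203.0.113.17 deliberately has none (no PTR counts as residential)
PTR_TABLE = {f"203.0.113.{11 + k}": f"host-{11 + k}.dyn.example-isp.net" for k in range(6)}
PTR_TABLE.update({f"198.51.100.{20 + k}": f"edge{k}.cdn.example.net" for k in range(6)})
PTR_TABLE["198.51.100.7"] = "www.example.net"
DYNAMIC_PTR = re.compile(r"(dyn|dhcp|pool|dsl|cable|ppp)", re.I)

def reverse_lookup(ip: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(ip)   # live code: socket.gethostbyaddr(ip)[0], catching socket.herror

def looks_residential(ip: str, table: Dict[str, str]) -> bool:
    ptr = reverse_lookup(ip, table)
    return ptr is None or DYNAMIC_PTR.search(ptr) is not None

def fast_flux_candidates(flows, table, window_s: int = 600, min_hosts: int = 5):
    """Per (source, port): the largest set of distinct residential-looking destinations
    contacted inside any window_s-second window; reported when it reaches min_hosts."""
    by_src_port = defaultdict(list)
    for src, dst, port, start in flows:
        by_src_port[(src, port)].append((start, dst))
    result = {}
    for key, items in by_src_port.items():
        items.sort()
        best, j = set(), 0
        for i in range(len(items)):           # sliding window over flow start times
            while j < len(items) and items[j][0] - items[i][0] <= window_s:
                j += 1
            dsts = {d for _, d in items[i:j] if looks_residential(d, table)}
            if len(dsts) > len(best):
                best = dsts
        if len(best) >= min_hosts:
            result[key] = sorted(best)
    return result

if __name__ == "__main__":
    for row in review_processes(HR_SW_RUN_ROWS):
        print("process", row)
    for conn in suspicious_connections(TCP_CONN_ROWS):
        print("connection", conn)
    for (src, port), dsts in fast_flux_candidates(FLOWS, PTR_TABLE).items():
        print(f"fast-flux candidate {src} port {port}: {len(dsts)} residential destinations")
```

The path check on whitelisted names is the caveat worth keeping: a name-only whitelist is defeated by malware that calls itself svchost.exe, which is why the second svchost.exe row is reported. On the network side, the window matters as much as the threshold: the same seven destinations spread over an hour would not be flagged with a 120-second window, so the window should be tuned to the polling interval the collector actually uses.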