
Design and Implementation of an Asynchronous Trojan System Based on the IRC Protocol

【Author】 余少云

【Advisor】 张琨

【Author information】 Nanjing University of Science and Technology (南京理工大学), Computer Application Technology, 2008, Master's

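【Summary】 With the rapid development of computer network technology, Trojan attacks frequently compromise information security, yet Trojan attacks are themselves also a powerful counter-attack weapon. Asynchronous Trojan systems are widely used and valued because of their asynchronous communication and their capacity for distributed attack. In common asynchronous Trojan systems, however, the Trojan itself cannot propagate, so planting it is inefficient, and the distinctive data traffic it produces when communicating is easily detected and blocked by firewalls. To solve these problems, this thesis designs an asynchronous Trojan system based on the IRC protocol. The system combines the advantages of Bot, IRC and worm technology and consists of two parts: main function modules and auxiliary function modules. The main function modules comprise a communication module, a command-and-control module and a propagation module. The communication module implements a subset of the IRC protocol, so that Trojan commands can travel over a hidden IRC channel in the guise of ordinary chat messages; the command-and-control module implements the IRCPEP protocol, which defines the Trojan commands, so that the IRC Server and the Zombies interact in argot; the propagation module uses a web-page worm to carry the location of the Trojan source, so that a host infected by the worm automatically connects to the Trojan source, downloads and runs the Trojan, and becomes a Zombie. When an attack is carried out, the Attacker first sends the attack command to the Bot Server through one hidden-mode IRC chat channel, and the Bot Server then issues the attack instruction to a group of Zombies through another hidden-mode IRC chat channel. The auxiliary function modules are used mainly to test the Botnet's attack capability, and include a spam-sending function for testing that capability, an automatic update function for upgrading the Trojan program, and others. The main work and innovations of this thesis are: (1) the system uses a dual hidden IRC channel mode in which the Bot Server attacks on behalf of the Attacker, so that the attacker sits outside the Botnet, with a better-concealed identity and more flexible management; (2) a new IRC parsing and execution protocol (IRCPEP) is defined, which standardizes and encrypts attack commands so that Trojan commands are communicated as ordinary chat messages under the disguise of IRC, strengthening the system's resistance to detection and removal, and the system implements only a subset of the IRC protocol, which reduces the size of the Trojan and makes it easier to transmit; (3) worm technology is used to spread the Trojan, so that planting changes from passive to active and becomes more efficient, and an automatic update function for the Trojan program is implemented, improving the Trojan's adaptability.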

【Abstract】 With the rapid development of network technology, information security has often been compromised by Bot attacks, whereas Bot attacks are also a powerful counter-attack weapon. Asynchronous Botnet systems are therefore widely used and strongly emphasized because of their asynchronous communication and distributed attack ability. However, planting a current Botnet system is very inefficient because the Bot cannot transmit itself. In addition, firewalls can easily detect and block the special data streams of ordinary Bot communication. To solve these problems, an IRC-based Botnet system is developed in this paper. The system is composed of a main function module and an auxiliary function module, and combines the advantages of Bot, IRC and Worm technology. The main function module consists of a communication module, a command control module and a dissemination module. The communication module implements a subset of the IRC protocol, which can transmit disguised Bot commands through a hidden IRC channel like normal chat messages. The command control module implements the IRCPEP protocol, which defines a set of Bot commands so that the IRC Server can communicate with Zombies in argot. The dissemination module inserts the Bot location into web pages, which leads the worm-infected host to connect to the Bot source, download and auto-run the Bot program, and become a Zombie. In an attack, the Attacker first sends the attack command through a hidden-mode IRC chat channel to the Bot Server, and the Bot Server then disseminates the attack command to a group of Zombies through another hidden-mode IRC chat channel. The auxiliary module is mainly used to test Botnet attack ability, and includes sending spam, updating the Bot program, etc. The main work and innovations of this paper are as follows: (1) using the double hidden-mode IRC channel, the Bot Server acts as the agent of the Attacker, which isolates the attacker from the Botnet so as to hide the attacker's identity and improve the flexibility of management; (2) a new IRCPEP protocol is defined to standardize and encrypt attack commands, which disguises Bot commands as normal chat messages so as to enhance the system's anti-kill ability; moreover, implementing only a subset of the IRC protocol reduces the size of the Bot and accelerates the dissemination of the Botnet; (3) using the worm technique to disseminate the Bot makes planting more active and efficient. In addition, the auto-updating function enhances the Bot's self-adaptability.

【Keywords】 Bot; IRC protocol; IRCPE protocol; asynchronous Trojan system; information countermeasures
【Key words】 Bot; IRC protocol; IRCPE protocol; Botnet; information confront
  • 【Classification number】TP309.5
  • 【Times cited】4
  • 【Downloads】284