USA (and IE) Number 1 for Botnet Mayhem

Researchers say IT shops aren't doing enough to protect their machines from botnet herders

Research from security vendor Finjan Inc. suggests enterprise IT shops are losing the war against those who would hijack company computers for botnets. Almost half the victims appear to be in the U.S. -- most using Microsoft's Internet Explorer (IE) browser.


During an investigation of command-and-control servers run by botnet herders in Ukraine and elsewhere, Finjan's Malicious Code Research Center (MCRC) discovered a network of 1.9 million Trojan horse programs running on corporate, government and consumer computers around the world. One of the servers, launched in February of this year but since shut down, was controlled by an online gang of six people who had succeeded in building a vast Trojan distribution network.

"Hackers keep looking for improved ways to distribute malware and Trojans are winning the race. The sophistication of the crimeware and the staggering amount of infected computers proves these people are raising the bar," Finjan CTO Yuval Ben-Itzhak said. "Corporate and governmental data remain prime targets, especially computers in the U.S. and the U.K. which are under attack, and need to protect themselves."

Based on posts found on various hacking forums, researchers believe 1,000 hijacked computers are being rented out for $100-$200 a day. The bad guys can make $190,000 a day for renting a botnet of 1.9 million infected computers.

The Trojan horse programs are silently dropped onto computers when the user visits compromised websites that hide the malware. The giant command-and-control server the researchers uncovered holds the IP addresses of infected machines as well as the names of the computers inside corporate and government networks that are running the Trojan horse.

Computers in 77 government-owned (.gov) domains in the U.S., U.K., Brazil, Turkey and India were compromised and running the Trojan. The malware is controlled remotely by the hackers, who use it to issue almost any command they see fit on the end user's computer, including reading e-mail, copying files, recording keystrokes, sending spam and taking screenshots.

Here's the global spread of infected computers in percentages, based on Finjan's findings:

* U.S.: 45 percent

* U.K.: 6 percent

* Canada: 4 percent

* Germany: 4 percent

* France: 3 percent

* Other: 38 percent

The Trojan horse preys on computers running Windows XP and using the following browsers:

* Internet Explorer: 78 percent

* Firefox: 15 percent

* Opera: 3 percent

* Safari: 1 percent

Finjan's findings are consistent with what other researchers have seen.

Alex Lanstein, senior security researcher at FireEye Inc., a security vendor based in the San Francisco Bay area, said some of the larger botnets out there get no press, because their overlords don't want to make news and let people know their machines are infected. Cimbot, for example, is a piece of malware that has been used to create a botnet that now accounts for about 15 percent of the world's spam, he said.

Among the problems security researchers have encountered when trying to track and shut down botnets is that the newer worms used to build botnets are using strong cryptography to protect the command-and-control centers, said Paul Kocher, president and chief scientist at Cryptography Research.

"It used to be you could track how a botnet was getting its commands and send out fake commands to take it out," he said. "It's getting a lot harder to do that."

The newer botnets are also building their own P2P networks to communicate and have gotten good at snuffing out a machine's security controls.

"We're also seeing more sophisticated efforts by botnet worms to evade detection," Kocher said. "They're more polymorphic, changing from one copy to the next. That makes it harder for antivirus software authors to create a signature to block them."

Gunter Ollmann, vice president of research at Atlanta-based security vendor Damballa, Inc., said enterprise IT shops would do well to ramp up efforts to detect the lesser-known malware being used to such devastating effect these days. In the last two years, he said, IT shops have deployed a broad range of detection and prevention technologies, and each layer of defense has gotten better at fending off certain attacks.

"The more common the threat, the better the protection," he said. "But the bad guys are very much aware of how these defenses work, so they're using more sophisticated, targeted social engineering attacks. Looking at the malware used, a high percentage is IDS and AV proxy aware."

Ollmann and others offer the same advice: Since attackers are so successful at using social engineering tricks -- luring users with fake headlines that play on current events and duping them into clicking on malicious links -- one of the best defenses remains user education.

Show the average user what they are up against every time they go online, experts say, and they will be less likely to be duped into downloading bot-building code.

This story, "USA (and IE) Number 1 for Botnet Mayhem," was originally published by CSO.


Copyright © 2009
