Views: 9060 | Replies: 52

[Share] [Manual translation] Catch Me If You Can: the downfall of a botnet (Part 1)

欧阳宣
Posted on 2015-10-14 13:37:49
This post was last edited by 欧阳宣 on 2015-10-14 14:02

http://www.mcafee.com/us/resources/reports/rp-catch-me-if-you-can.pdf


Translator's note:
The main reason I wanted to translate this piece is that this McAfee report has just won the Péter Ször Award from Virus Bulletin (https://blogs.mcafee.com/mcafee-labs/mcafee-labs-team-wins-peter-szor-award/); it is also quite well written and not hard to follow, so I got the itch.

From it you can get a rough picture of what form today's malware has evolved into, and what a twisting, up-and-down process fighting it turns out to be.



Introduction

The analogy that fits cybercrime is a game of cat and mouse—played among those fighting cybercrime and those seeking illegal profits. We see multiple examples in which technical innovation on both sides has resulted in one party getting ahead on one occasion and playing catch-up on another. This struggle has played out in multiple guises, as criminals have developed convoluted communications infrastructures to facilitate control capabilities for malware, payments, and laundering services for their ill-gotten gains.
Cybercrime is very much like a game of cat and mouse, played back and forth between those who fight cybercrime and a crowd seeking illegal profit. We have seen many, many examples of technical innovation proceeding on both sides at once, each side winning some and losing some while trying to overtake the other. This deadlock takes many different forms: criminals develop elaborate communications architectures to produce Trojans with control capabilities that release malware, control payments, or plant services for dirty ends.



McAfee Labs discusses many examples in reports, white papers, and blogs that present the cybercrime ecosystem, emerging trends, and our engagement with key partners to disrupt or take down such operations. Earlier malware milestones seem rather rudimentary today, but the inescapable fact is that cybercrime is very big business. Last year, Intel Security commissioned a report by the Center for Strategic and International Studies to estimate the global cost of cybercrime. The report estimated that the annual cost to the global economy was more than US$400 billion.
McAfee Labs has discussed many such examples in reports, white papers and blogs: the cybercrime ecosystem, the evolution of criminal trends, and examples of our cooperation with key partners to disrupt and ultimately defeat such undertakings. The early classic malware now looks rather dated; but it is an unavoidable fact that the volume of cybercrime keeps growing. Intel Security once published a report together with the Center for Strategic and International Studies, which estimated that the related annual losses across the world's economies already exceed 400 billion US dollars.



Although it is easy to debate whether that estimate was too high or too low, the inescapable fact is that cybercrime is a growth industry; cyberattacks can bring in significant revenue. With such high returns, it is no wonder that we are witnessing remarkable innovation from both sides, from peer-to-peer communications methods incorporating tens of thousands of domains for infected hosts communication, to advanced evasion techniques (AETs) being introduced into trusted network egress control points.
It is easy enough to argue over whether that estimate is too high or too low; but cybercrime is already a growing enterprise, because cyberattacks really can bring in huge profits. Under the lure of such high returns, it is not hard to see remarkable technical innovation on both the attacking and the defending sides: from peer-to-peer networks deploying tens of thousands of domains to serve infected hosts, to advanced evasion techniques that slip past control points into trusted domains.



This report illustrates one example of innovation: Cybercriminals created an AutoRun worm that avoids detection by continually changing its form with every infection. Its evolution was so prolific that new variants appeared as often as six times a day.
In early April 2015, a global law enforcement action took down the control servers for this botnet. Up-to-the-minute details of the takedown can be found here.
This report presents one innovative example: cybercriminals created a self-executing worm that mutates with every infection. The pace of its evolution is so fast that new variants are generated six times a day.
In early April 2015, a global law enforcement action destroyed this botnet's control servers. For more details, click here: https://blogs.mcafee.com/mcafee-labs/takedown-stops-polymorphic-botnet/





—Raj Samani, McAfee Labs CTO for Europe, the Middle East, and Africa
—Raj Samani, Chief Technology Officer of McAfee Labs' Europe, Middle East and Africa division


欧阳宣
Original poster | Posted on 2015-10-14 13:39:16
This post was last edited by 欧阳宣 on 2015-10-14 13:45

Meet the Worm



Writing code for criminal gain is done with a specific purpose in mind, usually focusing on stealing information such as banking credentials, data, or intellectual property. Unlike the ends we’ve seen in other malware families, the ultimate goal of the cybercriminal behind this particular worm is to maintain persistence on the victim’s machine.
Code written for criminal purposes usually has a specific aim, typically stealing things like banking login information, data, or intellectual property. Unlike what we have seen before in other malware families, the ultimate purpose of this worm's existence is to keep itself alive on the infected victim's machine.



Known as W32/Worm-AAEH (as well as W32/Autorun.worm.aaeh, VObfus, VBObfus, Beebone, Changeup, and other names), the aim of this family is to support the download of other malware—including banking password stealers, rootkits, fake antivirus, and ransomware. The malware includes wormlike functionality to spread quickly to new machines by propagating across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files.
The worm was written in Visual Basic 6. Using the inherent complex and undocumented nature of Visual Basic 6 and employing polymorphism and obfuscation, W32/Worm-AAEH has successfully maintained its relevance since it was discovered in June 2009.
This family is named W32/Worm-AAEH (including W32/Autorun.worm.aaeh, VObfus, VBObfus, Beebone, Changeup and other names); its main purpose is to provide the groundwork for downloading other kinds of malware onto the computer, including banking password stealers, rootkits, fake AV, and ransomware. The software also has the worm-like trait of spreading rapidly between fresh machines, via networks, removable storage devices, and compressed archives.



Polymorphic malware, which can change its form with every infection, is a very difficult threat to combat. W32/Worm-AAEH is a polymorphic downloader worm with more than five million unique samples known to McAfee Labs. This worm has had a devastating impact on customer systems (more than 100,000 infected since March 2014). Once aboard, it morphs every few hours and rapidly spreads across the network, downloading a multitude of malware including password stealers, ransomware, rootkits, spambots, and additional downloaders. Our tracking of this worm since March 2014 shows that the control server replaces samples with new variants one to six times per day and that the server-side polymorphic engine serves client-specific samples and guarantees a unique sample with each download request. Proactive, automated monitoring has helped McAfee Labs stay ahead of these adversaries in detection and removal, thereby preventing an onslaught of malware in customer environments.
Polymorphic malware changes into a new form with each infection and is a very hard threat to deal with. W32/Worm-AAEH is a polymorphic downloader worm; the number of unique samples McAfee Labs has identified already exceeds five million. This worm has a devastating effect on victims' systems (more than 100,000 machines have been infected since March 2014). Once it reaches a machine, it mutates every few hours, spreads frantically across the network, and at the same time downloads a pile of malware including password stealers, ransomware, rootkits, spambots, and other downloaders. We began tracking this worm in March 2014, and found that the control server replaced the samples on machines with new variants at a rate of six times a day, and that the server side holds a mutation-control algorithm ensuring that the sample on every infected machine is different and that each download request yields a different sample. Proactive, automated monitoring has ensured that McAfee Labs stays one step ahead in this cycle of detection and counter-detection, preventing large-scale spread of this malware in customer environments.



In this report we describe an automation system created in March 2014 by McAfee Labs to mimic the worm’s communication behavior and tap into its control servers to harvest malware. This system has allowed our researchers zero-day access to the malware and has helped McAfee Labs monitor the botnet’s activity prior to infecting customers. The automation has significantly reduced the number of customer system infections and escalations.
In this report we describe an automation system developed in-house by the lab in March 2014; its purpose is to imitate the worm's communication behaviour and at the same time infiltrate the control server to collect samples directly. This system lets us obtain the malware with zero delay and monitor the botnet's behaviour before it infects customers. The automation system has greatly reduced the number of customer machines infected and taken over.




Evolution: as the W32/Worm-AAEH turns




The first known W32/Worm-AAEH sample (6ca70205cdd67682d6e86c8394ea459e) was found on June 22, 2009 (compiled on June 20). It is detected as Generic Packed.c. Despite being the first version released in the wild, the worm’s authors intended to make it hard to analyze by storing every string as individual characters and concatenating them at runtime. Aside from this step, however, no other functionality prevented the analysis of the malware. The sample had modest capabilities:
The first W32/Worm-AAEH sample (6ca70205cdd67682d6e86c8394ea459e) was found on June 22, 2009, and compiled on June 20. At the time it was detected as Generic Packed.c. Although it was the first sample detected, the worm's author did their utmost to make analysing it very difficult: every string in the sample was broken into single characters and only joined together at run time. Apart from this step, though, the sample took no other measures. The sample's capabilities were not very aggressive:
■■
Executing at system startup and hiding in the User Profile directory.
Executes at system startup and hides in the user directory.
■■
Copying itself in all removable drives and using a hidden autorun.inf file to launch automatically. Using the string “Open folder to view files” as the action text in the local language, supporting 16 European languages.
Copies itself to all removable storage devices and uses a hidden-attribute autorun.inf to ensure it starts automatically; uses the string “Open folder to view files” as the trigger, with support for 16 European languages.
■■
Disabling Windows Task Manager’s ability to terminate applications to prevent itself from being manually terminated by the user.
Disables the End Task function of the Windows Task Manager so the user cannot manually end the process.
■■
Contacting a hardcoded domain (ns1.theimageparlour.net) to download and execute additional malware.
Communicates with a hardcoded domain (ns1.theimageparlour.net), then downloads and runs other malware.



Over time, the authors introduced new features. Currently, the worm can:
As time went on, the author added new features to the worm; today the worm can:
■■
Detect virtual machines and antivirus software.
Detect virtual machines and antivirus software.
■■
Terminate Internet connections to IP addresses at security companies.
Terminate communication with IP addresses belonging to antivirus vendors.
■■
Use a domain generation algorithm (DGA) to find its control servers.
Use a domain generation algorithm (DGA) to find the control servers.
■■
Inject malware into existing processes.
Inject malware into existing processes.
■■
Use encryption.
Use encryption.
■■
Disable tools from terminating it.
Prevent tools from terminating it.
■■
Spread itself via removable CD/DVD drives.
Spread via CD/DVD drives.
■■
Exploit a LNK file vulnerability (CVE-2010-2568).
Attack using an LNK file vulnerability (CVE-2010-2568).
■■
Insert itself in ZIP or RAR archives to aid its persistence and propagation.
Insert itself into compressed archives to ensure its survival and propagation.
欧阳宣
Original poster | Posted on 2015-10-14 13:39:33
This post was last edited by 欧阳宣 on 2015-10-14 14:06

The feature set comprises two components: Beebone and VBObfus (also known as VObfus). The first component acts as a downloader for VBObfus, while the latter contains all the Trojan and worm functionality.
These features make use of two components: Beebone and VBObfus (also known as VObfus). The first component exists as a downloader for VBObfus, while the second carries all the Trojan and worm features.
Several obfuscation and antianalysis tricks make detection difficult, encryption techniques are updated often, and open-source software projects are occasionally included to further complicate analysis. It is no surprise that these tricks have kept this worm relevant since it was discovered in 2009.
Many obfuscation and anti-analysis techniques make detection difficult, the encryption used is updated frequently, and further analysis sometimes even requires open-source software. This is also what has allowed this malware family to survive from its discovery in 2009 until now.



Domain Generation Algorithm


W32/Worm-AAEH uses a simple yet effective DGA that allows the malware distributors to change server IPs and domain names on demand (for example, when blocked by security products) while communicating with current infections.
W32/Worm-AAEH uses a simple, efficient algorithm to switch server IPs and domain names as needed (for instance when the old IP and domain have just been blocked by antivirus software).
■■
The algorithm can be represented as {secret_string}{N}.{TLD} in which secret_string is a hardcoded obfuscated string stored in the malware sample.
The algorithm's formula can be expressed as {secret_string}{N}.{TLD}, where secret_string is an internally scrambled string stored inside the sample.
■■
N is a number from 0 to 20.
N is a number in the range 0-20.
■■
TLD is any of the following strings: com, org, net, biz, info.
TLD is any one of the following: com, org, net, biz, info.

While N and TLD remain virtually constant, the secret string occasionally changes. At any time, the malware distributor sets the appropriate DNS records for the current secret string as well as the previous one to ensure that older samples can connect to the new servers for updates.
Although N and TLD are constants, secret_string changes with circumstances. The malware distributor can at any time assign the current secret_string the DNS records corresponding to the previous sample, to ensure that old samples can still connect to the new servers.

For example, on September 14, 2014, the control server IP address was 188.127.249.119. This IP address was registered under several domain names using the current secret string ns1.dnsfor and the previous string ns1.backdates. Some of the domain names from the DGA result in successful resolutions, as shown in the following image:
For example, on September 14, 2014, the control server IP was 188.127.249.119; the secret_string corresponding to this DNS was ns1.dnsfor and the previous one was ns1.backdates. Some of the domains produced by the domain generation algorithm resolved successfully, as shown in the figure.
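As an added example (not code from the report or from McAfee), the following Python enumerates every candidate domain the DGA pattern above can produce for the two secret strings quoted for September 14, 2014, and uses that list to flag matching queries in DNS logs; the log line format and the sample lines are constructed assumptions.

```python
import re
from itertools import product

# Added example, not McAfee's code. The report describes the DGA as
# {secret_string}{N}.{TLD}, with N from 0 to 20 and TLD one of the five below.
N_VALUES = range(0, 21)
TLDS = ("com", "org", "net", "biz", "info")

# Secret strings the report quotes for September 14, 2014: the current one and the
# previous one, which the operators keep resolving so older samples can still update.
SECRETS_2014_09_14 = ("ns1.dnsfor", "ns1.backdates")


def dga_domains(secret_strings):
    """Enumerate every domain the DGA can yield for the given secret strings."""
    return {f"{s}{n}.{tld}" for s, n, tld in product(secret_strings, N_VALUES, TLDS)}


def normalize(qname):
    """DNS logs often carry a trailing dot and mixed case; compare the canonical form."""
    return qname.rstrip(".").lower()


# Constructed log format (assumption): "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_dga_queries(log_lines, secret_strings):
    """Return (timestamp, client, qname) for every query that hits a DGA domain."""
    watch = dga_domains(secret_strings)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, _qtype, qname = m.groups()
        if normalize(qname) in watch:
            hits.append((ts, client, normalize(qname)))
    return hits


# Constructed sample lines, not taken from the report. Lines 3 and 4 are near misses:
# no N at all, and N=21, which lies outside the 0..20 range the DGA uses.
SAMPLE_LOG = [
    "2014-09-14T08:12:03Z 10.0.0.5 A ns1.dnsfor3.com.",
    "2014-09-14T08:12:04Z 10.0.0.5 A NS1.BACKDATES17.INFO",
    "2014-09-14T08:12:05Z 10.0.0.7 A ns1.dnsfor.com",
    "2014-09-14T08:12:06Z 10.0.0.7 A ns1.dnsfor21.net",
    "2014-09-14T08:12:07Z 10.0.0.9 A www.example.com",
]
```

Because the operators keep the previous secret string resolvable, a blocklist built this way should always carry both the current and the previous string, exactly as the report describes.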



Chained download mechanism


One of the reasons antivirus software struggles with this threat is that the worm can replace itself with new variants before signatures are created to combat them. This tactic is implemented using a chained download mechanism, in which both W32/Worm-AAEH components (Beebone and VBObfus) download new variants of each other. This step ensures that worm’s persistence even if security software can detect one of the components—because the undetected component will eventually download an undetected version of its counterpart. The chained download is initiated through another component, detected by McAfee Labs as Generic VB.kk. This sample arrives through exploit kits and social engineering attacks and exists solely to download Beebone. An unrelated component detected as Downloader-BJM is an IRC bot that communicates with the same control server but doesn’t interact with W32/Worm-AAEH. This process is illustrated in the following diagram:
One reason antivirus vendors get tangled up with this kind of malware is that these worms quickly produce new variants before the corresponding signatures can be released. This trick is put to full use in the chained download mechanism: the two key components of W32/Worm-AAEH (Beebone and VBObfus) download new variants of each other. This ensures the malware survives even when only one component is detected, because the other component will download a new version of the detected one. The chained download is started by another component, which McAfee detects as Generic VB.kk. This component reaches the machine through exploits or social engineering attacks, and its sole purpose is to download Beebone. Another component, detected as Downloader-BJM, is an IRC bot that communicates with the same control server but does not interact with the worm itself. The whole process is shown in the figure.


In the preceding illustration, Beebone (in Step 4) downloads a variant of VBObfus (6), which replaces the old Beebone with a new Beebone variant (8). A walkthrough of the download chain follows:
In the diagram above, Beebone (step 4) downloads a variant of VBObfus, which in turn replaces the old Beebone component with a new Beebone variant (step 8). A simple walkthrough is shown in the figure.


The response received by Generic VB.kk in Step 3
The response received by Generic VB.kk in step 3


欧阳宣
Original poster | Posted on 2015-10-14 13:40:06
This post was last edited by 欧阳宣 on 2015-10-14 14:06

Part 2 isn't finished yet, so I have to stop here for now.

The later parts will cover the ingenious code obfuscation algorithm, and how the botnet's control server generates mutually distinct variants of the malware.

Finally, there is the record of the global joint effort to take down the botnet.


If you're passing by, please show some support; thanks in advance.


驭龙
Posted on 2015-10-14 14:12:18
I guessed from the title that it was a McAfee article. Botnets, like exploits, are among the most dangerous threats around today; when I choose security software it has to have at least some ability to defend against these threats.
aboringman
Posted on 2015-10-14 15:02:32 from mobile
欧阳宣 posted on 2015-10-14 13:40
Part 2 isn't finished yet, so I have to stop here for now.

The later parts will cover the ingenious code obfuscation algorithm, and how the botnet's control server ...

Nice, a good article, here I come......
Thanks for your hard work, OP.
谢谢你的温柔
Posted on 2015-10-14 15:11:31
Looks pretty impressive.
ericdj
Posted on 2015-10-14 16:13:28
Thumbs up!!
lixihong10
Posted on 2015-10-14 17:06:35
A timid question: how do I get good at English?
HEMM
Posted on 2015-10-14 17:27:25
lixihong10 posted on 2015-10-14 17:06
A timid question: how do I get good at English?


Go abroad~
That said......... this long string of English blah blah blah gives me a headache; I don't feel like studying.
I can only hold out against the dense text for three seconds, then I start looking for something fun.
Hehe~ it reads a bit like a game manual.
Can it detect and remove QQ粘虫?