嵌入式恶意软件-查克诺里斯僵尸网络分析

2010 European Conference on Computer Network Defense Pub Date : 2010-10-28 DOI:10.1109/EC2ND.2010.15

Pavel Čeleda, Radek Krejcí, Jan Vykopal, Martin Drasar

{"title":"嵌入式恶意软件-查克诺里斯僵尸网络分析","authors":"Pavel Čeleda, Radek Krejcí, Jan Vykopal, Martin Drasar","doi":"10.1109/EC2ND.2010.15","DOIUrl":null,"url":null,"abstract":"This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"33","resultStr":"{\"title\":\"Embedded Malware - An Analysis of the Chuck Norris Botnet\",\"authors\":\"Pavel Čeleda, Radek Krejcí, Jan Vykopal, Martin Drasar\",\"doi\":\"10.1109/EC2ND.2010.15\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!\",\"PeriodicalId\":375908,\"journal\":{\"name\":\"2010 European Conference on Computer Network Defense\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2010-10-28\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"33\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2010 European Conference on Computer Network Defense\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/EC2ND.2010.15\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 European Conference on Computer Network Defense","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EC2ND.2010.15","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 33

摘要

本文描述了我们在2009年12月初发现的一个新的僵尸网络。我们基于Net flow的网络监控系统报告了越来越多的Telnet扫描探针。溯源我们已经确定了全球范围内受感染的DSL调制解调器和家用路由器。现在，许多供应商在这类设备中使用Linux。进一步的调查表明，大多数已部署的SoHo(小型办公室/家庭办公室)设备使用默认密码或未打补丁的易受攻击固件。有些设备允许通过Telnet、SSH或web接口进行远程访问。利用弱密码的Linux恶意软件允许快速传播和几乎无限的恶意活动潜力。与传统的面向桌面的恶意软件相比，终端用户几乎没有机会发现僵尸程序感染。我们以查克·诺里斯的名字命名这个僵尸网络，因为它的早期版本包含了字符串[R]anger Killato: in name di Chuck Norris!

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Embedded Malware - An Analysis of the Chuck Norris Botnet

This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2010 European Conference on Computer Network Defense

自引率

0.00%

发文量