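Computer network security today faces threats from trojans, worms, distributed denial-of-service attacks, and advertising and phishing mail, and the force behind these threats is the botnet. A botnet is a new form of attack that evolved from traditional malware; its distinguishing feature is that it gives the attacker a covert, flexible, one-to-many means of directing bots to carry out tasks. Botnets communicate mainly over the IRC protocol, so this paper focuses on IRC-based botnet malware. Using domain name redirection, we gather the computers infected with the botnet malware in one place and cut off their contact with the attacker, then use packet analysis to work out how the bots are controlled, so that we can help these attacker-controlled computers remove the infection. The experimental results confirm that the approach is feasible: we successfully gathered the infected computers and also found a way to help them disinfect.

A group of bots, referred to as a botnet, is remotely controllable by a server and can be used for sending spam mail, stealing personal information, and launching DDoS attacks. Botnets evolved from malicious programs, and they give the attacker secrecy, flexibility, and very powerful capabilities. IRC is the most common botnet command and control mechanism because it is scalable and easy to hide within. In this paper we therefore focus on IRC-based malware, using DNS hijacking to converge the computers infected with the botnet virus, which monopolizes the connection between the bots and the hackers. We then figure out how the hackers control the bots via traffic analysis. Our results show that bot traffic can be filtered and redirected, and that we can also assist bot clients in cleaning up the virus.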
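
The traffic-analysis step described above, sketched as an added example (not code from the paper): it parses client-side IRC lines logged at a sinkhole and groups them by source address, showing which nick, channel and channel key each redirected host uses. The log format, addresses, nicks, channel name and key are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines a sinkhole IRC listener might log as
# "<source IP> <raw IRC line sent by the client>". All values are invented.
SAMPLE_LOG = """\
192.0.2.10 NICK TWN|48213
192.0.2.10 JOIN #example-chan examplekey
192.0.2.23 NICK USA|90177
192.0.2.23 JOIN #example-chan examplekey
192.0.2.23 PRIVMSG #example-chan :status ok
198.51.100.7 GET / HTTP/1.1
"""

# RFC 1459 message: [":" prefix SPACE] command params [" :" trailing]
IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) +)?(?P<cmd>[A-Za-z]+|\d{3})(?P<rest>(?: .*)?)$")

def parse_irc(line):
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    head, sep, trailing = m.group("rest").partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)  # trailing parameter may contain spaces
    return m.group("cmd").upper(), params

def summarize(log_text):
    """Group sinkholed clients by source IP: nick, channels/keys, messages."""
    hosts = defaultdict(lambda: {"nick": None, "channels": {}, "messages": []})
    for entry in log_text.splitlines():
        src, _, raw = entry.partition(" ")
        parsed = parse_irc(raw)
        if parsed is None:
            continue
        cmd, params = parsed
        if cmd == "NICK" and params:
            hosts[src]["nick"] = params[0]
        elif cmd == "JOIN" and params:
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                hosts[src]["channels"][chan] = keys[i] if i < len(keys) else None
        elif cmd == "PRIVMSG" and len(params) >= 2:
            hosts[src]["messages"].append((params[0], params[1]))
    return dict(hosts)  # hosts that sent no recognised IRC command are absent

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Hosts that share a channel and key are likely under the same controller, and the per-address list is what an operator would use to notify owners of infected machines.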