BOTNET趋势报告Botnet Trend Report2019关于绿盟科技北京神州绿盟信息安全科技股份有限公司（以下简称绿盟科技公司），成立于2000年4月，总部位于北京。公司于2014年1月29日在深圳证券交易所创业板上市，证券代码：300369。绿盟科技在国内设有40多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供全线网络安全产品、全方位安全解决方案和体系化安全运营服务。公司在美国硅谷、日本东京、英国伦敦、新加坡设立海外子公司，深入开展全球业务，打造全球网络安全行业的中国品牌。版权声明为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。2019 Botnet趋势报告A目录执行摘要 ··································································································································································· C关于绿盟科技伏影实验室 ································································································································································· 3关于绿盟威胁中心 NTI ····································································································································································· 31. 2019 Botnet安全事件概览 ·································································································································· 42. 2019 Botnet威胁趋势分析 ·································································································································· 62.1 Botnet 恶意软件趋势总览 ·························································································································································· 82.1.1 平台 ·············································································································································································································· 82.1.2 开发语言 ······································································································································································································ 92.1.3 文件类型 ···································································································································································································· 102.1.4 小结 ············································································································································································································ 102.2 入侵与传播方式分析 ································································································································································ 102.2.1 弱口令 ········································································································································································································ 112.2.2 漏洞利用 ···································································································································································································· 122.2.3 鱼叉攻击 / 恶意文档 ················································································································································································ 182.2.4 小结 ············································································································································································································ 212.3 持续性威胁分析 ········································································································································································ 212.3.1 DDoS 木马（DDoS Trojan） ··································································································································································· 222.3.2 勒索软件（Ransomeware） ·································································································································································· 342.3.3 挖矿木马（Crypto Mining Malware） ··················································································································································· 422.3.4 银行木马（Banker） ················································································································································································462.3.5 广告捆绑与推广软件（Adware） ·························································································································································· 522.3.6 持续性威胁分析小结 ················································································································································································ 552.4 移动端系统威胁分析 ································································································································································ 562.4.1 总览 ············································································································································································································ 562.4.2 广告软件 ···································································································································································································· 572.4.3 银行木马 ···································································································································································································· 572.4.4 勒索软件 ···································································································································································································· 592.4.5 挖矿软件 ···································································································································································································· 602.4.6 小结 ············································································································································································································ 622019 Botnet趋势报告B3. 2019 Botnet热点家族分析 ································································································································ 633.1 家族分析 ····················································································································································································· 643.1.1 GoBrut ·······································································································································································································643.1.2 Gafgyt ········································································································································································································663.1.3 Mirai ···········································································································································································································693.1.4 Nitol ···········································································································································································································743.1.5 Nekobot ····································································································································································································753.2 热点家族总结 ·············································································································································································764. 2019高级持续威胁（APT）分析 ····················································································································· 774.1 APT 组织新趋势 ········································································································································································ 784.2 APT 与 Botnet ············································································································································································794.3 APT 与 CVE ················································································································································································804.4 五大 APT 组织动态 ··································································································································································· 814.5 小结 ····························································································································································································· 835. 总结 ····································································································································································· 84引用与参考 ····························································································································································· 862019 Botnet趋势报告C执行摘要执行摘要随着计算机技术的蓬勃发展，大量网络设备被接入，全球互联网体量急速膨胀。然而，网络安全能力建设的速度远远赶不上互联网体量膨胀速度，使得互联网安全缺口不断扩大。裂隙之中滋生病菌，大量网络犯罪集团和个人占据着低安全性的网络资源，组建并控制僵尸网络集群，进而从中获利。僵尸网络（后文统称为 Botnet）是当今互联网威胁的重要载体。 DDoS 攻击、广告捆绑、挖矿、信息窃取等行为持续依托 Botnet 进行活动，而某些勒索软件会通过 Botnet 进行传播，甚至 APT 攻击也开始使用 Botnet 探路。近年来，越来越多的 Botnet 开始使用 BaaS（Botnet as a Service）的方式提供服务，该方式降低了不法分子进行持续威胁的成本，同时也提高了他们控制 Botnet 的便利性。这导致 Botnet数量不断攀升，规模不断扩大，严重危害互联网生态环境，需要对其进行对抗和打击。对抗 Botnet 需要有针对性的防御措施，打击 Botnet 需要有针对性的组织画像。这都要求对 Botnet 进行研究和追踪，捕获入侵的恶意软件，分析恶意软件技术，解读其发展趋势，跟踪其最新动态，从而达到获取威胁情报和防御的目的。绿盟科技伏影实验室多年来持续研究并追踪 Botnet，同时在 APT 研究与跟踪方向也取得重要进展。总的来说，今年威胁形势与之前相比，既有延续，也有变化，呈现以下趋势：入侵与传播：弱口令爆破和各类远程可执行漏洞仍然是现网攻击入侵的重要手段，涉及平台及资产范围广泛；鱼叉邮件投送持续活跃，凸显出攻击的阶段性和分工性，给追踪带来了巨大挑战，同时此类攻击有较强的目标针对性和内容迷惑性，往往能够骗取目标的信任与好奇心，因此多年来屡试不爽。应对这些入侵威胁，需要管理者和运维者及时更新升级相关系统，并加强对个人的安全意识培训，以避免受到攻击或最大程度降低因攻击而受到的损失。持续性威胁：爆破活动逐渐从 Botnet 的爆破功能中独立出来，由专项爆破家族实施。新家族 GoBrut 发起了针对 WordPress等多种网站管理框架、数据库和远程管理协议的大规模爆破活动，版本不断迭代，体现出 Go 语言恶意软件组成的 Botnet 正在迅速发展。 广告捆绑软件为了争夺用户推广软件，持续采取静默安装和广告弹窗等方式，甚至出现了传播12019 Botnet趋势报告2执行摘要恶意软件这种“白夹黑”的情况，其利益链条和安全风险更需进行深入研究。 DDoS 威胁方面，美国依然承受了最多的攻击，而这些攻击大部分来自 Gafgyt 和 Mirai 两大家族，其中 UDP 泛洪攻击占比进一步提升。由于更多企业和个人将服务器转移到云 /VPS 服务上，使得后者承受了越来越多的攻击流量。 勒索软件“前仆后继”，随着部分旧家族的退出，一些产业化程度更高的新家族浮出水面。GandCrab 和 Sonikibi 是 2019 年最为活跃的勒索软件家族之一。银行木马肆意横行，恶意家族的强强联合使得威胁进一步升级，由更多的“单打独斗”向多种攻击方式融合，最终以榨取用户钱财为目的。 移动平台亦是 Botnet 威胁的重要发展面，其上的恶意软件种类数量不逊于 PC 端，广告软件、银行木马、勒索软件等应有尽有，对 Android 手机和平板电脑这类存有重要个人信息的设备构成严重威胁。Android 电视盒子等设备因远离用户管控，故而更易受到挖矿软件的入侵。Botnet 依然是 APT 组织维护其持续性威胁的重要方式， 2019 年出现了其他 Botnet 组织协助APT 组织攻击的迹象。根据以上观测和研究结果，本年度 Botnet 不管是在入侵还是持续性威胁活动方面，其影响较之往年更甚。服务者、管理者和使用者需要依据实时的威胁情报，合力对 Botnet 进行管控治理，以避免其威胁到重要的服务和设施。2019 Botnet趋势报告3关于绿盟科技伏影实验室伏影实验室专注于安全威胁与监测技术研究。 研究目标包括 Botnet 威胁， DDoS 对抗， WEB 对抗，流行服务系统脆弱利用威胁、身份认证威胁，数字资产威胁，黑色产业威胁及新兴威胁。通过掌控现网威胁来识别风险，缓解威胁伤害，为威胁对抗提供决策支撑。为深入研究 Botnet，伏影实验室设立了跟踪 Botnet 的独立系统，接收来自绿盟科技威胁情报中心（NTI ）的威胁情报数据，提取数据中包含的 Botnet 线索，使用独特的手段对线索关联到的 Botnet 进行持续观测并采集指令，从而感知 Botnet 动态，进而掌控 Botnet 趋势，为攻击预警、应急响应、数据分析等提供支持。伏影实验室对 Botnet 的研究成果融入到了绿盟科技的多个产品当中，包括为 IDPS 产品持续提供规则，为 NTI 产品反哺大量 IoC 情报等。通过对 Botnet 的专向研究，保证了绿盟科技在威胁感知领域的专业度与敏感度，从而为客户持续提供独到而权威的威胁情报，更好地应对网络威胁。关于绿盟威胁中心NTI绿盟威胁情报中心（ NSFOCUS Threat Intelligence center, NTI）是绿盟科技为落实智慧安全 2.0 战略，促进网络空间安全生态建设和威胁情报应用，增强客户攻防对抗能力而组建的专业性安全研究组织。其依托公司专业的安全团队和强大的安全研究能力，对全球网络安全威胁和态势进行 持续观察和分析，以威胁情报的生产、运营、应用等能力及关键技术作为核心研究内容，推出了 绿盟威胁情报平台以及一系列集成威胁情报的新一代安全产品，为用户提供可操作的情报数据、专业的情报服务和高效的威胁防护能力，帮助用户更好地了解和应对各类网络威胁。2019 Botnet趋势报告42019 Botnet安全事件概览1. 2019 Botnet安全事件概览12019 Botnet安全事件概览2019 Botnet趋势报告52019 Botnet安全事件概览2019 年，网络安全威胁事件频发，恶意软件在其中扮演着重要角色，组成的 Botnet 展现出惊人的破坏力：2018 年底，驱动人生遭受供应链攻击，其升级通道被植入了门罗币挖矿木马，入侵个人主机后通过永恒之蓝漏洞进行横向传播，导致大量用户感染。该攻击带来的影响持续至 2019 年，并引发多起应急事件。2019 年年初，银行木马 Emotet 联合 Trickbot 下发勒索病毒 Ryuk。这三个家族互相牵连，组成了多级载荷，向欧美国家企业发动攻击1。此后，Emotet 家族进入活跃阶段，攻击事件数量激增。2019 年年初，爆破型家族 GoBrut 首次被发现，并在 8 月对大量 WordPress 这类网站管理框架进行弱口令爆破攻击，影响了数万个目标。由于被攻破目标的名单被公布在开放访问的服务器上，使得事件影响进一步升级。通过对 GoBrut 的持续跟踪，伏影实验室发现该家族依旧活跃，持续进行着针对WordPress 等网站管理框架和 SSH 协议的大规模爆破活动。2019年 6月，著名勒索病毒 GandCrab的开发组织在俄语论坛发布声明称将停止对程序的更新。之后，该勒索病毒的继任者 Sodinokibi 开始活跃，并发起针对包括中国用户在内的鱼叉攻击事件（伪造成敦豪国际航空快递公司邮件）2。伏影实验室发现 Sodinokibi 运营者使用了更公开的在线交流平台以方便受害者缴纳赎金，显示了高度的产业化程度。2019 年 6 月，伏影实验室在跟踪广告捆绑家族 SoftCNApp 时，发现了其传播了恶意软件，会进行一系列恶意推广活动，包括劫持浏览器主页、推广其他软件和显示广告弹窗等。这类广告捆绑软件持续活跃，不但影响用户体验，而且成为了其他恶意软件的传播渠道。2019 年 8 月，伏影实验室发现了 IoT 平台家族 Mirai 的特殊变种。该变种将 C&C 部署于暗网中，通过代理服务器与 C&C 通信。这种手法或许会被 Linux/IoT 恶意家族借鉴，形成新的网络威胁。2019 年 9 月，伏影实验室捕获到一起利用 Redis 漏洞入侵的门罗币挖矿攻击，该攻击中使用的恶意载荷 SkidMap 会替换多个 Linux 常用命令的二进制文件并加载恶意驱动以阻止用户发现异常。这种后门 +Rootkit 的攻击组合增强了恶意软件的隐匿性，在一定程度上给检测工作带来了困扰。2019 Botnet趋势报告62019 Botnet威胁趋势分析2. 2019 Botnet威胁趋势分析22019 Botnet威胁趋势分析