A Random-Key Penetration Testing Carrier with a Polymorphic Detection-Evasion Mechanism (具變形躲避偵測機制之隨機金鑰穿透測試載具)
Abstract
Worms are used to spread exploit code to hosts across the Internet rapidly. A worm that carries malicious code and uses encryption to evade the intrusion detection system (IDS) does great damage to today's network defense infrastructure. A worm's shellcode has traditionally been the main signature an IDS uses to decide whether traffic is an attack, so attackers apply simple encryption to the shellcode to evade detection; the result is commonly called a polymorphic worm, which signature-based IDSs cannot detect.
To defend against polymorphic worms, we first need to study whether such a worm can mutate enough to evade current IDS detection mechanisms. In this paper we use an encryption mechanism and a variety of decoders to test whether Snort, a well-known signature-based IDS, can detect our penetration testing carrier. We also propose modifying the worm's sled so that execution can begin at any byte and still run correctly through to the shellcode, and adjusting the opcode distribution, in order to test whether IDSs that analyze executable code, such as STRIDE and APE, can detect the polymorphic worms we generate.
Finally, in our laboratory we use the Sasser and Blaster worms we collected as the basis for mutation, add normal background traffic to the experimental network, and run comparison tests of our penetration testing carrier against Snort and STRIDE. According to the results of these experiments, the carrier evades the intrusion detection systems, delivers the test program to the destination host, and spreads successfully more than 90% of the time.
Keywords
Intrusion detection system (IDS); shellcode; sled; polymorphic worm; polymorphism; penetration test
Citation Format:
楊明豪(Ming-Hour Yang), 羅嘉寧(Jia-Ning Luo), "具變形躲避偵測機制之隨機金鑰穿透測試載具," Journal of Internet Technology, vol. 10, no. 4 , pp. 393-403, Aug. 2009.
Published by Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, R.O.C