1. Technical Field
Example embodiments of the present invention relate in general to an apparatus and method for blocking a zombie behavior process, and more specifically, to an apparatus and method for detecting a process infected by a zombie and blocking the process and traffic while operating in a computer system.
2. Related Art
A botnet is a plurality of computers that are connected via a network and infected with a bot, which is malicious software. In other words, a botnet is a group of thousands to hundreds of thousands of computers infected with a malicious program (a bot), remotely controlled at will by a bot master who holds the authority to control the bots, and capable of performing various types of malicious behavior.
Since the first appearance of a botnet with EggDrop in 1993, advanced bots such as Forbot, PBot and Toxt have emerged over the last ten years. These days, numerous variants are emerging, and the variants themselves are difficult to cope with. Command and control (C&C) servers and malicious bots for issuing orders to bot zombies and controlling them have spread extensively all over the world. In particular, countries with high-speed Internet service can come under fierce attack, such as distributed denial of service (DDoS), and are thus vulnerable to botnet infections.
The worldwide number of zombie computers infected with bots is continuously increasing, and botnets are also growing in scale. One hundred million to one hundred fifty thousand computers, representing about 11% of all computers in the world, are expected to be infected with bot malicious code and used for attacks. In particular, botnet attacks are a serious problem in that they tend to be criminal in nature, such as threats to disrupt a company's service.
Early botnets were mainly Internet relay chat (IRC) botnets, exploiting the flexible structure and wide use of IRC. They have since evolved into botnets based on hypertext transfer protocol (HTTP), the web protocol, which makes them difficult to detect and cope with, and into peer-to-peer (P2P) botnets in which every zombie can act as a C&C server. Depending on where it is applied, technology for coping with such botnets is classified into host-based technology, which detects and analyzes a botnet on a computer on the basis of bot behavior, and network-based technology, which detects and analyzes a botnet on the basis of network traffic between a bot zombie computer and a C&C server.
As the severity of botnets has become known, active research has recently been underway to block them. However, this research has mainly addressed IRC botnets, while for HTTP and P2P botnets only the present situation, characteristics, etc. have been studied. Most conventional research on IRC botnets has the following problems: detection can be evaded by channel encryption, stealth scanning, changes to command/control patterns, domain name server (DNS) spoofing, etc.; misdetection may occur; and countermeasures against recent HTTP/P2P botnets are insufficient.