
Containing Cyber Viruses: What Exactly Should Be Done?

Date: 2024-06-03

纪望月

This May, a ransomware strain named WannaCry ran rampant across the globe; within just two days of its outbreak it had hit victims in more than 150 countries, at least 200,000 people in all. More alarming still, the exploit the malware relied on originated with the U.S. National Security Agency. The incident once again sounded the alarm on cybersecurity and set off a worldwide discussion of cyber governance: confronted with aggressive and ever-escalating cyber viruses, what exactly can the international community do, and how should it go about it?

A global outbreak of ransomware[1] is rapidly infecting machines in critical and not-so-critical infrastructure across the globe, including the National Health Service in the United Kingdom, a Spanish internet service provider, the German rail system, and mall billboards in Singapore. This digital pandemic illustrates a challenge that the cybersecurity community has been wrestling with[2] for nearly a decade: How to counter the spread of malicious cyber capability.

To help inform this conversation, let's first step back and review what we know about WannaCry, the ransomware sprinting across the globe. As has been widely reported, the malware leverages an exploit[3] developed by the U.S. National Security Agency. The exploit, which was called EternalBlue, “works reliably against computers running Microsoft Windows XP,” as Ars Technica[4] put it. The developers of WannaCry combined this Windows exploit with code that allowed the ransomware to spread without so much as a keystroke[5] or click from either the operator or the victim, locking machines and demanding ransom. How, you might ask, did this exploit reach the authors of WannaCry? In simple terms: The Shadow Brokers[6], the group that has spent the last few months leaking NSA tools, essentially made it open-source.

Because of difficulties associated with pushing patches[7] designed to block an exploit out to the public—it takes a long time for everyone to click on those annoying little security updates, and some portion of the population never will—open-sourcing exploits like this is often a bad idea. It simultaneously notifies the software manufacturers and potential attackers of the bug. The Shadow Brokers/WannaCry case is just one demonstration of the growing challenge of countering the spread of malicious cyber capability. The code for Carberp[8] (a “botnet[9] creation kit”) was posted online and precipitated[10] the outbreak of the Carbanak[11] malware used to steal cash from ATMs. Rumors persist that versions of the BlackEnergy trojan—twice leveraged to shut off portions of the Ukrainian power grid—have been floating around in malware forums.

In 2013 and in response to the publicity of Stuxnet[12], the campaign that sabotaged the Iranian nuclear enrichment[13] program, Gen. Michael Hayden[14] noted that the time we live in “has the whiff[15] of August 1945. Someone, probably a nation-state, just used a cyber weapon in a time of peace … to destroy what another nation could only describe as their critical infrastructure.” To Hayden, it was abundantly clear that cyber-insecurity could threaten global stability, yet the international community was ill-equipped to handle the problem.

Today, when policymakers around the world contemplate the intersection of cybersecurity and global stability, they focus their time, money, and effort into developing concepts around norms for responsible state behavior—in other words, what states and other international actors should and should not do in cyberspace. They have not paid enough attention to the other side of the same stability-regime coin: limiting what groups can and cannot do. This means a combination of hardening our own systems against attacks and, likely, somehow countering the proliferation of capability—the possibility of which requires a great deal more exploration from researchers.

This research will be important because there are several problems when it comes to countering the spread of malicious software. Chief among the challenges here is the notion that malware, the “weapon of cyberconflict,” is only a portion of the problem. The tool itself isn't the only thing bad actors need—they must have the knowledge of how to leverage it as well. In any case the capability—the code and how to use it—is not physical. It's knowledge or information. And it's easier to lock down a physical object than it is to stop the spread of information.

Second, somewhat counterintuitively, there are people who argue that the open spread of malicious capability is actually beneficial to those trying to defend against cyberattacks. If the exchange of tools and practices happens in the open, defenders have a better sense of what and who they are trying to protect against.

Third, the cybersecurity community cannot afford to institute blanket[16] restrictions on the exchange of malware. When actively defending against an attack or remediating an incident, defenders and responders share artifacts with colleagues to gain insight on how to counter the attack. More often than not, these artifacts could only be described as malware.

So what can we do? For starters, the policy community needs to understand that not all malicious cyber capability is made equal. We know that the capability behind the Stuxnet campaign that sabotaged the Iranian nuclear facility at Natanz[17] is different from Zeus[18], which enabled financial and other cybercrime around the world, which is different from the Mirai[19] botnet, which caused the Dyn[20] internet outage in October 2016. And all of these tools are constructed and operate differently from WannaCry. Just as cybertools are vastly different in construction and effect, we likely need a variety of policy tools to address them. Wrapping our heads around[21] what these capabilities are, how they differ, and how they spread is a massive first step.

If we can do that, we can then look to other fields, like biosecurity, pathogen[22] and disease control, counternarcotic[23], and counter-money-laundering and small arms trade, which could shed light and provide frameworks for addressing diffusion[24] problems. This type of framework might be leveraged to help the defensive cybersecurity community address transnational threats like the Mirai botnet and clean up the mess left by widespread ransomware. Similarly, the cybersecurity community can likely draw lessons about where and how to break up illicit markets from the experiences of the counternarcotic community to help address the spread of malware between criminal groups.

Western policymakers are not the only ones who see WannaCry as a catalyst[25] to renew discussion. Chinese academic Shen Yi writes, “all countries that are willing to take responsibility, including the United States, should advocate as soon as possible to promote a global cyber non-proliferation mechanism.” In a polarized world, there may be space for some form of transnational cooperation on this issue. But first, we need to fill the knowledge gap.

A ransomware outbreak is sweeping the globe, rapidly infecting computers in critical and non-critical infrastructure worldwide, including the UK's National Health Service, a Spanish internet service provider, the German rail system and shopping-mall billboards in Singapore. This digital pandemic highlights a problem the cybersecurity field has been trying to solve for nearly a decade: how to counter the spread of malicious cyber capability.

To give both sides of the conversation the relevant background, let us first step back and look at how much we know about WannaCry, the ransomware that has swept the globe at lightning speed. Extensive reporting shows that the malware leverages an exploit developed by the U.S. National Security Agency. According to the American technology blog Ars Technica, the exploit, named "EternalBlue", can "effectively attack computers running Microsoft Windows XP". WannaCry's developers combined this Windows exploit with code that lets the ransomware spread without the operator or the victim pressing a key or clicking a mouse, lock the computer and then demand a ransom. You might ask: how did this exploit end up in the hands of WannaCry's developers? Simply put, a group calling itself "The Shadow Brokers" has spent the last few months leaking assorted NSA tools, and EternalBlue effectively became open-source software as a result.

Because pushing vulnerability patches out to the public is difficult (it takes a long time to get everyone to click on those annoying little security updates, and some people never upgrade at all), open-sourcing exploits like EternalBlue is often very dangerous. Doing so alerts software vendors and potential attackers to the existence of the flaw at the same time. The challenge posed by the spread of malicious cyber capability is growing, and the Shadow Brokers/WannaCry affair is only the tip of the iceberg. The code of the banking-credential stealer Carberp (a botnet creation kit) was once posted online, triggering the sudden outbreak of the Carbanak malware used to steal cash from ATMs. Rumors also persist that variants of the "BlackEnergy" trojan, twice used to shut down parts of the Ukrainian power grid, are still circulating on the major malware forums.

In 2013, Stuxnet, the worm that derailed Iran's nuclear enrichment program, was made public. Commenting on it, U.S. General Michael Hayden said that the era we live in "has the whiff of August 1945. Someone, perhaps a nation-state, used a cyber weapon in a time of peace ... to destroy what was, to another nation, critical infrastructure." To Hayden it was obvious that the dangers of cyberspace could threaten global stability, yet the international community lacked the capacity to deal with the problem.

Today, when thinking about the relationship between cybersecurity and global stability, policymakers around the world tend to invest their time, money and energy in studying concepts such as "norms of responsible state behavior", in other words, what states and other international actors should and should not do in cyberspace. These policymakers have not, however, paid enough attention to the other side of the cyber-stability coin: defining what groups can and cannot do. That means hardening our own systems against cyberattack while, where possible, containing the proliferation of malicious cyber capability. Whether the latter is achievable requires a great deal of exploration by researchers.

This research matters because several problems stand in the way of containing the spread of malicious software. Foremost among them is the view that malware, the "weapon of cyber conflict", is not the whole problem. The software tool itself is not the only thing a malicious actor needs; they must also possess the knowledge of how to use it. In any case, malicious cyber capability, the code and how to use it, is not physical. It is knowledge or information. And locking down a physical object is far easier than stopping the spread of information.

Second, contrary to first impressions, some argue that the open spread of malicious cyber capability is actually useful to those trying to fend off cyberattacks. If tools and attack practices are exchanged in the open, defenders can better understand which adversaries and weapons they are defending against.

Third, the cybersecurity field cannot impose blanket restrictions on the exchange of malware; the consequences would be unbearable. When actively defending against a cyberattack or taking remedial action, defenders and responders share tools with colleagues to understand in depth how to counter the attack. In most cases, those tools can only be described as malware.

So what can we do? First, policymakers must understand that not all malicious cyber capability is alike. We all know that the capability behind Stuxnet, which sabotaged Iran's nuclear facility at Natanz, differs from the Zeus trojan used for financial and other cybercrime around the world, and that Zeus in turn differs from the Mirai botnet that knocked Dyn's services offline in October 2016. All three of these tools differ from WannaCry in how they are written and how they operate. Precisely because cyber tools vary so enormously in construction and effect, we will probably need a variety of policy tools to deal with them. Understanding what these viruses are capable of, how they differ and how they spread is therefore the critically important first step.

If we can do that, we can turn to other fields that can offer inspiration and frameworks for addressing diffusion problems, such as biosecurity, pathogen and disease control, counternarcotics, anti-money-laundering and the small-arms trade. Such a framework could be used to help the defensive cybersecurity community tackle transnational threats such as the Mirai botnet and clean up the mess left by rampant ransomware. Likewise, on the question of where and how to break up illicit markets, the cybersecurity field can learn from the counternarcotics field to help address the spread of malware among criminal groups.

Western policymakers are not the only ones who see the WannaCry incident as an opportunity to reopen the discussion. The Chinese scholar Shen Yi argues: "All countries willing to take responsibility, including the United States, should advocate as soon as possible for the establishment of a global non-proliferation mechanism for cyberspace." In this multipolar world there is room for transnational cooperation among countries on this issue. But first, what we need to do is fill the gap in knowledge.

1. ransomware [ˈrænsəmweə(r)] n. ransomware (malware that extorts payment)

2. wrestle with: to try to solve (a problem); to grapple with (a difficulty)

3. exploit [ˈeksplɔɪt] n. [computing] exploit, a program that takes advantage of a vulnerability

4. Ars Technica: a well-known American technology news blog

5. keystroke [ˈkiːstrəʊk] n. a single press of a key (on a keyboard)

6. The Shadow Brokers: a mysterious hacker group that has leaked a large number of exploits stolen from the U.S. NSA.

7. patch [pætʃ] n. [computing] patch (program)

8. Carberp: malware specialized in stealing banking information

9. botnet [ˈbɒtnet] n. botnet; a network in which one or more propagation methods infect a large number of hosts with bot programs, giving the controller one-to-many control over the infected hosts.

10. precipitate [prɪˈsɪpɪteɪt] vt. to cause to happen suddenly; to bring on

11. Carbanak: a trojan that can compromise bank system administrator accounts and steal funds.

12. Stuxnet: a worm, also called the "super factory" virus, the world's first destructive virus written specifically to target industrial control systems; it caused Iran's nuclear power plant to delay generating electricity.

13. enrichment [ɪnˈrɪtʃmənt] n. (of nuclear fuel) enrichment

14. Michael Hayden: (1945~) a four-star U.S. Air Force general, the 18th Director of the Central Intelligence Agency (CIA), and Director of the National Security Agency (NSA) from 1999 to 2005.

15. whiff [wɪf] n. a faint trace (of a smell etc.); a hint

16. blanket [ˈblæŋkɪt] adj. all-inclusive; general; applying to everyone

17. Natanz: a small city in central Iran

18. Zeus: the "Zeus" trojan, which steals users' bank account information and spreads via phishing attacks.

19. Mirai: an IoT botnet that infects vulnerable IoT devices such as security cameras and internet routers, causing large-scale internet outages.

20. Dyn: Dynamic Network Services Inc., commonly known as Dyn, a major U.S. provider of managed DNS services.

21. wrap one's head around: to take in; to understand

22. pathogen [ˈpæθədʒən] n. [microbiology] pathogen

23. counternarcotic [ˌkaʊnt(ə)rnɑː(r)ˈkɒtɪk] n. counternarcotics

24. diffusion [dɪˈfjuːʒ(ə)n] n. diffusion; spread

25. catalyst [ˈkætəlɪst] n. catalyst; a contributing factor
