HKCERT
Security report for the second quarter of 2015 (Q2 2015)

Scope

This report covers security events affecting Hong Kong networks, that is, hosts with a .hk domain or a Hong Kong IP address, in five categories: website defacement, phishing, malware hosting, botnet command and control (C&C) servers, and bots. The event data were collected by the HKCERT Information Feed Analysis System (IFAS) from the open data sources listed in Appendix 1.

Definitions used in this report:

- Defacement: a website whose content has been altered by an attacker.
- Phishing: a website that impersonates a legitimate site to steal credentials or other data.
- Malware hosting: a URL or IP address that serves malware.
- Botnet C&C: a server used by an attacker to control compromised machines (bots).
- Bots: machines in Hong Kong observed reporting to a botnet.

Comments and feedback on this report: [email protected]

This work is licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0), HKCERT.
http://creativecommons.org/licenses/by/4.0/
Contents

Highlights
1. Defacement
   1.1 Trend
2. Phishing
   2.1 Trend
3. Malware hosting
   3.1 Trend
4. Botnet
   4.1 Botnet command and control (C&C) servers
   4.2 Bots
Appendix 1 – Data sources
Appendix 2
Appendix 3 – Botnet descriptions
Highlights

In Q2 2015 IFAS recorded 21,787 unique security events in Hong Kong, 99% more than the 10,936 events of Q1 2015 and the highest of the five quarters shown in Figure 1.

Figure 1 – Trend of unique security events (all categories)

                         Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique security events    16,589   18,087   12,437   10,936   21,787

Footnote 1: IFAS, the Information Feed Analysis System operated by HKCERT, collects security event data from the public sources listed in Appendix 1.
Figure 2 – Trend of security events by type (defacement, phishing, malware hosting)

In Q2 2015 the three website-related categories together came to 16,338 events, against 5,867 in Q1 2015. Quarter on quarter, defacement rose 5%, phishing 168% and malware hosting 412%.

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Defacement          4,522    2,926    1,644    1,604    1,692
Phishing            2,557    3,048    1,883    2,934    7,836
Malware hosting     1,561    5,760    2,735    1,329    6,810
Malware hosting: 2,828 (41%) of the malware hosting URLs in Q2 2015 were detected as HTML/Drop.Agent.AB. This detection is associated with the Ramnit worm, which injects a dropper script into HTML files on machines it infects; when such files are uploaded to a web server the site becomes a malware hosting URL. Ramnit also entered the bot rankings this quarter (see 4.2.1).

Figure 3 – Monthly count of HTML/Drop.Agent.AB malware hosting URLs, January to June 2015

Botnet command and control (C&C) servers: 4 C&C servers were found in Hong Kong in Q2 2015, the same number as in Q1 2015. They comprised Zeus C&Cs and IRC botnet C&Cs.

Figure 4 – Trend of botnet C&C servers in Hong Kong

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Botnet C&Cs             2        5        3        4        4
Bots: the number of bots observed in Hong Kong rose 8% in Q2 2015 after four quarters of decline. Among the major botnets, Virut grew 87% while Zeus fell 25% (Figure 14); the full top-10 ranking is in Figure 13. Ramnit, Tinba and Dyre entered the top 10 this quarter.

Ramnit, which first appeared in 2010, steals online banking credentials, FTP credentials and browser cookies from infected machines, infects files on the machine, and uses stolen FTP credentials to push infected files onto web servers; this is the source of the HTML/Drop.Agent.AB malware hosting events noted above. Its infrastructure was the target of a major law enforcement operation in 2015 [5].

Tinba (Tiny Banker) is a very small banking trojan that targets customers of major banks [6][7]. Dyre, another banking trojan, was behind the "Dyre Wolf" campaign against corporate bank accounts [8], and newer versions include sandbox evasion [9].

Figure 5 – Trend of botnet (bots) security events

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Bots                7,947    6,348    6,172    5,065    5,445

Footnote 5: http://www.symantec.com/connect/blogs/ramnit-cybercrime-group-hit-major-law-enforcement-operation
Footnote 6: https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/
Footnote 7: https://www.f-secure.com/weblog/archives/00002810.html
Footnote 8: http://securityintelligence.com/dyre-wolf/
Footnote 9: http://www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html
Detailed analysis

1. Defacement

1.1 Trend

Figure 6 – Trend of defacement events (unique URLs and unique IP addresses)

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique URLs         4,522    2,926    1,644    1,604    1,692
Unique IPs            683      654      478      441      569

Figure 7 – Defacement URL/IP ratio

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
URL/IP ratio         6.62     4.47     3.44     3.64     2.97

Data source: ZoneH

Note on the URL/IP ratio: it is the number of unique URLs divided by the number of unique IP addresses in the quarter. A high ratio means that many affected URLs share a few IP addresses, typically a mass compromise of websites on a shared hosting server; a ratio close to 1 means the events are spread across many separate hosts.
2. Phishing

2.1 Trend

Figure 8 – Trend of phishing events (unique URLs and unique IP addresses)

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique URLs         2,557    3,048    1,883    2,934    7,836
Unique IPs            443      354      280      208      373

Figure 9 – Phishing URL/IP ratio

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
URL/IP ratio         5.77     8.61     6.73    14.11    21.01

Data sources: ArborNetwork – Atlas SRF; CleanMX – phishing; Millersmiles; Phishtank

Note on the URL/IP ratio: unique URLs divided by unique IP addresses in the quarter. The ratio rose to 21.01 in Q2 2015, meaning that the 7,836 phishing URLs were concentrated on relatively few hosts (373 IP addresses), the pattern of mass compromise of shared hosting servers.
3. Malware hosting

3.1 Trend

Figure 10 – Trend of malware hosting events (unique URLs and unique IP addresses)

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique URLs         1,561    5,760    2,735    1,329    6,810
Unique IPs            351      408      603      391      664

Figure 11 – Malware hosting URL/IP ratio

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
URL/IP ratio         4.45    14.12     4.54     3.40    10.26

Data sources: Abuse.ch Zeus Tracker – Binary URL; Abuse.ch SpyEye Tracker – Binary URL; CleanMX – Malware; Malc0de; MalwareDomainList; Sacour.cn

Note on the URL/IP ratio: unique URLs divided by unique IP addresses in the quarter. A high ratio, such as the 10.26 of Q2 2015, means many malware hosting URLs share a few IP addresses, as happens when a file-infecting worm such as Ramnit plants many infected pages on the same compromised web servers.
4. Botnet

4.1 Botnet command and control (C&C) servers

Figure 12 – Trend of botnet C&C servers in Hong Kong by type (HTTP and IRC)

Quarterly totals (all types): Q2 2014 2, Q3 2014 5, Q4 2014 3, Q1 2015 4, Q2 2015 4. The C&Cs found in Q2 2015 were Zeus C&Cs (HTTP) and IRC botnet C&Cs.

Data sources: Zeus Tracker; SpyEye Tracker; Palevo Tracker; Shadowserver – C&Cs
4.2 Bots

4.2.1 Top 10 botnets in Hong Kong, Q2 2015

Counts are unique IP addresses observed in the quarter; "Change" is the movement in rank against Q1 2015 (NEW: not in the previous quarter's top 10; NA: no comparison made).

Rank  Change  Botnet       Unique IPs  vs Q1 2015
  1   -       Conficker         2,083        -5%
  2   up      Virut             1,101       +87%
  3   down    Zeus                765       -25%
  4   -       ZeroAccess          523        -8%
  5   -       Pushdo              352        -4%
  6   NEW     Ramnit              146         NA
  7   NEW     Tinba                94         NA
  8   down    Citadel              91       -13%
  9   NEW     Dyre                 55         NA
 10   up      Wapomi               25       -22%

Figure 13 – Top 10 botnets in Hong Kong by unique IP address, Q2 2015 (bar chart of the table above)

Figure 14 – Trend of the top 5 botnets, Q2 2014 to Q2 2015 (unique IP addresses)

                  Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Conficker           2,945    2,597    2,419    2,185    2,083
Virut                 277      263      559      588    1,101
Zeus                2,512    1,897    1,472    1,020      765
ZeroAccess          1,407    1,062      838      569      523
Pushdo                211       63      406      367      352

Data sources: ArborNetwork – Atlas SRF – conficker; ShadowServer – botnet_drone; ShadowServer – sinkhole_http_drone; ShadowServer – Microsoft_sinkhole
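The figures in 1.1 to 3.1 and the table in 4.2.1 are simple to compute from a deduplicated feed, but two details decide whether the numbers are comparable across quarters: URLs have to be canonicalised before counting (feeds re-report a live URL on every scan and disagree on host case and trailing slashes), and the URL/IP ratio has to be guarded against a feed that reports no IP addresses. The Python below is an added example written for this page, not code from HKCERT or IFAS; the record layout (dicts with quarter, type, url and ip), the URL canonicalisation rule and the sample feed are assumptions. The botnet counts reuse the Q1 and Q2 2015 top-5 values from Figure 14, plus one constructed newcomer, so that the ranking output can be checked against the 4.2.1 table.

```python
"""Quarterly event bookkeeping of the kind behind Figures 6-11 and the
4.2.1 table: unique URL / unique IP counts, the URL/IP ratio, and a
quarter-over-quarter botnet ranking with rank-movement markers.

Added example; not IFAS or HKCERT code. The record layout and the
sample feed are assumptions made here for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit


def _normalise_url(url):
    """Canonical form so repeated sightings of one URL count once.

    Scheme and host are case-insensitive; a trailing slash on the path
    is dropped; query and fragment are ignored. Assumption: the report
    does not say how IFAS deduplicates, this is one reasonable rule.
    """
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return (p.scheme.lower(), p.netloc.lower(), path)


def quarterly_summary(events):
    """Return {(quarter, type): {unique_url, unique_ip, url_ip_ratio}}.

    Both counts are set sizes: a feed typically re-reports a live URL on
    every scan, so raw line counts would overstate the figures.
    """
    urls = defaultdict(set)
    ips = defaultdict(set)
    for ev in events:
        key = (ev["quarter"], ev["type"])
        urls[key].add(_normalise_url(ev["url"]))
        ips[key].add(ev["ip"])
    summary = {}
    for key, url_set in urls.items():
        n_url, n_ip = len(url_set), len(ips[key])
        summary[key] = {
            "unique_url": n_url,
            "unique_ip": n_ip,
            # high ratio = many URLs on few hosts (mass compromise);
            # None rather than a ZeroDivisionError on an IP-less feed
            "url_ip_ratio": round(n_url / n_ip, 2) if n_ip else None,
        }
    return summary


def pct_change(prev, curr):
    """Quarter-over-quarter change in whole percent; None without a base."""
    if not prev:
        return None
    return round((curr - prev) / prev * 100)


def _ranked(counts):
    """Names ordered by count (descending), then name, for stable ranks."""
    return [n for n, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def rank_botnets(prev_counts, curr_counts, top=10):
    """Top-N table rows: rank, movement (NEW/up/down/-), name, count, % change.

    'NEW' means the botnet was outside the previous quarter's top N; its
    change is None (printed as NA), matching the report's convention.
    """
    prev_top = {name: i + 1 for i, name in enumerate(_ranked(prev_counts)[:top])}
    rows = []
    for i, name in enumerate(_ranked(curr_counts)[:top]):
        rank = i + 1
        if name not in prev_top:
            move, change = "NEW", None
        else:
            change = pct_change(prev_counts[name], curr_counts[name])
            move = "up" if prev_top[name] > rank else "down" if prev_top[name] < rank else "-"
        rows.append({"rank": rank, "move": move, "name": name,
                     "count": curr_counts[name], "change_pct": change})
    return rows


# Constructed sample feed (not IFAS data): the first phishing URL is
# reported twice with different host case and a trailing slash.
SAMPLE_EVENTS = [
    {"quarter": "2015Q1", "type": "phishing", "url": "http://a.example/login", "ip": "203.0.113.10"},
    {"quarter": "2015Q1", "type": "phishing", "url": "http://A.example/login/", "ip": "203.0.113.10"},
    {"quarter": "2015Q1", "type": "phishing", "url": "http://a.example/verify", "ip": "203.0.113.10"},
    {"quarter": "2015Q1", "type": "phishing", "url": "http://b.example/bank", "ip": "203.0.113.20"},
    {"quarter": "2015Q2", "type": "malware", "url": "http://c.example/x.exe", "ip": "198.51.100.7"},
]

# Top-5 unique-IP counts from Figure 14 (Q1 2015 and Q2 2015) plus a
# constructed newcomer, to exercise the rank-movement logic.
PREV_Q1_2015 = {"Conficker": 2185, "Virut": 588, "Zeus": 1020, "ZeroAccess": 569, "Pushdo": 367}
CURR_Q2_2015 = {"Conficker": 2083, "Virut": 1101, "Zeus": 765, "ZeroAccess": 523, "Pushdo": 352,
                "Ramnit": 146}

if __name__ == "__main__":
    for key, row in sorted(quarterly_summary(SAMPLE_EVENTS).items()):
        print(key, row)
    for row in rank_botnets(PREV_Q1_2015, CURR_Q2_2015):
        print(row)
```

Run as a script it prints the two summaries; the five ranking rows built from the Figure 14 values reproduce the movement markers and percentages of the 4.2.1 table (Conficker -5%, Virut up 87%, Zeus down 25%, ZeroAccess -8%, Pushdo -4%), with the constructed Ramnit entry marked NEW.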
Appendix 1 – Data sources

Defacement: ZoneH
Phishing: ArborNetwork – Atlas SRF; CleanMX – phishing; Millersmiles; Phishtank
Malware hosting: Abuse.ch Zeus Tracker – Binary URL; Abuse.ch SpyEye Tracker – Binary URL; CleanMX – Malware; Malc0de; MalwareDomainList; Sacour.cn
Botnet C&C: Zeus Tracker; SpyEye Tracker; Palevo Tracker; Shadowserver – C&Cs
Bots: ArborNetwork – Atlas SRF – conficker; ShadowServer – botnet_drone; ShadowServer – sinkhole_http_drone; ShadowServer – Microsoft_sinkhole

Appendix 2
Appendix 3 – Botnet descriptions

Botnet       Aliases                                   Characteristics noted in the report
BankPatch    MultiBanker, Patcher, BankPatcher         Banking trojan; steals online banking credentials
BlackEnergy                                            Rootkit component; DDoS
Citadel                                                Zeus-derived banking trojan; steals online banking credentials
Conficker    Downadup, Kido                            Domain generation algorithm (DGA); P2P; spreads via the Windows MS08-067 vulnerability; spreads via Windows auto-run
Dyre                                                   Banking trojan; steals online banking credentials
Gamarue      Andromeda                                 Spread via malicious Word documents; downloads other malware
Glupteba                                               Installed by drive-by download
IRC Botnet                                             Controlled over IRC; DDoS
Palevo       Rimecud, Butterfly bot, Pilleuz,          Spreads via removable drives; steals online banking credentials
             Mariposa, Vaklik
Pushdo       Cutwail, Pandex                           Spam; DGA; drive-by download; installs other malware (e.g. Zeus, SpyEye); DDoS
Ramnit                                                 File infector; spreads via removable drives; steals FTP credentials and online banking credentials
Sality                                                 Rootkit component; P2P; file infector using Entry Point Obscuring; steals online banking credentials; downloads other malware
Slenfbot                                               Spreads via removable drives; downloads other malware; DDoS
Tinba        TinyBanker, Zusy                          Banking trojan; steals online banking credentials
Torpig       Sinowal, Anserin                          Mebroot rootkit; DGA; drive-by download; steals online banking credentials
Virut                                                  File infector; DDoS
Wapomi                                                 File infector; spreads via removable drives; downloads other malware
ZeroAccess   max++, Sirefef                            Rootkit component; P2P; drive-by download; bundled with cracked software and keygens; downloads other malware; click fraud and Bitcoin mining
Zeus         Gameover                                  Drive-by download; P2P (Gameover variant); steals online banking credentials; installs other malware (e.g. Cryptolocker); DDoS