(Julia Yu-Chin Cheng)
Speaker -- Julia Cheng
TWISC@NCKU Honeynet Project (2010)
Outline
The Honeynet Project
MSN, Yahoo Messenger, QQ
2009 source: http://www.bnext.com.tw/article/view/cid/127/id/13177
Malware (e.g. hijacking)
Word / PDF / Excel
(Patch)
Vulnerable Web Server
Phishing Site
Exploit Code
MSN, Skype
Phishing:
Facebook, Plurk
Delta Airlines
Paypal
2009/4 DHL
2009-11-30
MSN, Skype
Step 1: (Blocked)
Step 2: MSN / Skype Webcam
1. Email
sysadmin [[email protected]]
2. MSN, Facebook
Simple and Quick:
Botnet Setup Tool Kits
Hacking is easy and cheap. You will be a victim anytime and anywhere. Hackers love your information, computer, network and your money. The hacking market is very mature.
Hacking Market
Seller: Bot
XR BOTS .25 EACH
700 DDoSeR bots for selling
153$ paypal ONLY
Sikandar's Private FUD Keylogger v1 Features:
The Honeynet Project
The Honeynet Project
What specific threats do computer networks face from hackers? Who's perpetrating these threats and how? The Honeynet Project is an organization dedicated to answering these questions. It studies the bad guys and shares the lessons learned. The group gathers information by deploying networks (called honeynets) that are designed to be compromised.
The Honeynet Project
The Honeynet Project is a non-profit research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.
Mission Statement:
To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.
Goals:
Awareness: To raise awareness of the threats that exist.
Information: To teach and inform about the threats.
Research: To give organizations the capabilities to learn more on their own.
The Honeynet Project History
1999: Mailing list
2000: Lance Spitzner officially forms the Honeynet Project
(2010.07): 41 Honeynet Project
The Honeynet Project History
Timeline 1999-2009:
Members organized in the Wargames mailing list
Lance Spitzner officially forms the Honeynet Project
Organize Research Alliance
Annual Workshop
Funded Google Code Project
High-Interaction Honeywall CDROM ROO
Client Honeypot
Virtual Honeypot
GDH Project
Honeynet Project Organization
Characteristics: Non-profit (501c3) organization. Trusted relationship for full members. Works virtually around the world.
Activities
KYE Papers
Forensics Challenge
Open Source Tools Development
Global Distributed Honeynet (GDH II)
Google Summer of Code (GSoC) Project
Annual Closed Workshop
Annual Workshop
2009 Annual Workshop: 2009/2/25-2/28
70 (Closed Meeting)
15
R&D
Trusted Relationship
Hands-on Training Courses
We are here! (2007, 2009)
http://www.honeynet.org
http://www.honeynet.org/project
xxx: Bot / PHP Bot
Malicious Web + RFI + Fast-Flux + Phishing
1. RFI: Site A (Host, Proxy, Bot); compromise Web A; malicious code page
IP / Email / CPU / MSN (Web, Smtp)
2. Malware File Server; SMTP Server
Malicious Web Sites B1, B2, B3 and Phishing Web Sites C1, C2 under 3322.org
1. Dynamic DNS: xxx.8866.org / xxxx.3322.org
2. (setup)
3. (Fast-Flux)
Exploit Code
Exploit Code (Cont.)
Javascript Exploit Code (Malicious Link): http://v.6t65r.cn/01/
Drive-by-Download
HTML (Browser, Flash, PDF)
Diagram: Malicious Link -> Landing Sites -> Hopping Site -> Download Site (Obfuscated JavaScript, Exploit Code, Malware)
Client Honeypot
Thinking
A lot of information is available to us: Firewall, IPS, Nagios, System Logs, ... Authorized access, unauthorized connections, unusual connections, abnormal behaviors.
However, what is the critical information for network administrators?
To solve: finding a needle in a haystack. Good solution: Honeypot & Honeynet.
What is a Honeypot?
General purpose: operating systems, services or vulnerabilities designed to be placed around your network to be probed and hacked.
All data collected is of high value and unpolluted.
Honeypot
Source: www.mtsc.com.tw/service11.htm
Honeyd
HIHAT
(Bot)
Example -- Honeyd
Internet -> Router -> Honeyd (192.168.0.0) emulating:
192.168.0.1 Linux
192.168.0.2 FreeBSD
192.168.0.3 Windows
192.168.0.4 NetBSD
LSASS Vulnerability
MS04-011 (CVE-2003-0533): LSASRV.DLL
Exploited by W32.Gaobot.AFC / W32.Gaobot.AFJ / W32.Gaobot.AFW and W32.Sasser
Exploit code (Fire-and-Forget)
All malicious payloads (compromised machine): W32.Gaobot.AFC / W32.Gaobot.AFJ / W32.Gaobot.AFW, W32.Sasser
N nepenthes
Collects autonomously spreading malware
Low-Interaction Honeypot: http://nepenthes.carnivore.it, http://nepenthes.mwcollect.org
Developers: Paul Baecher, Markus Koetter
Emulated Vulnerable Services
vuln-asn1, vuln-bagle, vuln-dameware, vuln-dcom, vuln-msmq, vuln-mssql, vuln-mydoom, vuln-netbiosname, vuln-netdde, vuln-kuang2, vuln-lsass,
vuln-optix, vuln-pnp, vuln-sasserftpd, vuln-upnp, vuln-veritas, vuln-wins, vuln-msdtc, vuln-ftpd, vuln-sub7, vuln-iis
Nepenthes Process
Example -- Nepenthes
Remote File Inclusion (RFI)
RFI (Web Server)
Step 1: Try to inject (Testing Code A) into the target webpage; inject OK
Step 2: If OK, hackers can inject (Executable Code A) to control host B
Step 3: Exploit this host and get root access
A: RFI attack site, B: Target Site
(Remote)
Step 1: RFI exploit code (http://milw0rm.org/exploits/)
Step 2: Google / RFI Scanner to find RFI targets
Step 3: Inject PHP Code from RFI Site A (Drop Site) into Target B
Step 4: Target B becomes an RFI Bot in the Botnet
Exploit / scanner
RFI: HIHAT (Web Honeypot)
RFI Drop Site (RFI Scripts hosted on a Web Server)
Web Honeypot -- HIHAT: RFI Drop Site
Remote File Inclusion:
Why do hackers love vulnerable web servers? (Web Server) (99% is online service)
Honeynet
How can we collect more information and defend against the enemy when we don't even know who the enemy is?
Honeypot / Honeynet
Honeynet (Cont.): risk, vulnerabilities
Honeywall CDROM ROO
Honeynet Project tool for building a Honeynet
https://projects.honeynet.org/honeywall/
Honeynet architecture diagram: router -> production Hosts 1..N and Servers 1..N; HoneyWall (eth0, eth1, eth2) -> Honey Host 1 .. Honey Host N (HoneyNet); Management Host
Honeywall CDROM ROO
Data Capture: Firewall Log, Snort, Sebek
Diagram: INTERNET -> Honeywall -> Honeynet (Sendmail Mail Server, Oracle Database Server, DNS Server, MS-SQL Database Server, Apache Web Server)
Honeywall CDROM ROO (Cont.)
Data Capture
Data Control: honeypot
Data Analysis
Client Honeypot
Since 2005, browser exploits and client-side attacks: a client honeypot is an active security device in search of malicious servers that attack clients. (Browser)
Client-Side Attack (Cont.)
1. Exploit Obfuscation (encoding, dynamic content with Javascript, functions)
2. Redirect: window.open(), window.location.href (Drive-by-download)
3. Exploit Code (Browser)
Client-Side Attack: bot, Proxy, spyware, keylogger, Browser Helper Objects (BHOs)
Capture-HPC
A client honeypot is an active security device/application in search of malicious servers that attack clients.
Classifies web servers as benign or malicious.
Capture-HPC: a client honeypot for detecting malicious web servers (client-side attacks)
Client-Side Attack: JavaScript (Mozilla Firefox NoScript); Java, JavaScripts
Honeypot (1998 ~): Honeyd, VoIP Pot, SpamPot, WirelessPot, Google Hack Pot, HIHAT (Service)
Honeynet (2002 ~): Honeywall CD-ROM, HoneyStick
Client Honeypot (2005 ~): HoneyC, Capture-HPC, HoneySpider, HoneyClient
Malware Honeypot (2006 ~): Nepenthes, Honeytrap
GDH 2 (2004 ~): GDH1, GDH2 (Global Distributed Honeypot)
Categories: Network Connection, Web App., Malware, Client-Side Behavior
Capture-BAT: Win32 operating system behavior analysis tool
Honeysnap: used for extracting and analyzing data (PCAP file)
Tracker: used to find domains resolving, track hostname IP (DNS)
Pehunter: grabs Windows executables off the network (EXE file)
Honeymole: set up a honeyfarm, multiple sensors that redirect traffic to a centralized collection of honeypots
Honeywall CD ROM: create a network architecture for capturing attacks
Honeystick: includes both the Honeywall and honeypots on a single, portable device
Honeyd: low-interaction, used for capturing attacker activity
Honeytrap: capture novel attacks against network services
Google Hack Honeypot
HIHAT: transform a PHP application into a honeypot
Nepenthes: emulate known vulnerabilities to download malware
HoneyC: low-interaction client honeypot
Capture-HPC: high-interaction client honeypot
1. 2. IP / Physical Device / 3. 4. 5.
HonEeeBox: Rapid Deployment of Many Distributed Low Interaction Malware Collectors
Start project immediately (June 2009); deploy widely and internationally (130+)
Firewall / IPS
Botnet Infrastructure
Botnet Developer:
1. Register Domain (xxxx.asia)
2. Setup Botnet C&C Server and fast-flux (xxxx.asia ...)
3. Infected Bot controlled
4. Sell botnets
5. Control botnets
6. Criminal Activities inside Botnets: YouTube, ddos, exploits download, Phishing Sites, Click, Information Stealer, DDOS, Exploits / New malware, SSH Brute, Flooding (new target)
Idea: 1. Monitoring inside the botnets 2. Collect pcap traffic and commands 3. Analyze and incident reporting
Idea of Inside the Botnets
Same botnet infrastructure diagram (steps 1-6 above), plus Feedback from inside the botnet: Pcap, Bot IP, command
Idea: 1. Monitoring inside the botnets 2. Collect pcap traffic and commands 3. Analyze and incident reporting
Fast-Flux Domain Detection
Fast-Flux Domain Detection (Cont.)
Fast-Flux: similar to Content Distribution Networks; the botnet's bots front the botnet service, which hides the Botmaster.
Fast-Flux Domain Detection: A Hierarchical FF Detection Method
Flux-score: Thorsten Holz et al., Measuring and Detecting Fast-Flux Service Networks, in Proceedings of the 15th Network & Distributed System Security Symposium (NDSS), 2008.
Phase 1 (Detect the FF domain and CDNs): Use different behavioral conditions of FF to detect FF domains. If a domain satisfies more than 4 conditions, it may be an ambiguous domain, which may be FF or a domain using CDNs.
Phase 2 (Detect the FF domain exactly): Use the Flux-score to further separate the FF domains from the ambiguous domains.
Fast-Flux Domain Detection: CDN A records and ASNs
Fast-Flux Domain Detection: A record, ASN, IP B Class
Inside the botnets: Methodology
1. Collection
Honeypot Technology: 1. Malware collect HP 2. Malicious RFI HP 3. Malicious Web HP
Honeypot Tools: 1. Nepenthes 2. mwcollectd 3. Glastopf / HIHAT 4. Capture-HPC 5. PhoneyC
2. Sample Analysis
Sample analysis to extract C&C information (IP, nickname, passwd, channel, command)
Analysis Tools: 1. CWSandbox / Anubis 2. VirusTotal 3. Libemu: Shellcode 4. Pkaii: PHP Analyzer
3. Infiltration
Send the bot to join the C&C server; collect commands, traffic and activities inside the C&C
Monitoring Tools: 1. rishi: bot traffic monitor 2. infiltrator 3. Xchat + vmware
Inside the botnets: Methodology (Cont.)
4. Feedback
Collect network pcap files; feed back information to an IRC server (command, bot IP, attacked targets)
Feedback Tools: 1. Scripts by myself 2. IRC server 3. weechat
5. Analysis
Data analysis using a search engine tool; data visualization for pcap traffic analysis
Analysis Tools: 1. tshark 2. chaosreader 3. Splunk free version 4. Picviz
6. Reporting
Share data with trusted organizations
Ticket System: 1. OTRS2 (not ready)
1. Collection (Cont.)
Using honeypot technology to collect attack data and malicious samples.
Why do we use honeypots for data collection? Objective: identify infected hosts and capture malicious content. An infected host with a vulnerability may probe and attack a honeypot that emulates the same vulnerability.
1. Collection (Cont.)
Honeypot Design vs. Purpose:
ROO Honeywall: collect attack traffic and grab novel zero-day attacks
Malware honeypot: emulate Windows vulnerabilities to collect malware
Client honeypot: emulate browser behavior to detect malicious web content
RFI honeypot: emulate vulnerable web applications to collect RFI attacks
Honeypot Deployment:
ROO Honeywall and High-Interaction WinXP Honeypots
Malware honeypot (3): Nepenthes / Dionaea / mwcollectd
Client honeypot (3): Capture-HPC / PhoneyC
RFI honeypot (3): Glastopf
1. Collection (Cont.)
Malware Honeypot (Nepenthes, Dionaea, mwcollectd)
Malicious Web Page (Capture-HPC, PhoneyC)
RFI Compromised Web (RFI Scripts Detection): scripts, HTTP Botnet (RFI bot); a web honeypot with web application vulnerabilities collects PHP Bots
Others: URL links, Phishing
1. Collection: Nepenthes / Dionaea / mwcollectd
Botnet malware (Botnet C&C Server)
Collect autonomously spreading malware
Nepenthes / Dionaea / mwcollectd (Dionaea + honeytrap)
Nepenthes: http://nepenthes.mwcollect.org
Dionaea: http://dionaea.carnivore.it/
mwcollectd: http://code.mwcollect.org/projects/show/mwcollectd
1. Collection (Cont.)
(MD5)
1: Infected Hosts 2: 3:
1. Collection: Malicious Web (Malicious Javascripts and Shellcode) with Capture-HPC (Browser)
1. Collection (Cont.): Capture-HPC clients 1..N visiting URLs
1. Collection :
Landing Sites: http://www.bit361.com/ http://www.bit361.com/bbs
Hopping Sites: http://%77%2E%6A%73%67%75%61%6E%67%6A%69%2E%63%6E http://%77%2E%6A%73%67%75%61%6E%67%6A%69%2E%63%6E http://w.jsguangji.cn/03.htm http://w.jsguangji.cn/456.htm http://w.jsguangji.cn/1.jpg http://w.jsguangji.cn/2.jpg http://w.jsguangji.cn/dex.html http://w.jsguangji.cn/click.js http://js.tongji.linezing.com/1209024/tongji.js
Download Sites: http://w.taogu.org.cn/a.exe http://w.taogu.org.cn/b.exe http://w.taogu.org.cn/c.exe http://w.taogu.org.cn/d.exe
Capture-HPC (Cont.)
"registry","5/8/2009 18:17:38.333","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile","-1"
"registry","5/8/2009 18:17:38.333","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile","-1"
"registry","5/8/2009 18:17:38.521","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete","-1"
"process","5/8/2009 18:17:39.568","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","1624","C:\WINDOWS\system32\wscript.exe"
registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile
registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete
process: created 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\wscript.exe 3072
process: terminated 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\wscript.exe 3072
process: created 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\cmd.exe 3892
process: created 3892 C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS\system32\cmd.exe 3016
process: created 3016 C:\WINDOWS\system32\cmd.exe -> C:\Documents and Settings\HPC\Local Settings\Temporary Internet Files\Content.IE5\8Y7MSOWW\alg3[1].exe 2192
registry: SetValueKey 784 C:\WINDOWS\system32\notepad.exe -> -1 HKCU\Software\Microsoft\Notepad\lfEscapement
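As an added Python example (my code, not Capture-HPC's or the Honeynet Project's), a parser for both record layouts shown above with the detection logic a honeynet analyst would run over them: flag the browser spawning a script host or shell, flag execution out of the browser cache, and rebuild the IEXPLORE -> cmd.exe -> cmd.exe -> alg3[1].exe chain from the PIDs. The sample records are copied from the slide; the script-host watch-list is my assumption, and the numeric field of the CSV process record is left uninterpreted because the slide does not say which PID it is.

```python
import csv
import re
from dataclasses import dataclass
from io import StringIO

# Records copied from the slide: CSV layout and "kind: action" layout.
CSV_LOG = r'''"registry","5/8/2009 18:17:38.333","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile","-1"
"process","5/8/2009 18:17:39.568","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","1624","C:\WINDOWS\system32\wscript.exe"
'''
PLAIN_LOG = r'''registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete
process: created 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\wscript.exe 3072
process: terminated 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\wscript.exe 3072
process: created 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\cmd.exe 3892
process: created 3892 C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS\system32\cmd.exe 3016
process: created 3016 C:\WINDOWS\system32\cmd.exe -> C:\Documents and Settings\HPC\Local Settings\Temporary Internet Files\Content.IE5\8Y7MSOWW\alg3[1].exe 2192
'''
PLAIN_RE = re.compile(r"^(\w+): (\w+) (\d+) (.+?) -> (.+?)(?: (\d+))?$")
BROWSER = "iexplore.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}  # assumed watch-list


@dataclass
class Event:
    kind: str        # "process" or "registry"
    action: str      # created / terminated / SetValueKey
    actor: str       # image of the process performing the action
    target: str      # child image, or registry value and key
    actor_pid: int = None
    target_pid: int = None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_csv(text):
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) == 6:
            kind, _ts, actor, action, f5, f6 = row   # f5 is the PID-like field (role not stated)
            events.append(Event(kind, action, actor, f6 if kind == "process" else f5))
    return events


def parse_plain(text):
    """'kind: action actor_pid actor -> target [target_pid]' layout."""
    events = []
    for line in text.splitlines():
        m = PLAIN_RE.match(line.strip())
        if m:
            kind, action, apid, actor, target, tpid = m.groups()
            events.append(Event(kind, action, actor, target, int(apid), int(tpid) if tpid else None))
    return events


def suspicious(events):
    """Drive-by indicators: browser spawning a script host/shell; execution from the browser cache."""
    findings = []
    for e in events:
        if e.kind != "process" or e.action != "created":
            continue
        if basename(e.actor) == BROWSER and basename(e.target) in SCRIPT_HOSTS:
            findings.append(f"browser spawned {basename(e.target)}")
        if "temporary internet files" in e.target.lower():
            findings.append(f"executed from browser cache: {basename(e.target)}")
    return findings


def process_chain(events, leaf_pid):
    """Walk parent PIDs back to the root: iexplore -> cmd -> cmd -> alg3[1].exe."""
    by_child = {e.target_pid: e for e in events
                if e.kind == "process" and e.action == "created" and e.target_pid}
    chain, pid = [], leaf_pid
    while pid in by_child:
        ev = by_child[pid]
        chain.append(basename(ev.target))
        pid = ev.actor_pid
        if pid not in by_child:
            chain.append(basename(ev.actor))  # root of the chain
    return list(reversed(chain))
```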
JScript: http://w.jsguangji.cn/03.htm
PhoneyC: Javascripts and Shellcode
PhoneyC: Obfuscated Javascripts, Shellcode
Shellcode
Heap spray, Buffer Overflow
util.printf function triggered shellcode
1. Collection: RFI Introduction
Remote File Inclusion (RFI)
RFI (Web Server): Why do hackers love vulnerable web servers? (Web Server) (99% is online service)
1. Collection: RFI Scripts
RFI Scripts
RFI Scripts (Exploit Codes)
Honeynet (Nepenthes): Honeypot
Malicious Web Page (Capture-HPC)
Compromised Web (RFI Detection): scripts, HTTP Botnet (RFI bot)
Others: URL links, Phishing
2. Sample Analysis
Diagram: Malware DB -> Anti-Virus, Behavior Analysis (Sandbox, Real Testbed), Static Analysis -> Sample Profiling
Profile:
Activities on OS: Registry, Process, File
Connection on Network: Propagation, Remote Controller
Signature Generation
2. Sample Analysis: Binary Samples using CWSandbox and Anubis
1. Network activity to get C&C information 2. Set up a virtual lab and execute samples to get C&C information
VirusTotal: http://www.virustotal.com/
Analysis Tools
Binary Analysis (Static): IDA Pro (http://www.hex-rays.com/idapro/), OllyDbg (http://www.ollydbg.de/)
SysAnalyzer: automated malcode run-time analysis application, http://labs.idefense.com/software/malcode.php
Malcode Analysis Pack: http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack
Honeynet (Nepenthes): Attack Log; IRC C&C Server
Malicious Web (Capture-HPC): Log; Malware File Server; IRC C&C & HTTP C&C Server
RFI Detection: Scripts; RFI Bot; C&C Server
Others
2. Sample Analysis: RFI Scripts Analysis using PHP analyzer
PHP analysis using function hooking to get C&C information
C&C information analysis in RFI Scripts
3. Infiltration & Feedback
Send the bot to join the C&C server; collect commands, traffic and activities inside the C&C.
Lab diagram: Binary Samples and RFI Samples run in Virtual Machines (WinXP + wireshark: execute samples; PHP: execute RFI scripts; xchat: join C&C) behind Snort-Inline and a Switch, monitored by Rishi; activities collected and analyzed (no execute) against an IRC server Pool; Feedback / Data-Feed; C&C Servers.
3. Infiltration (Cont.)
Live C&C Server: the bot joins the C&C Server; C&C Observation
4. Feedback: C&C Server
5. Analysis:
1. Malware Samples Statistics
2. Attacking Statistics
3. Infected hosts (by Honeynet)
4. C&C Server information (Time, IP, port, account, ASN) (by Sample Analysis)
5. Real Bots Connection (Inside the Botnets)
6. Botnet Activities (Inside the Botnets)
7. Attacked Targets (Inside the Botnets)
8. Command Controllers (Inside the Botnets)
1. Malware Samples (by Honeypot) (Unique Samples: 23170); 2009/01 ~ 2009/12: 16813. Collect malware binaries (50+), malicious PDFs, malicious documents and RFI scripts (php bot, perl bot) (5+) every day.
2. Attacking Statistics
3. Infected Hosts 467736 (2010/05/05 Update)
Taiwan (1264) 27%, China (965) 21%, United States (468) 10%, Russia (373) 8%, Japan (349) 7%, Germany (236) 5%, Malaysia (227) 5%, Canada (132) 3%, Korea (119) 3%, Romania (110) 2%, France (98) 2%, Others (336) 7%
Botnet C&C servers observed (table of domain or IP, protocol and port, country; fast-flux cases noted)
More than 100 bots in the C&C Server
4. Live C&C Server Statistics:
45 live C&C Servers (Testing on June 30th); C&C Servers: 300 Bots
US (8) 18%, CN (7) 16%, JP (6) 13%, RU (4) 9%, DE (4) 9%, MY (4) 9%, CA (3) 7%, FR (2) 4%, NL (2) 4%, Others (5) 11%
4. Live C&C Server (2010/06/30 update)
5. Real Bots Connection to C&C Server
2010/01/01 ~ 2010/06/30: 40~78 C&C Servers (HTTP, IRC); Bots: 60
(chart values: 14024, 11095, 26037, 24165)
5. Real Bots Inside the Botnet: US 15.69%
6. Botnet Activities Inside the Botnet:
DDOS_CMD: 57223 flood http blog.stsc.co.kr/1/1024518222.gif flood http 81.222.236.97/s88.exe flood udp CardServ2.com ddos_start tcp www.ddbp.ru 80 Dd1 http://www.azncommunity.net/ http_start http://nalog-pravo.net/index.php?article=3 flood udp sat-navi.net flood udp vipshara.dyndns.tv
6. Botnet Activities Inside the Botnet (Cont.)
SCAN_CMD: 5926 Scan Right Reserved Type: @karl For My List Of: 90,523 Files Slots: 0/2 Queued: 3 Speed: 52,525cps Next: 0m Served: 1,428,774 List: Jun 4th Search
SCAN_STATUS: 532 scan_source='323605A3.645CFD8A.4BB43273.IP', scan_target='76.x.x.x scan_source='Konvics-D0C34FD9.fbx.proxad.net', scan_target='76.x.x.x scan_source='Konvics-30B31C44.artem-catv.ru', scan_target='76.x.x.x',
EXPLOIT_STATUS: 2125 exploit_source='5AA7BDF5.F38BEC2.7DB8B3C.IP', exploit_target='76.246.253.206
7. Botnet Controllers Inside the Botnets
8. Infected Hosts and Real Bots in Taiwan
1264 infected hosts in Taiwan attacking honeypots: Hinet: 867, TANET: 261, Others: 136
221 bots in Taiwan joining C&C Servers: Hinet: 142, TANET: 47, Others: 32
Antivirus: 35 (2010/03/01 ~ 2010/03/30)
Observation 1:
W32.Virut: 65, Worm.Allaple: 21, Trojan.IRCBot: 39, Trojan.Spybot: 18, Trojan.Zbot: 11, Trojan.MyBot: 24
Observation 2:
700 DDoSeR bots for selling
153$ paypal ONLY
Observation 3: Conficker Samples
Malware Honeypot Conficker (W32/Conficker!Generic): 2010/04: 68, 2010/05: 143, 2010/06: 82
17:00 ~ 19:00 Conficker
http://datalossdb.org/statistics The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).
CCN: Credit Card Numbers
SSN: Social Security Numbers
NAA: Name and Address
MISC: Miscellaneous
ACC: Account information (Financial)
DOB: Date of Birth
CSI: 70%
ICM: 39%, 52%, 86%
2010/4/27
IT
http://www.microsoft.com/taiwan/security/privacy/
3: 17: 10: 1115: 11234:
20
URL
(TrueCrypt + KeePass)