20101018 Information Security News Briefing
Post on 23-Feb-2016
20101018 Information Security News Briefing
Presenters: 曾家雄, 劉旭哲, 莊承恩

NEW MALWARE MUROFET FOLLOWING CONFICKER'S LEAD
October 15, 2010, Dennis Fisher
Conficker
• A computer worm targeting the Microsoft Windows operating system
• First detected in November 2008
• Co-opts infected machines and links them into a virtual computer (a botnet) that can be commanded remotely
Conficker Variants
• Five variants of the Conficker worm are known; they have been dubbed Conficker A, B, C, D and E
Payload Propagation
• Variant A
  • Generates a list of 250 domain names every day across five TLDs
  • The domain names are produced by a pseudo-random number generator seeded with the current date
  • Since the only secret is the algorithm and the seed is the calendar date, anyone who has reverse-engineered the generator can compute the whole day's list in advance
• Variant B increases the number of TLDs to eight and produces domain names disjoint from those of variant A
• Variant D generates a pool of 50,000 domain names per day across 110 TLDs, from which it randomly chooses 500 to attempt for that day
  • The generated domain names were also shortened from 8-11 characters to 4-9 characters, making them harder to detect with heuristics
Murofet
• The main similarity between Conficker and Murofet is that both pieces of malware use a pre-determined algorithm to generate seemingly random domain names
• Murofet generates pseudo-random domain names based on the year, month, day, and minute of execution
• Upon executing, Murofet starts a thread that attempts to download malware updates from those domains

Pseudo-Random Domain Algorithm
• It generates two DWORD values
• The first DWORD is composed of the month, day, and low byte of the year of the date of execution, plus 0x30 (48)
• The second DWORD is the minute of execution multiplied by 0x11 (17)
Pseudo-Random Domain Algorithm (diagram)
• First DWORD: (Day, Month, Year) + 0x30
• Second DWORD: Minute * 0x11
• First DWORD || Second DWORD = 64 bits => 16 nibbles in total
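The two time-seeded generators on these slides (Conficker variant A's date-seeded daily list and Murofet's two-DWORD seed) share the property that matters to a defender: the seed comes from the clock, so the candidate domains can be enumerated before the malware ever resolves them. The example below is added here and is not code from the slides or from either malware family. It implements the Murofet seed as the slide describes it (month, day, low byte of year plus 0x30; minute times 0x11); the byte packing inside the DWORDs, the SHA-256 counter used as the Conficker-style PRNG, the nibble-to-letter mapping, and the TLD set are all assumptions, because the page does not specify them.

```python
"""Time-seeded DGA demonstration (added example): a Conficker-A-shaped daily
list, the Murofet-style seed from the slides, and the defender's precomputation.
Byte layout, PRNG and nibble-to-letter mapping are assumptions."""
import hashlib
import struct
from datetime import date, datetime

# Assumption: illustrative TLD set; the slides do not list Murofet's TLDs.
TLDS = ("com", "net", "org", "info", "biz")


def conficker_style_domains(day: date, count: int = 250, tlds=TLDS) -> list[str]:
    """Variant-A shape from the slides: `count` names per day across five TLDs,
    8-11 characters long, from a generator seeded only with the date.
    The generator here is a SHA-256 counter stream (an assumption; Conficker's
    own PRNG is not described on the page)."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                      # 8..11 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return out


def murofet_style_seed(when: datetime) -> bytes:
    """The two DWORDs the slides describe: (month, day, low byte of year) + 0x30
    and minute * 0x11. Assumption: month/day/year occupy the high-to-low bytes
    of the first DWORD and both DWORDs are emitted little-endian."""
    first = ((when.month << 16) | (when.day << 8) | (when.year & 0xFF)) + 0x30
    second = (when.minute * 0x11) & 0xFFFFFFFF
    return struct.pack("<II", first, second)            # 8 bytes = 64 bits = 16 nibbles


def murofet_style_domain(when: datetime, tlds=TLDS) -> str:
    """Map the 16 nibbles to a 16-letter label (a..p). Assumption: this mapping
    stands in for whatever Murofet does with the 64-bit seed, which the page
    does not describe."""
    seed = murofet_style_seed(when)
    label = "".join(chr(ord("a") + ((b >> shift) & 0xF)) for b in seed for shift in (4, 0))
    return f"{label}.{tlds[seed[0] % len(tlds)]}"


def precompute_murofet_day(day: date, tlds=TLDS) -> set[str]:
    """Defender's view: the seed depends only on the calendar date and the minute
    (hour and second play no part), so every domain the malware can try on `day`
    is one of 60 values that can be enumerated ahead of time for blocking or
    sinkholing."""
    return {murofet_style_domain(datetime(day.year, day.month, day.day, 0, m), tlds)
            for m in range(60)}


if __name__ == "__main__":
    run_day = date(2010, 10, 18)
    print(conficker_style_domains(run_day)[:3])
    print(murofet_style_domain(datetime(2010, 10, 18, 12, 34)))
    print(len(precompute_murofet_day(run_day)), "candidate Murofet-style domains for", run_day)
```

The point the code makes is the one the Conficker Working Group exploited against the real worm: any generator whose only inputs are the clock and a fixed algorithm gives defenders the same list the bots will use, so the list can be registered, blocked or sinkholed in advance. Variant D's move to 500 picks out of 50,000 candidates raises the cost of that response but does not remove the property.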
References
• http://community.websense.com/blogs/securitylabs/archive/2010/10/14/murofet-domain-generation-ala-conficker.aspx
• http://threatpost.com/en_us/blogs/new-malware-murofet-following-confickers-lead-101510
• http://www.symantec.com/connect/blogs/w32downadupc-pseudo-random-domain-name-generation
MICROSOFT WANTS TO CORDON OFF BOTNET-INFECTED COMPUTERS
Presenter: 劉旭哲

• Botnets = zombie networks
  • DDoS
  • Spreading spam
• Microsoft calls for "collective action" to combat cyberthreats, particularly botnets
  1. Individual defense: firewalls, antivirus, and automatic updates
  2. Collective defense: Computer Emergency Response Teams (CERTs)
  3. Active defense
  4. Offense
• The threat keeps growing with new users, devices, and applications
• Example: the Zeus botnet, which captured users' banking sign-on information
• New thinking and expanded approaches need to be applied to combat cyber threats
• "If you were the person whose computer was infected, wouldn't you want to know?"
Public Health Model
• Computer = human: an infected device is treated the way public health treats an infected person
• Two complementary approaches:
  ① Bolstering efforts to identify infected devices
  ② Promoting efforts to better demonstrate device health
• Identify infected devices
• Restrict infected devices
• At least one access provider is now attempting this approach: Comcast

Comcast
• Constant Guard
• Works with Damballa, a botnet research firm
• Notifies the subscriber through a browser toolbar
• The first ISP to provide this type of in-browser notification

• Demonstrate device health:
  ① A mechanism to produce a health certificate
  ② Trust in that certificate
  ③ Access providers request health certificates and take appropriate action
  ④ Create supporting policies and rules
Drawback
• If an infected device is needed to reach emergency services, it may still have to be permitted on the network
• For example, a cell phone

• At least two advantages:
  ① A health check before online banking activities
  ② More effective remediation, since the ISP could identify the specific infected device

Conclusion
• Not perfect
• Balance security and privacy
• Build a socially acceptable and financially sustainable model
• Collective action
References
• http://www.technewsworld.com/story/70998.html
• http://go.microsoft.com/?linkid=9746317
• http://www.comcast.com/default.cspx
• http://www.damballa.com/
• http://news.cnet.com/8301-27080_3-20018168-245.html
WEBGOAT
Presenter: 莊承恩