Identify Malicious URL using Capture-HPC
David Guan
dcguan@gmail.com
Capture-HPC talk @ OSDC.tw 2009
An introduction to using Capture-HPC, given at OSDC.tw 2009.
1. Identify Malicious URL using Capture-HPC
   David Guan, dcguan@gmail.com

2. Who Are You?
   • You are interested in malicious webpages
   • You are interested in Capture-HPC
   • You are not interested in the other session, or there are no more seats…

3. About This Session
   • NOT to protect your PC
     – You need to pay $$ for *protection*
     – Uninstalling Windows might be a better idea
   • Experience sharing for large-scale web crawling testing
   • Use open source software for security research
     – Even an individual can build a security lab

4. Drive-by Download
   [diagram] Landing Site → Hopping Site → Download Site

5. The EVIL Browser Plug-in
   [chart] Browser plug-in vulnerabilities (Source: Secunia 2008 report)
6. Malicious URL in Different Regions

   Region   Total URL scanned   Total landing site   Total download site
   China    41000               253                  28
   Japan    21263               105                  3
7. Google Safe Browsing Database
   • Google gives you malicious URLs
     – In MD5 hash form
     – Quality data can be observed
     – safebrowsing-python + Django = ?
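As an added example (not code from the talk or from safebrowsing-python): how a client turns a URL into the host/path lookup expressions that the Safe Browsing protocol hashes with MD5 and checks them against a list that contains only hashes. The expression scheme follows Google's published lookup rules; canonicalisation is reduced to what urlsplit does, and the blacklist entry and URLs are constructed for the demo.

```python
import hashlib
from urllib.parse import urlsplit


def lookup_expressions(url):
    """Host/path combinations a Safe Browsing client hashes for one URL.
    Simplified canonicalisation: only what urlsplit does (lower-cased host)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path or "/"
    labels = host.split(".")
    # Hosts: the exact host, then its last 5..2 labels (at most 4 more);
    # a bare TLD is never used and IP-address hosts get no variants.
    hosts = [host]
    if not all(label.isdigit() for label in labels):
        for n in range(min(5, len(labels) - 1), 1, -1):
            hosts.append(".".join(labels[-n:]))
    # Paths: exact path with query, exact path, then up to 4 "/"-terminated
    # prefixes starting at the root ("/" itself is always included).
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    prefixes = [path[:i + 1] for i, ch in enumerate(path) if ch == "/"][:4]
    paths += [p for p in prefixes if p not in paths]
    return [h + p for h in hosts for p in paths]


def md5_hex(expr):
    return hashlib.md5(expr.encode("utf-8")).hexdigest()


# Constructed sample list: the real database hands you only the hashes,
# so a listed page can be recognised without ever seeing its URL in clear.
SAMPLE_BLACKLIST = {md5_hex("badhost.example/exploit/")}


def is_listed(url, blacklist=SAMPLE_BLACKLIST):
    """Return the expression whose hash is listed, or None if the URL is clean."""
    for expr in lookup_expressions(url):
        if md5_hex(expr) in blacklist:
            return expr
    return None


if __name__ == "__main__":
    for u in ["http://www.badhost.example/exploit/page.html", "http://good.example/"]:
        print(u, "->", is_listed(u) or "not listed")
```

Because a listed directory prefix matches every page under it, one hash covers a whole exploit kit path, which is why the list stays small; the quality of the data can be checked the same way against URLs you classify yourself.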
8. URL Selection and Verification
   • Google's paper "All Your iFRAMEs Point to Us"
   [diagram with components: WWW, Machine Learning Score, Virtual Machine Verification, Malicious URL Repository]
9. What is a Honeypot?
   • A trap!
   • Collects malicious behaviour
   • Server-side honeypot
     – Waits to be probed, attacked, and compromised
   • Client-side honeypot
     – Actively crawls the web
     – Compromised by server responses

10. What is Capture-HPC?
   • A high-interaction client honeypot
   • Part of the Honeynet Project
   • Interacts with malicious web sites and observes system activities
   • Freely available under GPL v2
     – https://projects.honeynet.org/capture-hpc
11. Capture-HPC Concept
   [diagram: VMware Server, Capture-HPC Server, Capture-HPC Client]

12. Capture-HPC Architecture
   [diagram] Capture-HPC Server: reads config.xml, controls VMware Server (revert & resume), collects log and report from the client.
   Capture-HPC Client (VMware guest OS): Internet Explorer / Firefox in user mode on the Win32 subsystem; File Monitor, Process Monitor and Registry Monitor; in kernel mode the Capture kernel driver reports process create, registry change and file create events.
13. Setup Server Environment
   • Linux is better
   • VMware Server 1.0 instead of 2.0
   • Unpack Capture-HPC server
   • Edit Capture-HPC Server setting
   • Set up multiple VM

14. Setup Client Environment
   • Install Capture-HPC client
   • Install system monitor tools
   • Adjust security level
   • NO Windows Update!
   • Disable firewall

15. Make Yourself More Vulnerable!
   • Get old version software at http://oldapps.com
16. Editing Exception List
   • Filter normal system events
     – Windows prefetch
     – Windows update
     – Internet Explorer activities
     – Capture-HPC client activities
   • Events not filtered are treated as malicious
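An added example, not Capture-HPC's own code or its exception-list syntax, showing the allow-list logic this slide describes: events covered by an exception rule are dropped, and a URL whose visit leaves any unmatched event is reported as malicious. The rule format, the event format and the sample events are constructed for the demo.

```python
import re

# Constructed rule list (syntax assumed for this example, not the Capture-HPC
# file format): monitor, regex for the acting process, regex for the target.
# The rules mirror the slide's categories: prefetch, Windows Update, IE cache,
# and the Capture client itself.
EXCEPTIONS = [
    ("file", r"C:\\WINDOWS\\system32\\svchost\.exe", r"C:\\WINDOWS\\Prefetch\\.*\.pf"),
    ("file", r"C:\\WINDOWS\\system32\\svchost\.exe", r"C:\\WINDOWS\\SoftwareDistribution\\.*"),
    ("file", r"C:\\Program Files\\Internet Explorer\\iexplore\.exe",
     r"C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*"),
    ("process", r"C:\\Program Files\\Capture\\CaptureClient\.exe", r".*"),
]
RULES = [(m, re.compile(p, re.I), re.compile(t, re.I)) for m, p, t in EXCEPTIONS]


def is_expected(event):
    """True if some exception rule covers this (monitor, process, target)."""
    return any(m == event["monitor"] and p.fullmatch(event["process"])
               and t.fullmatch(event["target"]) for m, p, t in RULES)


def parse_events(text):
    """Constructed event format: monitor, action, process, target (tab separated)."""
    rows = []
    for line in text.splitlines():
        monitor, action, process, target = line.split("\t")
        rows.append({"monitor": monitor, "action": action,
                     "process": process, "target": target})
    return rows


def unexpected(events):
    """Events that survive the exception list; these are what gets reported."""
    return [e for e in events if not is_expected(e)]


def verdict(events):
    """Default-suspicious: any unmatched event makes the visited URL malicious."""
    return "malicious" if unexpected(events) else "safe"


# Constructed sample of one visit: two lines of normal noise, then IE writing
# and starting an executable, which no rule covers.
SAMPLE_EVENTS = (
    "file\twrite\tC:\\WINDOWS\\system32\\svchost.exe\t"
    "C:\\WINDOWS\\Prefetch\\IEXPLORE.EXE-27122324.pf\n"
    "file\twrite\tC:\\Program Files\\Internet Explorer\\iexplore.exe\t"
    "C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD\\index[1].htm\n"
    "file\twrite\tC:\\Program Files\\Internet Explorer\\iexplore.exe\tC:\\WINDOWS\\system32\\update.exe\n"
    "process\tcreated\tC:\\Program Files\\Internet Explorer\\iexplore.exe\tC:\\WINDOWS\\system32\\update.exe\n"
)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(verdict(evs), [e["target"] for e in unexpected(evs)])
```

The trade-off the slide implies is visible here: a rule as broad as `.*` for a trusted process hides anything that process is made to do, so each exception should be as narrow as the benign activity it exists for.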
17. Good URL? Bad URL?
   • Collect normal web pages
     – Open Directory Project
     – Yahoo!
     – Other countries?
   • How about malicious pages?
     – IT Information Security
     – Malware domain list
     – Blast's security lab
18. Execute Capture-HPC
   • java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s <IP listening address>:<IP listening port> -f <URL input file>
   • DEMO Time!
19. Time to Harvest

   System configuration
   • Intel E6420 (2.13GHz) with 2G RAM
   • VMware Server 1.0 with 3 VM

   Target URL
   • Malicious URL from various sites (about 3000 URL per day)

   Result
   • Testing time: 2 hours
   • Total URL: 235
   • Malicious: 34
   • Network error: 13 (IE can not connect)
   • System error: 5

   • Check log files
     – Safe.log
     – Malicious.log
     – Error.log
20. Large Scale Testing Issues
   • VMware issues
     – Revert VM hangs
     – Network broken after VM revert
   • Malicious software makes the guest OS unstable
     – Blue screen of death
     – Guest OS high CPU loading

21. Build Your Security Lab Using Open Source Software
   • Much open source software is available
     – Capture-HPC
     – Malzilla
     – DecryptJS
   • Easy to adapt to your application
   • Your effort can make better tools!

22. Thank You!
   Comments and questions? dcguan@gmail.com