SlideShare a Scribd company logo

Capture-HPC talk@ OSDC.tw 2009

Da-Chang Guan
Da-Chang Guan

A introduction to use Capture-HPC in OSDC.tw 2009

Technology
1 of 22
Download to read offline
Identify Malicious URL using Capture-HPC David Guan dcguan@gmail.com
Who Are You? • You are interested in malicious webpage • You are interested in Capture-HPC • You are not interested in the other session or there are no more seats…
About This Session • NOT to protect your PC – You need to pay $$ for *protection* – Uninstall Windows might be a better idea • Experience sharing for large scale web crawling testing • Use open source software for security research – Even individual can build your security lab
Drive-by Download Landing Site Hopping Site Download Site
The EVIL Browser Plug-in Browser plug-in vulnerabilities Source: Secunia 2008 report
Malicious URL in Different Regions Region Total URL Total landing Total download site Scanned site China 41000 253 28 Japan 21263 105 3
Google Safe Browsing Database • Google gives you malicious URL – Md5 hash form – Quality data can be observed – safebrowsing-python + Django = ?
URL Selection and Verification • Google’s paper “All Your iFRAMEs Point to Us” Machine Virtual Malicious WWW Learning Machine URL Repository Score Verification
What is Honeypot? • A trap! • Collect malicious behavior • Server-side honeypot – Wait to be probed, attacked, and compromised • Client-side honeypot – Actively crawler the web – Compromised by server response
What is Capture-HPC ? • A high-interactive client honeypot • Part of the Honeynet Project • Interact with malicious web site and observe system activities • Freely available under GPL v2 – https://projects.honeynet.org/capture-hpc
Capture-HPC Concept VMWare Sever Capture-HPC Server Capture-HPC Client
Capture-HPC Architecture Config. Control xml VMWare Server Log Revert & Resume Capture-HPC Server Capture-HPC Internet Firefox Client Explorer Report Win32 Subsystem User Mode Process 1 File Process Registry Registry Process Change 2 Monitor Monitor Monitor File Create Capture Kernel Driver Process Registry 3 Create Kernel Mode VMWare Guest OS
Setup Server Environment VMWare server 1.0 Unpack Capture-HPC Linux is better instead of 2.0 server Edit Capture-HPC Set up multiple VM Server setting
Setup Client Environment Install Capture-HPC Install system monitor Adjust security level client tools NO Windows Update! Disable firewall
Make Yourself More Vulnerable! • Get old version software at http://oldapps.com
Editing Exception List • Filter normal system events – Windows prefetch – Windows update – Internet Explorer activities – Capture-HPC client activities • Events not filtered treat as malicious
Good URL? Bad URL? • Collect normal web page – Open Directory Project – Yahoo! – Other countries? • How about malicious page? – IT Information Security – Malware domain list – Blast's security lab
Execute Capture-HPC • java – Djava.net.preferIPv4Stack=true – jar CaptureServer.jar – s <IP listening address>:<IP listening port> – f <URL input file> • DEMO Time!
Time to Harvest System Target URL Result Configuration •Intel E6420 (2.13GHz) •Malicious URL •Testing time: 2 hours with 2G RAM from various sites (about 3000 URL per day) •VMWare server 1.0 •Total URL: 235 with 3 VM •Malicious: 34 •Network error: 13 (IE can not connect) •System error: 5 • Check log files – Safe.log – Malicious.log – Error.log
Large Scale Testing Issues • VMWare issue – Revert VM hang – Network broken after VM revert • Malicious software make guest OS unstable – Blue screen of death – Guest OS high CPU loading
Build Your Security Lab Using Open Source Software • Many open source software available – Capture-HPC – Malzilla – DecryptJS • Easy to adapt to your application • Your effort can make better tools!
Thank You! Comment and Question? dcguan@gmail.com

Recommended

Data fusion
Data fusionData fusion
Data fusionyousef emami
 
Brief introduction to satellite communications
Brief introduction to satellite communicationsBrief introduction to satellite communications
Brief introduction to satellite communicationsSally Sheridan
 
ネットワーク通信入門
ネットワーク通信入門ネットワーク通信入門
ネットワーク通信入門Yuki Suga
 
Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesFull Stack Developer at Electro Mizan Andisheh
 
Socket programming
Socket programming Socket programming
Socket programming Rajivarnan (Rajiv)
 
DDoS
DDoSDDoS
DDoSMilan Petrásek
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
USAT : USIM Application Toolkit
USAT : USIM Application ToolkitUSAT : USIM Application Toolkit
USAT : USIM Application ToolkitByeongweon Moon
 

Recommended

Data fusion
Data fusionData fusion
Data fusionyousef emami
 
Brief introduction to satellite communications
Brief introduction to satellite communicationsBrief introduction to satellite communications
Brief introduction to satellite communicationsSally Sheridan
 
ネットワーク通信入門
ネットワーク通信入門ネットワーク通信入門
ネットワーク通信入門Yuki Suga
 
Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesFull Stack Developer at Electro Mizan Andisheh
 
Socket programming
Socket programming Socket programming
Socket programming Rajivarnan (Rajiv)
 
DDoS
DDoSDDoS
DDoSMilan Petrásek
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
USAT : USIM Application Toolkit
USAT : USIM Application ToolkitUSAT : USIM Application Toolkit
USAT : USIM Application ToolkitByeongweon Moon
 
Localization &amp; calling
Localization &amp; callingLocalization &amp; calling
Localization &amp; callingRUpaliLohar
 
ORB SLAM Proposal for NTU GPU Programming Course 2016
ORB SLAM Proposal for NTU GPU Programming Course 2016ORB SLAM Proposal for NTU GPU Programming Course 2016
ORB SLAM Proposal for NTU GPU Programming Course 2016Mindos Cheng
 
Distance Vector Multicast Routing Protocol (DVMRP) : Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : PresentationDistance Vector Multicast Routing Protocol (DVMRP) : Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : PresentationSubhajit Sahu
 
系統程式 -- 第 0 章
系統程式 -- 第 0 章系統程式 -- 第 0 章
系統程式 -- 第 0 章鍾誠 陳鍾誠
 
B1-5 メール技術のいま
B1-5 メール技術のいまB1-5 メール技術のいま
B1-5 メール技術のいまJPAAWG (Japan Anti-Abuse Working Group)
 
Randomized algorithms all pairs shortest path
Randomized algorithms all pairs shortest pathRandomized algorithms all pairs shortest path
Randomized algorithms all pairs shortest pathMohammad Akbarizadeh
 
HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS
 
Rpl dodag
Rpl dodagRpl dodag
Rpl dodagTonachi Shika
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
Iot rpl
Iot rplIot rpl
Iot rplDESHPANDE M
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Owasp for dummies handouts
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handoutsBCC
 
Label propagation - Semisupervised Learning with Applications to NLP
Label propagation - Semisupervised Learning with Applications to NLPLabel propagation - Semisupervised Learning with Applications to NLP
Label propagation - Semisupervised Learning with Applications to NLPDavid Przybilla
 
Building and road detection from large aerial imagery
Building and road detection from large aerial imageryBuilding and road detection from large aerial imagery
Building and road detection from large aerial imageryShunta Saito
 
Coursera capstone report ajay kumar ppt
Coursera capstone report ajay kumar pptCoursera capstone report ajay kumar ppt
Coursera capstone report ajay kumar pptArtByLensByAj
 
Deep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal DataDeep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal DataYu Huang
 
系統程式 -- 第 1 章 系統軟體
系統程式 -- 第 1 章 系統軟體系統程式 -- 第 1 章 系統軟體
系統程式 -- 第 1 章 系統軟體鍾誠 陳鍾誠
 
Google Maps Api
Google Maps ApiGoogle Maps Api
Google Maps ApiAnas Alpure
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service AttacksHansa Nidushan
 
系統程式 -- 第 7 章 高階語言
系統程式 -- 第 7 章 高階語言系統程式 -- 第 7 章 高階語言
系統程式 -- 第 7 章 高階語言鍾誠 陳鍾誠
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 

More Related Content

What's hot

Localization &amp; calling
Localization &amp; callingLocalization &amp; calling
Localization &amp; callingRUpaliLohar
 
ORB SLAM Proposal for NTU GPU Programming Course 2016
ORB SLAM Proposal for NTU GPU Programming Course 2016ORB SLAM Proposal for NTU GPU Programming Course 2016
ORB SLAM Proposal for NTU GPU Programming Course 2016Mindos Cheng
 
Distance Vector Multicast Routing Protocol (DVMRP) : Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : PresentationDistance Vector Multicast Routing Protocol (DVMRP) : Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : PresentationSubhajit Sahu
 
Randomized algorithms all pairs shortest path
Randomized algorithms all pairs shortest pathRandomized algorithms all pairs shortest path
Randomized algorithms all pairs shortest pathMohammad Akbarizadeh
 
HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Owasp for dummies handouts
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handoutsBCC
 
Label propagation - Semisupervised Learning with Applications to NLP
Label propagation - Semisupervised Learning with Applications to NLPLabel propagation - Semisupervised Learning with Applications to NLP
Label propagation - Semisupervised Learning with Applications to NLPDavid Przybilla
 
Building and road detection from large aerial imagery
Building and road detection from large aerial imageryBuilding and road detection from large aerial imagery
Building and road detection from large aerial imageryShunta Saito
 
Coursera capstone report ajay kumar ppt
Coursera capstone report ajay kumar pptCoursera capstone report ajay kumar ppt
Coursera capstone report ajay kumar pptArtByLensByAj
 
Deep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal DataDeep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal DataYu Huang
 
系統程式 -- 第 1 章 系統軟體
系統程式 -- 第 1 章 系統軟體系統程式 -- 第 1 章 系統軟體
系統程式 -- 第 1 章 系統軟體鍾誠 陳鍾誠
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service AttacksHansa Nidushan
 
系統程式 -- 第 7 章 高階語言
系統程式 -- 第 7 章 高階語言系統程式 -- 第 7 章 高階語言
系統程式 -- 第 7 章 高階語言鍾誠 陳鍾誠
 

What's hot (20)

Localization &amp; calling
Localization &amp; callingLocalization &amp; calling
Localization &amp; calling
 
ORB SLAM Proposal for NTU GPU Programming Course 2016
ORB SLAM Proposal for NTU GPU Programming Course 2016ORB SLAM Proposal for NTU GPU Programming Course 2016
ORB SLAM Proposal for NTU GPU Programming Course 2016
 
Distance Vector Multicast Routing Protocol (DVMRP) : Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : PresentationDistance Vector Multicast Routing Protocol (DVMRP) : Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Presentation
 
系統程式 -- 第 0 章
系統程式 -- 第 0 章系統程式 -- 第 0 章
系統程式 -- 第 0 章
 
B1-5 メール技術のいま
B1-5 メール技術のいまB1-5 メール技術のいま
B1-5 メール技術のいま
 
Randomized algorithms all pairs shortest path
Randomized algorithms all pairs shortest pathRandomized algorithms all pairs shortest path
Randomized algorithms all pairs shortest path
 
HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)
 
Rpl dodag
Rpl dodagRpl dodag
Rpl dodag
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
Iot rpl
Iot rplIot rpl
Iot rpl
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Owasp for dummies handouts
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handouts
 
Label propagation - Semisupervised Learning with Applications to NLP
Label propagation - Semisupervised Learning with Applications to NLPLabel propagation - Semisupervised Learning with Applications to NLP
Label propagation - Semisupervised Learning with Applications to NLP
 
Building and road detection from large aerial imagery
Building and road detection from large aerial imageryBuilding and road detection from large aerial imagery
Building and road detection from large aerial imagery
 
Coursera capstone report ajay kumar ppt
Coursera capstone report ajay kumar pptCoursera capstone report ajay kumar ppt
Coursera capstone report ajay kumar ppt
 
Deep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal DataDeep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal Data
 
系統程式 -- 第 1 章 系統軟體
系統程式 -- 第 1 章 系統軟體系統程式 -- 第 1 章 系統軟體
系統程式 -- 第 1 章 系統軟體
 
Google Maps Api
Google Maps ApiGoogle Maps Api
Google Maps Api
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service Attacks
 
系統程式 -- 第 7 章 高階語言
系統程式 -- 第 7 章 高階語言系統程式 -- 第 7 章 高階語言
系統程式 -- 第 7 章 高階語言
 

Similar to Capture-HPC talk@ OSDC.tw 2009

Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-stepMichelangelo van Dam
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsRails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsJonathan Weiss
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
Towards secure & dependable storage services in cloud
Towards secure & dependable storage services in cloudTowards secure & dependable storage services in cloud
Towards secure & dependable storage services in cloudRahid Abdul Kalam
 
Supporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStackSupporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStackDonal Lafferty
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring BasicsRob Dunn
 
Virtualization & Network Connectivity
Virtualization & Network Connectivity Virtualization & Network Connectivity
Virtualization & Network Connectivity itplant
 
Oscon 2011-mueller-weinre
Oscon 2011-mueller-weinreOscon 2011-mueller-weinre
Oscon 2011-mueller-weinrepmuellr
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxAndy Lee
 
Windows Server 2008 Web Workload Overview
Windows Server 2008 Web Workload OverviewWindows Server 2008 Web Workload Overview
Windows Server 2008 Web Workload OverviewDavid Chou
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apacheguestd9aa5
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
Yahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely BedfellowsYahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely BedfellowsConSanFrancisco123
 
Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1csharney
 

Similar to Capture-HPC talk@ OSDC.tw 2009 (20)

Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Open Audit
Open AuditOpen Audit
Open Audit
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsRails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Towards secure & dependable storage services in cloud
Towards secure & dependable storage services in cloudTowards secure & dependable storage services in cloud
Towards secure & dependable storage services in cloud
 
Supporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStackSupporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStack
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring Basics
 
Virtualization & Network Connectivity
Virtualization & Network Connectivity Virtualization & Network Connectivity
Virtualization & Network Connectivity
 
Oscon 2011-mueller-weinre
Oscon 2011-mueller-weinreOscon 2011-mueller-weinre
Oscon 2011-mueller-weinre
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
Windows Server 2008 Web Workload Overview
Windows Server 2008 Web Workload OverviewWindows Server 2008 Web Workload Overview
Windows Server 2008 Web Workload Overview
 
XS 2008 Boston Capacity Planning
XS 2008 Boston Capacity PlanningXS 2008 Boston Capacity Planning
XS 2008 Boston Capacity Planning
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apache
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
Yahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely BedfellowsYahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely Bedfellows
 
Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1
 

Recently uploaded

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Capture-HPC talk@ OSDC.tw 2009

  • 1. Identify Malicious URL using Capture-HPC David Guan dcguan@gmail.com
  • 2. Who Are You? • You are interested in malicious webpage • You are interested in Capture-HPC • You are not interested in the other session or there are no more seats…
  • 3. About This Session • NOT to protect your PC – You need to pay $$ for *protection* – Uninstall Windows might be a better idea • Experience sharing for large scale web crawling testing • Use open source software for security research – Even individual can build your security lab
  • 4. Drive-by Download Landing Site Hopping Site Download Site
  • 5. The EVIL Browser Plug-in Browser plug-in vulnerabilities Source: Secunia 2008 report
  • 6. Malicious URL in Different Regions Region Total URL Total landing Total download site Scanned site China 41000 253 28 Japan 21263 105 3
  • 7. Google Safe Browsing Database • Google gives you malicious URL – Md5 hash form – Quality data can be observed – safebrowsing-python + Django = ?
  • 8. URL Selection and Verification • Google’s paper “All Your iFRAMEs Point to Us” Machine Virtual Malicious WWW Learning Machine URL Repository Score Verification
  • 9. What is Honeypot? • A trap! • Collect malicious behavior • Server-side honeypot – Wait to be probed, attacked, and compromised • Client-side honeypot – Actively crawler the web – Compromised by server response
  • 10. What is Capture-HPC ? • A high-interactive client honeypot • Part of the Honeynet Project • Interact with malicious web site and observe system activities • Freely available under GPL v2 – https://projects.honeynet.org/capture-hpc
  • 11. Capture-HPC Concept VMWare Sever Capture-HPC Server Capture-HPC Client
  • 12. Capture-HPC Architecture Config. Control xml VMWare Server Log Revert & Resume Capture-HPC Server Capture-HPC Internet Firefox Client Explorer Report Win32 Subsystem User Mode Process 1 File Process Registry Registry Process Change 2 Monitor Monitor Monitor File Create Capture Kernel Driver Process Registry 3 Create Kernel Mode VMWare Guest OS
  • 13. Setup Server Environment VMWare server 1.0 Unpack Capture-HPC Linux is better instead of 2.0 server Edit Capture-HPC Set up multiple VM Server setting
  • 14. Setup Client Environment Install Capture-HPC Install system monitor Adjust security level client tools NO Windows Update! Disable firewall
  • 15. Make Yourself More Vulnerable! • Get old version software at http://oldapps.com
  • 16. Editing Exception List • Filter normal system events – Windows prefetch – Windows update – Internet Explorer activities – Capture-HPC client activities • Events not filtered treat as malicious
  • 17. Good URL? Bad URL? • Collect normal web page – Open Directory Project – Yahoo! – Other countries? • How about malicious page? – IT Information Security – Malware domain list – Blast's security lab
  • 18. Execute Capture-HPC • java – Djava.net.preferIPv4Stack=true – jar CaptureServer.jar – s <IP listening address>:<IP listening port> – f <URL input file> • DEMO Time!
  • 19. Time to Harvest System Target URL Result Configuration •Intel E6420 (2.13GHz) •Malicious URL •Testing time: 2 hours with 2G RAM from various sites (about 3000 URL per day) •VMWare server 1.0 •Total URL: 235 with 3 VM •Malicious: 34 •Network error: 13 (IE can not connect) •System error: 5 • Check log files – Safe.log – Malicious.log – Error.log
  • 20. Large Scale Testing Issues • VMWare issue – Revert VM hang – Network broken after VM revert • Malicious software make guest OS unstable – Blue screen of death – Guest OS high CPU loading
  • 21. Build Your Security Lab Using Open Source Software • Many open source software available – Capture-HPC – Malzilla – DecryptJS • Easy to adapt to your application • Your effort can make better tools!
  • 22. Thank You! Comment and Question? dcguan@gmail.com