SlideShare a Scribd company logo

Capture-HPC talk@ OSDC.tw 2009

Da-Chang Guan
Da-Chang Guan

A introduction to use Capture-HPC in OSDC.tw 2009

Technology
1 of 22
Download to read offline
Identify Malicious URL using Capture-HPC David Guan dcguan@gmail.com
Who Are You? • You are interested in malicious webpage • You are interested in Capture-HPC • You are not interested in the other session or there are no more seats…
About This Session • NOT to protect your PC – You need to pay $$ for *protection* – Uninstall Windows might be a better idea • Experience sharing for large scale web crawling testing • Use open source software for security research – Even individual can build your security lab
Drive-by Download Landing Site Hopping Site Download Site
The EVIL Browser Plug-in Browser plug-in vulnerabilities Source: Secunia 2008 report
Malicious URL in Different Regions Region Total URL Total landing Total download site Scanned site China 41000 253 28 Japan 21263 105 3
Google Safe Browsing Database • Google gives you malicious URL – Md5 hash form – Quality data can be observed – safebrowsing-python + Django = ?
URL Selection and Verification • Google’s paper “All Your iFRAMEs Point to Us” Machine Virtual Malicious WWW Learning Machine URL Repository Score Verification
What is Honeypot? • A trap! • Collect malicious behavior • Server-side honeypot – Wait to be probed, attacked, and compromised • Client-side honeypot – Actively crawler the web – Compromised by server response
What is Capture-HPC ? • A high-interactive client honeypot • Part of the Honeynet Project • Interact with malicious web site and observe system activities • Freely available under GPL v2 – https://projects.honeynet.org/capture-hpc
Capture-HPC Concept VMWare Sever Capture-HPC Server Capture-HPC Client
Capture-HPC Architecture Config. Control xml VMWare Server Log Revert & Resume Capture-HPC Server Capture-HPC Internet Firefox Client Explorer Report Win32 Subsystem User Mode Process 1 File Process Registry Registry Process Change 2 Monitor Monitor Monitor File Create Capture Kernel Driver Process Registry 3 Create Kernel Mode VMWare Guest OS
Setup Server Environment VMWare server 1.0 Unpack Capture-HPC Linux is better instead of 2.0 server Edit Capture-HPC Set up multiple VM Server setting
Setup Client Environment Install Capture-HPC Install system monitor Adjust security level client tools NO Windows Update! Disable firewall
Make Yourself More Vulnerable! • Get old version software at http://oldapps.com
Editing Exception List • Filter normal system events – Windows prefetch – Windows update – Internet Explorer activities – Capture-HPC client activities • Events not filtered treat as malicious
Good URL? Bad URL? • Collect normal web page – Open Directory Project – Yahoo! – Other countries? • How about malicious page? – IT Information Security – Malware domain list – Blast's security lab
Execute Capture-HPC • java – Djava.net.preferIPv4Stack=true – jar CaptureServer.jar – s <IP listening address>:<IP listening port> – f <URL input file> • DEMO Time!
Time to Harvest System Target URL Result Configuration •Intel E6420 (2.13GHz) •Malicious URL •Testing time: 2 hours with 2G RAM from various sites (about 3000 URL per day) •VMWare server 1.0 •Total URL: 235 with 3 VM •Malicious: 34 •Network error: 13 (IE can not connect) •System error: 5 • Check log files – Safe.log – Malicious.log – Error.log
Large Scale Testing Issues • VMWare issue – Revert VM hang – Network broken after VM revert • Malicious software make guest OS unstable – Blue screen of death – Guest OS high CPU loading
Build Your Security Lab Using Open Source Software • Many open source software available – Capture-HPC – Malzilla – DecryptJS • Easy to adapt to your application • Your effort can make better tools!
Thank You! Comment and Question? dcguan@gmail.com

Recommended

CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
Reetesh Gupta
 
Static Routing
Static RoutingStatic Routing
Static Routing
Sachii Dosti
 
MPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label SwitchingMPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label Switching
Peter R. Egli
 
MPLS + BGP Presentation
MPLS + BGP PresentationMPLS + BGP Presentation
MPLS + BGP Presentation
Gino McCarty
 
Chapter 17 : static routing
Chapter 17 : static routingChapter 17 : static routing
Chapter 17 : static routing
teknetir
 
TFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolTFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer Protocol
Peter R. Egli
 
BOOTP and DHCP.ppt
BOOTP and DHCP.pptBOOTP and DHCP.ppt
BOOTP and DHCP.ppt
anik301
 
Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking) Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking)
Jubayer Al Mahmud
 

Recommended

CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
Reetesh Gupta
 
Static Routing
Static RoutingStatic Routing
Static Routing
Sachii Dosti
 
MPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label SwitchingMPLS - Multiprotocol Label Switching
MPLS - Multiprotocol Label Switching
Peter R. Egli
 
MPLS + BGP Presentation
MPLS + BGP PresentationMPLS + BGP Presentation
MPLS + BGP Presentation
Gino McCarty
 
Chapter 17 : static routing
Chapter 17 : static routingChapter 17 : static routing
Chapter 17 : static routing
teknetir
 
TFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolTFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer Protocol
Peter R. Egli
 
BOOTP and DHCP.ppt
BOOTP and DHCP.pptBOOTP and DHCP.ppt
BOOTP and DHCP.ppt
anik301
 
Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking) Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking)
Jubayer Al Mahmud
 
Ip addressing
Ip addressingIp addressing
Ip addressing
Mansour Naslcheraghi
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
APNIC
 
CCNA CDP LLDP NTP
CCNA CDP LLDP NTP CCNA CDP LLDP NTP
CCNA CDP LLDP NTP
Networkel
 
IP Addressing and Subnetting
IP Addressing and SubnettingIP Addressing and Subnetting
IP Addressing and Subnetting
cbtvid
 
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)
Faisal Jatt
 
Tracing An IP Address or Domain Name by Raghu Khimani
Tracing An IP Address or Domain Name by Raghu KhimaniTracing An IP Address or Domain Name by Raghu Khimani
Tracing An IP Address or Domain Name by Raghu Khimani
Dr Raghu Khimani
 
Cisco ios overview
Cisco ios overviewCisco ios overview
Cisco ios overview
NetProtocol Xpert
 
CCNAv5 - S1: Chapter 9 - Subnetting Ip Networks
CCNAv5 - S1: Chapter 9 - Subnetting Ip NetworksCCNAv5 - S1: Chapter 9 - Subnetting Ip Networks
CCNAv5 - S1: Chapter 9 - Subnetting Ip Networks
Vuz Dở Hơi
 
FTP
FTPFTP
FTP
bhavanatmithun
 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
ThousandEyes
 
Internet Protocols
Internet ProtocolsInternet Protocols
Internet Protocols
Ramakrishna Kongalla
 
Data Link Layer
Data Link LayerData Link Layer
Data Link Layer
Sachii Dosti
 
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
Nguyen Thanh
 
OPEN SHORTEST PATH FIRST (OSPF)
OPEN SHORTEST PATH FIRST (OSPF)OPEN SHORTEST PATH FIRST (OSPF)
OPEN SHORTEST PATH FIRST (OSPF)
Ann Joseph
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
mohannadalhanahnah
 
BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)
NetProtocol Xpert
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
Vishal Tandel
 
TCP/IP Protocol Architeture
TCP/IP Protocol ArchitetureTCP/IP Protocol Architeture
TCP/IP Protocol Architeture
Manoj Kumar
 
Routing Protocols
Routing ProtocolsRouting Protocols
Routing Protocols
NetProtocol Xpert
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
Varnnit Jain
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
xabean
 
Open Audit
Open AuditOpen Audit
Open Audit
ncspa
 

More Related Content

What's hot

IP Addressing and Subnetting
IP Addressing and SubnettingIP Addressing and Subnetting
IP Addressing and Subnetting
cbtvid
 
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
Nguyen Thanh
 

What's hot (20)

Ip addressing
Ip addressingIp addressing
Ip addressing
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
 
CCNA CDP LLDP NTP
CCNA CDP LLDP NTP CCNA CDP LLDP NTP
CCNA CDP LLDP NTP
 
IP Addressing and Subnetting
IP Addressing and SubnettingIP Addressing and Subnetting
IP Addressing and Subnetting
 
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)
 
Tracing An IP Address or Domain Name by Raghu Khimani
Tracing An IP Address or Domain Name by Raghu KhimaniTracing An IP Address or Domain Name by Raghu Khimani
Tracing An IP Address or Domain Name by Raghu Khimani
 
Cisco ios overview
Cisco ios overviewCisco ios overview
Cisco ios overview
 
CCNAv5 - S1: Chapter 9 - Subnetting Ip Networks
CCNAv5 - S1: Chapter 9 - Subnetting Ip NetworksCCNAv5 - S1: Chapter 9 - Subnetting Ip Networks
CCNAv5 - S1: Chapter 9 - Subnetting Ip Networks
 
FTP
FTPFTP
FTP
 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
 
Internet Protocols
Internet ProtocolsInternet Protocols
Internet Protocols
 
Data Link Layer
Data Link LayerData Link Layer
Data Link Layer
 
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
 
OPEN SHORTEST PATH FIRST (OSPF)
OPEN SHORTEST PATH FIRST (OSPF)OPEN SHORTEST PATH FIRST (OSPF)
OPEN SHORTEST PATH FIRST (OSPF)
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
 
BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
 
TCP/IP Protocol Architeture
TCP/IP Protocol ArchitetureTCP/IP Protocol Architeture
TCP/IP Protocol Architeture
 
Routing Protocols
Routing ProtocolsRouting Protocols
Routing Protocols
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 

Similar to Capture-HPC talk@ OSDC.tw 2009

Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
ownerkhan
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
Supporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStackSupporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStack
Donal Lafferty
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apache
guestd9aa5
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
Yahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely BedfellowsYahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely Bedfellows
ConSanFrancisco123
 

Similar to Capture-HPC talk@ OSDC.tw 2009 (20)

Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Open Audit
Open AuditOpen Audit
Open Audit
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsRails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Towards secure & dependable storage services in cloud
Towards secure & dependable storage services in cloudTowards secure & dependable storage services in cloud
Towards secure & dependable storage services in cloud
 
Supporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStackSupporting Hyper-V 3.0 on Apache CloudStack
Supporting Hyper-V 3.0 on Apache CloudStack
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring Basics
 
Virtualization & Network Connectivity
Virtualization & Network Connectivity Virtualization & Network Connectivity
Virtualization & Network Connectivity
 
Oscon 2011-mueller-weinre
Oscon 2011-mueller-weinreOscon 2011-mueller-weinre
Oscon 2011-mueller-weinre
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
Windows Server 2008 Web Workload Overview
Windows Server 2008 Web Workload OverviewWindows Server 2008 Web Workload Overview
Windows Server 2008 Web Workload Overview
 
XS 2008 Boston Capacity Planning
XS 2008 Boston Capacity PlanningXS 2008 Boston Capacity Planning
XS 2008 Boston Capacity Planning
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apache
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
Yahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely BedfellowsYahoo Communities Architecture Unlikely Bedfellows
Yahoo Communities Architecture Unlikely Bedfellows
 
Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Recently uploaded (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Capture-HPC talk@ OSDC.tw 2009

  • 1. Identify Malicious URL using Capture-HPC David Guan dcguan@gmail.com
  • 2. Who Are You? • You are interested in malicious webpage • You are interested in Capture-HPC • You are not interested in the other session or there are no more seats…
  • 3. About This Session • NOT to protect your PC – You need to pay $$ for *protection* – Uninstall Windows might be a better idea • Experience sharing for large scale web crawling testing • Use open source software for security research – Even individual can build your security lab
  • 4. Drive-by Download Landing Site Hopping Site Download Site
  • 5. The EVIL Browser Plug-in Browser plug-in vulnerabilities Source: Secunia 2008 report
  • 6. Malicious URL in Different Regions Region Total URL Total landing Total download site Scanned site China 41000 253 28 Japan 21263 105 3
  • 7. Google Safe Browsing Database • Google gives you malicious URL – Md5 hash form – Quality data can be observed – safebrowsing-python + Django = ?
  • 8. URL Selection and Verification • Google’s paper “All Your iFRAMEs Point to Us” Machine Virtual Malicious WWW Learning Machine URL Repository Score Verification
  • 9. What is Honeypot? • A trap! • Collect malicious behavior • Server-side honeypot – Wait to be probed, attacked, and compromised • Client-side honeypot – Actively crawler the web – Compromised by server response
  • 10. What is Capture-HPC ? • A high-interactive client honeypot • Part of the Honeynet Project • Interact with malicious web site and observe system activities • Freely available under GPL v2 – https://projects.honeynet.org/capture-hpc
  • 11. Capture-HPC Concept VMWare Sever Capture-HPC Server Capture-HPC Client
  • 12. Capture-HPC Architecture Config. Control xml VMWare Server Log Revert & Resume Capture-HPC Server Capture-HPC Internet Firefox Client Explorer Report Win32 Subsystem User Mode Process 1 File Process Registry Registry Process Change 2 Monitor Monitor Monitor File Create Capture Kernel Driver Process Registry 3 Create Kernel Mode VMWare Guest OS
  • 13. Setup Server Environment VMWare server 1.0 Unpack Capture-HPC Linux is better instead of 2.0 server Edit Capture-HPC Set up multiple VM Server setting
  • 14. Setup Client Environment Install Capture-HPC Install system monitor Adjust security level client tools NO Windows Update! Disable firewall
  • 15. Make Yourself More Vulnerable! • Get old version software at http://oldapps.com
  • 16. Editing Exception List • Filter normal system events – Windows prefetch – Windows update – Internet Explorer activities – Capture-HPC client activities • Events not filtered treat as malicious
  • 17. Good URL? Bad URL? • Collect normal web page – Open Directory Project – Yahoo! – Other countries? • How about malicious page? – IT Information Security – Malware domain list – Blast's security lab
  • 18. Execute Capture-HPC • java – Djava.net.preferIPv4Stack=true – jar CaptureServer.jar – s <IP listening address>:<IP listening port> – f <URL input file> • DEMO Time!
  • 19. Time to Harvest System Target URL Result Configuration •Intel E6420 (2.13GHz) •Malicious URL •Testing time: 2 hours with 2G RAM from various sites (about 3000 URL per day) •VMWare server 1.0 •Total URL: 235 with 3 VM •Malicious: 34 •Network error: 13 (IE can not connect) •System error: 5 • Check log files – Safe.log – Malicious.log – Error.log
  • 20. Large Scale Testing Issues • VMWare issue – Revert VM hang – Network broken after VM revert • Malicious software make guest OS unstable – Blue screen of death – Guest OS high CPU loading
  • 21. Build Your Security Lab Using Open Source Software • Many open source software available – Capture-HPC – Malzilla – DecryptJS • Easy to adapt to your application • Your effort can make better tools!
  • 22. Thank You! Comment and Question? dcguan@gmail.com