Characteristic of Malware
Site and its Blocking
Countermeasure
Apricot 2017
Yasuyuki Tanaka, CISSP
Institute of Information Security (IISEC)
NTT Communications Corporation
Todayʼs contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
Drive-by-download infection chain
(Diagram: legitimate services (compromised site, affiliate, advertising) deliver victims to the attackerʼs resources. Business models shown: HIY model, Exploit-as-a-Service model, Pay-Per-Install model, Malvertising model; actors shown: malware owner, exploit pack developer.)
How to infect?
■ Drive-by-download consists of three factors.
  • Landing site, Exploit site, Malware download site
(Diagram: numbered flow ①–④ from the victim PC through a landing site, the exploit site and the malware download site; several landing sites redirect to the same exploit site.)
Characteristics of each site
■ Landing site
  • exists in a legitimate service
  • redirects to the exploit site
  • short-lived
■ Exploit site
  • made with a web attack toolkit
  • referrer is the landing site
  • short-lived
■ Malware download site
  • repeatedly runs and stops
  • changes its malware
  • long-lived
In this paper we focus on the malware download site.
OCN malware block service
■ In Feb. 2016, NTT Communications started offering users of the internet service provider OCN a free malware blocker service, the first ISP in Japan to offer such a service.
(Diagram: the userʼs DNS server, applying an FQDN blacklist, blocks the evil traffic from malware on the userʼs PC to the attackerʼs C&C server, traffic that would otherwise carry personal information, credit card numbers, etc.; legitimate traffic passes.)
FQDN Block vs URL Block

block method         | FQDN block          | URL block
intelligence to use  | FQDN blacklist      | URL blacklist
apply device example | DNS, /etc/hosts     | L7 firewall
pros                 | lightweight, simple | detailed operation
cons                 | over blocking       | complexity, high cost
Over blocking problem
(Example: all five URLs share the FQDN www.aaa.com, so an FQDN block of that host blocks the benign paths together with the malicious ones.)

http://www.aaa.com/111/222.php   benign site      OVER BLOCKED
http://www.aaa.com/aaa/z.php     malicious site
http://www.aaa.com/111/a.js      malicious site
http://www.aaa.com/111/222.exe   benign site      OVER BLOCKED
http://www.aaa.com/yyy/zzz       benign site      OVER BLOCKED
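As an added illustration of the over-blocking problem (example code, not the presentation's or NTT's), the script below applies an FQDN blacklist and a URL blacklist to the five constructed www.aaa.com URLs from the slide and reports which benign URLs each method over-blocks; the blacklist contents and the URL normalisation rules (case-insensitive scheme and host, default ports dropped, query string ignored) are assumptions.

```python
"""FQDN block vs URL block on the over-blocking example from the slide.

Added illustration, not code from the presentation. The five www.aaa.com URLs
and their benign/malicious labels are the constructed sample from the slide;
the blacklists are derived from those labels and are assumptions.
"""
from urllib.parse import urlsplit

# Constructed sample from the slide: (url, ground-truth label).
SAMPLE = [
    ("http://www.aaa.com/111/222.php", "benign"),
    ("http://www.aaa.com/aaa/z.php", "malicious"),
    ("http://www.aaa.com/111/a.js", "malicious"),
    ("http://www.aaa.com/111/222.exe", "benign"),
    ("http://www.aaa.com/yyy/zzz", "benign"),
]


def normalize(url: str) -> str:
    """Canonical form used for URL-blacklist matching. Assumption: scheme and
    host are case-insensitive, default ports are dropped, and the query string
    is ignored so that per-request query variation cannot evade a match."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if p.port is not None and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


# What each blocking method can see: the URL block keys on the normalised
# URL, the FQDN block (DNS resolver / hosts file) only on the host name.
URL_BLACKLIST = {normalize(u) for u, label in SAMPLE if label == "malicious"}
FQDN_BLACKLIST = {urlsplit(u).hostname.lower() for u in URL_BLACKLIST}


def fqdn_blocked(url: str) -> bool:
    """DNS-style decision: is the host name on the FQDN blacklist?"""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in FQDN_BLACKLIST


def url_blocked(url: str) -> bool:
    """L7-firewall-style decision: is the normalised URL on the URL blacklist?"""
    return normalize(url) in URL_BLACKLIST


def evaluate(decider) -> dict:
    """Apply one blocking decision to the sample and report the benign URLs it
    over-blocks and the malicious URLs it misses, in slide order."""
    over_blocked = [u for u, label in SAMPLE if label == "benign" and decider(u)]
    missed = [u for u, label in SAMPLE if label == "malicious" and not decider(u)]
    return {"over_blocked": over_blocked, "missed": missed}


if __name__ == "__main__":
    for name, decider in (("FQDN block", fqdn_blocked), ("URL block", url_blocked)):
        result = evaluate(decider)
        print(f"{name}: over-blocked {len(result['over_blocked'])}, "
              f"missed {len(result['missed'])}")
        for u in result["over_blocked"]:
            print(f"  OVER BLOCKED  {u}")
```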
Todayʼs contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
Check Malware download URL status
■ Goal: decide appropriate methods and periods for blacklisting malware download sites.
■ We check the status of each malware download site every day.
■ Total number of URLs: 43,034.
■ Observation period: 1.5 years.
(Diagram: a high-interaction web crawler visits many malware download sites every day and records each siteʼs status as Active or Stop; every downloaded file is scanned with multiple anti-virus products and labelled Benign or Malicious.)
Status record
■ status table
  • we recorded the status of each URL every day.
  • short stop spans (url1), long stop spans (url2, url4).

DAY  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
url1 ✔ ✔ ✔ X ✔ ✔ X ✔ X ✔ ✔ ✔ X X ✔ ✔ ✔ ✔ ✔ ✔
url2 X ✔ X X X ✔ X X X X X X X ✔ X X ✔ X X X
url3 ✔ ✔ ✔ X ✔ ✔ X X ✔ ✔ ✔ X X X ✔ X X ✔ X ✔
url4 X X ✔ ✔ ✔ X ✔ ✔ ✔ ✔ X X X X X X ✔ ✔ X ✔
✔ = active, X = stop
Malware hash record
■ We found certain characteristics.
■ malware hash table
  • we recorded which file was downloaded on each active day.
  • unchanged (url1, url2)
  • every-time changed (url3)
  • changed occasionally (url4)

DAY  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
url1 A A A A A A A A A A A A A A A
url2 B B B B
url3 C D F G H I J K L M N
url4 O O O P O O O O O R
Capital letters stand for the malwareʼs SHA-1 hash; one letter per active day, in day order.
Category 1 “unchanged”
■ hxxp://www.xunlei333.com/xl_28413.exe
(Plot: number of malware samples over time; only one SHA-1 hash value was ever served.)
Category 2 “every-time changed”
■ hxxp://download.veterants.info/index.html?e=tnfd9&clsb=1&publisher=11206&prv=TinyWallet&sfx=1&hid=16977029731406196910&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&ne=1&prs=4&
(Plot: number of malware samples over time; the SHA-1 hash value changes on every download.)
Category 3 “changed occasionally”
■ hxxp://proxy.piratenpartij.nl/web.icm.cn/vote/install_flash_player_active_x.exe
(Plot: number of malware samples over time; most of the time the same hash value, with a different hash value appearing occasionally.)
Analytical purpose and procedure
■ Goal: decide appropriate methods and periods for blacklisting malware download sites.
■ We defined three categories focusing on the variation of the malware served.
■ We divided the URLs according to this definition.
  • UNC: unchanged
  • ETC: every-time changed
  • COC: changed occasionally
■ Total number of URLs: 43,034.
■ Observation period: 1.5 years.
■ We analyzed the features of the three categories UNC, ETC, and COC.
  • lifetime, revived activity, IP address resource, malware variation, etc.
■ We considered the operation and resources of the attackers and discussed how to mitigate each category.
Lifetime and Active days definition
■ Lifetime
  • the period between the first and the last observation day.
  • here, we consider only the first and last day; stopped days in between still count toward the lifetime.
■ Active days
  • the number of days on which the URL was active.
(Timeline diagram over the 1.5-year observation period: URL A spans 20 days with 4 active days, so Lifetime 20, Active days 4; URL B spans 40 days with 7 active days, so Lifetime 40, Active days 7.)
Lifetime CDF
(Plot: lifetime CDF per category. 10% of UNC URLs live over 500 days. Lifetime: ETC < UNC, COC.)
Stop5, Stop10 definition
■ The number of continuous stopped periods
  • Stop5: stopped over 5 days
  • Stop10: stopped over 10 days
(Timeline diagram over the 1.5-year observation period: URL A has stopped periods of 6 and 13 days, so Stop5 = 2, Stop10 = 1; URL B has stopped periods of 7, 12 and 11 days, so Stop5 = 3, Stop10 = 2.)
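The following added example (not the presentation's own code) computes Lifetime, Active days, Stop5, Stop10 and the UNC/ETC/COC category for the four URLs of the status record and malware hash record shown earlier. The exact thresholds are assumptions, since the slides name the measures but do not formalise them: lifetime is counted inclusively from first to last active day, StopN counts stopped runs of N days or more that lie between the first and last active day, and ETC means no hash ever repeats.

```python
"""Per-URL metrics from the daily status and hash records in the slides.

Added example, not the presentation's own code. Assumptions the slides do
not spell out: lifetime counts days from the first to the last active day
inclusively; StopN counts runs of N or more consecutive stopped days lying
between the first and last active day; a URL is UNC when every download had
the same hash, ETC when every active day produced a hash never seen before,
and COC otherwise.
"""
from itertools import groupby

ACTIVE, STOP = "✔", "X"

# Status record from the slide: one character per observation day (20 days).
STATUS = {
    "url1": "✔✔✔X✔✔X✔X✔✔✔XX✔✔✔✔✔✔",
    "url2": "X✔XXX✔XXXXXXX✔XX✔XXX",
    "url3": "✔✔✔X✔✔XX✔✔✔XXX✔XX✔X✔",
    "url4": "XX✔✔✔X✔✔✔✔XXXXXX✔✔X✔",
}
# Malware hash record from the slide: one capital letter (standing for a
# SHA-1 hash) per active day, in day order.
HASHES = {
    "url1": "AAAAAAAAAAAAAAA",
    "url2": "BBBB",
    "url3": "CDFGHIJKLMN",
    "url4": "OOOPOOOOOR",
}


def active_days(status: str) -> list:
    """1-based day numbers on which the URL served a file."""
    return [day for day, s in enumerate(status, start=1) if s == ACTIVE]


def lifetime(status: str) -> int:
    """Days from the first to the last active day, inclusive (0 if never active)."""
    days = active_days(status)
    return days[-1] - days[0] + 1 if days else 0


def stop_runs(status: str) -> list:
    """Lengths of consecutive stopped runs between the first and last active day;
    leading and trailing stops fall outside the lifetime and are not counted."""
    days = active_days(status)
    if not days:
        return []
    window = status[days[0] - 1 : days[-1]]
    return [len(list(run)) for state, run in groupby(window) if state == STOP]


def stop_count(status: str, n: int) -> int:
    """StopN: number of stopped runs lasting n days or more."""
    return sum(1 for length in stop_runs(status) if length >= n)


def daily_hashes(status: str, hashes: str) -> dict:
    """Pair each active day with the hash downloaded on it; the two records
    must agree on the number of active days, otherwise the data is inconsistent."""
    days = active_days(status)
    if len(days) != len(hashes):
        raise ValueError(f"{len(days)} active days but {len(hashes)} hashes")
    return dict(zip(days, hashes))


def categorize(hashes: str) -> str:
    """UNC / ETC / COC from the sequence of downloaded hashes."""
    unique = len(set(hashes))
    if unique <= 1:
        return "UNC"  # unchanged: one hash for the whole period
    if unique == len(hashes):
        return "ETC"  # every-time changed: no hash ever repeats
    return "COC"      # changed occasionally


def summarize(url: str) -> dict:
    """All metrics for one URL of the sample records."""
    status, hashes = STATUS[url], HASHES[url]
    daily_hashes(status, hashes)  # consistency check between the two records
    return {
        "lifetime": lifetime(status),
        "active_days": len(active_days(status)),
        "stop5": stop_count(status, 5),
        "stop10": stop_count(status, 10),
        "category": categorize(hashes),
    }


if __name__ == "__main__":
    for url in STATUS:
        print(url, summarize(url))
```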
Stop5, Stop10 CDF
(Plot: Stop5 and Stop10 CDF per category. 10% of COC URLs revive over 15 times. Revive activity: ETC < UNC < COC.)
UniqIP CDF
(Plot: CDF of unique IP addresses per URL. 2% of UNC URLs used more than 180 IP addresses.)
IP Entropy CDF
(Plot: CDF of IP address entropy per URL. IP variation: UNC < ETC < COC.)
Characteristics and countermeasure

Characteristics | UNC          | ETC             | COC
Lifetime        | Longevity    | Short-lived     | Longevity
Revive          | NA           | NA              | many times
IP resource     | Substantial  | Fewer           | Substantial
IP variation    | Fewer        | Substantial     | Substantial
Activity        | NA           | Sparse          | Intensive
Malware         | Known        | Known           | Unknown
URL             | NA           | Long query part | NA
Countermeasure  | Blacklisting | TBD             | Blacklisting
Todayʼs contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
Suggestion - What should operators do?
■ Full extermination of malicious sites is the most important thing.
■ When operators receive abuse reports, they should take concrete action until the malicious site has disappeared completely.
■ But according to [1], about 60% (12/19) of reports were not handled properly by ISPs.
  • case 1: no reply.
  • case 2: unable to locate an abuse@domain address in WHOIS.
  • case 3: good case! the site was immediately disconnected.
  • case 4: forwarded to the customer by the ISP, but the server was still alive.

[1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by download operations. <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>
Suggestion - What should ISPs do?
■ Todayʼs increasing Internet use has become plagued by malicious activity such as the exploit-as-a-service model.
■ Itʼs important to consider an IP or FQDN block service such as the “malware block service” of NTTcom OCN.
■ IP and FQDN blocks have the over blocking problem, so in addition to IP and FQDN blocking it is desirable to use URL blocking.
Suggestion - What should ISPs do?
(Diagram: the same picture as the OCN malware block service, with an L7 firewall applying a URL blacklist added next to the DNS server applying an FQDN blacklist; together they block the evil traffic from the malware to the attackerʼs C&C server while legitimate traffic passes.)
This is a simple image. Only my opinion.
Discussion - FQDN, IP, and URL blocking
■ Our survey shows that URL blacklisting is effective for some malicious sites.
  • UNC and COC; COC in particular serves unknown malware.
■ URL blacklisting on the ISP?
  • high operation cost? do you think it is a realistic way?
■ How about FQDN blacklisting on the ISP?
  • how about domain, IP address, AS?
  • is a combination important?
Thank you very much.
Any questions?
Gram Darshan PPT cyber rural in villages of india
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 

Apricot2017 r12 1488291147

9. Today's contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
10. Check malware download URL status
- In order to decide appropriate methods or periods for blacklisting malware download sites, we check the status of each malware download site every day.
- Total number of URLs: 43,034
- Observation period: 1.5 years
[figure: a high-interaction web crawler checks many malware download sites every day; each site is recorded as Active or Stopped, and any downloaded file is classified as Malicious or Benign by multiple anti-virus products]
11. Status record
- Status table: we recorded the status of each URL every day.
  • short stop spans (url1), long stop spans (url2, url4)

Day   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
url1  ✔  ✔  ✔  X  ✔  ✔  X  ✔  X  ✔  ✔  ✔  X  X  ✔  ✔  ✔  ✔  ✔  ✔
url2  X  ✔  X  X  X  ✔  X  X  X  X  X  X  X  ✔  X  X  ✔  X  X  X
url3  ✔  ✔  ✔  X  ✔  ✔  X  X  ✔  ✔  ✔  X  X  X  ✔  X  X  ✔  X  ✔
url4  X  X  ✔  ✔  ✔  X  ✔  ✔  ✔  ✔  X  X  X  X  X  X  ✔  ✔  X  ✔
✔ = active, X = stop
12. Malware hash record
- We found certain characteristics.
- Malware hash table: we recorded which file was downloaded on each active day.
  • unchanged (url1, url2)
  • changed every time (url3)
  • changed occasionally (url4)

Day   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
url1  A  A  A  -  A  A  -  A  -  A  A  A  -  -  A  A  A  A  A  A
url2  -  B  -  -  -  B  -  -  -  -  -  -  -  B  -  -  B  -  -  -
url3  C  D  F  -  G  H  -  -  I  J  K  -  -  -  L  -  -  M  -  N
url4  -  -  O  O  O  -  P  O  O  O  -  -  -  -  -  -  O  O  -  R
Capital letters: malware hash; "-": the site was stopped that day
14. Category 2 "every-time changed"
- hxxp://download.veterants.info/index.html?e=tnfd9&clsb=1&publisher=11206&prv=TinyWallet&sfx=1&hid=16977029731406196910&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&ne=1&prs=4&
[chart: number of malware samples over time; the SHA-1 hash value changes every time]

15. Category 3 "changed occasionally"
- hxxp://proxy.piratenpartij.nl/web.icm.cn/vote/install_flash_player_active_x.exe
[chart: number of malware samples over time; most of the time the same hash value, sometimes a different hash value]
16. Analytical purpose and procedure
- In order to decide appropriate methods or periods for blacklisting malware download sites, we defined three categories focusing on the variation of the malware served, and divided the URLs according to this definition:
  • UNC: unchanged
  • ETC: every-time changed
  • COC: changed occasionally
- Total number of URLs: 43,034
- Observation period: 1.5 years

17. Analytical purpose and procedure
- We analyzed features of the three categories UNC, ETC and COC:
  • lifetime, revival activity, IP address resources, malware variation, etc.
- We considered the operation and resources of attackers and discussed how to mitigate each category.
18. Lifetime and Active days definition
- Lifetime
  • period between the first and last observation day.
  • here, we considered the first and last day only.
- Active days
  • the number of active days.
[figure: within our 1.5-year observation period, URL A is active on 4 days spread over 20 days (Lifetime: 20, Active days: 4); URL B is active on 7 days spread over 40 days (Lifetime: 40, Active days: 7)]
19. Lifetime CDF
[chart: CDF of lifetime per category]
- 10% of UNC lives over 500 days.
- Lifetime: ETC < UNC, COC
20. Stop5, Stop10 definition
- The number of continuous stopped periods
  • Stop5: over 5 days
  • Stop10: over 10 days
[figure: within our 1.5-year observation period, URL A has stopped spans of 6 and 13 days (Stop5: 2, Stop10: 1); URL B has stopped spans of 7, 12 and 11 days (Stop5: 3, Stop10: 2)]
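As an added example (not code from the deck or its authors), the per-URL metrics defined on slides 11 to 20 computed over a day grid constructed to match the status and hash tables on slides 11 and 12; the inclusive lifetime count, the exclusion of leading and trailing stops, and the UNC/ETC/COC thresholds are assumptions of this example.

```python
# Daily observation grid, constructed to match slides 11 and 12: one character
# per day, "." = stopped (X), a letter = active (✔) and the hash downloaded.
RECORDS = {
    "url1": "AAA.AA.A.AAA..AAAAAA",
    "url2": ".B...B.......B..B...",
    "url3": "CDF.GH..IJK...L..M.N",
    "url4": "..OOO.POOO......OO.R",
}
STOPPED = "."

def active_idx(rec: str) -> list[int]:
    """Indices of the active days; its length is the 'Active days' metric."""
    return [i for i, d in enumerate(rec) if d != STOPPED]

def lifetime(rec: str) -> int:
    """Days from first to last active day, inclusive (the inclusive count is an
    assumption; the deck only says 'first and last observation day')."""
    idx = active_idx(rec)
    return idx[-1] - idx[0] + 1 if idx else 0

def stop_spans(rec: str) -> list[int]:
    """Lengths of continuous stopped runs between the first and last active day;
    leading and trailing stops are ignored (assumption: no revival follows)."""
    idx = active_idx(rec)
    spans, run = [], 0
    for d in (rec[idx[0]:idx[-1] + 1] if idx else ""):
        if d == STOPPED:
            run += 1
        elif run:
            spans.append(run)
            run = 0
    return spans

def stop_counts(rec: str) -> tuple[int, int]:
    """(Stop5, Stop10): stopped runs over 5 and over 10 days (slide 20)."""
    spans = stop_spans(rec)
    return sum(s > 5 for s in spans), sum(s > 10 for s in spans)

def category(rec: str) -> str:
    """UNC / ETC / COC by hash variation on active days. The thresholds (one
    hash, all hashes distinct, anything else) are an assumption."""
    hashes = [rec[i] for i in active_idx(rec)]
    uniq = len(set(hashes))
    if uniq <= 1:
        return "UNC"
    return "ETC" if uniq == len(hashes) else "COC"

def summarize(records: dict[str, str]) -> dict[str, dict]:
    """Per-URL metrics, the inputs to a characteristics table like slide 24."""
    return {u: {"lifetime": lifetime(r), "active": len(active_idx(r)),
                "stop5": stop_counts(r)[0], "stop10": stop_counts(r)[1],
                "category": category(r)} for u, r in records.items()}
```

Running `summarize(RECORDS)` reproduces the deck's classification of the four sample URLs (url1 and url2 UNC, url3 ETC, url4 COC) together with their lifetime, active-day and Stop5/Stop10 figures.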
21. Stop5, Stop10 CDF
[chart: CDF of Stop5 and Stop10 per category]
- 10% of COC revives over 15 times.
- Revival activity: ETC < UNC < COC

22. UniqIP CDF
[chart: CDF of unique IP addresses per category]
- 2% of UNC used more than 180 IP addresses.

23. IP Entropy CDF
[chart: CDF of IP entropy per category]
- IP variation: UNC < ETC < COC
24. Characteristics and countermeasure

Characteristic   UNC           ETC              COC
Lifetime         Longevity     Short-lived      Longevity
Revive           NA            NA               many times
IP resource      Substantial   Fewer            Substantial
IP variation     Fewer         Substantial      Substantial
Activity         NA            Sparse           Intensive
Malware          Known         Known            Unknown
URL              NA            Long query part  NA
Countermeasure   Blacklisting  TBD              Blacklisting
25. Today's contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
26. Suggestion - What should operators do?
- Full extermination of malicious sites is the most important thing.
- When operators receive abuse reports, they should take concrete action until the malicious site has disappeared completely.
- But according to [1], about 60% (12/19) of reports were not handled properly by ISPs.
  • case 1: no reply.
  • case 2: unable to locate an abuse@domain contact in WHOIS.
  • case 3: good case! The site was immediately disconnected.
  • case 4: forwarded to the customer by the ISP, but the server was still alive.
[1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by download operations. <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>
27. Suggestion - What should ISPs do?
- Today's increasing Internet use has become plagued by malicious activity such as the exploit-as-a-service model.
- It is important to consider an IP or FQDN block service such as the "malware block service" of NTTcom OCN.
- IP or FQDN blocking has an over-blocking problem, so in addition to IP and FQDN blocking, it is desirable to use URL blocking.
28. Suggestion - What should ISPs do?
[figure: the user's legitimate traffic passes, while evil traffic toward the attacker's C&C server and malware is blocked by a DNS server based on an FQDN blacklist and an L7 firewall based on a URL blacklist, protecting personal information, credit card numbers, etc.]
- This is a simple image. Only my opinion.
29. Discussion - FQDN, IP, and URL blocking
- Our survey shows that URL blacklisting is effective for some malicious sites.
  • UNC and COC; especially COC, which provides unknown malware.
- URL blacklisting on an ISP?
  • high operation cost? Do you think it is a realistic way?
- How about FQDN blacklisting on an ISP?
  • how about domain, IP address, AS?
  • is a combination important?
30. Thank you very much. Any questions?