Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Capture-HPC talk@ 2009


Published on

A introduction to use Capture-HPC in 2009

Published in: Technology
  • Be the first to comment

Capture-HPC talk@ 2009

  1. Identify Malicious URL using Capture-HPC David Guan
  2. Who Are You? • You are interested in malicious webpage • You are interested in Capture-HPC • You are not interested in the other session or there are no more seats…
  3. About This Session • NOT to protect your PC – You need to pay $$ for *protection* – Uninstall Windows might be a better idea • Experience sharing for large scale web crawling testing • Use open source software for security research – Even individual can build your security lab
  4. Drive-by Download Landing Site Hopping Site Download Site
  5. The EVIL Browser Plug-in Browser plug-in vulnerabilities Source: Secunia 2008 report
  6. Malicious URL in Different Regions Region Total URL Total landing Total download site Scanned site China 41000 253 28 Japan 21263 105 3
  7. Google Safe Browsing Database • Google gives you malicious URL – Md5 hash form – Quality data can be observed – safebrowsing-python + Django = ?
  8. URL Selection and Verification • Google’s paper “All Your iFRAMEs Point to Us” Machine Virtual Malicious WWW Learning Machine URL Repository Score Verification
  9. What is Honeypot? • A trap! • Collect malicious behavior • Server-side honeypot – Wait to be probed, attacked, and compromised • Client-side honeypot – Actively crawler the web – Compromised by server response
  10. What is Capture-HPC ? • A high-interactive client honeypot • Part of the Honeynet Project • Interact with malicious web site and observe system activities • Freely available under GPL v2 –
  11. Capture-HPC Concept VMWare Sever Capture-HPC Server Capture-HPC Client
  12. Capture-HPC Architecture Config. Control xml VMWare Server Log Revert & Resume Capture-HPC Server Capture-HPC Internet Firefox Client Explorer Report Win32 Subsystem User Mode Process 1 File Process Registry Registry Process Change 2 Monitor Monitor Monitor File Create Capture Kernel Driver Process Registry 3 Create Kernel Mode VMWare Guest OS
  13. Setup Server Environment VMWare server 1.0 Unpack Capture-HPC Linux is better instead of 2.0 server Edit Capture-HPC Set up multiple VM Server setting
  14. Setup Client Environment Install Capture-HPC Install system monitor Adjust security level client tools NO Windows Update! Disable firewall
  15. Make Yourself More Vulnerable! • Get old version software at
  16. Editing Exception List • Filter normal system events – Windows prefetch – Windows update – Internet Explorer activities – Capture-HPC client activities • Events not filtered treat as malicious
  17. Good URL? Bad URL? • Collect normal web page – Open Directory Project – Yahoo! – Other countries? • How about malicious page? – IT Information Security – Malware domain list – Blast's security lab
  18. Execute Capture-HPC • java – – jar CaptureServer.jar – s <IP listening address>:<IP listening port> – f <URL input file> • DEMO Time!
  19. Time to Harvest System Target URL Result Configuration •Intel E6420 (2.13GHz) •Malicious URL •Testing time: 2 hours with 2G RAM from various sites (about 3000 URL per day) •VMWare server 1.0 •Total URL: 235 with 3 VM •Malicious: 34 •Network error: 13 (IE can not connect) •System error: 5 • Check log files – Safe.log – Malicious.log – Error.log
  20. Large Scale Testing Issues • VMWare issue – Revert VM hang – Network broken after VM revert • Malicious software make guest OS unstable – Blue screen of death – Guest OS high CPU loading
  21. Build Your Security Lab Using Open Source Software • Many open source software available – Capture-HPC – Malzilla – DecryptJS • Easy to adapt to your application • Your effort can make better tools!
  22. Thank You! Comment and Question?