• No results found

20101124 01 pdf

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "20101124 01 pdf"

Copied!
54
0
0

Loading.... (view fulltext now)

Download now ( 54 Page )

Full text

(1)

Security Trend of

New Computing Era

(2)

Agenda

Security Threat Overview

Introduction of Botnet

Impact of Botnet

Fight Back Botnet

(3)
(4)

Security Threat - Trend

• Cloud Computing

– Data

• Social Network

– Privacy

• Mobile Security

(5)

Security Threat - Type

• Phishing/Defacement

• Malicious Code Injection / SQL Injection

• Distributed Denial of Service (DDoS)

• Malware

• Botnet

(6)

Security Threat - Impact

• Financial Loss

• Data Loss

• Identity Theft

(7)
[image:7.595.64.780.25.501.2]

Security Threat -Underground

Economy

(8)
(9)

What is Botnet?

• Botnet (aka Zombie Network, 殭屍網路)

• A collection of compromised computers (called bots, zombie) under a common command-and-control (called C&C)

infrastructure.

(10)

Botnet Structure

• Bot Herder/Master

• Command and Control Servers (C&C, C2)

[image:10.595.48.810.24.542.2]

• Bots

(11)

Spread Channel

• Website

• Email

• Instant Messenger (IM)

• P2P file sharing network

(12)

Website

• Code Injection

– Hidden iframe direct to the malicious website contains vulnerability exploit

[image:12.595.293.767.266.529.2]

– 1H of 2010, over 2,500 Common Vulnerabilities and Exposures (CVE) recorded. Apple is top vendors of CVE, issued about 180.

(13)

Website

• Malicious Multimedia Content

– Exploit media player vulnerability

[image:13.595.239.545.271.517.2]

– Malicious codec file installation

(14)

Website

• Search Engine Optimization Poisoning (aka Black hat SEO)

– Using unethical SEO techniques in order to obtain a higher search ranking to post malicious link on hot topic

[image:14.595.70.731.220.545.2]

– Deliver Fake AV

(15)

Website

• Malvertisting (malicious advertising)

[image:15.595.110.694.132.497.2]

– Use of online advertising to spread malware

(16)

Email

• Malicious attachment

– Ms office document, .doc, .xls, .ppt

– .pdf

– .lnk

– .swf

• Malicious link embedded

(17)

Instant Messenger

• MSN, QQ

– Embedding link

– File transfer

(18)

P2P File sharing network

• BT, eMule, Foxy etc.

(19)

Mobile Device Application

• Zeus ver 2.0, Man in the mobile (Mitmo)

• Reported in Sep 2010

• Installed in mobile devices like BlackBerry and Symbian mobile phones

• Sniff all the SMS messages that are being delivered.

(20)

Malware

[image:20.595.69.812.25.508.2]
(21)

Communication Channel

• IRC

• HTTP/HTTPS

• P2P

(22)
[image:22.595.71.770.26.461.2]

Twitter

(23)

Twitter

(24)
(25)
[image:25.595.68.783.28.431.2]

Global botnet infection rate

Fig 9 – Microsoft Security Intelligence Report Vol.9

(26)
[image:26.595.68.772.33.521.2]

Global botnet infection

(27)
[image:27.595.65.785.29.478.2]

Active Botnet Families

(28)
[image:28.595.82.740.30.523.2]

Botnet Ecosystem

(29)
(30)

Fight Back

Year 2010 is becoming a good year in shutting down big botnets.

• Mariposa

• Waledac

• Bredolab

(31)

Case Study - Mariposa

• Mariposa, (butterfly in Spanish)

• Discovered in December 2008

• 12.7 million bots in more than

190 countries (Top country – India, Top city -Seoul )

(32)
[image:32.595.70.764.33.555.2]

Case Study - Mariposa

Fig 13 – Mariposa C&C server

• More than 200 binaries

(33)

Case Study - Mariposa

• Stole credit card, banking credentials, user identity (username, password)

(34)

Case Study - Mariposa

• Mariposa Working Group (MWG) established in May 2009

(35)

Case Study - Mariposa

• In Dec 2009, MWG took control of the Mariposa Botnet

• In Feb 2010 arrested the leader (alias “Netkairo” ) by Spanish Civil Guard

(36)

Case Study - Mariposa

Lesson Learned

• 97% bots use DNS to locate C&C, detect the bots by DNS activity

(37)

Case Study - Waledac

• Waledac

• Discovered in Apr 2008

• Estimated 70,000 - 90,000 infected computers

• Spread via email

• 1.5 billion spam messages a day (about 1% of the total global spam volume)

(38)

Case Study – Waledac

• Fraudulent greeting cards and breaking news events.

• Email contains a link point to a malicious websites

• Deliver exploit code when visited

(39)

Case Study - Waledac

[image:39.595.81.778.29.497.2]
(40)

Case Study - Waledac

• “Operation b49” initiated by Microsoft’s Digital Crimes Unit

• Members:

(41)

Case Study - Waledac

• Waledac Tracker

[image:41.595.107.776.27.511.2]

http://www.sudosecure.net/waledac/index.php

(42)

Case Study - Waledac

Lesson learned

• Solved legal issue

– Microsoft Corporation v. John Does 1-27, et. al.

(43)

Security

(44)

Security Protection Scheme

• Anti-virus/Anti-malware

• Firewall

• Apply security patches

• Malicious Website detection

(45)

Anti-virus/Anti-malware

• Deploy Cloud technology

• A unknown application is launched, ask the cloud network to look up this application

(46)

Firewall

• In-bound and out-bound detection

• Open ports detection

• Unknown application warning

• System change warning

• Sandbox

(47)

Apply security patches

• Vendor's OS and application update checking features

(48)

Malicious Website detection

(49)

Malicious Website detection

(50)

Malicious Website detection

• Wepawet

http://www.mywot.com/en/download

MonkeyWrench

(51)

Malicious Website detection

• Blocklist

– Malware Domain Blocklist

http://www.malwaredomains.com/files/domains.txt

– ZeuS Blocklist

https://zeustracker.abuse.ch/blocklist.php

– SpyEye Blocklist

(52)

File Analysis

• VirusTotal

(53)

File Analysis

• MalOffice

(54)

Q & A

Thank You

Figure

Fig 1 - Sales ranking on underground economy (Source from Symantec)
Fig 2 - Typical Botnet structure
Fig 3 - Source from Trend Micro
Fig 4 – Fake YouTube website delivers malware (Kooface)
+7

References

Download now ( PDF - 54 Page - 2.32 MB )

Related documents

Adams County Adult Correctional Complex

Inmates will be charged for the following general services at a rate established by the Warden (refer to current Schedule of Inmate Fees posted in your housing unit):.

Revisiting Metacognition and Metaliteracy in the ACRL Framework

When the first draft of the ACRL Information Literacy Framework for Higher Education was released in 2014, it clearly was an entirely new conception meant to replace, rather than

Everything Old Is New Again: Enforcing Tribal Treaty Provisions to Protect Climate Change-Threatened Resources

The U.S. Supreme Court, however, has also recognized a second category—a claim for breach of a bare or limited trust responsibility. A “general trust claim” refers to a

Chandipura virus: a major cause of acute encephalitis in children in North Telangana, Andhra Pradesh, India

A hospital-based surveillance was undertaken between May 2005 and April 2006 to elucidate the contribution of Chandipura virus (CHPV) to acute viral encephalitis cases in

Effects of Service-Learning on Student Attitudes Toward Academic Engagement and Civic Responsibility

The purpose of this chapter is to provide a review and synthesis of the literature that is related to a theory of service-learning, a review of empirical studies of service-

Molecular Structure and Modeling of Water-Air and Ice-Air Interfaces Monitored by Sum-Frequency Generation.

58 − 60 , 118 This explains why the inclusion of the nuclear quantum e ffects or corresponding frequency shift provides a frequency of 3700 cm −1 free O −H peak for several

On classical n-absorbing submodules

In this paper, we introduce the notion of classical n-absorbing sub- modules of a module M over a commutative ring R with identity, which is a generalization of classical

CataLOG. - Catalyzing Logistics

SaaS, in simple terms, is the hosting and maintenance of software, hardware and associated infrastructure by a certain party, who leases out a single instance of