1 / 37

2010.11.22 資安新聞簡報

2010.11.22 資安新聞簡報. 報告 者: 劉旭哲 、曾家雄. Spam down, but malware up. 報告者:劉旭哲. Nov 17 McAfee Threats Report: Third Quarter 2010 Spam is declined, but malware is increasing. Spam is still high It continued its overall decline from January, both globally and nationally.

qiana
Télécharger la présentation

2010.11.22 資安新聞簡報

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 2010.11.22資安新聞簡報 報告者:劉旭哲、曾家雄

  2. Spam down, but malware up 報告者:劉旭哲

  3. Nov 17 McAfee Threats Report: Third Quarter 2010 Spam is declined, but malware is increasing.

  4. Spam is still high • It continued its overall decline from January, both globally and nationally. • But identity theft, phishing attacks, and malicious links remain as serious as ever. • eg: US

  5. Malware continues to be the biggest threat. This year they have identified more than 14 million unique pieces of malware. Over one million more malware than at the same time last year. Increase has slowed, but the growth continues.

  6. A mix of many established standards. Mainly in the form of password-stealing Trojans, AutoRun malware, and fake AV software. For example: Zeus, Koobface

  7. Conclusion Cybercriminals are becoming more smart Attacks are becoming increasingly more severe Focus on mobile devices and social-networking sites.

  8. reference http://news.cnet.com/8301-1009_3-20023067-83.html?tag=mncol;title http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf

  10. Delivery Status Notification

  11. Koobface: Inside a Crimeware Network November 12, 2010 By NART VILLENEUVE

  12. A New Botnet From April to November 2010 the Information Warfare Monitor investigated the operations and monetization strategies of the Koobfacebotnet

  13. Koobface • Koobface maintains a system that uses social networking platforms to send malicious linkssuch as: • Bebo, Facebook, Friendster, Fubar, • Hi5, MySpace, Netlog, Tagged, Twitter......etc. • Koobface also leverages connections to other malware groups associated with Bredolab, Gumblar, Meredrop, and Piptea

  14. Koobface • The Koobface operators also employ counter-measures against security efforts to counter their operations • The “banlist” of Internet protocol • Koobface operators carefully monitor whether any of their URLs have been flagged as malicious one by Facebook, or Google

  15. Propagation Koobface spreads by using credentials on compromised computers to login to the victim’s account It sends messages that contain links to malware to friends that are linked to the account

  16. Propagation

  17. Propagation The malicious link is often concealed using the URL shortening service It redirects victim to a malicious Web page that encourages the user to run the accompanying executable These malicious pages purport to be YouTube pages that require a new codec or an Adobe Flash upgrade in order to view the video

  18. Propagation

  19. Infrastructure • Koobface maintains an infrastructure that integrates command and control capabilities • Zombie proxies obscure the location of C&C

  20. Command and Control • Koobface’s main command and control server is hosted on 85.13.206.115 (Coreix, GB) • It maintains a database that contains information on the infrastructure of the Koobfacebotnet • The compromised hosts that have been turned into relays • And used by the operators to proxy requests

  21. Command and Control Koobface maintains a number of fraudulent accounts with third party services Koobface also appears to use compromised computers to host landing pages

  22. Command and Control The Koobface malware has a modular structure that allows the botnet operators to install additional components on compromised computers based on specific criteria The compromised computer connects to one of Koobface’s relay Web servers, which act as proxies of C&C

  23. Command and Control • The malware on the compromised host requests URLs that contain parameters • fbgen • ldgen • ppgen • CAPTCHA

  24. fbgen This file determines the contents of the message and the Koobface URL to send to the Facebook friends associated with Facebook accounts found on the compromised computer

  25. ldgen This file determines what further binaries the compromised host will download from the command and control server IP address in a range

  26. ppgen • These URLs point to rogue security software affiliates on Google searches for keywords such as • Antivirus • best+spyware+remover • adware+spyware+removal • It triggers the search hijacker when the user clicks on any of the links returned by Google

  27. CAPTCHA Koobface uses random samplings of real Facebook profile information stolen from compromised accounts to create fictitious accounts The popup window suggests that the computer will shutdown if the CAPTCHA is not solved

  28. CAPTCHA

  29. Monitoring & Countermeasures The operators of the Koobfacebotnet have a system in place to monitor the operations of the botnet and to ensure that the system continues to maintain the infrastructure that is required to operate it

  30. Monitoring & Countermeasures

  31. Monitoring & Countermeasures Koobface carefully monitors its links through the Google Safe Browsing API and checks if any of their URLs have been flagged as malicious by bit.ly or Facebook

  32. Monitoring & Countermeasures

  33. Monitoring Installations Koobface keeps count of successful installations and traffic generated by the botnet

  34. Monitoring Installations

  35. Monitoring Installations • When an Internet user visits a Koobface landing page and installs the malware, the malware connects through a relay server to C&C and sends the • Compromised user’s IP address • Geographic location • Unique identifier • Koobface user identifier • Malware identifier • This allows Koobface to keep track of malware installations

  36. Reference http://krebsonsecurity.com/2010/11/pursuing-koobface-and-partnerka/ http://www.infowar-monitor.net/reports/iwm-koobface.pdf

More Related