grnet cert 2012

Post on 24-Feb-2016


http://www.grnet.gr

GRNET CERT 2012 by Alex Zaharis

Website: http://cert.grnet.gr
Email: cert@grnet.gr
Team: GRNET-CERT
Phone: +30 210 7475718

Overview

• GRNET-CERT Info & Deliverables
• GRNET-CERT Services
• Workload Statistics
• Case 1: Phishing Attack
• Case 2: SQL Injection Attack
• Case 3: Malware Analysis
• Case 4: Anon
• Tools of the Trade

GRNET-CERT AT A GLANCE

• Created in 2002.
• National Point of Contact for all Educational & Research Institutes.
• Protecting the Greek Critical Internet Infrastructure.
• Participating in the National Cyber Defense Committee.

30/2/2012 GRNET-CERT 3

Other Greek CERTs:
• GR-NCERT
• FORTHCERT
• AUTH-CERT

GRNET-CERT Deliverables

• Create an Overview of the risks the use of Internet poses in GREECE.

• Through Communication with other CERTs create a CYBER DEFENCE Coordination Team that can handle any kind of Cyber / Electronic attack.

• Participated/Co-ordinated the National Cyber Defense Exercise 2011.

• TF–CERT members


CERT Cooperation Plan


[Diagram: CERT Cooperation Plan. Within the National Cyber Space, GRNET-CERT exchanges incidents with other CERTs (XCERT, YCERT), Law Enforcement and the National Cyber Defense Committee, and with CERTs in the Foreign Cyber Space; all feed a shared CERT Knowledge Pool.]

GRNET-CERT SERVICES


Reactive Services

1. Issue Alerts & Warnings
2. Incident Handling
   - Incident Analysis
   - Incident Response Coordination
3. Vulnerability Handling
   - Vulnerability Analysis
4. Artifact Handling
   - Artifact Analysis
5. Forensics

Proactive Services

1. Security Announcements
2. Technology Watch
3. Security Audits & Assessments
4. Development of Security Tools
5. Intrusion Detection Services

Some Statistics

• For 2012 (5 months)
- 900+ Various Abuse Reports Mitigated
- 500+ Infringement Notices Handled
- 397 Network Scans
- 22 DOS Attacks
- 20 DDOS Attacks
- Over 20 Cases of Phishing / Defacing etc.
- 2 Malware Analyses (Trojan, Scareware)
- 1 Anonymous Attack
- Vulnerability (SQLi, XSS) Warning issued for: http://eclass.aspete.gr

• For 2011 (last 3 months)
- 600+ Abuse Reports Mitigated
- 350+ Infringement Notices Handled
- Vulnerability (SQLi, XSS) Warning issued for: http://labs.opengov.gr and http://www.presidency.gr/

[Chart: breakdown of handled incidents by type: Various Abuse Reports, Infringement Notice, DOS, DDOS, Network/Port Scan, Brute-force; abuse-report subtypes: SPAM MAIL, SSH Brute Force, REGBOT, BADBOT, Website.]

Cases


ΙΚΑ Phishing

• Scam email received.
• Attack site detected & scanned.
• Original phishing forms along with contact info recovered (emails used by attackers).
• Police authorities informed.

Type Of Attack: Phishing

High Profile Warning issued

• Labs.opengov.gr SQLi on facebook module


Type Of Attack: SQLi

Malware Analysis


Type Of Attack: Scareware \ Malware

Contacting IP: 91.232.29.95 (Ukraine)
http://91.232.29.95/?0bbccd2979886358e559cd8ebc45985d

Anonymous Attack

• DNS requests (ANY) for isc.org
• Source IP = spoofed IPs, port 80
• Destination IPs = IPs of the student DSL, port 53 (UDP)
• Student DSL modems with an open recursive nameserver (dnsmasq) and, as forwarders, the ones received over PPP, i.e. rns0.grnet.gr & rns1.grnet.gr
• They forward the same query to our rns. Our rns answer the modems, and then the modems' dnsmasq answer the original (spoofed) destination.
• The peculiarity here is that isc.org is one of the first DNSSEC-signed zones, which means the answer to the original DNS query is large (> 512 bytes), so according to the protocol it upgrades to EDNS, which is TCP. The result is that all these thousands of student-network addresses open TCP connections to port 80 (HTTP) on the targeted hosts (i.e. those spoofed addresses) and consequently cause a DoS.

Type Of Attack: Reflective Amplified DNS Spoofing Attack
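As an added example (not part of the slides or of GRNET-CERT's tooling), a small Python detector for the pattern described in this case: one "source" address (really the spoofed victim) sending ANY queries from a fixed source port to many distinct open resolvers on the student DSL range. The log format and the sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records, not taken from the GRNET-CERT slides: one
# line per UDP/53 query seen at the student-DSL edge, in the form
# "src_ip:src_port -> dst_ip:dst_port QTYPE qname".
SAMPLE_QUERIES = """\
198.51.100.7:80 -> 10.0.1.11:53 ANY isc.org.
198.51.100.7:80 -> 10.0.1.12:53 ANY isc.org.
198.51.100.7:80 -> 10.0.1.13:53 ANY isc.org.
198.51.100.7:80 -> 10.0.1.14:53 ANY isc.org.
10.0.1.11:41022 -> 10.0.1.14:53 A www.grnet.gr.
10.0.2.20:53011 -> 10.0.1.12:53 AAAA isc.org.
""".splitlines()

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) (\S+)$")

def parse_query(line):
    """Return a dict for one record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, qtype, qname = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "qtype": qtype, "qname": qname}

def find_reflection_sources(lines, min_resolvers=3):
    """Group ANY queries by source address. A source that fans out across
    many distinct resolvers while never changing its source port is the
    reflection signature; the 'source' is the spoofed DoS victim.
    Returns {victim_ip: summary}."""
    seen = defaultdict(lambda: {"resolvers": set(), "ports": set(), "qnames": set()})
    for line in lines:
        rec = parse_query(line)
        if rec is None or rec["dport"] != 53 or rec["qtype"] != "ANY":
            continue
        entry = seen[rec["src"]]
        entry["resolvers"].add(rec["dst"])
        entry["ports"].add(rec["sport"])
        entry["qnames"].add(rec["qname"])
    flagged = {}
    for src, entry in seen.items():
        # A real client uses an ephemeral port and one or two resolvers.
        if len(entry["resolvers"]) >= min_resolvers and len(entry["ports"]) == 1:
            flagged[src] = {"resolvers": len(entry["resolvers"]),
                            "port": next(iter(entry["ports"])),
                            "qnames": sorted(entry["qnames"])}
    return flagged

if __name__ == "__main__":
    for victim, info in find_reflection_sources(SAMPLE_QUERIES).items():
        print(f"spoofed victim {victim}: {info['resolvers']} reflectors, "
              f"src port {info['port']}, qnames {info['qnames']}")
```

The flagged address is the party to notify, and the destination resolvers are the modems that should stop answering recursive queries on their WAN side.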

Tools

• Websites:
– https://apps.db.ripe.net/search/query.html#resultsAnchor
– http://cqcounter.com/whois/
– http://projecthoneypot.org/
– http://www.phishtank.com/
– http://www.exploit-db.com/
– https://www.virustotal.com/
– http://anubis.iseclab.org
– http://www.iptrackeronline.com/header.php
– http://www.liveipmap.com/

• Tools:
– Netsparker, Acunetix, Metasploit
– Wireshark, Burp Suite
– Nmap, Zenmap
– BackTrack (Various Tools)
– Sqlmap, Havij
– VMware Workstation
– Sysinternals
– FTK

Questions?

Personal Info:
Name: Alex Zaharis
Email: azaharis@admin.grnet.gr
Team: GRNET-CERT
Phone: +30 210 7475718