GRNET CERT 2012
http://www.grnet.gr
by Alex Zaharis
Website: http://cert.grnet.gr
Email: [email protected]
Team: GRNET-CERT
Phone: +30 210 7475718
Overview
• GRNET-CERT Info & Deliverables
• GRNET-CERT Services
• Workload Statistics
• Case 1: Phishing Attack
• Case 2: SQL Injection Attack
• Case 3: Malware Analysis
• Case 4: Anon
• Tools of the Trade
GRNET-CERT AT A GLANCE
• Created in 2002.
• National Point of Contact for all Educational & Research Institutes.
• Protecting the Greek Critical Internet Infrastructure.
• Participating in the National Cyber Defense Committee.
30/2/2012 GRNET-CERT 3
Other Greek CERTs:
• GR-NCERT
• FORTHCERT
• AUTH-CERT
GRNET-CERT Deliverables
• Create an overview of the risks that Internet use poses in GREECE.
• Through communication with other CERTs, create a CYBER DEFENCE Coordination Team that can handle any kind of cyber / electronic attack.
• Participated in / co-ordinated the National Cyber Defense Exercise 2011.
• TF-CERT members
CERT Cooperation Plan
22/5/2012 GRNET-CERT 5
Diagram: incidents flow between GRNET-CERT, other CERTs (XCERT, YCERT, CERT), Law Enforcement and the National Cyber Defense Committee within the National Cyber Space, and with a CERT Knowledge Pool in the Foreign Cyber Space.
GRNET-CERT SERVICES
Reactive Services
1. Issue Alerts & Warnings
2. Incident Handling
   - Incident Analysis
   - Incident Response Coordination
3. Vulnerability Handling
   - Vulnerability Analysis
4. Artifact Handling
   - Artifact Analysis
5. Forensics
Proactive Services
1. Security Announcements
2. Technology Watch
3. Security Audits & Assessments
4. Development of Security Tools
5. Intrusion Detection Services
Some Statistics
• For 2012 (5 months)
  - 900+ Various Abuse Reports Mitigated
  - 500+ Infringement Notices Handled
  - 397 Network Scans
  - 22 DOS Attacks
  - 20 DDOS Attacks
  - Over 20 Cases of Phishing / Defacing etc.
  - 2 Malware Analyses (Trojan, Scareware)
  - 1 Anonymous Attack
  - Vulnerability (SQLi, XSS) Warning issued for: http://eclass.aspete.gr
• For 2011 (last 3 months)
  - 600+ Abuse Reports Mitigated
  - 350+ Infringement Notices Handled
  - Vulnerability (SQLi, XSS) Warning issued for: http://labs.opengov.gr, http://www.presidency.gr/
Chart: breakdown of report categories (Various Abuse Reports, Infringement Notice, DOS, DDOS, Network/Port Scan, Brute-force, SPAM MAIL, SSH Brute Force, REGBOT, BADBOT, Website).
Cases
ΙΚΑ Phishing
• Scam email received.
• Attack site detected & scanned.
• Original phishing forms along with contact info recovered (emails used by attackers).
• Police authorities informed.
Type Of Attack: Phishing
High Profile Warning issued
• Labs.opengov.gr SQLi on facebook module
Type Of Attack: SQLi
Malware Analysis
Type Of Attack: Scareware / Malware
CONTACTING IP: 91.232.29.95 (Ukraine)
http://91.232.29.95/?0bbccd2979886358e559cd8ebc45985d
Anonymous Attack
• DNS requests (ANY) for isc.org
• Source IP = spoofed IPs, PORT 80
• Destination IPs = IPs of the student DSL range, PORT 53 (UDP).
• Student DSL modems with an open recursive nameserver (dnsmasq), using as forwarders the ones they received via PPP, i.e. rns0.grnet.gr & rns1.grnet.gr
• They forward the same query to our rns. Our rns answer the modems, and then the modems' dnsmasq answers the original (spoofed) destination.
• The peculiarity here is that isc.org is one of the first DNSSEC-signed zones, which means the answer to the original DNS query is large (> 512 bytes), so according to the protocol it upgrades to EDNS, which is TCP. The result is that all these thousands of student-network addresses open TCP connections to port 80 (HTTP) on the targeted hosts (i.e. those spoofed addresses) and consequently cause a DoS.
Type Of Attack: Reflective Amplified DNS Spoofing Attack
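As an added illustration (not part of the original slides), the detector below spots the pattern above in resolver-side query logs: one "source" address that sends ANY queries for the same name to many distinct open resolvers, from a service port such as 80, with a large response/request byte ratio, is the spoofed victim rather than a client. The log format, field names and sample records are constructed for this example.

```python
from collections import defaultdict
import re
# Constructed sample records (not real GRNET traffic): DNS queries seen
# arriving at student DSL modems' open resolvers (dst port 53/UDP).
SAMPLE_LOG = """\
2012-05-22T10:00:01 src=203.0.113.10:80 dst=192.0.2.21:53 proto=UDP qtype=ANY qname=isc.org req=45 resp=3200
2012-05-22T10:00:01 src=203.0.113.10:80 dst=192.0.2.22:53 proto=UDP qtype=ANY qname=isc.org req=45 resp=3200
2012-05-22T10:00:02 src=203.0.113.11:80 dst=192.0.2.23:53 proto=UDP qtype=ANY qname=isc.org req=45 resp=3200
2012-05-22T10:00:02 src=203.0.113.10:80 dst=192.0.2.24:53 proto=UDP qtype=ANY qname=isc.org req=45 resp=3200
2012-05-22T10:00:03 src=198.51.100.7:41523 dst=192.0.2.21:53 proto=UDP qtype=A qname=www.grnet.gr req=40 resp=56
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) qtype=(?P<qtype>\w+) qname=(?P<qname>\S+) "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)"
)

def parse_records(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        r = m.groupdict()
        for key in ("sport", "dport", "req", "resp"):
            r[key] = int(r[key])
        records.append(r)
    return records

def find_reflection(records, min_reflectors=3, min_amp=10.0):
    """Flag a (source, qname) pair whose ANY queries reach many distinct
    resolvers with a high response/request ratio: that source is the victim."""
    per_src = defaultdict(lambda: {"reflectors": set(), "sent": 0, "reflected": 0, "svc_port": False})
    for r in records:
        if r["proto"] != "UDP" or r["dport"] != 53 or r["qtype"] != "ANY":
            continue
        v = per_src[(r["src"], r["qname"])]
        v["reflectors"].add(r["dst"])
        v["sent"] += r["req"]
        v["reflected"] += r["resp"]
        # A DNS client "sending" from a service port (here 80) is a spoofing tell.
        v["svc_port"] = v["svc_port"] or r["sport"] < 1024
    alerts = []
    for (src, qname), v in per_src.items():
        amp = v["reflected"] / v["sent"]
        if len(v["reflectors"]) >= min_reflectors and amp >= min_amp:
            alerts.append({"victim": src, "qname": qname, "reflectors": len(v["reflectors"]),
                           "amplification": round(amp, 1), "spoof_hint": v["svc_port"]})
    return alerts
```

Run against the sample, the single alert names 203.0.113.10 as the spoofed victim with three reflectors and a 71x byte amplification; the second source is below the reflector threshold and the ordinary A query is ignored.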
Tools
• Websites:
  - https://apps.db.ripe.net/search/query.html#resultsAnchor
  - http://cqcounter.com/whois/
  - http://projecthoneypot.org/
  - http://www.phishtank.com/
  - http://www.exploit-db.com/
  - https://www.virustotal.com/
  - http://anubis.iseclab.org
  - http://www.iptrackeronline.com/header.php
  - http://www.liveipmap.com/
• Tools:
  - Netsparker, Acunetix, Metasploit
  - Wireshark, Burp Suite
  - Nmap, Zenmap
  - BackTrack (Various Tools)
  - Sqlmap, Havij
  - Vmware Workstation
  - Sysinternals
  - FTK
Questions?
Personal Info:
Name: Alex Zaharis
Email: [email protected]
Team: GRNET-CERT
Phone: +30 210 7475718