gcg2g^g '56ëfûfÚfág >Ì +# >fþ0bfØg ìfû ¥fáfö>Ìglgyg4g5g0 º/²h...
TRANSCRIPT
1
2
� 20 /
� 21
Richard Skrenta Elk Cloner
� 2010 Hacktivism Cyber Espionage
Anonymous
3
• Malware = Malicious( )+ Software
� �
�
�
� �
�
�
�
�
� �
�
�
4 GIZMODE Japan
��
�
��
�
��
�
��
�
5
��
�
6
Year Malware
1990 1260 (1st polymorphic virus), Form, Whale
1991 Tequila, Michelangelo, Anti-Telefonica, Eliza
1992 Peach (1st anti-antivirus programs), Win.Vir_1_4 (1st Windows virus)
1993 PMBS
1994 Good Times (1st hoax)
1995 Concept (1st macro virus)
1996 Laroux, Staog (1st Linux m.w.)
1997 ShareFun, Homer, Esperanto
1998 Accessiv, StrangeBrew (1st Java m.w.), Chernobyl
1999 Happy99, Tristate, Melissa, ExploreZip, BubbleBoy, Babylonia
2000 Loveletter, Resume, MTX, Hybris
2001 Anna Kournikova, BadTrans, CodeRed I, Sircam, CodeRed II, Nimda, Klez
2002 LFM-926 (1st Flash m.w.), Chick, Fbound, Shakira, Bugbear
2003 Sobig, SQLSlammer, Deloder, Sdbot, Mimail, Antinny, MSBlaster, Welchia, Agobot, Swen, Sober
2004 Bagle, MyDoom, Doomjuice, Netsky, WildJP, Witty, Sasser, Wallon, Bobax, Rbot, Cabir (1st Symbian m.w.), Amus, Upchan , Revcuss, Lunii, Minuka, Vundo
2005 Bropia, Locknut, BankAsh, Banbra, Anicmoo, Commwarrior, Pgpcoder, Zotob, Gargafx, Peerload, Cardblock, PSPBrick (1st PSP m.w), DSBrick (1st Nintendo DS m.w.), Dasher
2006 Kaiten, Leap (1st Mac OS X m.w.), Redbrowser, Cxover, Exponny, Mdropper, Flexispy, Spaceflash, Stration, Mocbot, Fujacks, Allaple
2007 Storm Worm, Pirlames, Zlob, Srizbi (1st full-kernel m.w.), Silly, Pidief
2008 Mebroot, Infomeiti, Conficker
2009 Virux, Yxes,Gumbler, Induc, Ikee (1st iPhone m.w.)
2010 Zimuse, Trojan-SMS. AndroidOS.FakePlayer (1st Android m.w.), Stuxnet
Year Malware
1970
1971 Creeper (1st worm)
1972 # The term “virus” first appeared in a SF novel “When HARLIE Was One”.
1973
1974
1975 # The term “worm” first appeared in a SF novel“The Shockwave Rider”.
1976
1977
1978
1979
1980 Xerox PARC Worm
1981
1982 Elk Cloner (1st virus)
1983
1984 # Cohen defined virus in his paper “Computer Viruses - Theory and Experiments”.
1985
1986 Brain (1st IBMPC virus), PC-Write (1st Trojan horse), Virdem
1987 Cascade, Jerusalem, Lehigh, Christmas Tree, MacMag
1988 Byte Bandit, Stoned, Scores, Morris Worm
1989 AIDS (1st ransomware), Yankee Doodle, WANK
Year Malware
1990 1260 (1st polymorphic virus), Form, Whale
1991 Tequila, Michelangelo, Anti-Telefonica, Eliza
1992 Peach (1st anti-antivirus programs), Win.Vir_1_4 (1st Windows virus)
1993 PMBS
1994 Good Times (1st hoax)
1995 Concept (1st macro virus)
1996 Laroux, Staog (1st Linux m.w.)
1997 ShareFun, Homer, Esperanto
1998 Accessiv, StrangeBrew (1st Java m.w.), Chernobyl
1999 Happy99, Tristate, Melissa, ExploreZip, BubbleBoy, Babylonia
2000 Loveletter, Resume, MTX, Hybris
2001 Anna Kournikova, BadTrans, CodeRed I, Sircam, CodeRed II, Nimda, Klez
2002 LFM-926 (1st Flash m.w.), Chick, Fbound, Shakira, Bugbear
2003 Sobig, SQLSlammer, Deloder, Sdbot, Mimail, Antinny, MSBlaster, Welchia, Agobot, Swen, Sober
2004 Bagle, MyDoom, Doomjuice, Netsky, WildJP, Witty, Sasser, Wallon, Bobax, Rbot, Cabir (1st Symbian m.w.), Amus, Upchan , Revcuss, Lunii, Minuka, Vundo
2005 Bropia, Locknut, BankAsh, Banbra, Anicmoo, Commwarrior, Pgpcoder, Zotob, Gargafx, Peerload, Cardblock, PSPBrick (1st PSP m.w), DSBrick (1st Nintendo DS m.w.), Dasher
2006 Kaiten, Leap (1st Mac OS X m.w.), Redbrowser, Cxover, Exponny, Mdropper, Flexispy, Spaceflash, Stration, Mocbot, Fujacks, Allaple
2007 Storm Worm, Pirlames, Zlob, Srizbi (1st full-kernel m.w.), Silly, Pidief
2008 Mebroot, Infomeiti, Conficker
2009 Virux, Yxes,Gumbler, Induc, Ikee (1st iPhone m.w.)
2010 Zimuse, Trojan-SMS. AndroidOS.FakePlayer (1st Android m.w.), Stuxnet
Year Malware
1970
1971 Creeper (1st worm)
1972 # The term “virus” first appeared in a SF novel “When HARLIE Was One”.
1973
1974
1975 # The term “worm” first appeared in a SF novel“The Shockwave Rider”.
1976
1977
1978
1979
1980 Xerox PARC Worm
1981
1982 Elk Cloner (1st virus)
1983
1984 # Cohen defined virus in his paper “Computer Viruses - Theory and Experiments”.
1985
1986 Brain (1st IBMPC virus), PC-Write (1st Trojan horse), Virdem
1987 Cascade, Jerusalem, Lehigh, Christmas Tree, MacMag
1988 Byte Bandit, Stoned, Scores, Morris Worm
1989 AIDS (1st ransomware), Yankee Doodle, WANK
Was O
Rider
aand Exp
r”
Nimda K
er, We
lon, Bka, Vu
gpcod(1st N
y, Md
Pidief
, Stuxnet
a, K
elc
Bobun
erNinnn
dro
Ninnn
dro
irus)
7
hoax)
oncept (1st macro virus)
1996 Laroux, Staog (1st Linux m.w.)ww
1997 ShareFun, Homer, Esperanto
1998 Accessiv, StrangeBrew (1st Java m.w.)ww , Ch
1999 Happy99, Tristate, Melissa, E
2000 Loveletter, Resum
2001 Anna
200
Comp
8
nicter
(nicter: Network Incident analysis Center
for Tactical Emergency Response)
9
: •
• • • -
nicter = Network Incident analysis Center for Tactical Emergency Response
10
!
!
!
Tiles Cube
Atlas
19
1 5000
30 1
Alert ------------ ------------ ------------
11
���
Darknet
12
13
UDP TCP SYN TCP SYN/ACK TCP Other ICMP
•
•
•
14 IPv4
14
�
0
500
1000
1500
2000
2500
0
1000000
2000000
3000000
4000000
5000000
6000000
7000000
8000000
9000000
10000000
2006
.04.
0120
06.0
5.26
2006
.07.
2020
06.0
9.13
2006
.11.
0720
07.0
1.01
2007
.02.
2520
07.0
4.21
2007
.06.
1520
07.0
8.09
2007
.10.
0320
07.1
1.27
2008
.01.
2120
08.0
3.16
2008
.05.
1020
08.0
7.04
2008
.08.
2820
08.1
0.22
2008
.12.
1620
09.0
2.09
2009
.04.
0520
09.0
5.30
2009
.07.
2420
09.0
9.17
2009
.11.
1120
10.0
1.05
2010
.03.
0120
10.0
4.25
2010
.06.
1920
10.0
8.13
2010
.10.
0720
10.1
2.01
2011
.01.
2520
11.0
3.21
2011
.05.
1520
11.0
7.09
2011
.09.
0220
11.1
0.27
90 ( ) 90 ( )
15
16
UDP TCP SYN TCP SYN/ACK TCP Other ICMP
Sour
ce IP
Add
ress
Des
tinat
ion
IP A
ddre
ss
• 3
•
• IP
3D
• 2008 10 23 Microsoft – MS08-067 –
• MicrosoftServer Service –
• Conficker Downadup – 2008 11 21
• Microsoft 25 – 2009 2 12
• Blaster
17
18
0
5000
10000
15000
20000
25000
0
100000
200000
300000
400000
500000
2008/11/01 2008/11/21 2008/12/11 2008/12/31 2009/01/20 2009/02/09 2009/03/01 2009/03/21 2009/04/10 2009/04/30
Date (Nov 1st 2008 – Apr 30th 2009)
Conficker A (11/21)
Conficker B (12/29)
Conficker C (2/20)
Conficker D (3/4)
Conficker E (4/7)
19
• 1 30 1 • •
20
IP
IP
•
Source Destination
21
: – –
: –
•
– 1 6 10 • 1 1200 2000
: – –
22
23
Data Analyzer
Internet Emulator
DNS FTP
HTTP
SMTP TFTP
IRC
Victim Host
Malware API Log
Analysis Result (XML)
Packet Data
(PCAP)
Server Log
Behavior Pattern
Database
NTP HTTPS
• • OS Victim Host • Internet Emulator
24
BKDR_GOBOT.K PE_VIRT.D
• Web
25
( ) •
•
•
26
In the Wild
In the Lab
Correlation
27
NemeSys Correlation Manager
Malware kNOwledge Pool (MNOP)
Profiler
Correlator
Profile parameter 1 parameter 2 parameter 3 parameter 4 …
PF of MW1 parameter 1 parameter 2 parameter 3 parameter 4 …
… PF of MW2
parameter 1 parameter 2 parameter 3 parameter 4 …
PF of MW3 parameter 1 parameter 2 parameter 3 parameter 4 …
PF of MW4 parameter 1 parameter 2 parameter 3 parameter 4 …
PF of MW5 parameter 1 parameter 2 parameter 3 parameter 4 …
Scan from a certain host
1st Candidate
28
•
•
A B
C
L-SOC
I-SOC
•
•
•
PC
(1)
(2)
(3)
(4)
•
• JPCERT/CC
@Police
IPA
University
•
•
•
nicter DAEDALUS
DAEDALUS: Direct Alert Environment for Darknet And Livenet Unified Security
30
IP
31
Analysis Center
: Darknet : Livenet
32
DAEDALUS 3
33
: :
A
C
D E
F
G
B
A
C
D E
F
G
B
A
C
D E
F
G
B
Analysis Center
: Darknet : Livenet
: Infected Host 34
Analysis Center
Darknet Traffic
: Darknet : Livenet
: Infected Host 35
36 3636
• •
(Advanced Persistent Threat)
• SNS
• IPv6 etc…
•
•
•�
•
37
38
! ?
39
• •
40
41
�
� 1 �
�
�
�
�