ycrc.tanet.edu.tw/note/seminar/socialeng_20101020.pdf


Upload: vanbao

Post on 22-Mar-2018


TRANSCRIPT

CCIE #13673, PMP

Agenda



Web Threat

[Figure: Threat Environment Evolution to Crimeware. Vertical axis: Complexity; horizontal axis: 2001, 2003, 2004, 2005, 2007. Labels: Worm/Outbreaks, Mass Mailers, Vulnerabilities, Spyware, Spam, Intelligent Botnets, Crimeware, Web Based Malware Attacks.]

Web Based Malware Attacks:

• Multi-Vector
• Multi-Component
• Web Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
• Botnet Enabled

• Mobile phone virus
• Spam
• Key Logger
• Phishing
• HTML Injection
• Spyware

• Botnet
• SQL injection
• Cross Site Script
• Clickjacking
• Google hacking

NTT DoCoMo iMode mobile virus

iPhone Virus

Spam

Spam Problem: Worse Than Ever

• Zombies and Botnets
• Image Spam

Key Logger

• Key-logger program: captured keystrokes are written to a log file
• Windows registry

Key-logger demo (captured input):

H123456789
H123456789
********
whatever

Phishing

• Phishing (phishing)
• Masked URL
• SSL

Pharming

• Pharming versus phishing (phishing relies on E-mail lures)
• Pharming tampers with DNS (Domain Name Server) resolution or uses malware to modify the HOSTS file, so that the IP a hostname resolves to is replaced

HTML Injection

Form Grabber

Spyware

Spyware Threat

• IDC survey, November 2004: 67 (PCs with spyware)
• Spyware EULAs

Phishing.org Info

Are You Using Crack Version Software?

• Intervalhehehe: included in cracked version of WinRAR
• Self-extractor runs WinRAR installer and an “explore.exe”
• Redirect google.com, yahoo.com, etc. to websites that distribute rogue antivirus and antispyware solutions

Antivirus 2009

Botnet

• click fraud

Bot & Botnet

• Bot
• Botnet (Zombie Network / Robot Network): a network made up of Bot-infected computers, typically controlled over IRC and used for phishing (Phishing), spam (Spam) and DDoS

• SQL injection

[Figure: infection chain diagram; legible labels: SQL injection, Downloader.]

SQL Injection demo

1. SQL Injection
2. SQL Injection
3. SQL Injection: ' or 1=1--
4. SQL Injection
5. SQL Injection: ';drop table
6. SQL Injection (K_Table)
7. SQL Injection: '; exec master..xp_cmdshell 'net users 1111 1111 /add'-- (user 1111)
8. SQL Injection (user 1111)
9. SQL Injection (1111)

SQL Injection demo (continued): SQL stored procedure and netcat

• stored procedure, netcat
• tftp server, nc.exe
• nc.exe in System32
• nc.exe, port 8080
• netstat, nc.exe port 8080; pass.txt
• telnet, port 8080
• pass.txt

XSS demo (java script; steps 1 to 3)

Clickjacking

Clickjacking Demo

Google Hacking

Google Hacking Database (GHDB)

Koobface

Protection measures

• Check the URL
• Change account passwords regularly
• Install the latest Server Pack / Hot Fix so known Bugs are patched
• Close unneeded services and ports (Ports)
• Update antivirus (virus) software and scan regularly

Q&A
