Àq z ¡ô
Source: ycrc.tanet.edu.tw/note/seminar/socialeng_20101020.pdf
��Q��ÝÚ
• �°B��lÛ��¼• ���aRD1�_wM
–�Æ–xå–Y;
• Àåà=
��Q�aR
• fc�ãW�• &�Þ�éj«éC�é!/éØ´�-éÈ»éË���kV–yTähtPì–ç2��u} �Uì–í< �–
] vs. �—Ąß}Á��ZÓ0��§©• #±14t34Ŷ½�• ƒƏŽ�ƺ• �m¨ª½�(• Ǹ³s��ƏŽĉ�
"+½LŻÁ• â�ǣ¥�¸�ą• �MƬÑƟƇ• ȅř; �NjġƄý®ĥ/ġƽ
• ǩŬÃnj®Ļč�ı
:ÃǓâO½LŻŚi�ÖȀ�Ő
• LŻijǭǮşǧƻĔǔŚiƋ�a Web Ɵć�ň�Âq�0
• ȅ¥ƟƇƦu�ƿ�Ƌǜĥžġƽ½LŻĹȉ³ȈjÄ
Threat Environment Evolution to Crimeware
[Figure: threat complexity plotted against year (2001, 2003, 2004, 2005, 2007). Stages labelled on the chart: Vulnerabilities, Worm/Outbreaks, Mass Mailers, Spam, Spyware, Intelligent Botnets, Crimeware, Web Based Malware Attacks.]
Characteristics of current attacks:
• Multi-Vector
• Multi-Component
• Web Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
• Botnet Enabled
ôƄȅ¥2i
• 0NjĄß
• ©�ŧT
• Key Logger
• ƟƇŁń (phishing)
• HTML Injection
• Spyware
ôƄȅ¥2i
• Botnet
• SQL injection
• Cross Site Script
• Clickjacking
• Google hacking
3H NTT DoCoMo iMode 0Njā
iMode�MÁk£ĄßĠŘ½ŋ}ƭŧT��¿ĩrÕ�ŧTƀð½ťļŝÒ�0NjŴsĘƴž£110ƞÓŇāƏƃ
Spam Problem: Worse Than Ever
• Ş�bƶ½ÈTŀÚ©�ŧT�r7�Ǫ½Ư=
• Zombies§BotnetsȋŘď©�ŧTȇ½�ø²�įa©�ŧTʼn9Ú�MoƝƌőƵ
• Spamų�ĵ�Ǫ½ƕŦ� dImage Spam
• Ù��źĭ¥Ǝǫ©�ŧT��Ũ½©�ŧTč!ŗ{M�Ǘư�z´LJøŨ§¢;½ƟƇĚǴ
Key-logger ǧƻĔǔŚi
• Key-loggerŚi@Ĕǔ¯msǧƻǐ��e$��Ģ¢f��ċǔǠ(log file)��
• âÖȀċǔǧƻǐ��key-loggerŚiäZ±�ĊǛMŚi�ūƉ�Windows registry�7ūģdž±ċljȉŸ�ğu
• ǘÐ@ǮNŔ�key-loggerŚi�ĔǔƏŽ�MÁǧ��ƟƇĥž�Ãnjġƽ�ãt±ô Njġ1T�ŗÒBū¥ħċǔǠ(log file)��@ȅ¥[ƚƏ�Ƅý
ÕǧȅȄLJ½Ɗ}2i
H123456789
H123456789
********
whatever
�", �*1��)-�;$PC�#�+58/
+56�)! �7PC�"���)-$���9
�.��&��<
ƟƇŁń�Ǟ
• xǏƟƇŁń (phishing)�
– ƟƇŁńÚ�ƚĕ¥Ĩ�'½ŕǼ2i�ţǼ ��M[ƚǵǼ0ÞȋĨō�;ó¯ƨ½ô Ƅý� dÈM?žƽ�ġƽ�ĥž®¢;Ƅý�ƟƇŁń½Ŀú@:ľƎ ®Əƃ�aƿ�ÍÚźN©�ÈT®ƲƈiŢś
• ƟƇŁńţǼ½DȌƐ ƪ�
– Ǽ�½ţǼ�ĵŦ��;ó½ƟƇŁńŧTơƟñ��Ʒ�;óĻģǁƢ«2Ɵñ½ƑƐơ¢;íëăƳ
– ƟƇŁńţǼÈT½ƾ �
ƟƇŁń�Ǟ
ƟƇŁń�Ǟ
• ƟƇŁń (phishing)ţǼ½Ə�ŧTăƳ
– ƼƣĨ½ĥž
– Ǎű½íëÐ/
– dµĨ�a 48 �þ%_ǰ�Ĩ½ĥžĢĶǹł
– Õ��:�ļŝ¡f¥Ĩ½ĥž
• Masked URL w�ƾ
• ƒ±@ƗÈT½Ǜȇ2i
– ǡǤ@ƗÈT
– ǨǑƏ�ŧT�½ťļŝþǂ�.
– �MĨô ĀȆ®¾īaƟ�Y�ǐ�Ɵ�
– ŸĨaƟćǐ�ô ®ÃnjƄýÌƼƣgXǶŃ(SSL)
– �ëaƈ<Ţś�ǐ�ô ®ÃnjƄý
– źģǡÝĨ½ÈM?ơƦu³IJ
• ţǼƟƇƦu�ƿ�Ƌǜĥžâ8ëOƸ• �MÀQ�Ś¸ǣ¥�¸�ą
ƟƇŁńKǢ
�Ʈ÷½ƟĜ/�ŭī (pharming)
• Pharming�ƟĜ/�ŭī�ƅPhishing�ƟƇŁń�ņ�½�ZÚ�ÒÁRËƦuŜÃnjNjƔŘ<ĤmĒƟ�ļŝ½E-mail�rPharming�ƟĜ/�ŭī�ĭM�ǺǷĆ½ƟĜ/�ŭī0¸
• ^âEÚǮN�ÉDNS� Domain Name Server�z´LJ½2i�Ŕ�ŋůŚiõ�HOSTSǠā��MÁ��ǐ�JƼƟ��źDNS½IPv�DZŏ��Ŵ�¿�ǿ`ĶLj-£đĽƟć
• ǘÐmNjŴȅ¥ô ½NjġƄý�a[�Ųň-ǝ�Čǃę:)ÀQƟƇƟćŘ�ŋůļŝ�ǮoŰÛƱ�½�MÁĮż�ƟƇŻLǦŴ�M�<.š½ÀQ�Ś0¸-Ƥ®ŕǼ¦÷ÁÕ�ļŝ®Ľķ�DŽŰÛ½Ɵć
Spyware
Spyware Threat
• ƪÚũǎĹȉ
– ¯Ǐ½ũǎĹȉÚ�ôıƛ�º×ŴaIź�MÁZů½ĩ¹�ŦuƱ��kŪ� Ƅč�®õ�ƏŽĸªŜuâ½Ĺȉ
• ũǎĹȉ½ăƳ
– ��Ǫå£Ʊ�Ţś
– �½ĸªDŽ£���r7Ŗ¸ÔŊöH½ĸª
– �½ƟñǬȁLJ<įdzD½$T�|���ċħ�ƉƎĺ�$T
– �½ƏŽȇħ*ǛǒǀãtŸNj
Spyware Threat
• '¶&A IDC a 2004 h 11 4¯ē½æ��yì�èp'� 67 ½ĂŤÁ PC ŀ�¦£ÜƚÎi½ũǎĹȉ½ŰÛ
• ũǎĹȉ@ǣħ�ą�¯:KǢĩ�3ąǽí
• �ǯm½ũǎĹȉŀm³Ƽ½ƍ¸uâ
– �MÁģģŖ.½Zů�ŤĹȉ½ EULAs
Phishing.org Info
Are You Using Cracked Software?
• Intervalhehehe: included in a cracked version of WinRAR
• The self-extractor runs the WinRAR installer and an “explore.exe”
• Redirects google.com, yahoo.com, etc. to websites that distribute rogue antivirus and antispyware solutions
xǏ Bot & Botnet
• Bot
–�ƛâƩǙŚi®ƩǙǯ�DŽ¦ŰÛÒģ�½uâdZƩǙ®ȎÑĊ@¦ƥƜm. �NJĪoƏŽ
• Botnet
–�ƛȎÑƟƇ Zombie Network�®NjLJ ƟƇ Robot Network���ż Bot ¯ijj½ƏŽƟƇ
–ǘÐǮN IRC ŜƝƌƥƜĪ¤¦ŰÛ½8Nj�@ŘĘƟƇ�Ǟ�>Øȅ¥�ġƄý�ƟƇŁń(Phishing)�őF©�ŧT(Spam)�ŘĘÆǪi´ė(DDoS)—ûǚĶǘƟćŜLŻuâ
�ǞơőƵ2i
• ǘÐ�MSQL injectionäǹ�ĵŔ�ŋůļŝt[�¿]Ɵć
• �MÁļ�¿]Ɵć�Ò�DŽéŒLj\ŋůļŝ�Ƃŋůļŝ�MŮĹ½ùǨaM/ƜğuŋůŚi¥ħȃî
• ¦ŰÛ½�MÁƏŽŴ£ƬÑƟƇ�Ɖ¢;½ŋůŚi(OÌŘįǻÎ�âăàS5ĐǻνĄß)
• ăàS5ĐĄßmȅ¥�MÁƏŽƄý½uâ
[Figure: attack flow diagram across two slides; recoverable labels: "SQL injection", "Downloader"; the remaining labels did not survive extraction.]
4. &�SQL Injectionâ�F1Êi!
#��Êiµâ�F1!
SQL InjectionPƾ
5. &�SQL Injectionâ�'ÜÊi!
Ï�’;drop table���M�
SQL InjectionPƾ
6. &�SQL Injectionâ�'ÜÊi]*!
I³! K_Table���¸�!!
SQL InjectionPƾ
7. &�SQL Injectionâ�jA��©
¦�'; exec master..xp_cmdshell 'net users 1111 1111 /add'—K.³kZ4�u�1111
SQL InjectionPƾ
8. &�SQL Injectionâ�jA��©]*!
/·s¢YA�d�³kZ4�u�1111
JJ{, 5_µ8Z4�r�h°?�]5�?
SQL InjectionPƾ
9. &�SQL Injectionâ�'Ü��©]*!
�u�1111��!!JJ{, 5_µ8S?�¬�±]5�?
SQL InjectionPƾ
��|n�MSQL InjectionŔ�5Đ��l
��i: �uSQLl�"stored procedure
¡¢YA�d�Cµ8�d�!�¤E®�Bnetcat
µ8�d�xtftp server´�¢YA�d®,���¤E®�Bnc.exe!!
DH�)~!!
��|n(¦)
�MSQL InjectionŔ�5Đ��l
nc.exe�:��¤�¢YA�dxSystem32z�
��|n(¦)
�MSQL InjectionŔ�5Đ��l
�@�uSQLl�"stored procedure¡¢YA�d�!;nc.exe3�/
port 8080
=[ Ny�80802xE®�B,!!
��|n�MSQL InjectionŔ�5Đ��l
��|n
unetstatfawq: ¢YA�d|x�!;nc.exe3�/port 8080
�;c��xpass.txteb§�ncx8080 port
�MSQL InjectionŔ�5Đ��l
��|n
/µ8�d�telnet�¢YA�dx80802�{{µ8% {�t¸?
�MSQL InjectionŔ�5Đ��l
��|n
¢YA�d�xpass.txteb�9�µ8��!!
Q^¨�!�$��i¶=7N�¢Y~!!
�MSQL InjectionŔ�5Đ��l
Z4�u���¢�, �/01g�¦�java script
ª�£�VU
XSSƆć�ǞPƾ
1. jA��©��ʽ
R~�B���x�B«¥(M�[�XP�X&�*)!! �%G�)! �%³k�#¢YA�d�xeb�9!!
2. rÁ��©½Z
XSSƆć�ǞPƾ
M�[´��u�qqqqx¢�*, F¸ N“�¯O� �+~!!”
ÑPmXSSÌ�ge~!!
3. �ge]*!
XSSƆć�ǞPƾ
dxǥ�ô ƄýDá
• N���,bº�áÃé�¾é�½¯áEÕ�Ö·OWëN��L�m4�wv7Q��Ö·�b5Äwv+��Åê
• �·�[d�"3^Gs9����ʽë.6��Êi¯�¤qvê
• �·>���d(����Êi^É-ʽë�·<\Çí{ãʽ�áEÕ�
dxǥ�ô ƄýDá
• p�Å£�H ¿J)ë�·�Ï��^É-ʽ
• �[ URL �z�X
• ±o���8ë�b¬¥Ä£�^"3ë�·èÔ£���Ò¡Ò�
• H¶4�éz��Û~ÎæéÛ��é@?Õ�Óî: