Hong Kong Clean PC Day 2010 Seminar (Nov)
Security Trend of New Computing Era
Presented by Roland Cheung
HKCERT
Agenda
• Security Threat Overview
• Introduction of Botnet
• Impact of Botnet
• Fight Back Botnet
• Security Protection Scheme
Security Threat Overview
Security Threat - Trend
• Cloud Computing
– Data
• Social Network
– Privacy
• Mobile Security
– Apps
Security Threat - Type
• Phishing/Defacement
• Malicious Code Injection / SQL Injection
• Distributed Denial of Service (DDoS)
• Malware
• Botnet
• etc…
Security Threat - Impact
• Financial Loss
• Data Loss
• Identity Theft
• Service unavailability
Security Threat - Underground Economy
Fig 1 - Sales ranking on underground economy (Source from Symantec)
Introduction of Botnet
What is Botnet?
• Botnet (aka Zombie Network, 殭屍網路)
• A collection of compromised computers (called bots or zombies) under a common command-and-control (C&C) infrastructure.
http://en.wikipedia.org/wiki/Botnet
Botnet Structure
• Bot Herder/Master
• Command and Control Servers (C&C, C2)
• Bots
Fig 2 - Typical Botnet structure
Spread Channel
• Website
• Instant Messenger (IM)
• P2P file sharing network
• Mobile device application
Website
• Code Injection
– A hidden iframe directs the browser to a malicious website that hosts a vulnerability exploit
– In 1H 2010, over 2,500 Common Vulnerabilities and Exposures (CVE) were recorded. Apple was the top vendor for CVEs, with about 180 issued.
Fig 3 - Source from Trend Micro
Website
• Malicious Multimedia Content
– Exploit media player vulnerability
– Malicious codec file installation
Fig 4 – Fake YouTube website delivers malware (Koobface)
Website
• Search Engine Optimization Poisoning (aka Black hat SEO)
– Using unethical SEO techniques to obtain a higher search ranking and post malicious links on hot topics
– Deliver Fake AV
Fig 5 - Black hat SEO exploit Google search
Website
• Malvertising (malicious advertising)
– Use of online advertising to spread malware
Fig 6 - In Apr 2010, malicious advertisements displayed fake security warnings
• Malicious attachment
– MS Office documents: .doc, .xls, .ppt
– .lnk
– .swf
• Malicious link embedded
E.g. Pushdo, Waledac, Koobface
Instant Messenger
• MSN, QQ
– Embedding link
– File transfer
E.g. Mariposa
P2P File sharing network
• BT, eMule, Foxy etc.
E.g. Storm, Waledac, Nugache
Mobile Device Application
• Zeus ver 2.0, Man in the mobile (Mitmo)
• Reported in Sep 2010
• Installed in mobile devices like BlackBerry and Symbian mobile phones
• Sniffs all the SMS messages that are being delivered.
• Steals both the online username and password
Malware
• Fig 7 - Top 10 malware hosting countries (Source from SOPHOS)
Communication Channel
• IRC
• HTTP/HTTPS
• P2P
Fig 8 - Botnet uses Twitter to deliver commands (Source from Arbor Networks)
• TwitterNet Builder - A kit for building a Twitter botnet
Impact of Botnet
Global botnet infection rate
Fig 9 – Microsoft Security Intelligence Report Vol.9
• 88 locations around the world; number of computers cleaned for every 1,000 executions of MSRT.
Global botnet infection
Fig 10 – Bot infection statistics (Source from McAfee)
Active Botnet Families
Fig 11 - Top 10 bot families detected (Source from Microsoft)
Botnet Ecosystem
Fig 12 - Source from Microsoft
Fight Back Botnet
Fight Back
2010 is becoming a good year for shutting down big botnets.
• Mariposa
• Waledac
• Bredolab
• ZeuS
Case Study - Mariposa
• Mariposa (butterfly in Spanish)
• Discovered in December 2008
• 12.7 million bots in more than 190 countries (Top country – India, Top city – Seoul)
• Spread via IM, P2P file sharing, and websites exploiting an IE vulnerability
Case Study - Mariposa
Fig 13 – Mariposa C&C server
• More than 200 binaries
• Connect to the C&C using an anonymous VPN service
Case Study - Mariposa
• Stole credit card details, banking credentials and user identities (username, password)
• Belonging to more than 800,000 users.
Case Study - Mariposa
• Mariposa Working Group (MWG) established in May 2009
• Members:
Case Study - Mariposa
• In Dec 2009, MWG took control of the Mariposa botnet
• In Feb 2010, the leader (alias “Netkairo”) was arrested by the Spanish Civil Guard
• In Jul 2010, the suspected creator (alias “Iserdo”) was arrested by Slovenian police
Case Study - Mariposa
Lesson Learned
• 97% of bots use DNS to locate the C&C; detect the bots by their DNS activity
• Sinkhole the domain used by the C&C server
Case Study - Waledac
• Waledac
• Discovered in Apr 2008
• Estimated 70,000 - 90,000 infected computers
• Spread via email
• 1.5 billion spam messages a day (about 1% of the total global spam volume)
• Connects to the C&C over a P2P network
Case Study – Waledac
• Fraudulent greeting cards and breaking news events.
• Email contains a link pointing to a malicious website
• Delivers exploit code when visited
– Adobe Reader, Flash, IE, MS Office components etc.
Case Study - Waledac
• Fig 14 - Waledac P2P communication structure (Source from Symantec)
Case Study - Waledac
• “Operation b49” initiated by Microsoft’s Digital Crimes Unit
• Members:
• In Feb 2010, cut off 273 harmful botnet domains used by Waledac
Case Study - Waledac
• Waledac Tracker
http://www.sudosecure.net/waledac/index.php
Fig 15 – Waledac Tracker (Source from sudosecure)
Case Study - Waledac
Lesson learned
• Solved legal issue
– Microsoft Corporation v. John Does 1-27, et al.
http://www.microsoft.com/presspass/events/rsa/docs/Complaint.pdf
Security Protection Scheme
Security Protection Scheme
• Anti-virus/Anti-malware
• Firewall
• Apply security patches
• Malicious Website detection
• File analysis
Anti-virus/Anti-malware
• Deploy Cloud technology
• When an unknown application is launched, ask the cloud network to look up this application
• Immediate protection against the latest threats
Firewall
• In-bound and out-bound detection
• Open ports detection
• Unknown application warning
• System change warning
• Sandbox
• Logging
Apply security patches
• Vendor's OS and application update checking features
• Secunia - Personal Software Inspector (PSI)
http://secunia.com/vulnerability_scanning/personal/
Malicious Website detection
• IE 8, Firefox 3 built-in website detection features
Malicious Website detection
• Google Safe Browsing
Malicious Website detection
• Wepawet
http://www.mywot.com/en/download
• MonkeyWrench
http://monkeywrench.de/index.html
Malicious Website detection
• Blocklist
– Malware Domain Blocklist
http://www.malwaredomains.com/files/domains.txt
– ZeuS Blocklist
https://zeustracker.abuse.ch/blocklist.php
– SpyEye Blocklist
https://spyeyetracker.abuse.ch/blocklist.php
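
One way to combine a domain blocklist with the Mariposa lesson of detecting bots by their DNS activity and sinkholing C&C domains, as an added example that is not part of the original slides. The blocklist format, resolver log format, domains and addresses are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed blocklist; assumed format: one domain per line, '#' starts a comment.
BLOCKLIST_TXT = """
# constructed entries, not from any real list
botnet-cc.example
update.evil-codec.test
"""
SINKHOLE_IPS = {"192.0.2.53"}  # constructed sinkhole address
# Constructed resolver log; assumed fields: timestamp client qname qtype answer
DNS_LOG = """
2010-11-20T10:00:01 10.0.0.5 www.intranet.example A 198.51.100.7
2010-11-20T10:00:02 10.0.0.8 irc.botnet-cc.example A 203.0.113.9
2010-11-20T10:00:03 10.0.0.8 IRC.Botnet-CC.example. A 203.0.113.9
2010-11-20T10:00:09 10.0.0.12 notbotnet-cc.example A 198.51.100.20
2010-11-20T10:00:15 10.0.0.21 cc.seized-domain.test A 192.0.2.53
malformed line
"""

def load_blocklist(text):
    """Parse the blocklist into a set of lower-case domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains

def blocked_parent(qname, blocklist):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in blocklist:
            return candidate
    return None

def find_suspects(log_text, blocklist, sinkhole_ips):
    """Map client IP -> sorted (domain, reason) pairs worth investigating."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, client, qname, _qtype, answer = fields
        match = blocked_parent(qname, blocklist)
        if match:
            hits[client].add((match, "blocklist"))
        if answer in sinkhole_ips:  # the answer was the sinkhole address
            hits[client].add((qname.lower().rstrip("."), "sinkhole"))
    return {client: sorted(pairs) for client, pairs in hits.items()}

if __name__ == "__main__":
    print(find_suspects(DNS_LOG, load_blocklist(BLOCKLIST_TXT), SINKHOLE_IPS))
```

Matching on whole labels keeps `notbotnet-cc.example` from being flagged by the `botnet-cc.example` entry, and the sinkhole check catches clients querying seized domains that no blocklist carries.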
File Analysis
• VirusTotal
http://www.virustotal.com
File Analysis
• MalOffice
http://mwanalysis.org/?site=7&page=submit
Q & A
Thank You
Email: [email protected]
Hong Kong Clean PC Day 2010 Seminar (Nov) Security in the Social Networking and Cloud Computing Age