Î Æ P ðÔ - HKCERT

Post on 29-Jan-2022


!

!

!

!

!

!

!!!!!!!!

!

!! !

!2015( !

!!

! !

1!

!! !

4 1 ! oh

uj

oh uj R

n BC . :(C&C)

.hk . !

!

HKCERT H 4

M oh 6 oh IP

BC uj n t

— uj uj !

HKCERT - Information Feed Analysis System (IFAS) m uj

v uj ! ( 1)! s S

!

I uj T uj

!

oh ! T !

n

BC . !

!

N 6 u !

:

(C&C)!

!

N 6 IP u !

!

!

N 6 IP

u !

!

!

2!

!

I uj S n I

ujn I hkcert@hkcert.org I

C !

!

!

uj Z m y m y.

uj

!

!

: w uj

, j Z :

uj G d :

!

!

X !

Z ! CC! ! 4.0! !X HKCERT

!

http://creativecommons.org/licenses/by/4.0/

!

! !

3!

! !!

... 4

uj ... 11

1. n ... 11

1.1 uj ... 11

2. ... 13

2.1 uj ... 13

3. BC . ... 15

3.1 uj ... 15

4. ... 17

4.1 (C&C) ... 17

4.2 ... 18

... 20

1 – v ... 20

2 – y ... 20

3 – ... 21

!

4!

� !

(

!

( ohuj uj

m Nm p

!

1!–3

!

99% 10,851 2013( w

!

!

:!BC . n

:!

1 IFAS - Information Feed Analysis System (IFAS), HKCERT m uj

uj !

2

! 1!S v !

3

!u t n !

[Figure 1 chart: Unique security events by quarter]

Q2 2014: 16,589
Q3 2014: 18,087
Q4 2014: 12,437
Q1 2015: 10,936
Q2 2015: 21,787

5!

!

2!–4

!

u 2015( 7 5,867 16,338

BC . w !

noh u 9 5% A oh BC . oh

168% 412% !

) oh oh

L oh

N oh H oh

u

! !

4 u t n

[Figure 2 chart: Security events by type and quarter]

Type               Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Defacement           4,522    2,926    1,644    1,604    1,692
Phishing             2,557    3,048    1,883    2,934    7,836
Malware hosting      1,561    5,760    2,735    1,329    6,810

6!

BC . 41% 2828 HTML/Drop.Agent.AB BC .

BC . Ramnit !

!

3 HTML/Drop.Agent.AB

7 3 HTML/Drop.Agent.AB Ramnit

Ramnit 5 Ramnit BC .

BC . 5 8 I

!

!

G .

!! w . w

!! w G . a w

!! U M

!! M G .

!! 0

!! ?

!

!

!

:(C&C)! ! ! ug 0 ─

T 2 ! !

! ! m :(C&C)! T

2 !

[Figure 3 chart: HTML/Drop.Agent.AB, monthly, 2015-01 to 2015-06; y-axis 0 to 1600]

7!

!

: !

:(C&C) :!

!

4!– :(C&C) !

!

: u S !

!

4! : Zeus :

IRC : !

!

!

:!

[Figure 4 chart: Botnet (C&Cs) by quarter]

Q2 2014: 2
Q3 2014: 5
Q4 2014: 3
Q1 2015: 4
Q2 2015: 4

8!

!

!

5!S !

!

9 2014( !

!

2015( D u 8% Virut 87%

ZeusH ! ( 14)! !

H

( 13)!

Ramnit!

Ramnit rD v R Fj FTP

Fj cookies oh i

BC . !

Ramnit 2010( cs D5

R 9 i Ramnit g

Ramnit H !

Ramnit D oh FTP

sf !

!

Tinba!

5 http://www.symantec.com/connect/blogs/ramnit-cybercrime-group-hit-major-law-enforcement-operation

[Figure 5 chart: Trend of Botnet (Bots) security events]

Q2 2014: 7,947
Q3 2014: 6,348
Q4 2014: 6,172
Q1 2015: 5,065
Q2 2015: 5,445

9!

. oh Fj

( M 5 V 6

P 7

M n

.

4

oh sf

. (H u 8

M

M M T

P 5 M

M 33 H 5 s.

x oh M d

P 9 P

:u g : .

k : g : P

q H BC

.

sf

!! w . w

!! q W_

!! 0

!!

!! w

2013( 6 : m G

)

R

6 https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/

7 https://www.f-secure.com/weblog/archives/00002810.html

8 http://securityintelligence.com/dyre-wolf/

9 http://www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html

10!

: BC .D

S

!

T/

!! T/

! !

11!

uj!

1.! n!

1.1! uj !

!

6!–! n10

!

10 u t n

[Figure 6 chart: Defacement, unique URL vs unique IP]

            Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique URL     4522     2926     1644     1604     1692
Unique IP       683      654      478      441      569

n

!! n X ohy n

2

!! t

!!

!! g d

!! oh

12!

!

!

7!–! n /IP !

!

!

v :! !

!! Zone-H

! !

[Figure 7 chart: Defacement URL/IP ratio]

Q2 2014: 6.62
Q3 2014: 4.47
Q4 2014: 3.44
Q1 2015: 3.64
Q2 2015: 2.97

! ! /IP !

!! u IP

u !

!

!! u u

4 !

!! IP u u !

!! !

13!

2.! !

2.1!uj !

! ! !

8!–! !

[Figure 8 chart: Phishing, unique URL vs unique IP]

            Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique URL     2557     3048     1883     2934     7836
Unique IP       443      354      280      208      373

!!

2

!! v d

!!

!! g d

!! oh

14!

!

!

9!–! /IP !

!

!

v :! !

!! ArborNetwork – Atlas SRF

!! CleanMX – phishing

!! Millersmiles

!! Phishtank

! !

[Figure 9 chart: Phishing URL/IP ratio]

Q2 2014: 5.77
Q3 2014: 8.61
Q4 2014: 6.73
Q1 2015: 14.11
Q2 2015: 21.01

! ! /IP !

!! u IP

u !

!

!! u u

4 !

!! IP u u !

!! !

15!

3.! BC . !

3.1!uj !

!

! !

10!–!BC . !

!

[Figure 10 chart: Malware hosting, unique URL vs unique IP]

            Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Unique URL     1561     5760     2735     1329     6810
Unique IP       351      408      603      391      664

BC .

!! BC . sfBC .

2

!! BC . BC .

!!

!! g d

!! oh

16!

!

11!–!BC . /IP !

!

!

!

!

v :!

!! Abuse.ch: Zeus Tracker – Binary URL

!! Abuse.ch: SpyEye Tracker – Binary URL

!! CleanMX – Malware

!! Malc0de

!! MalwareDomainList

!! Sacour.cn

! !

[Figure 11 chart: Malware hosting URL/IP ratio]

Q2 2014: 4.45
Q3 2014: 14.12
Q4 2014: 4.54
Q1 2015: 3.40
Q2 2015: 10.26

! ! /IP !

!! u IP

u !

!

!! u u

4 !

!! IP u u !

!! !

17!

4.! !

4.1! :(C&C)!

! !

!

12!–! ( :) !

!

!

v :!

!! Zeus Tracker

!! SpyEye Tracker

!! Palevo Tracker

!! Shadowserver – C&Cs

[Figure 12 chart: Botnet C&C servers by type, HTTP vs IRC, Q2 2014 to Q2 2015; y-axis 0 to 6]

!! : ─

BC ? ? s.

x oh

2

!! 4

!! m uj

18!

4.2! !

4.2.1! 11!

IP u

b N

G N u !

!

!

!

Rank  Trend  Botnet       Unique IP  vs. previous quarter
1     same   Conficker        2,083   -5%
2     up     Virut            1,101   87%
3     down   Zeus               765   -25%
4     same   ZeroAccess         523   -8%
5     same   Pushdo             352   -4%
6     NEW    Ramnit             146   NA
7     NEW    Tinba               94   NA
8     down   Citadel             91   -13%
9     NEW    Dyre                55   NA
10    up     Wapomi              25   -22%

13!–! u !

!

11 T S uj

[Figure 13 chart: Top botnets by unique IP count]

Conficker   2,083
Virut       1,101
Zeus          765
ZeroAccess    523
Pushdo        352
Ramnit        146
Tinba          94
Citadel        91
Dyre           55
               54

19!

!

14!–12!

!

v :!

!! ArborNetwork – Atlas SRF – conficker

!! ShadowServer – botnet_drone

!! ShadowServer – sinkhole_http_drone

!! ShadowServer – Microsoft_sinkhole

12 Virut u t

[Figure 14 chart data: Top 5 botnets, unique IP count by quarter]

            Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Conficker      2945     2597     2419     2185     2083
Virut           277      263      559      588     1101
Zeus           2512     1897     1472     1020      765
ZeroAccess     1407     1062      838      569      523
Pushdo          211       63      406      367      352

!! H u –

BC .D H D 5 BC . y

6 T oh

2

!!

!! v d

!! T BC sfBC . s.

x oh

20!

��!

1!– v !

v :!

oh v

n

BC .

BC .

BC .

BC .

BC .

BC .

:

:

:

:

!

!

!!

2!– y !

I Z y y !

!

y w

!!!

21!

3!–

!

D y oh2

BankPatch: MultiBanker, Patcher, BankPatcher .

!! H !

!!

!

!! !

!! !

!!

M

v rD uj!

BlackEnergy!

.

!! rootkitP S !

!! P !

!!g 0 P

!

!! s. x oh (DDoS)

Citadel!

.

!!

!

!

!! v

rD v!

!!U !

!!K l !

!! l !

!! oe!

!! !

Conficker: Downadup, Kido

!! E (DGA)

!! P2P !

!! !

!! Windows MS08-067

!!

f!

!! Windows (auto-run)

f!

Dyre! !

.

!! ! !!

v!

!! ─ !

Gamarue: Andromeda

!! oh

!! !

!!9 Word !

!! !

!! rD !

!! X !

!! BC .!

22!

Glupteba . !! . (drive-by-download) D

!

!! ─ !

!! h S!

IRC Botnet . !! IRC !! 5 . X

!

!! s. x oh (DDoS)

!! ─ !

Palevo: Rimecud, Butterfly bot, Pilleuz, Mariposa, Vaklik

!! ,!

!

!!5 . X

!

!! v r

D v!

!! O

!

Pushdo: Cutwail, Pandex

!! BC !

!! E (DGA)

!! . (drive-by-download) D

!

!! a !

!!

BC . ( : Zeus Spyeye)

!! s. x oh (DDoS)

!! ─ !

Ramnit! ! !!D !

!! oh !

!! FTP !

!!5 . X

!

!! v r

D v!

Sality! . !! rootkitP S !

!! P2P !

!!

f!

!! !

!! E Entry Point Obscuring P D

!

!! ─ !

!! !

!! rD v!

!!D /

!

!! BC .!

23!

Slenfbot! !!

f!

!

!!5 . X

!

!!

BC .!

!! s. x oh (DDoS)

!! ─ !

Tinba: TinyBanker, Zusy

! .

!! oh !

!! !

!! v r

D v!

Torpig: Sinowal, Anserin

. !! rootkit P S (Mebroot rootkit)

!! E (DGA)

!! . (drive-by-download) D

!

!! rD v!

!! oe!

Virut! ! . !!

f!

!

!! ─ !

!! s. x oh (DDoS)

!! !

!! v!

!!!

Wapomi! !!

f!

!!D !

!!5 . X

!

!! BC .!

!!n

!

!!m uj

v

q !

24!

ZeroAccess: max++, Sirefef

. !! rootkitP S !

!! P2P !

!! . (drive-by-download) D

!

!! H q ( : keygen)

!! BC .!

!!Z & h!

Zeus: Gameover

.

!! P !

!! . (drive-by-download) D

!

!! P2P !

!

!! v

rD v!

!! oe!

!!U !

!! BC . ( : Cryptolocker)

!! s. x oh (DDoS)

!