Copyright 2005 InternetPerils, Inc
© 2004 InternetPerils, Inc.
Visualization for Data Sharing
John S. Quarterman, InternetPerils
Jay Swofford, Jim Maloney, Corillian
19 April 2005, APWG London
Seeing the Undead
• BBC (22 March): U.K. leads world in zombie PCs
• Many of them used for phishing
• See the undead horde to help stop it.
The Ant Bed
• Destinations: Websense
The Ant Bed
• 49 phishing servers
• mostly found by Websense
• with routing paths to each
• Looks like an ant bed.
• For each ant we know:
– address
– domain name, where reverse DNS works
– routing
– likely geographical location
– performance
Analyzing the Ant Bed
• Identify data sources and gather data
• Organize data in database
• Analyze data for patterns using
– rules of behavior
– visualization
– data mining
• Enhance data in database from analysis
• Visualize and report results to stakeholders
• Use the above to prepare for next attack
Zooming In
Zooming 7
Zooming 7
Zooming in on 65.39.211.249
ebay.accountreturning.com
The previous slide shows 7 hops out from the destination
Zoomed
Zoomed
• Two phishing nodes connected very similarly
– ebay.accountreturning.com
– charterone-information.net
• That's interesting in itself
• Both connected via peer1.net
• and via routers in Vancouver
• Latencies from them to the destinations are low
• Probably in Canada, possibly Vancouver
Where in the World is 65.75.176.120?
Where in the World is 65.75.176.120?
• Destination didn't respond to probes
• Closest responding node: 64.154.102.5
• assertive.managed.com
• registered in San Diego, California
• next hop out: assertive.above.net
– 64.125.30.94 so-0-0-0.er10a.sjc.us.above.net
– 64.125.30.90 so-2-0-0.er10a.sjc.us.above.net
• Routing indicates near San Jose, California
Where in the World is 65.75.176.120?
• But destination's netblock is registered to an individual in Ripley, Texas
• Destination didn't respond: no latency, so can't tell whether it's in California or Texas
• Further examination could include:
– hosting company offers distributed network?
– or only one hosting center in California?
– Are there other phishing nodes in the same center?
A Faked Domain
A Faked Domain
• 211.101.236.19 signin.ebay.com.sdll.us
• Domain name appears to be in the U.S.
• But SDLL is not a U.S. state code
• It's registered to someone in San Diego
• But its IP address is in China, prob. Beijing
• on capitalnet.com.cn
• Nodes leading to it are also in China
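The two checks the "A Faked Domain" slide makes by eye, written out as an added Python example (not code from the slides): the brand in the hostname is not the domain anyone registered, and under .us only a state-code second-level label carries any locality meaning, so "sdll.us" is an ordinary registration that says nothing about where the host is. The brand watch-list is illustrative, and MULTI_LABEL_SUFFIXES is a tiny assumed stand-in for the Public Suffix List; the hostnames run through it are the ones on the slides plus www.ebay.com as a control.

```python
"""Spot a brand-impersonating hostname such as signin.ebay.com.sdll.us.

Added example, not from the slides. Assumptions: BRANDS is an illustrative
watch-list and MULTI_LABEL_SUFFIXES stands in for the Public Suffix List.
"""
from __future__ import annotations

from dataclasses import dataclass

BRANDS = {"ebay", "paypal", "charterone"}          # assumed watch-list

# The 50 states plus DC: the locality space under .us (e.g. ci.austin.tx.us).
US_STATE_CODES = set("""
al ak az ar ca co ct de dc fl ga hi id il in ia ks ky la me md ma mi mn ms
mo mt ne nv nh nj nm ny nc nd oh ok or pa ri sc sd tn tx ut vt va wa wv wi wy
""".split())

# Assumption: a few multi-label public suffixes; use the real PSL in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "net.cn", "com.au"}


def labels_of(host: str) -> list[str]:
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    """The domain somebody actually registered: public suffix plus one label."""
    labels = labels_of(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Verdict:
    host: str
    registrable: str
    brands_seen: list[str]
    findings: list[str]


def analyze(host: str) -> Verdict:
    labels = labels_of(host)
    reg = registrable_domain(host)
    reg_labels = set(reg.split("."))
    findings: list[str] = []

    # 1. A brand token anywhere in the name that is not itself the registered
    #    label: catches "ebay" buried in a subdomain and look-alikes such as
    #    charterone-information.net alike.
    seen = sorted({b for label in labels for b in BRANDS if b in label})
    for brand in seen:
        if brand not in reg_labels:
            findings.append(
                f"brand '{brand}' appears in the name but the registrable domain is {reg}")

    # 2. Under .us only a state code gives locality meaning; anything else
    #    ("sdll") is an ordinary registration open to anyone, anywhere.
    if labels[-1] == "us" and len(labels) >= 2 and labels[-2] not in US_STATE_CODES:
        findings.append(
            f"'{labels[-2]}.us' is not a state locality; .us is no evidence of a U.S. host")

    return Verdict(host, reg, seen, findings)


if __name__ == "__main__":
    for h in ("signin.ebay.com.sdll.us", "ebay.accountreturning.com",
              "charterone-information.net", "www.ebay.com"):
        v = analyze(h)
        print(h, "->", v.registrable, v.findings or "no findings")
```

The name check is deliberately independent of where the IP address routes to: the slide's point is that the hostname and the routing path each lie in a different way, so a classifier should record both signals separately rather than let a U.S.-looking name soften a path that ends in China.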
FSTC Phases
• Financial Services Technology Consortium
• Counter-Phishing Initiative
• Phishing Phases:
– Planning
– Setup
– Attack
– Collection
– Fraud
– Post-Attack
Visualization and Pattern Matching for FSTC Phases
• Collect data, visualize, analyze, etc. for each phase and for connections between, in order to:
– help stop attacks
– show how problems occurred
– make problems visible for greater awareness
Contact Information
John Quarterman [email protected]
www.internetperils.com