370 likes | 534 Views
2010.11.22 資安新聞簡報. 報告 者: 劉旭哲 、曾家雄. Spam down, but malware up. 報告者:劉旭哲. Nov 17 McAfee Threats Report: Third Quarter 2010 Spam is declined, but malware is increasing. Spam is still high It continued its overall decline from January, both globally and nationally.
E N D
2010.11.22資安新聞簡報 報告者:劉旭哲、曾家雄
Spam down, but malware up 報告者:劉旭哲
Nov 17 McAfee Threats Report: Third Quarter 2010 Spam is declined, but malware is increasing.
Spam is still high • It continued its overall decline from January, both globally and nationally. • But identity theft, phishing attacks, and malicious links remain as serious as ever. • eg: US
Malware continues to be the biggest threat. This year they have identified more than 14 million unique pieces of malware. Over one million more malware than at the same time last year. Increase has slowed, but the growth continues.
A mix of many established standards. Mainly in the form of password-stealing Trojans, AutoRun malware, and fake AV software. For example: Zeus, Koobface
Conclusion Cybercriminals are becoming more smart Attacks are becoming increasingly more severe Focus on mobile devices and social-networking sites.
reference http://news.cnet.com/8301-1009_3-20023067-83.html?tag=mncol;title http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf
Koobface: Inside a Crimeware Network November 12, 2010 By NART VILLENEUVE
A New Botnet From April to November 2010 the Information Warfare Monitor investigated the operations and monetization strategies of the Koobfacebotnet
Koobface • Koobface maintains a system that uses social networking platforms to send malicious linkssuch as: • Bebo, Facebook, Friendster, Fubar, • Hi5, MySpace, Netlog, Tagged, Twitter......etc. • Koobface also leverages connections to other malware groups associated with Bredolab, Gumblar, Meredrop, and Piptea
Koobface • The Koobface operators also employ counter-measures against security efforts to counter their operations • The “banlist” of Internet protocol • Koobface operators carefully monitor whether any of their URLs have been flagged as malicious one by Facebook, or Google
Propagation Koobface spreads by using credentials on compromised computers to login to the victim’s account It sends messages that contain links to malware to friends that are linked to the account
Propagation The malicious link is often concealed using the URL shortening service It redirects victim to a malicious Web page that encourages the user to run the accompanying executable These malicious pages purport to be YouTube pages that require a new codec or an Adobe Flash upgrade in order to view the video
Infrastructure • Koobface maintains an infrastructure that integrates command and control capabilities • Zombie proxies obscure the location of C&C
Command and Control • Koobface’s main command and control server is hosted on 85.13.206.115 (Coreix, GB) • It maintains a database that contains information on the infrastructure of the Koobfacebotnet • The compromised hosts that have been turned into relays • And used by the operators to proxy requests
Command and Control Koobface maintains a number of fraudulent accounts with third party services Koobface also appears to use compromised computers to host landing pages
Command and Control The Koobface malware has a modular structure that allows the botnet operators to install additional components on compromised computers based on specific criteria The compromised computer connects to one of Koobface’s relay Web servers, which act as proxies of C&C
Command and Control • The malware on the compromised host requests URLs that contain parameters • fbgen • ldgen • ppgen • CAPTCHA
fbgen This file determines the contents of the message and the Koobface URL to send to the Facebook friends associated with Facebook accounts found on the compromised computer
ldgen This file determines what further binaries the compromised host will download from the command and control server IP address in a range
ppgen • These URLs point to rogue security software affiliates on Google searches for keywords such as • Antivirus • best+spyware+remover • adware+spyware+removal • It triggers the search hijacker when the user clicks on any of the links returned by Google
CAPTCHA Koobface uses random samplings of real Facebook profile information stolen from compromised accounts to create fictitious accounts The popup window suggests that the computer will shutdown if the CAPTCHA is not solved
Monitoring & Countermeasures The operators of the Koobfacebotnet have a system in place to monitor the operations of the botnet and to ensure that the system continues to maintain the infrastructure that is required to operate it
Monitoring & Countermeasures Koobface carefully monitors its links through the Google Safe Browsing API and checks if any of their URLs have been flagged as malicious by bit.ly or Facebook
Monitoring Installations Koobface keeps count of successful installations and traffic generated by the botnet
Monitoring Installations • When an Internet user visits a Koobface landing page and installs the malware, the malware connects through a relay server to C&C and sends the • Compromised user’s IP address • Geographic location • Unique identifier • Koobface user identifier • Malware identifier • This allows Koobface to keep track of malware installations
Reference http://krebsonsecurity.com/2010/11/pursuing-koobface-and-partnerka/ http://www.infowar-monitor.net/reports/iwm-koobface.pdf