HKCERT (2015 Q2)
Overview

Source of data: the HKCERT Information Feed Analysis System (IFAS) (footnote 1).
Scope: security events involving .hk domains or Hong Kong IP addresses, including botnet command and control centres (C&C).
Contact: [email protected]

This report is released by HKCERT under the Creative Commons Attribution 4.0 licence (CC BY 4.0):
http://creativecommons.org/licenses/by/4.0/
Contents

Executive summary
1. Defacement
2. Phishing
3. Malware hosting
4. Botnet
   4.1 Botnet command and control centres (C&C)
   4.2 Bots
Appendix 1 - Sources of information
Appendix 2
Appendix 3 - Botnet families
Executive summary

In 2015 Q2 a total of 21,787 unique security events were recorded, an increase of 10,851 (99%) over the previous quarter.

Figure 1 - Trend of unique security events

Quarter    Unique security events
Q2 2014    16,589
Q3 2014    18,087
Q4 2014    12,437
Q1 2015    10,936
Q2 2015    21,787

Footnote 1: IFAS is the Information Feed Analysis System (IFAS) operated by HKCERT.
Combined defacement, phishing and malware hosting events rose from 5,867 in 2015 Q1 to 16,338 in 2015 Q2. Defacement rose by 5%, while phishing and malware hosting rose by 168% and 412% respectively.

Figure 2 - Trend of defacement, phishing and malware hosting security events

Quarter    Defacement    Phishing    Malware hosting
Q2 2014    4,522         2,557       1,561
Q3 2014    2,926         3,048       5,760
Q4 2014    1,644         1,883       2,735
Q1 2015    1,604         2,934       1,329
Q2 2015    1,692         7,836       6,810
Of the malware hosting events in 2015 Q2, 41% (2,828) involved HTML/Drop.Agent.AB, which is associated with the Ramnit botnet (footnote 5).

Figure 3 - HTML/Drop.Agent.AB malware hosting events by month, 2015-01 to 2015-06
Botnet command and control centres (C&C)

Figure 4 - Trend of botnet command and control centre (C&C) security events

Quarter    Botnet (C&Cs)
Q2 2014    2
Q3 2014    5
Q4 2014    3
Q1 2015    4
Q2 2015    4

Four botnet C&C servers were recorded in 2015 Q2, including Zeus C&C servers and an IRC C&C server.
Botnet (bots)

Figure 5 - Trend of botnet (bots) security events

Quarter    Botnet (bots)
Q2 2014    7,947
Q3 2014    6,348
Q4 2014    6,172
Q1 2015    5,065
Q2 2015    5,445

Bot events rose by 8% in 2015 Q2. Virut rose by 87% (see figure 14), while Zeus continued to decline (see figure 13).

Ramnit
Ramnit steals FTP credentials and browser cookies from infected machines and has been active since 2010 (footnote 5).

Footnote 5: http://www.symantec.com/connect/blogs/ramnit-cybercrime-group-hit-major-law-enforcement-operation
Tinba (footnotes 6, 7) and Dyre (footnotes 8, 9) both entered the top 10 botnet families this quarter.

Footnote 6: https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/
Footnote 7: https://www.f-secure.com/weblog/archives/00002810.html
Footnote 8: http://securityintelligence.com/dyre-wolf/
Footnote 9: http://www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html
1. Defacement

Figure 6 - Trend of defacement security events

Quarter    Unique URL    Unique IP
Q2 2014    4,522         683
Q3 2014    2,926         654
Q4 2014    1,644         478
Q1 2015    1,604         441
Q2 2015    1,692         569
Figure 7 - Defacement URL/IP ratio

Quarter    URL/IP ratio
Q2 2014    6.62
Q3 2014    4.47
Q4 2014    3.44
Q1 2015    3.64
Q2 2015    2.97

Source of information:
- Zone-H
2. Phishing

Figure 8 - Trend of phishing security events

Quarter    Unique URL    Unique IP
Q2 2014    2,557         443
Q3 2014    3,048         354
Q4 2014    1,883         280
Q1 2015    2,934         208
Q2 2015    7,836         373
Figure 9 - Phishing URL/IP ratio

Quarter    URL/IP ratio
Q2 2014    5.77
Q3 2014    8.61
Q4 2014    6.73
Q1 2015    14.11
Q2 2015    21.01

Source of information:
- ArborNetwork - Atlas SRF
- CleanMX - phishing
- Millersmiles
- Phishtank
3. Malware hosting

Figure 10 - Trend of malware hosting security events

Quarter    Unique URL    Unique IP
Q2 2014    1,561         351
Q3 2014    5,760         408
Q4 2014    2,735         603
Q1 2015    1,329         391
Q2 2015    6,810         664
Figure 11 - Malware hosting URL/IP ratio

Quarter    URL/IP ratio
Q2 2014    4.45
Q3 2014    14.12
Q4 2014    4.54
Q1 2015    3.40
Q2 2015    10.26

Source of information:
- Abuse.ch: Zeus Tracker - Binary URL
- Abuse.ch: SpyEye Tracker - Binary URL
- CleanMX - Malware
- Malc0de
- MalwareDomainList
- Sacour.cn
4. Botnet

4.1 Botnet command and control centres (C&C)

Figure 12 - Botnet command and control centres (C&C) by type

Quarter    HTTP    IRC
Q2 2014    1       1
Q3 2014    2       3
Q4 2014    2       1
Q1 2015    3       1
Q2 2015    3       1

Source of information:
- Zeus Tracker
- SpyEye Tracker
- Palevo Tracker
- Shadowserver - C&Cs
4.2 Bots

4.2.1 Top 10 botnet families (footnote 11)

Counts are unique IP addresses; the last column is the change against the previous quarter.

Rank  Rank change  Botnet family  Unique IP  Change
1     same         Conficker      2,083      -5%
2     up           Virut          1,101      +87%
3     down         Zeus           765        -25%
4     same         ZeroAccess     523        -8%
5     same         Pushdo         352        -4%
6     NEW          Ramnit         146        NA
7     NEW          Tinba          94         NA
8     down         Citadel        91         -13%
9     NEW          Dyre           55         NA
10    up           Wapomi         25         -22%

Figure 13 - Top 10 botnet families by unique IP addresses
Figure 14 - Trend of the top 5 botnet families (footnote 12)

Family      Q2 2014  Q3 2014  Q4 2014  Q1 2015  Q2 2015
Conficker   2945     2597     2419     2185     2083
Virut       277      263      559      588      1101
Zeus        2512     1897     1472     1020     765
ZeroAccess  1407     1062     838      569      523
Pushdo      211      63       406      367      352

Source of information:
- ArborNetwork - Atlas SRF - conficker
- ShadowServer - botnet_drone
- ShadowServer - sinkhole_http_drone
- ShadowServer - Microsoft_sinkhole
Appendices

Appendix 1 - Sources of information

Appendix 2
21!
3!–
!
D y oh2
BankPatch! !!MultiBanker!
!!Patcher!
!!BankPatcher!.
!! H !
!!
!
!! !
!! !
!!
M
v rD uj!
BlackEnergy!
.
!! rootkitP S !
!! P !
!!g 0 P
!
!! s. x o
h(DDoS)!
Citadel!
.
!!
!
!
!! v
rD v!
!!U !
!!K l !
!! l !
!! oe!
!! !
Conficker! !!Downadup!
!!Kido!
!! E !
(DGA)! !
!! P2P !
!! !
!! Window
MS08S067 !
!!
f!
!! Window
(autoSrun)
f!
Dyre! !
.
!! ! !!
v!
!! ─ !
Gamarue! !!Andromeda! !! oh !
!! !
!!9 Word !
!! !
!! rD !
!! X !
!! BC .!
![Page 23: Î Æ P ðÔ - HKCERT](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4233110a58125ac27d91a/html5/thumbnails/23.jpg)
22!
Glupteba! ! . !! .
(driveSbySdownload)D
!
!! ─ !
!! h S!
IRC!Botnet! . !! IRC ! !!5 . X
!
!! s. x o
h(DDoS)!
!! ─ !
Palevo! !!Rimecud!
!!Butterfly!
bot!
!!Pilleuz!
!!Mariposa!
!!Vaklik!
!! ,!
!
!!5 . X
!
!! v r
D v!
!! O
!
Pushdo! !!Cutwail!
!!Pandex!
!! BC !
!! E !
(DGA)! !
!! .
(driveSbySdownload)D
!
!! a !
!!
BC .( :!Zeus!
! Spyeye)!
!! s. x o
h(DDoS)!
!! ─ !
Ramnit! ! !!D !
!! oh !
!! FTP !
!!5 . X
!
!! v r
D v!
Sality! . !! rootkitP S !
!! P2P !
!!
f!
!! !
!! E
Entry!Point!
Obscuring P D
!
!! ─ !
!! !
!! rD v!
!!D /
!
!! BC .!
![Page 24: Î Æ P ðÔ - HKCERT](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4233110a58125ac27d91a/html5/thumbnails/24.jpg)
23!
Slenfbot! !!
f!
!
!!5 . X
!
!!
BC .!
!! s. x o
h(DDoS)!
!! ─ !
Tinba! !!TinyBanker!
!!Zusy!
! .
!! oh !
!! !
!! v r
D v!
Torpig! !!Sinowal!
!!Anserin
. !! rootkitP S !
(Mebroot!rootkit)!
!! E !
(DGA)! !
!! .
(driveSbySdownload)D
!
!! rD v!
!! oe!
Virut! ! . !!
f!
!
!! ─ !
!! s. x o
h(DDoS)!
!! !
!! v!
!!!
Wapomi! !!
f!
!!D !
!!5 . X
!
!! BC .!
!!n
!
!!m uj
v
q !
![Page 25: Î Æ P ðÔ - HKCERT](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4233110a58125ac27d91a/html5/thumbnails/25.jpg)
24!
ZeroAccess! !!max++!
!!Sirefef
. !! rootkitP S !
!! P2P !
!! .
(driveSbySdownload)D
!
!! H q ( :
keygen)!
!! BC .!
!!Z & h!
Zeus! !!Gameover
.
!! P !
!! .
(driveSbySdownload)D
!
!! P2P !
!
!! v
rD v!
!! oe!
!!U !
!! BC .( :!
Cryptolocker)!
!! s. x o
h(DDoS)!
!