
20101018 Security News Briefing


Presentation Transcript


  1. 20101018 Security News Briefing Presenters: 曾家雄, 劉旭哲, 莊承恩

  2. New Malware Murofet Following Conficker's Lead October 15, 2010 Dennis Fisher

  3. Conficker • A computer worm targeting the Microsoft Windows operating system • Detected in November 2008 • Co-opts machines and links them into a virtual computer that can be commanded remotely

  4. Conficker Variant • Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E

  5. Conficker Variant

  6. Conficker Variant

  7. Payload Propagation • Variant A • Generates a list of 250 domain names every day across five TLDs • The domain names are generated from a pseudo-random number generator seeded with the current date

  8. Payload Propagation • Variant B increases the number of TLDs to eight and produces domain names disjoint from those of variant A • Variant D generates a daily pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day • The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics
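Slide 8 says the shorter variant D names were meant to defeat heuristics. The Python below is an added illustration (not from the presentation or from any of the cited posts): it implements a simple length-and-entropy heuristic of the kind such names evade and runs it over constructed sample labels, which are not real Conficker domains. The thresholds and the sample labels are my own choices.

```python
import math
from collections import Counter

# Constructed sample labels (assumed for this example, not real Conficker
# domains). LONG_RANDOM mimics the 8-11 character names of the early
# variants; SHORT_RANDOM mimics the 4-9 character names of variant D.
# Every letter is distinct within a label, as a pseudo-random generator
# would produce most of the time.
LONG_RANDOM = ["qwzxkvbnpt", "hjkqzvwxmb", "zxvbqwkjhgr", "pqzvxwkm"]
SHORT_RANDOM = ["qzxk", "wvbnj", "hjqzk", "zxvbq", "ptkxzwvbq"]
BENIGN = ["google", "example", "microsoft", "websense"]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of the label (the maximum is log2(len(label)))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(label: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Length-based DGA heuristic (thresholds are assumed for this example):
    flag a label only if it is at least min_len characters long AND its
    characters are almost all distinct (entropy >= 3 bits, i.e. >= 8 symbols)."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def detection_rate(labels) -> float:
    """Fraction of the given labels that the heuristic flags."""
    return sum(looks_generated(label) for label in labels) / len(labels)


if __name__ == "__main__":
    for name, labels in [("long random", LONG_RANDOM),
                         ("short random", SHORT_RANDOM),
                         ("benign", BENIGN)]:
        print(f"{name:13s} flagged: {detection_rate(labels):.0%}")
```

A label of length L can carry at most log2(L) bits of entropy, so a 4-7 character name can never reach the 3-bit floor and also fails the length gate; only the 9-character sample in SHORT_RANDOM is caught. That is why a detector cannot rely on length alone once names are shortened and needs other signals, such as the volume of failed lookups from one host.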

  9. Murofet • The main similarity between Conficker and Murofet is that both pieces of malware use a pre-determined algorithm to generate seemingly random domain names • It generates pseudo-random domain names based on the year, month, day, and minute of execution • Upon executing, Murofet starts a thread that attempts to download malware updates

  10. Pseudo-Random Domain Algorithm • It generates two DWORD values • The first is composed of the month, day, and low byte of the year of the date of execution, plus 0x30 (48) • The second DWORD value is based on the minute of execution, multiplied by 0x11 (17)

  11. Pseudo-Random Domain Algorithm

  12. Pseudo-Random Domain Algorithm • First DWORD: day, month, low byte of year, plus 0x30 • Second DWORD: minute * 0x11 • First DWORD followed by second DWORD: 64 bits => 16 nibbles in total
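The slide 10-12 seed construction written out as Python. This is an added illustration, not Murofet's code and not from the cited Websense post: it reproduces only the seed inputs the slides describe (two DWORDs from the date and minute, concatenated into 64 bits and read as 16 nibbles). The byte order inside the first DWORD, applying the +0x30 to the packed value, and reading "minute of execution" as the minute of the hour are all assumptions; the step that turns the seed into a domain name is not on the slides and is not reproduced.

```python
MASK32 = 0xFFFFFFFF


def first_dword(year: int, month: int, day: int) -> int:
    """Date part of the seed: month, day and low byte of the year, plus 0x30.
    The byte layout (month in bits 0-7, day in bits 8-15, low byte of the
    year in bits 16-23) and adding 0x30 to the packed value are assumptions
    for this example; the slides do not specify them."""
    packed = ((year & 0xFF) << 16) | (day << 8) | month
    return (packed + 0x30) & MASK32


def second_dword(minute: int) -> int:
    """Time part of the seed: minute multiplied by 0x11 (17). Treating
    'minute of execution' as the minute within the hour (0-59) is an
    assumption for this example."""
    return (minute * 0x11) & MASK32


def seed64(year: int, month: int, day: int, minute: int) -> int:
    """The two DWORDs concatenated into one 64-bit value (first DWORD high)."""
    return (first_dword(year, month, day) << 32) | second_dword(minute)


def nibbles(value: int) -> list[int]:
    """Split a 64-bit value into its 16 nibbles, most significant first."""
    return [(value >> shift) & 0xF for shift in range(60, -1, -4)]


def seeds_for_day(year: int, month: int, day: int) -> set[int]:
    """Every distinct seed the scheme can produce on one calendar day.
    Only the minute varies within a day, so the whole space is enumerable
    in advance; that is what lets a defender pre-compute the candidate set."""
    return {seed64(year, month, day, m) for m in range(60)}


if __name__ == "__main__":
    y, mo, d, mi = 2010, 10, 18, 5   # constructed: the briefing date at 00:05
    print(f"first DWORD  = 0x{first_dword(y, mo, d):08X}")
    print(f"second DWORD = 0x{second_dword(mi):08X}")
    print(f"64-bit seed  = 0x{seed64(y, mo, d, mi):016X}")
    print("nibbles      =", nibbles(seed64(y, mo, d, mi)))
    print("distinct seeds on this day:", len(seeds_for_day(y, mo, d)))
```

The defender-relevant property is how small the input space is: under these assumptions a single day yields only 60 distinct seeds, and the date part is identical for all of them. A scheme seeded this way can be replayed for any future day by anyone who knows the algorithm, which is the same property that allowed Conficker's daily domain lists to be computed in advance.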

  13. Reference • http://community.websense.com/blogs/securitylabs/archive/2010/10/14/murofet-domain-generation-ala-conficker.aspx • http://threatpost.com/en_us/blogs/new-malware-murofet-following-confickers-lead-101510 • http://www.symantec.com/connect/blogs/w32downadupc-pseudo-random-domain-name-generation

  14. Microsoft Wants to Cordon Off Botnet-Infected Computers Presenter: 劉旭哲

  15. Botnets = Zombie Network • DDoS • Spread spam • "collective action" to combat cyberthreats -- particularly botnets.

  16. Individual defense • firewalls, antivirus, and automatic updates • Collective defense • Computer Emergency Response Teams (CERTs) • Active defense • Offense

  17. New users, devices, and applications • Zeus botnet that captured users' banking sign-on information • New thinking and expanded approaches need to be applied to combat cyber threats

  18. "If you were the person whose computer was infected, wouldn't you want to know?" • Public Health Model • Computer = Human

  19. Public Health Model • Two complementary approaches: • bolstering efforts to identify infected devices • promoting efforts to better demonstrate device health • Identify infected devices • Restrict infected devices • at least one access provider is now attempting this approach: Comcast

  20. Comcast • Constant Guard • Damballa, a botnet research firm • Use toolbar • The first ISP to provide this type of in-browser notification

  21. Demonstrate device health: • a mechanism to produce a health certificate • trust • access providers request health certificates and take appropriate action • create supporting policies and rules

  22. Defect • If there are emergency services, infected computers may still be permitted • For example, a cell phone.

  23. At least two advantages: • Before online banking activities • More effective remediation • The ISP could identify the specific device

  24. Conclusion • Not perfect • Balance security and privacy • Building a socially acceptable and financially sustainable model • Collective action

  25. Reference • http://www.technewsworld.com/story/70998.html • http://go.microsoft.com/?linkid=9746317 • http://www.comcast.com/default.cspx • http://www.damballa.com/ • http://news.cnet.com/8301-27080_3-20018168-245.html#ixzz1133KPVK8

  26. Webgoat 莊承恩
