Front Line Report: Fighting Against Malware in China

ZhaoWei, KnownSec. Who am I? Who are we? About this presentation: Part One: China hacker culture. Part Two: Underground industry. Part Three: How we fight back? Where are they from? Where are they heading to?


Presentation Transcript


  1. Front Line Report: Fighting Against Malware in China. ZhaoWei, KnownSec

  2. Who am I? Who are we?

  3. About This Presentation
  • Part One: China hacker culture
  • Part Two: Underground industry
  • Part Three: How we fight back?

  4. Where are they from? Where are they heading to?

  5. Blackhats and Whitehats: Where did we start?
  Time line:
  • Unix hacking
  • Stack overflow
  • Format string
  • Heap overflow
  • Integer overflow
  • SQL injection
  • Backdoor
  • Kernel rootkit
  • Worm (Code Red …)
  • Mass injection
  • XSS and worm
  • Web 2.0
  Where we learned:
  • Coolfire 1996
  • Isbase 1997
  • Xfocus 1999
  • Hack.co.ca
  • Packetstorm
  • Core Security
  • w00w00
  • Bugtraq
  • Phrack
  • EFNET
  • TESO
  • The Hacker's Choice
  • Daily Dave
  • FD
  • ……

  6. Blackhats and Whitehats: 4 waves
  • Server-side wave, 1998-2003: IIS, Serv-U, Apache, Samba, Jabberd etc.
  • Client-side trend, 2002-2007:
    1) Image formats: ANI, JPG, BMP etc.
    2) Windows Office: doc, ppt etc.
    3) IE: ActiveX, HTML parser, XML parser
  • 3rd-party application attacks, 2006-now; this wave is only for profit

  7. Blackhats and Whitehats: What are they doing now?
  • WhiteHat: MOST of them are working for security companies (M, K, S, V, N, T).
    • Security research
    • Anti-(virus, rootkit, exploit)
    • Developing scanners, IDS etc.
    • Finding 0days: Windows, Linux, Unix
    • Developing exploits
  • Boring? So sometimes they get leaked:
    • ZDI
    • Underground market

  8. Blackhats and Whitehats: What are they doing now?
  BlackHat: They have their own industry!
  • Developing worms, rootkits, 0days
  • DDoS of websites for profit and fun
    • China has the best anti-DDoS devices
  • Stealing all the cool things they like
    • All kinds of games, WoW! They control the virtual economy
    • QQ, 支付宝 (Alipay, Taobao), anything related to money
    • Even some private porn
  • Competition on developing exploits? No, on who can pay more money.

  9. Blackhats and Whitehats: Famous Cases

  10. Blackhats and Whitehats: Trend
  • Age: younger! (maybe not), talented and rich
  • Area: most are not from the big cities
    • Why? Economy related?
    • More fired engineers, more hackers?
  • Blackhat culture: Baidu Zhidao forum, QQ
  • Underground industry: everyone has a role
  • Where: more public forums or QQ; they don't use IRC anymore
  • International? Not yet!

  11. Underground Malware Industry

  12. Underground Malware Industry: Now
  China is not only the world's factory, but also the world's malware factory.
  They totally changed our life:
  • My parents' computer!
  • Changed how people are using the network/internet
  • Users are pushed to learn security

  13. Underground Malware Industry: Terms
  • 挂马 (GuaMa), Hooking Horse: injecting malicious code into websites
  • 网马 (WangMa), Net Horse: exploits for IE
  • 木马 (MuMa), Wood Horse: backdoor, rootkit, downloader etc.
  • 箱子 (XiangZi), Box: a web service that stores stolen information
  • 信封 (XinFeng), Envelope: a bundle of data containing stolen information
  • 免杀 (MianSha): bypassing anti-virus
  • …

  14. Underground Malware Industry: Map

  15. Underground Malware Industry: Trend
  • From 06-07 they started using 3rd-party vulns. Why?
    1) Very big local market and a huge number of users
    2) Users know more about security now (patching the system, using anti-virus etc.)
    3) Some local security vendors supply a patch service to pirated-Windows users (they all love it)
    4) Windows 0days are really expensive now
    5) Local application vendors are totally lame (sell them Fortify!)
  • They use 0days in massive attacks; I never saw this before 2006. This is definitely a phenomenon.
  • More 0days?
    1) RealPlayer
    2) Flash
    3) XunLei*
    4) UUSee
    5) Sina

  16. Underground Malware Industry: Technique Trend
  • They like exploiting logic bugs
    1) Baidu Toolbar
    2) Snapshot
  • Anti anti-virus
    • Detect if anti-virus exists
    • Bypass anti-virus; they charge money to make your malware bypass:
      1) Kaspersky
      2) Nod32
      3) Rising
      4) Kingsoft

  17. Underground Malware Industry: 0day Market Underground
  • They love client-side vulnerabilities.
    1) Maybe they are easier to find
    2) They love local application bugs: cheaper and useful
  • The price is more exciting than ZDI
    1) Researchers like ZDI
    2) Blackhats don't; they just use it
  • Sometimes 0days are leaked to the market by:
    1) Security researchers
    2) Professional whitehats

  18. Underground Malware Industry: Real Case
  It's the most powerful malware hosting box in China. Massive injection worm!

  19. Underground Malware Industry: Real Case

  20. Underground Malware Industry: Real Case

  21. Underground Malware Industry: Real Case

  22. Underground Malware Industry: Next?
  • Web 2.0? SNS worm
  • Interactive web malware
    • Interacts with the user to defeat anti-virus
    • Authentication
  • Flash AS
  • Silverlight?

  23. How we fight BACK!

  24. How We Fight BACK!
  • Law: sue them!
  • Tech: China web reputation system

  25. How We Fight BACK! Rogue Software
  • We started the China Anti-Malware Alliance in 2006
  • We collect evidence and we sued them:
    • Yahoo China
    • eBay China
  • Won only 1 of 9 cases; we won the Shanghai case
  • Some of them are really powerful in their local area

  26. How We Fight BACK! Rogue Software
  • Definition of rogue software now: we win!
  • A call for input from the general public was made on November 8, when the ISC published its draft proposal and wanted to find out how Chinese web surfers felt about the problem.
  • Spyware/adware must also meet at least one of the following additional criteria as set out in Chinese sources:
    • Be installed without notification or approval
    • Not offer an uninstall service, or remain after removal
    • Make changes to the user's browser or any other settings without permission, disabling access to the Internet or forcing visits to certain websites
    • Trigger pop-ups
    • Collect user data without notification or permission
    • Mislead users into uninstalling non-malicious software
    • Be bundled with other known malware
    • Have any other issues that infringe the user's "right to know" and "right to choose"

  27. How We Fight BACK! Malware
  • The true problem:
    • 80-90% of victims got infected from the web
    • Vulnerabilities in Internet Explorer and in 3rd-party software
    • 0day world! Using 0days to attack people
  • What can we do for users?
    • Make a safer IE?
    • Make a clean/trustworthy web?

  28. How We Fight BACK! Malware
  • An IE security enhancement:
    • Security plugin our company made: 365menshen (365门神)
    • Anti-phishing, HIPS
    • Marks out malware URLs
    • Supplies some web services for customers
  • There are other services: SiteAdvisor, Finjan, MyWOT
  • Also, IE8 is much better than previous versions

  29. How We Fight BACK! 365menshen

  30. How We Fight BACK! Web
  • Make a cleaner web
    • We need to find all the bad web sites in China
    • We need signatures, a sandbox and a crawler
  • Make a more trustworthy web
    • We need anti-phishing
    • Maybe PhishTank
    • Need a trusted source

  31. How We Fight BACK! Crawler and Sandbox
  • We are not Google
    • Lacking enough bandwidth
    • Not enough servers (just mist/water vapor rather than a cloud)
  • So these make our sandbox different
    • The main idea is to not get infected
    • Lightweight, faster
    • Behavior-based (APIs)
    • Suitable for China
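An added illustration of the behavior-based (API) verdict this slide describes, written for this page rather than taken from ScanW: a monitored browser visit produces an API trace, and the sandbox decides from the behavior chain (browser writes an executable, launches it, persistence key set) whether the page is hosting malware. The trace format, API names, PIDs, paths and weights below are constructed assumptions.

```python
from collections import namedtuple

# One monitored API call: which process made it, which API, and its target.
# This trace shape is an assumption for the example, not ScanW's real format.
Event = namedtuple("Event", "pid api target")

# Constructed trace of a drive-by download: the browser (pid 1000) drops an
# executable, runs it, and the child (pid 2000) registers itself for autorun.
DRIVE_BY_TRACE = [
    Event(1000, "HttpOpenRequest", "http://example.invalid/ad.html"),
    Event(1000, "CreateFile", "C:\\Temp\\svchost.exe"),
    Event(1000, "WriteFile", "C:\\Temp\\svchost.exe"),
    Event(1000, "CreateProcess", "C:\\Temp\\svchost.exe"),
    Event(2000, "RegSetValue",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"),
]

# Constructed trace of a normal page load: only browser cache writes.
BENIGN_TRACE = [
    Event(1000, "HttpOpenRequest", "http://example.invalid/index.html"),
    Event(1000, "CreateFile", "C:\\Users\\u\\Temporary Internet Files\\index[1].htm"),
    Event(1000, "WriteFile", "C:\\Users\\u\\Temporary Internet Files\\index[1].htm"),
]

EXECUTABLE_EXT = (".exe", ".dll", ".scr")
AUTORUN_KEY = "\\currentversion\\run\\"


def score_trace(trace, browser_pid):
    """Return (score, reasons); each suspicious behavior adds a weight."""
    score, reasons, written = 0, [], set()
    for ev in trace:
        tgt = ev.target.lower()
        if ev.pid == browser_pid and ev.api == "WriteFile" and tgt.endswith(EXECUTABLE_EXT):
            written.add(tgt)
            score += 2
            reasons.append("browser wrote executable " + ev.target)
        elif ev.api == "CreateProcess" and tgt in written:
            score += 3  # strongest signal: running a file the browser just dropped
            reasons.append("browser launched file it just wrote: " + ev.target)
        elif ev.api == "CreateProcess" and ev.pid == browser_pid:
            score += 1
            reasons.append("browser spawned process " + ev.target)
        elif ev.api == "RegSetValue" and AUTORUN_KEY in tgt:
            score += 2
            reasons.append("autorun key set: " + ev.target)
    return score, reasons


def verdict(trace, browser_pid=1000, threshold=4):
    """Classify a visit; the threshold is a tunable assumption."""
    score, reasons = score_trace(trace, browser_pid)
    return ("malicious" if score >= threshold else "clean"), score, reasons
```

Because only the behavior chain is scored, the check does not depend on a signature for the dropped file, which is the point of the slide's lightweight, do-not-get-infected design.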

  32. How We Fight BACK! Crawler and Sandbox: ScanW
  • We started in 2006
  • We learned from:
    • Google Safe Browsing
    • Microsoft HoneyMonkey
    • McAfee SiteAdvisor
  • We are based on:
    • VMware Server 2.0
    • Python 2.5
    • Django 1.0
    • C
  • We are trying to move these things to:
    • Google App Engine (GFW?)
    • Or using Hadoop (Java)?

  33. Demo

  34. China Marketing
  • Ecosystem plus free anti-virus software
  • Pushing SDL to software vendors
  • Web server-side ecosystem?

  35. Q/A. Thank you! ic@scanw.com
