2011 Ver. 1.2.0
Agenda: P2P / Tunnel / BotNet / Zero-Day
Ports: HTTP (TCP/80), HTTPS (TCP/443); SSL, SSH, IPSec (ex: TOR); Protocol Obfuscation; P2P Protocol Obfuscation
P2P
The evolution of circumvention ("wall-climbing") software in Asia: once we were the flowers of the motherland, growing strong; now we are the motherland's red apricots reaching over the wall, climbing it together.
Wujie, Freegate, Tor ... = Tunnel
1. Well-known port, VPN server (diagram: VPN Server, VPN Client, Computer behind firewall, Computer on the Internet)
2. Tunneling into the LAN (diagram: VPN Server, VPN Client, Computer behind firewall, Computer on the Internet)
3. VPN to a critical server behind the firewall (diagram: VPN Server, Critical server behind firewall, VPN Client, Computer behind firewall, Computer on the Internet)
IM tunneling through a firewall via a local VPN server:
Step 1. Install VPN Server locally
Step 2. Configure IM client to connect via local SOCKS or HTTP proxy server
Step 3. IM Client connects to local VPN server in plain text
Step 4. VPN Server connects through Firewall, encrypted and undetected (VPN Tunnel)
Step 5. External VPN Server connects to IM server in plain text
The same five steps with IE (web browser) as the client: IE -> local VPN Server -> VPN Tunnel -> external VPN Server (per-step labels lost in extraction)
Tunnel? Tunnels over web ports (80 or 443); L3~4
Tunnel (cont.)
BotNet sizes and spam capacity (source: Wikipedia, http://en.wikipedia.org/wiki/botnet)

  Botnet     Estimated bots            Spam capacity
  Mariposa   12,000,000?               (not given)
  Conficker  10,000,000                10,000,000,000/day
  Zeus       3,600,000 (US only)       N/A
  Cutwail    1,500,000                 74,000,000,000/day
  Storm      160,000                   3,000,000,000/day
  Waledac    80,000                    1,500,000,000/day

BotNet (Gartner, 2013)
BotNet (cont.) (Gartner)
Internet worms: Blaster, Sasser, Zotob, Mocbot (IRC Bot); 0-day. Src: http://www.sans.org/top-cyber-security-risks/trends.php
Src: http://www.sans.org/top-cyber-security-risks/trends.php
OS patching: server side vs. client side. Src: http://www.sans.org/top-cyber-security-risks/patching.php
Client side vs. server side; client side, Web. Src: http://www.sans.org/top-cyber-security-risks/
PDF: PDF (2008); PDF client-side bot
Zero-day: zero-day framework; zero-day in Adobe PDF, Flash Player, Microsoft Office Suite (PowerPoint, Excel and Word) software. Src: http://www.sans.org/top-cyber-security-risks/zero-day.php
Agenda: P2P / WMF 0-day
FTC, P2P (2010-02-23)
P2P (2009-5-15)
P2P (2011-02-05)
Foxy P2P (2010-9-7)
(2010-7-20)
(cont.) Robin Sage: Facebook, 25 posts; Twitter, 28 ... 300 posts
盖 13 Twitter (2009-6-24)
盖 13 Twitter (cont.): diagram with numbered steps 1-8 involving Twitter and a CODEC download (step labels lost in extraction)
Agenda: P2P / WMF 0-day / Bot / IM
MS06-001 WMF 0-day (2005.12.28): IE 0-day, Win XP SP2, WMF. Domains: Crackz [dot] ws, unionseek [dot] com, www.tfcco [dot] com, Iframeurl [dot] biz, beehappyy [dot] biz, more...
WMF 0-day
WMF 0-day: IE 0-day!!
IM
MSN
-- NetKeeper: IPS; NSS, ICSALabs / DDoS / /
BroadWeb IPS vs. 0-day exploits
  MS WMF 0-day: 28 Dec, 2005 - Attack: MS WMF exploit publicly released; 29 Dec, 2005 - BroadWeb released pattern update; 10 Jan, 2006 - Microsoft released patch
  0-day vulnerability in general: D day - Attack: vulnerability was publicly unveiled; D+1 day - BroadWeb released pattern update; D+N day - Vendor released patch
-- NetKeeper: BotNet
-- NetKeeper: 300; IM, P2P
-- FlowManager: IM, P2P
-- FlowManager
BroadWeb: State Machine
BroadWeb: 1800; Web, P2P, IM, Streaming Media, VoIP; 16
BroadWeb: AP State Machine; Tunnel; IM/P2P
Bots and Botnets: IPS / Bot; 0-day; IPS; IRC, IM/P2P, Email (pdf, office); Email, IM, URL; Bot