2

2011 Ver. 1.2.0

2

3 P2P Tunnel BotNet Zero-Day

4 port port HTTP (TCP/80), HTTPS(TCP/443) SSL SSH IPSec Ex:TOR Protocol Obfuscation( ) P2P Protocol Obfuscation

P2P 5

P2P 6 P2P P2P P2P 6

7 P2P Tunnel BotNet Zero-Day

亞洲翻牆軟體的演進 曾經我們是祖國的花朵 茁壯成長 如今我們是祖國的紅杏 集體翻牆 8

9 (Wujie) (Freegate) Tor = = = Tunnel =

1 1. well-known port, VPN server VPN Server VPN Client Computer ehind firewall VPN Client VPN Client VPN Client Computer on the Internet Computer behind firewall Computer on the Internet

1 2. tunneling LAN VPN Server VPN Client Computer ehind firewall VPN Client VPN Client VPN Client Computer on the Internet Computer behind firewall Computer on the Internet

1 3. VPN VPN Server Critical server behind firewall VPN Client Computer ehind firewall VPN Client VPN Client VPN Client Computer on the Internet Computer behind firewall Computer on the Internet

1 Step 3. IM Client connects to local VPN server in plain text IM Client 3 Step 1. Install VPN Server locally VPN Server 1 Step 4. VPN Server connects through Firewall encrypte and undetected 4 VPN Tunnel VPN Server Step 2. Configure IM client to connect via local SOCKS or HTTP proxy server 2 Step 5. External VPN Server connects to IM server in Plain text 5

1 Step 3. Step 1. IE VPN VPN Server Server 3 VPN Server 1 Step 4. VPN Server VPN Server 4 VPN Tunnel VPN Server Step 2. IE VPN Server 2 Step 5. VPN Server 5

Tunnel 1 Tunnel? web(port 80 or 443) L3~4

Tunnel (cont.) Tunnel 1

1 P2P Tunnel BotNet Zero-Day

BotNet 1 SPAM Mariposa 12,000,000? Conficker 10,000,000 10,000,000,000/day Zeus 3,600,000 (US Only) N/A Cutwail 1,500,000 74,000,000,000/day Storm 160,000 3,000,000,000/day Waledac 80,000 1,500,000,000/day Wikipedia http://en.wikipedia.org/wiki/botnet

BotNet 1 Gartner 2013 BotNet 19

BotNet (cont.) 2 Gartner BotNet 20

2 P2P Tunnel BotNet Zero-Day

2 Internet Worm Blaster Sasser Zotob Mocbot IRC Bot 0-day 0-day rc: http://www.sans.org/top-cyber-security-risks/trends.php

2 1. 2. rc: http://www.sans.org/top-cyber-security-risks/trends.php

OS 2 Server side Client side Client side c: http://www.sans.org/top-cyber-security-risks/patching.php

2 client side server side client side Web Src: http://www.sans.org/top-cyber-security-risks/

PDF 2 PDF 2008 PDF client side bot

2 P2P Tunnel BotNet Zero-Day

Zero-day 2 zeroday frame work zero-day Adobe PDF Flash Player Microsoft Office Suite (PowerPoint, Excel and Word) software c: http://www.sans.org/top-cyber-security-risks/zero-day.php

2 P2P WMF 0-day

FTC P2P 3 2010-02-23

P2P 3 2009-5-15

P2P 3 2011-02-05 P2P

Foxy P2P 3 2010-9-7

3 P2P WMF 0-day

3 2010-7-20

(cont.) 3 (Robin Sage) Facebook 25 PO (Twitter) 28 300 PO

盖 13 Twitter 3 2009-6-24

盖 13 Twitter (cont.) 3 3 Twitter 2 4 Twitter 1 Twitter 5 CODEC 6 8 Twitter 7 CODEC

3 P2P WMF 0-day Bot IM

MS06-001 WMF 0-day 4 2005.12.28 IE 0-day Win XP SP2 WMF Crackz [dot] ws unionseek [dot] com www.tfcco [dot] com Iframeurl [dot] biz beehappyy [dot] biz more...

WMF 0-day 4

WMF 0-day 4

WMF 0-day 4

WMF 0-day 4 IE 0-day!!

4 P2P WMF 0-day

4

IM 4

IM 4

4

IM 5

5

5

MSN 5

5

5

5

5

-- NetKeeper 5 IPS NSS ICSALabs / DDoS / /

5 BroadWeb IPS 0-day MS WMF 0-day 0 exploits 28 Dec, 2005 29 Dec, 2005 10 Jan, 2006 Attack MS WMF exploit publicly released BroadWeb released pattern update Microsoft released patch 0-day Vulnerability D day D+1 day D+N day Attack Vulnerability was publicly unveiled BroadWeb released pattern update Vender released patch

-- NetKeeper 6 BotNet BotNet BotNet

-- NetKeeper 6 300 IM P2P

-- FlowManager 6 IM P2P

-- FlowManager 6

BroadWeb 6 State Machine

BroadWeb 6 1800 Web P2P IM Streaming Media VoIP 16

BroadWeb 6 AP State Machine Tunnel IM/P2P

Bots Botnets 6 IPS/ Bot 0-day IPS IRC IM/P2P Email ( pdf office ) Email IM URL Bot

6