Front Line Report: Fighting Against Malware in China
ZhaoWei, KnownSec

Who am I? Who are we?

About This Presentation
1. Part One: China hacker culture
2. Part Two: Underground industry
3. Part Three: How we fight back?

Where are they from? Where are they heading to?

Blackhats and Whitehats: Where did we start? Where did we learn?
• Coolfire 1996
• Isbase 1997
• Xfocus 1999
• Hack.co.ca
• Packetstorm
• Core Security
• w00w00
• Bugtraq
• Phrack
• EFNET
• TESO
• The Hacker's Choice
• Daily Dave
• FD
• ……

Timeline:
• Unix hacking
• Stack overflow
• Format string
• Heap overflow
• Int overflow
• SQL injection
• Backdoor
• Kernel rootkit
• Worm (Code Red…)
• Mass injection
• XSS and worm
• Web 2.0

Blackhats and Whitehats: 4 waves
1. Server-side wave, 1998-2003
  1) IIS, Serv-U, Apache, Samba, Jabberd etc.
2. Client-side trend, 2002-2007
  1) Image formats: ANI, JPG, BMP etc.
  2) Windows Office: doc, ppt etc.
  3) IE: ActiveX, HTML parser, XML parser
3. 3rd-party application attacks, 2006-now; this one is only for profit

Blackhats and Whitehats: What are they doing now?
• WhiteHat: MOST of them are working for security companies (M, K, S, V, N, T).
  o Security research: anti-(virus, rootkit, exploit); developing scanners, IDS etc.
  o Finding 0days: Windows, Linux, Unix
  o Developing exploits
  o Boring? So sometimes they get leaked: ZDI, underground market
• BlackHat: they have their own industry!
  o Developing worms, rootkits, 0days
  o DDoS websites for profit and fun (China has the best anti-DDoS devices)
  o Stealing all of the cool things they like: all kinds of games (WoW!); they control the virtual economy; QQ, 支付宝 (Alipay, Taobao), everything related to money; even some private porn.
  o Competition on developing exploits? No: who can give more money.

Blackhats and Whitehats: Famous Cases

Blackhats and Whitehats: Trend
1. Age: younger! (maybe not), talented and rich
2. Area: most are not from the big cities
  o Why? Economy related?
  o More fired engineers, more hackers?
3. Blackhat culture: Baidu Zhidao forum, QQ
4. Underground industry: everyone has a role.
5. Where: more public forums or QQ; they don't use IRC anymore
6. International? Not yet!

Underground Malware Industry
• Now China is not only the world's factory, but also the world's malware factory
• They totally changed our life:
  1. My parents' computer!
  2. Changed how people are using the network/Internet
  3. Users are pushed to learn security

Underground Malware Industry: Terms
• 挂马 (GuaMa), Hooking Horse: injecting malcode into websites
• 网马 (WangMa), Net Horse: exploits for IE
• 木马 (MuMa), Wood Horse: backdoor, rootkit, downloader etc.
• 箱子 (XiangZi), Box: a web service that stores stolen information
• 信封 (XinFeng), Envelope: data containing stolen information
• 免杀 (MianSha): bypassing anti-virus
• …

Underground Malware Industry: Map
[Diagram of the underground malware industry. Roles: Org or Individual, Plugin Vendor, Virus Developer, Security Researcher (Technical Area), Website Cracker, Mal Hosting, Gaming Team (Cracker Area), Traffic Vendor, re-sellers, Sub-dealer, G-Dealer, E-Dealer, E-Property Trading, E-Property Buyer, Internet Users, Victim. Flows: PAY for latest hacking tech and latest viruses and malware; selling all kinds of information; SALES of owned websites/traffic; Inject Mal-Code; Controlled Traffic; Crack/Steal Box; Value Information; Traffic; Surf Internet; controlled/privacy-leak websites/pages; $.]

Underground Malware Industry: Trend
1. From 06-07 they started using 3rd-party vulns. Why?
  1) Very big local market and a huge amount of users
  2) Users know more about security now (patch the system, use anti-virus etc.)
  3) Some local security vendors supply a patch service to pirated Windows users (they all love it)
  4) Windows 0days are really expensive now
  5) Local application vendors are totally lame (sell them Fortify!)
2. They use 0days in massive attacks. I never saw this before 2006; this is definitely a phenomenon
3. More 0days?
  1) RealPlayer
  2) Flash
  3) XunLei*
  4) UUSee
  5) Sina

Underground Malware Industry: Technique Trend
1. They like exploiting logic bugs
  1) Baidu Toolbar
  2) Snapshot
2. Anti anti-virus: detect if anti-virus exists
3. Bypass anti-virus; they charge money to make your malware bypass:
  1) Kaspersky
  2) Nod32
  3) Rising
  4) Kingsoft

Underground Malware Industry: 0day Market
1. They love client-side vulnerabilities.
  1) Maybe they are easier to find
  2) They love local application bugs: cheaper and useful
2. The price is more exciting than ZDI
  1) Researchers like ZDI
  2) Blackhats don't; they just use it
3. Sometimes 0days are leaked to the market
  1) Security researchers
  2) Professional whitehats

Underground Malware Industry: Real Case
• It's the most powerful malware hosting box in China
• Massive injection worm!

Underground Malware Industry: Next?
• Web 2.0? SNS worm
• Interactive web malware
• Interact with the user to make anti anti-virus
• Authentication
• Flash AS
• Silverlight?

How We Fight BACK!
• Law: sue them!
• Tech: China web reputation system
  o MenShen: client-side IE protection
  o Web reputation
  o ScanV: anti-phishing
  o ScanW: anti-malware

How We Fight BACK! Rogue Software
• We started the China Anti-Malware Alliance in 2006
• We collected evidence and we sued them
  o Yahoo China
  o eBay China
• We won only 1 of 9 cases; we won the Shanghai case
• Some of them are really powerful in their local area

How We Fight BACK! Rogue Software
• Definition of rogue software now: we win!
A call for input from the general public was made on November 8, when the ISC published its draft proposal and wanted to find out how Chinese web surfers felt about the problem. Spyware/adware must also follow at least one of the following additional criteria as set out in Chinese sources:
  • Be installed without notification or approval
  • Not offer an uninstall service, or remain after removal
  • Make changes to the user's browser or any other settings without permission, disabling access to the Internet or forcing visits to certain websites
  • Trigger pop-ups
  • Collect user data without notification or permission
  • Mislead users into uninstalling non-malicious software
  • Be bundled with other known malware
  • Have any other issues that infringe the user's "right to know" and "right to choose."

How We Fight BACK! Malware
• The true problem:
  o 80-90% of victims got infected from the web
  o Vulnerabilities in Internet Explorer and 3rd-party vulnerabilities
  o 0day world! Using 0days to attack people
• What can we do for users?
  o Make a safer IE?
  o Make a clean/trustworthy web?

How We Fight BACK! Malware
• An IE security enhancement:
  o Security plugin our company made: 365menshen (365门神)
  o Anti-phishing, HIPS
  o Mark out malware URLs
  o Supply some web services for customers
• There are other services: SiteAdvisor, Finjan, MyWOT
• Also IE8 is much better than previous versions

How We Fight BACK! 365menshen

How We Fight BACK! Web
• Make a cleaner web
  o We need to find all bad websites in China
  o We need signatures, a sandbox and a crawler
• Make a more trustworthy web
  o We need anti-phishing
  o Maybe PhishTank
  o Need a trusted source

How We Fight BACK! Crawler and Sandbox
• We are not Google
  o Lacking enough bandwidth
  o Not enough servers (just mist/water vapor rather than a cloud)
• So these make our sandbox different
  o The main idea is to not get infected
  o Lightweight, faster
  o Behavior-based (APIs)
  o Suitable for China

How We Fight BACK! Crawler and Sandbox: ScanW
• We started in 2006
• We learned from:
  o Google Safe Browsing
  o Microsoft HoneyMonkey
  o McAfee SiteAdvisor
• We are based on:
  o VMware Server 2.0
  o Python 2.5
  o Django 1.0
  o C
• We are trying to move these things to:
  o Google App Engine (GFW?)
  o Or using Hadoop (Java)?

Demo

China Marketing
1. Ecosystem plus free anti-virus software
2. Pushing SDL to software vendors
3. Web server-side ecosystem?

Q/A

Thank You!
[email protected]
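A behavior-based verdict of the kind the Crawler and Sandbox slides describe (score the API calls the browser makes while rendering a page and stop as soon as the trace crosses a threshold, so the guest never has to be fully infected before it is reverted), as an added Python example that is not ScanW's code; the hook event format, rule weights, threshold and sample traces are all constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiEvent:
    process: str  # image name of the calling process, as reported by the guest hook (constructed format)
    api: str      # hooked Win32 API name
    arg: str      # the single argument the rules inspect (URL, path or registry key)

def _is_pe(path):
    return path.lower().endswith((".exe", ".dll"))

# Rule table: (api, predicate on arg, weight, label). Weights are constructed, not ScanW's.
RULES = [
    ("URLDownloadToFileA", _is_pe, 40, "download of a PE file"),
    ("WriteFile", _is_pe, 20, "PE file written to disk"),
    ("CreateProcessA", lambda a: True, 40, "new process spawned"),
    ("RegSetValueExA", lambda a: "\\currentversion\\run" in a.lower(), 50, "autorun key written"),
]
THRESHOLD = 70  # constructed cut-off; at or above it the run is aborted and the VM reverted

def analyze(trace, browser="iexplore.exe", threshold=THRESHOLD):
    tracked = {browser}  # the browser plus anything it (transitively) launches
    score, hits = 0, []
    for i, ev in enumerate(trace):
        if ev.process.lower() not in tracked:
            continue  # unrelated guest activity is ignored, which keeps the check lightweight
        for api, pred, weight, label in RULES:
            if ev.api == api and pred(ev.arg):
                score += weight
                hits.append(label)
        if ev.api == "CreateProcessA":  # follow the child so its behavior counts too
            tracked.add(ev.arg.replace("\\", "/").rsplit("/", 1)[-1].lower())
        if score >= threshold:  # known-bad already: stop here instead of letting the payload run on
            return {"verdict": "malicious", "score": score, "hits": hits, "stopped_at": i}
    verdict = "suspicious" if hits else "clean"
    return {"verdict": verdict, "score": score, "hits": hits, "stopped_at": len(trace)}

# Constructed traces standing in for what the guest hooks would report for two crawled pages.
DRIVE_BY = [
    ApiEvent("iexplore.exe", "URLDownloadToFileA", "http://example.invalid/dl/update.exe"),
    ApiEvent("iexplore.exe", "WriteFile", "C:\\Windows\\Temp\\update.exe"),
    ApiEvent("iexplore.exe", "CreateProcessA", "C:\\Windows\\Temp\\update.exe"),
    ApiEvent("update.exe", "RegSetValueExA", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]
BENIGN = [
    ApiEvent("iexplore.exe", "WriteFile", "C:\\Temp\\Temporary Internet Files\\index.htm"),
    ApiEvent("iexplore.exe", "RegSetValueExA", "HKCU\\Software\\Microsoft\\Internet Explorer\\Main"),
    ApiEvent("svchost.exe", "CreateProcessA", "C:\\Windows\\System32\\wuauclt.exe"),
]
```

Calling `analyze(DRIVE_BY)` aborts at the third event with a malicious verdict, while `analyze(BENIGN)` runs the whole trace and returns clean.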