Yilang's Blogger

Botnets and Trends of Advanced Persistent Threats

Published by Yi-Lang Tsai, 11:30 PM

Over the course of information security's development, cyber attacks have become far more organized and refined. Carefully planned, targeted attacks have largely replaced indiscriminate large-scale ones, and infecting victims' computers with malicious software is the most common way of carrying them out.

Botnets are currently among the most severe information security threats, and the advanced persistent threat (APT) is the most discussed information security issue. In targeted attacks, hackers usually steal information or launch large-scale attacks through botnets. Once the targets are chosen, the attackers carry out long-term, persistent campaigns using a variety of methods, and many compromised computers unknowingly take part in the attacks they launch. The malicious software a botnet uses is often customized to weaknesses found in the targeted computers. These "special-purpose" malicious programs are extremely hard to detect during their latent and infection phases: unless their behavior patterns are known in advance, signature matching will not find them. They also mutate rapidly, so once a system is infected, anti-virus software has difficulty detecting and removing them.

(Fig. Botnet Infection Map)

To get past firewall defenses, most botnets use protocols and ports that the firewall already permits. This undermines the conventional defense model, in which the internal network is treated as a high-security zone and the external network as a low-security zone. Default access-control policies allow hosts in a higher-security zone to initiate connections to lower-security zones, so an infected internal host can reach out through the firewall unhindered; restricting and logging outbound (egress) traffic, not only inbound, is what closes this gap. This is one of the reasons botnets are able to spread on such a large scale.

Commonly used botnet protocols include HTTP, FTP, TFTP and IRC, all of which are widely used by legitimate applications. When a botnet communicates over these protocols it often goes unnoticed by administrators and by the infected systems themselves, especially while the botnet is in its latent phase and maintains only minimal contact with an intermediate node or with the attacker's command-and-control (C&C) platform. Conventional network statistics, which rank traffic by volume, do not effectively expose this behavior.
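The detection side of the two paragraphs above, as an added example that is not part of the original post: a small Python script that first ranks host pairs the conventional way (total bytes) and then looks separately for the pattern described here, small connections at regular intervals to one external address over a firewall-permitted port. The flow records are constructed for the example (documentation IP ranges, not real traffic), and the thresholds are assumptions to tune for the network being watched.

```python
"""Added example: spotting latent-phase C&C beaconing that volume statistics miss.

The flow records below are constructed for this example (documentation IP
ranges, not real traffic). Fields: timestamp src dst dport bytes.
Host 10.0.0.5 makes small, evenly spaced HTTP connections to one external
address; host 10.0.0.8 moves far more data, but irregularly.
"""
from collections import defaultdict
from datetime import datetime
import statistics

SAMPLE_LOG = """\
2012-03-01T08:00:00 10.0.0.5 198.51.100.7 80 412
2012-03-01T08:00:03 10.0.0.5 203.0.113.9 80 15230
2012-03-01T08:10:01 10.0.0.5 198.51.100.7 80 410
2012-03-01T08:20:02 10.0.0.5 198.51.100.7 80 415
2012-03-01T08:30:00 10.0.0.5 198.51.100.7 80 409
2012-03-01T08:40:01 10.0.0.5 198.51.100.7 80 413
2012-03-01T08:50:00 10.0.0.5 198.51.100.7 80 411
2012-03-01T08:05:17 10.0.0.8 203.0.113.9 80 88211
2012-03-01T08:31:44 10.0.0.8 203.0.113.9 80 91020
2012-03-01T08:33:02 10.0.0.8 203.0.113.20 443 70018
2012-03-01T08:47:55 10.0.0.8 203.0.113.9 80 120300
"""


def parse_log(text):
    """Parse 'timestamp src dst dport bytes' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def top_talkers(flows, n=3):
    """The conventional view: (src, dst, dport) pairs ranked by total bytes."""
    totals = defaultdict(int)
    for _, src, dst, dport, nbytes in flows:
        totals[(src, dst, dport)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_beacons(flows, min_connections=5, max_jitter=0.2, max_avg_bytes=2048):
    """Return {(src, dst, dport): median_interval_seconds} for pairs whose
    connections are both small and evenly spaced. The thresholds are
    assumptions made for this example; tune them to the network being watched."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_pair[(src, dst, dport)].append((ts, nbytes))

    beacons = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(events, events[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        # Relative deviation of the worst gap from the typical gap: a bot's
        # sleep() loop produces near-zero jitter, human browsing does not.
        jitter = max(abs(g - median_gap) for g in gaps) / median_gap
        avg_bytes = statistics.mean(nbytes for _, nbytes in events)
        if jitter <= max_jitter and avg_bytes <= max_avg_bytes:
            beacons[pair] = median_gap
    return beacons


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("Top talkers by bytes (what conventional statistics show):")
    for pair, total in top_talkers(flows):
        print(f"  {pair[0]} -> {pair[1]}:{pair[2]}  {total} bytes")
    print("Suspected beacons (small, regular connections):")
    for pair, interval in find_beacons(flows).items():
        print(f"  {pair[0]} -> {pair[1]}:{pair[2]}  every {interval:.0f}s")
```

On the constructed input the byte ranking never shows the beaconing pair at all, while the interval check flags 10.0.0.5 contacting 198.51.100.7 on port 80 roughly every ten minutes. Treat the output as triage candidates rather than verdicts: software update checks, NTP and monitoring agents also beacon regularly, so a real deployment would whitelist known destinations and look at what the flagged host actually exchanges with the address.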

The main difference between botnets and computer viruses, Trojan horses and Internet worms is that botnets not only compromise computer systems but also manage them efficiently through intermediate nodes or central control stations. Infected bots (i.e. infected computers) actively connect to these nodes and wait for commands, and once an attack command arrives they can launch the attack very quickly. This differs from conventional attacks, in which the attacker must send commands individually to each hacked computer in its separate location. A botnet therefore manages its infected hosts more efficiently and can launch targeted attacks within a relatively short time.

Currently, most underground economic activity is conducted through botnets (e.g. stealing personal information, stealing website accounts and passwords, capturing keyboard and screen input with key and screen loggers, or taking part in malicious attacks). The mutation tools used to spin variants off the malware's source code make it very difficult to detect. In addition, information convergence, the digital economy, and the growth of cloud technologies and mobile commerce bring new information security considerations. In this new environment of new technologies, mobile and broadband terminals, networks, services, application platforms, data centers, crime investigation and national security will all face attacks by highly experienced hackers using malicious software.

2011 was a very active year for APTs. An APT is not a new type of attack; rather, it combines several different attack methods chosen in response to the target's environment. The attack process is divided into several stages, including data collection and analysis, scanning for system and application weaknesses, use of rootkits, and exploitation of web application security weaknesses. Victims of APTs include information security equipment and service providers such as RSA Inc. and HBGary, as well as Sony Entertainment Network, Citibank, Google and VISA Inc.

Beyond security equipment and service providers themselves being hacked, the leaking of their clients' information has also become a major issue. Observing the trend, hackers are no longer only stealing data from ordinary users' PCs; they are increasingly interested in important, high-profile targets and plan long-term attacks against them. Through social engineering and web reconnaissance, they customize their attack methods to specific targets, and such attacks often last from several months to a year, until their goals are achieved. The attackers usually send network services or documents that appear normal but carry malicious programs, using them to launch zero-day attacks against unannounced system and application weaknesses, so the victims are unable to detect the attacks. When botnets are combined with APTs, attackers can use an immense botnet to carry out several kinds of attack simultaneously and implant malicious software through multiple channels.

We live in a continuously evolving computing and networking environment in which new applications, each with the potential to be hacked, are constantly introduced, and new risks come with them. The only way to improve information security is to keep up with the latest developments, understand common attack methods and the ways to protect systems and applications against them, and avoid exposing our systems to unsafe environments in the first place.


Published by Yi-Lang Tsai, 12:41 AM
Over the course of information security's development, network attack methods have moved toward being organized and refined. Large-scale attacks are now rare; they have been replaced by carefully designed network attacks, among which infecting victims with various malicious programs is one of the most common methods. Botnets are currently one of the most serious information security threats, and the advanced persistent threat (APT) is the hottest recent information security topic. In targeted attack campaigns, information theft or large-scale attack activity conducted through botnets is frequently seen. Once an attacker has chosen a target, they employ many different attack methods to carry out long-term, persistent attacks against that specific target, stopping at nothing to achieve their aim, and many compromised computers unknowingly take part in the attacks the attacker launches. The malicious programs used by botnets are mostly custom-developed against weaknesses discovered in the target. Such "special-purpose" malicious programs are hard to discover during their latent and infection phases, and unless their behavior patterns are known they are not easily detected by signature matching; they mutate quickly, and once a system is infected, anti-virus software has difficulty detecting and removing them.

2011 can be called a very active year for advanced persistent threats (APT); many information security incidents were related to this kind of attack. APT is not a new attack; rather, it adopts several different types of attack method at once, chosen to fit the target's environment. The whole attack process can be divided into several stages, including data collection and analysis, scanning for system and application weaknesses, use of rootkits, and exploitation of web application security weaknesses. Well-known companies whose main business is security equipment or services, such as RSA and HBGary, were attacked in this way, which in turn created security risks for their customers or led to security incidents because the security equipment or services in use had been compromised, all with considerable impact. Attacks of the same kind also struck Sony's gaming community platform, Citibank, Google, the VISA international card organization and others, and such attacks aimed at specific targets and purposes continue to be reported. From this trend it can be seen that, besides stealing data from ordinary users' computers, hackers are becoming interested in important and symbolic targets and plan their attacks over a long period. Through refined techniques such as social engineering and network reconnaissance and probing, they tailor a unique attack method to the specific target and purpose, with achieving the goal as the ultimate objective; they do not give up before the goal is reached, and such attacks often last several months or more than a year. Attackers often use or send seemingly normal network services or documents with malicious programs embedded in them to launch zero-day attacks, targeting system and application weaknesses that have not yet been published, and the victims of these attacks often do not notice. When botnets and advanced persistent threats are combined, the attacker can effectively use a huge botnet as a helper, launching many types of attack against the target and using multiple channels to implant malicious programs into the target's systems in order to achieve the attacker's goal.

This article was also published in the newsletter of the National Center for High-performance Computing (NCHC).


Published by Yi-Lang Tsai, 9:07 AM

The Honeynet Project Annual Workshop 2012 conference report

Published by Yi-Lang Tsai, 12:19 AM
Since joining The Honeynet Project, an international security organization, in November 2008, I have been responsible for running the Taiwan chapter for more than three years. During this time I have put a great deal of time and effort into research in this field and into deploying systems, and of course I have also run several training courses. This year I traveled to San Francisco for the annual meeting, which was held at the headquarters of Facebook Inc. The project currently has 44 chapters worldwide, made up mainly of security experts from each country; everyone works hard at their own day jobs and devotes their spare time to research on honeypot technology and related security techniques, cooperating in a purely technology-driven way.
Following last year's annual meeting in Paris, where the first public workshop was very well received, this year continued the same model and extended the one-day public session to two days. The first day was run as a conference, and the second day returned to technical exchange, with several hands-on sessions, for example: Malware Reverse Engineering, Hands on with the Honeywall and virtual honeypots, Android reverse malware forensics, CTF: Hacking for fun and profit, Information Visualization - Bridging the Gap Between Tufte and Firewalls, Cuckoo Sandbox: how deep the bird's nest goes, and Network analysis & forensics. The instructors were mostly experts from within the organization, and the hope is to promote the organization's research capacity and results in this way.

About 150 people attended the first two days, mainly security researchers from Europe and North America. Fewer came from Asia, probably because the event was held in the United States; apart from members of the Asian chapters, few Asian attendees came to this public session. Some students taking part in the Google Summer of Code 2012 program also joined the meeting.

The organization's member meeting is a closed session that only chapter members or invited people may attend. It covers the latest security trends and the state of tool development, and some agenda items concerning the organization's future operation are also discussed and reported during the three days of the closed meeting, so I won't say more about them here; I will share more at a workshop held in Taiwan when there is an opportunity.


Reference: The Honeynet Project Website (www.honeynet.org)