15.
August 2013
First noticed at conrad.nl
Visitors are redirected to site serving Blackhole exploit kit (PDF & Java)
Turns out conrad.nl is not the only one
16.
Hosting provider targeted by phishing email
PDF containing malware
One client got compromised
Credentials obtained for DNS registrar
DNS Nameserver entry changed
Legitimate action…
20.
Started as joint venture
CERT-Polska
Dutch National Cyber Security Centre (NCSC-NL)
Work on version 2 started in 2011
Code released under GPL license in January 2013
21.
Early warning system
Detects attacks on client applications
Webpages
Files
Supports variety of services & analyzers
Flexible configuration
Scalable
Open architecture
25.
HSN Workflow Language (HWL)
XML
Process
Each URL
Reporter
• File with URLs
• Service “A”
• Service “B”
• Aggregate results from services
• Store in database
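
The workflow on this slide (feed URLs, run each URL through the services, aggregate the results in a reporter) as a stand-alone Java model. This is an added example, not code from the talk or from HSN2; the class name, the two sample services and the sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.util.*;
import java.util.concurrent.*;
import java.util.function.Function;

// Hypothetical model of feeder -> services -> reporter; no HSN2 classes are used. Java 11+.
public class WorkflowSketch {
    // A "service" turns one URL into a named attribute (two constructed examples).
    static final Map<String, Function<URI, String>> SERVICES = new LinkedHashMap<>();
    static {
        SERVICES.put("scheme", u -> String.valueOf(u.getScheme()));
        SERVICES.put("host_is_ip_literal", u -> String.valueOf(
            u.getHost() != null && u.getHost().matches("\\[.*\\]|\\d{1,3}(\\.\\d{1,3}){3}")));
    }

    // Process step: run every service on one URL; a bad URL is recorded, not fatal.
    static Map<String, String> processUrl(String raw) {
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("url_original", raw);
        try {
            URI uri = new URI(raw.trim());
            SERVICES.forEach((name, svc) -> attrs.put(name, svc.apply(uri)));
        } catch (Exception e) {
            attrs.put("error", e.getClass().getSimpleName());
        }
        return attrs;
    }

    // Feeder and reporter: fan URLs out to a worker pool, aggregate results in input order.
    static List<Map<String, String>> runJob(List<String> urls, int workers) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(workers);
        try {
            List<Future<Map<String, String>>> pending = new ArrayList<>();
            for (String url : urls) pending.add(pool.submit(() -> processUrl(url)));
            List<Map<String, String>> report = new ArrayList<>();
            for (Future<Map<String, String>> f : pending) report.add(f.get());
            return report; // a real reporter would store this in a database
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for the "file with URLs".
        List<String> feed = List.of("http://example.com/index.html",
                                    "http://192.0.2.10/landing", "ht!tp://broken url");
        runJob(feed, 2).forEach(System.out::println);
    }
}
```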
26.
Input / Output
• Feeder (file / url)
• Reporter
Scanners
• Antivirus
Web Clients
• HtmlUnit
• Thug
Analyzers
• Shellcode
• JavaScript
• PDF
• MS Office
• Flash
Honeypots
• Capture HPC
• Cuckoo
27.
High interaction honeypot
Vulnerable system visits website
Activity is recorded
Uses virtualization software
Analysis plugins
Reporting plugins
30.
    package nl.ncim.hsn2.service;

    import ...;

    // Entry point of the demo service, run as an Apache Commons Daemon.
    public class DemoService implements org.apache.commons.daemon.Daemon {
        private GenericService service = null;

        @Override
        public void init(DaemonContext context) throws DaemonInitException, Exception {
            // The task factory tells the generic service how to create tasks.
            this.service = new GenericService(new DemoServiceTaskFactory(), ...);
        }

        @Override
        public void start() throws Exception {
            ...
            service.run();
            ...
        }
    }
32.
    package nl.ncim.hsn2.service;

    import ...;

    // Factory handed to GenericService; it creates one task per call to newTask().
    public class DemoServiceTaskFactory implements TaskFactory {
        @Override
        public Task newTask(TaskContext jobContext, ParametersWrapper parameters,
                ObjectDataWrapper data) throws ParameterException {
            return new DemoServiceTask(jobContext, data);
        }
    }
35.
    package nl.ncim.hsn2.service;

    import ...

    /**
     * The task class for the HSN2 Demo Service.
     * This is the place where the actual work is being done.
     */
    public class DemoServiceTask implements Task {
        private TaskContext jobContext;
        private String url;

        public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) {
            this.jobContext = jobContext;
            // Read the URL to work on from the object data passed to the task.
            this.url = data.getString("url_original");
        }

        @Override
        public void process() throws ParameterException, ResourceException,
                StorageException {
            // Attach the result of the work as a named attribute.
            jobContext.addAttribute("statement", "J-Fall Rocks!");
        }
    }
40.
Java SE 7 JRE Exploit (CVE-2012-4681)
Vulnerabilities in the JRE allow attackers to escape from the sandbox environment
Fixed in Java SE 7 JRE update 7 (currently at 7u45...)
https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=3122
49.
HoneySpider Network: a Java-based system to hunt down malicious websites
Visit www.honeyspider.net
Feel free to try it
Appliance (VirtualBox)
Installation Guide
GitHub (https://github.com/CERT-Polska/hsn2-bundle)
Call for developers!
50. Thank you for your attention!
n.van.eijck@ncim.nl
@nvaneijck