Blackhats and Whitehats: Where did we start? Where did we learn?
Coolfire 1996
Isbase 1997
Xfocus 1999
Hack.co.ca
Packetstorm
Core Security
w00w00
Bugtraq
Phrack
EFNET
TESO
THC (The Hacker's Choice)
Daily Dave
FD
……
Timeline: Unix hacking, stack overflow, format string, heap overflow, integer overflow, SQL injection, backdoor, kernel rootkit, worm (Code Red …), mass injection, XSS and worms, Web 2.0
Blackhats and Whitehats: 4 waves
1. Server-side wave, 1998-2003
   1) IIS, Serv-U, Apache, Samba, Jabberd etc.
2. Client-side trend, 2002-2007
   1) Image formats: ANI, JPG, BMP etc.
   2) Windows Office: doc, ppt etc.
   3) IE: ActiveX, HTML parser, XML parser
3. 3rd-party application attacks, 2006-now; this one is only for profit
Blackhats and Whitehats: What are they doing now?
WhiteHat: MOST of them are working for security companies (M, K, S, V, N, T).
o Security research
o Anti-(virus, rootkit, exploit)
o Developing scanners and IDS etc.
o Finding 0days: Windows, Linux, Unix
o Developing exploits
o Boring? So sometimes they get leaked: ZDI, underground market
Blackhats and Whitehats: What are they doing now?
BlackHat: They have their own industry!
o Developing worms, rootkits, 0days
o DDoS websites for profit and fun
o China has the best anti-DDoS devices
o Stealing all the cool things they like
  All kinds of games, WoW! They control the virtual economy
  QQ, Alipay (Taobao), everything related to money
  Even some private porn
o Competition on developing exploits? No, it's about who can pay more money.
Blackhats and Whitehats: Trend
1. Age: Younger! (maybe not), talented and rich
2. Area: Most are not from the big cities
   o Why? Economy related?
   o More fired engineers, more hackers?
3. Blackhat culture: Baidu Zhidao, forums, QQ
4. Underground industry: Everyone has a role.
5. Where: Mostly public forums or QQ; they don't use IRC anymore
6. International? Not yet!
Underground Malware Industry
Now China is not only the world's factory, but also the world's malware factory.
They totally changed our life:
1. My parents' computer!
2. Changed how people are using the network/Internet
3. Users are pushed to learn security
Underground Malware Industry: Terms
挂马 (GuaMa), "Hooking Horse": injecting malcode into websites
网马 (WangMa), "Net Horse": exploits for IE
木马 (MuMa), "Wood Horse": backdoor, rootkit, downloader etc.
箱子 (XiangZi), "Box": a web service that stores stolen information
信封 (XinFeng), "Envelope": a data package containing stolen information
免杀 (MianSha): bypassing anti-virus
…
Underground Malware Industry: Trend
1. From 06-07 they started using 3rd-party vulns. Why?
   1) Very big local market and a huge number of users
   2) Users know more about security now (patching the system, using anti-virus etc.)
   3) Some local security vendors supply a patch service to pirated-Windows users (they all love it)
   4) Windows 0days are really expensive now
   5) Local application vendors are totally lame (sell them Fortify!)
2. They use 0days in massive attacks; I never saw this before 2006. This is definitely a phenomenon.
3. More 0days?
   1) RealPlayer
   2) Flash
   3) XunLei*
   4) UUSee
   5) Sina
Underground Malware Industry: Technique Trend
1. They like exploiting logic bugs
   1) Baidu Toolbar
   2) Snapshot
2. Anti anti-virus: detect if an anti-virus exists
3. Bypass anti-virus; they charge money to make your malware bypass:
   1) Kaspersky
   2) Nod32
   3) Rising
   4) Kingsoft
Underground Malware Industry: Underground 0day Market
1. They love client-side vulnerabilities.
   1) Maybe they are easier to find
   2) They love local application bugs: cheaper and useful
2. The price is more exciting than ZDI
   1) Researchers like ZDI
   2) Blackhats don't; they just use it
3. Sometimes 0days are leaked to the market
   1) Security researchers
   2) Professional whitehats
Underground Malware Industry: Real Case
It's the most powerful malware hosting box in China.
Massive injection. Worm!
How We Fight BACK!
Law: sue them!
Tech: China web reputation system
o Web Reputation
o MenShen: client-side IE protection
o ScanW: anti-malware
o ScanV: anti-phishing
How We Fight BACK! Rogue Software
We started the China Anti-Malware Alliance in 2006
We collect evidence and we sued them: Yahoo China, eBay China
Won only 1 of 9 cases; we won the Shanghai case
Some of them are really powerful in their local area
How We Fight BACK! Rogue Software
Definition of rogue software now. We win!
A call for input from the general public was made on November 8, when the ISC published its draft proposal and wanted to find out how Chinese web surfers felt about the problem. Spyware/adware must also meet at least one of the following additional criteria, as set out in Chinese sources:
o Be installed without notification or approval
o Not offer an uninstall service, or remain after removal
o Make changes to the user's browser or any other settings without permission, disabling access to the Internet or forcing visits to certain websites
o Trigger pop-ups
o Collect user data without notification or permission
o Mislead users into uninstalling non-malicious software
o Be bundled with other known malware
o Have any other issues that infringe the user's "right to know" and "right to choose."
How We Fight BACK! Malware
The true problem: 80-90% of victims got infected from the web
o Vulnerabilities in Internet Explorer and 3rd-party vulnerabilities
o 0day world! Using 0days to attack people
What can we do for users?
o Make a safer IE?
o Make a clean/trustworthy web?
How We Fight BACK! Malware
An IE security enhancement: the security plugin our company made: 365menshen (365门神)
o Anti-phishing, HIPS
o Marks malware URLs
o Supplies some web services for customers
There are other services: SiteAdvisor, Finjan, MyWOT
Also IE8 is much better than previous versions
How We Fight BACK! Web
Make a cleaner web
o We need to find all the bad websites in China
o We need signatures, a sandbox and a crawler
Make a more trustworthy web
o We need anti-phishing
o Maybe PhishTank
o Need a trusted source
How We Fight BACK! Crawler and Sandbox
We are not Google:
o Not enough bandwidth
o Not enough servers (just mist/water vapor rather than a cloud)
So these make our sandbox different:
o The main idea is not to get infected
o Lightweight, faster
o Behavior-based (APIs)
o Suitable for China
How We Fight BACK! Crawler and Sandbox: ScanW
We started in 2006
We learned from: Google Safe Browsing, Microsoft HoneyMonkey, McAfee SiteAdvisor
Based on: VMware Server 2.0, Python 2.5, Django 1.0, C
We are trying to move these things to: Google App Engine (GFW?) or Hadoop (Java)?
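As an added example (not ScanW's code) of the behavior-based verdict the two sandbox slides above describe, this Python script scores a constructed API-call trace from one sandboxed IE visit and classifies the page; the log format, rule names, weights and threshold are assumptions made for the example.

```python
"""Behavior-based verdict for one sandboxed browser visit (added example, not ScanW code).
Assumes the sandbox logs one monitored API call per line as API|arg1|arg2...;
rule names, weights and threshold are illustrative choices, not the deck's.
"""
import re
from collections import Counter

EXE_RE = re.compile(r"\.(exe|dll|scr)$", re.I)
AUTORUN = "\\CurrentVersion\\Run"

# (behavior name, weight, predicate over (api, args)); each behavior is
# counted once per visit so a chatty API cannot inflate the score.
RULES = [
    ("exe_dropped",     4, lambda api, a: api == "CreateFileW" and bool(a) and bool(EXE_RE.search(a[0]))),
    ("process_spawned", 5, lambda api, a: api in ("CreateProcessW", "WinExec", "ShellExecuteW")),
    ("autorun_key",     3, lambda api, a: api == "RegSetValueExW" and bool(a) and AUTORUN in a[0]),
    ("rwx_memory",      2, lambda api, a: api == "VirtualAlloc" and len(a) > 1 and a[1] == "PAGE_EXECUTE_READWRITE"),
    ("file_download",   1, lambda api, a: api == "URLDownloadToFileW"),
]
THRESHOLD = 5  # score >= THRESHOLD is malicious; anything above 0 is suspicious

def classify_trace(lines):
    """Return (verdict, score, sorted behavior names seen) for one visit's trace."""
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        api, *args = line.strip().split("|")
        for name, _, pred in RULES:
            if pred(api, args):
                hits[name] += 1
    score = sum(w for name, w, _ in RULES if hits[name])
    verdict = "malicious" if score >= THRESHOLD else "suspicious" if score else "clean"
    return verdict, score, sorted(hits)

# Constructed traces: an ordinary page load, and a drive-by download.
BENIGN_VISIT = """\
InternetOpenUrlW|http://news.example/index.html
CreateFileW|C:\\Temporary Internet Files\\index[1].htm
CreateFileW|C:\\Temporary Internet Files\\logo[1].gif
"""
DRIVEBY_VISIT = """\
InternetOpenUrlW|http://news.example/index.html
VirtualAlloc|0x0|PAGE_EXECUTE_READWRITE
URLDownloadToFileW|http://hosting.example/a.exe|C:\\WINDOWS\\Temp\\a.exe
CreateFileW|C:\\WINDOWS\\Temp\\a.exe
CreateProcessW|C:\\WINDOWS\\Temp\\a.exe
RegSetValueExW|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|svchost
"""
```

The VM revert after each visit (the "not get infected" part) happens outside this script; it only turns the captured trace into a verdict the crawler can store.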