Table 8: Trojan.VanBot-366 source information
Download time | Source IP | Country | City | Operating system | Google map
2009/8/2 17:03 | 123.204.29.13 | Taiwan | Taoyuan | Windows XP SP1+, 2000 SP3 | http://mapof.it/24.9869003295898,121.305603027344
2009/8/2 22:00 | 123.204.29.13 | Taiwan | Taoyuan | Windows XP SP1+, 2000 SP3 | http://mapof.it/24.9869003295898,121.305603027344
2009/8/2 22:25 | 123.204.29.13 | Taiwan | Taoyuan | Windows XP SP1+, 2000 SP3 | http://mapof.it/24.9869003295898,121.305603027344
2009/8/16 19:50 | 123.204.29.247 | Taiwan | Taoyuan | Windows XP SP1+, 2000 SP3 | http://mapof.it/24.9869003295898,121.305603027344
2009/8/16 20:07 | 123.204.29.247 | Taiwan | Taoyuan | Windows XP SP1+, 2000 SP3 | http://mapof.it/24.9869003295898,121.305603027344
2009/8/22 15:20 | 123.165.159.100 | China | Harbin | Windows 2000 SP2+, XP SP1+ (seldom 98) | http://mapof.it/45.75,126.650001525879
2009/8/23 01:11 | 123.204.38.104 | Taiwan | Taipei | Windows 98 (9) | http://mapof.it/25.0391998291016,121.525001525879
2009/8/23 01:11 | 123.204.38.104 | Taiwan | Taipei | Windows XP SP1+, 2000 SP3 | http://mapof.it/25.0391998291016,121.525001525879
2009/8/24 22:16 | 123.200.202.128 | Australia | Sydney | Windows 2000 SP2+, XP SP1+ (seldom 98) | http://mapof.it/-33.88330078125,151.216705322266
Next, we can see that the address 123.204.38.104 in Table 8 appears with different operating systems. Using the "Malware activity (enter an IP)" function and entering the IP 123.204.38.104, we obtain Table 9, which shows that this IP is on a DSL (Digital Subscriber Line) network, connects through PPPoE (Point-to-Point Protocol over Ethernet) and sits behind NAT; in other words, computers on the internal local network have already become members of a botnet. After an inventory of the
Table 9: Malware activity for IP 123.204.38.104
Time | Link | Operating system | Connection | NAT
2009/8/23 01:11:04 | Link | Windows 98 (9) | pppoe(DSL) | Yes
2009/8/23 01:11:04 | Link | Windows 98 (9) | pppoe(DSL) | Yes
2009/8/23 01:11:04 | Link | Windows XP SP1+, 2000 SP3 | pppoe(DSL) | Yes
2009/8/23 01:11:04 | Link | Windows XP SP1+, 2000 SP3 | pppoe(DSL) | Yes
2009/8/23 01:11:12 | Link | Windows XP SP1+, 2000 SP3 | pppoe(DSL) | Yes
2009/8/23 01:11:12 | Link | Windows 98 (9) | pppoe(DSL) | Yes
2009/8/23 01:11:12 | Link | Windows XP SP1+, 2000 SP3 | pppoe(DSL) | Yes
Figure 10: Google Maps view link for 123.165.159.100

4.3.2 Analysis method 2: file-name analysis of unknown programs
When a collected sample has been scanned by ClamAV but no virus name can be determined, and it cannot even be confirmed whether the file is malicious, we can still apply the workflow of Figure 9 to find the file names under which this unknown program spreads and its network activity. Using the "Details of malware currently in the system" function menu, we enter the MD5 file name of the second-ranked unknown malware in Table 3, "8ee03596d5b68caa9c069d6745902140", and obtain the infection source IP as
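As an added example (not the paper's own code) of the two look-ups described above, the Python below correlates constructed honeypot records, Nepenthes download events joined with p0f fingerprints in a comma-separated format invented for this example, to find source IPs that present several OS fingerprints, as 123.204.38.104 does in Table 8 and Table 9, and to find which sources delivered a sample known only by its MD5, as in 4.3.2. Field names, file names and all values other than the IPs and the MD5 quoted in the text are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

class Record(NamedTuple):
    time: str
    src_ip: str
    os_fp: str     # p0f OS fingerprint of the source host
    link: str      # p0f link type, e.g. pppoe(DSL)
    nat: bool      # p0f NAT indication
    md5: str       # MD5 of the sample Nepenthes downloaded
    filename: str  # file name the sample was offered under

# Constructed sample log. The IPs and the 8ee0... hash are the ones quoted in
# the text; the other hash, the file names and the link/NAT values are made up.
SAMPLE_LOG = """\
2009/8/2 17:03,123.204.29.13,Windows XP SP1+ 2000 SP3,pppoe(DSL),no,0f1e2d3c4b5a69788796a5b4c3d2e1f0,sample1.exe
2009/8/23 01:11:04,123.204.38.104,Windows 98 (9),pppoe(DSL),yes,0f1e2d3c4b5a69788796a5b4c3d2e1f0,sample1.exe
2009/8/23 01:11:12,123.204.38.104,Windows XP SP1+ 2000 SP3,pppoe(DSL),yes,0f1e2d3c4b5a69788796a5b4c3d2e1f0,sample1.exe
2009/8/22 15:20,123.165.159.100,Windows 2000 SP2+ XP SP1+,pppoe(DSL),no,8ee03596d5b68caa9c069d6745902140,unknown_a.exe
2009/8/24 22:16,123.200.202.128,Windows 2000 SP2+ XP SP1+,ethernet/modem,no,8ee03596d5b68caa9c069d6745902140,unknown_b.exe
"""

def parse_log(text: str) -> List[Record]:
    """Parse the constructed comma-separated format into Record objects."""
    records = []
    for line in text.splitlines():
        t, ip, os_fp, link, nat, md5, fname = line.split(",")
        records.append(Record(t, ip, os_fp, link, nat.lower() == "yes", md5, fname))
    return records

def os_per_source(records: List[Record]) -> Dict[str, Set[str]]:
    """Distinct OS fingerprints seen for each source IP."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[r.src_ip].add(r.os_fp)
    return dict(seen)

def suspected_nat_gateways(records: List[Record]) -> Dict[str, int]:
    """Source IPs that showed more than one OS fingerprint: a shared (NAT)
    address with several infected hosts behind it, as read from Table 8/9."""
    return {ip: len(s) for ip, s in os_per_source(records).items() if len(s) > 1}

def sources_for_hash(records: List[Record], md5: str) -> Dict[str, Set[str]]:
    """For a sample known only by MD5 (ClamAV gave no name), the source IPs
    that delivered it and the file names it was distributed under."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.md5 == md5:
            out[r.src_ip].add(r.filename)
    return dict(out)
```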
Technology Policy and Research and Information Center.
8. APWG, "Phishing Activity Trends Report, 2nd half 2008." http://www.antiphishing.org/reports/apwg_report_H2_2008.pdf
9. Autoruns, http://www.sysinternals.com
10. Artail, H., Safa, H., Sraj, M., Kuwatly, I. and Al-Masri, Z. "A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks," Computers & Security, Volume 25, Issue 4, June 2006, pp. 274-288.
11. Burns, B., Granick, J.S., Manzuik, S., Guersch, P., Killion, D., Beauchesne, N., Moret, E., Sobrier, J., Lynn, M., Markham, E., Iezzoni, C. and Biondi, P. "Security Power Tools," O'Reilly, 2008, pp. 52-53.
15. Inoue, D., Yoshioka, K., Eto, M., Hoshizawa, Y. and Nakao, K. "Malware Behavior Analysis in Isolated Miniature Network for Revealing Malware's Network Activity," IEEE International Conference on Communications (ICC '08), Beijing, May 2008, pp. 1715-1721.
16. Inoue, D., Yoshioka, K., Eto, M., Hoshizawa, Y. and Nakao, K. "Automated Malware Analysis System and its Sandbox for Revealing Malware's Internal and External Activities," IEICE Transactions on Information and Systems, Volume E92-D, No. 5, 2009, pp. 945-954.
17. Nmap, http://insecure.org/nmap/
18. P0f, http://freshmeat.net/projects/p0f
19. Taiwan Honeynet Project, "Collecting Malware with Honeypots Part I," Mar. 2009.
20. Taiwan Honeynet Project, http://www.honeynet.org.tw/
21. Websense Security Labs, "State of Internet Security, Q3-Q4 2008."
The Detection and Analysis of Malware Activities in Network Affect in Honeypot System
Chih-Hung Lin1 Chung-Huang Yang2
1Graduate Institute of Information & Computer Education, National Kaohsiung Normal University Kaohsiung, Taiwan, [email protected]
2Graduate Institute of Information & Computer Education National Kaohsiung Normal University Kaohsiung, Taiwan, [email protected]
Abstract
Today, in this boundless Internet world, users are exposed to threats from all over the world, such as malware, botnets, viruses and worms. According to the Websense survey for the third and fourth quarters of 2008 (Websense, 2008), among the top 100 sites, 77% of the legitimate sites contained malicious software, and the December 2008 survey of the APWG (Anti-Phishing Working Group) (APWG, 2008) reported that the top ten countries hosting hidden malware sites were the United States (55.75%), China (12.32%), Sweden (9.30%), Germany (4.73%), Canada (4.03%), Rep. Korea (3.33%), France (2.94%), Russia (2.88%), UK (2.63%) and Netherlands (2.09%). It is therefore easy to see that the threats that damage users' systems come from the whole world.
In order to detect these threats arriving through the Internet from the whole world, and to reduce the detection cost, this study uses open source software to collect and analyze malicious network behaviour from the Internet. With this program, network administrators can easily analyze the internal situation of their network, which helps network administrators and IT staff understand the current situation and act effectively against malicious programs. The system combines Nepenthes, p0f and ClamAV, among others, drawn respectively from honeypot systems, passive detection and antivirus tools. Nepenthes and p0f are used to collect real-time log information about malware attacks. Python is in charge of classifying and processing the collected data, and it also provides the analysis that lets the researcher reorganize the data into reports on malware attack information. The information found about the sources of malware attacks is then used to reconfirm whether the source client has itself been compromised by malware.