true@sfc.wide.ad.jp
/ (IDS, Honeypot), Web
Darknet: AS 65531 announces the covering prefix 10.0.0.0/8 to the Internet. Customer A (10.1.0.0/16) and Customer B (10.2.0.0/16) hold more-specific prefixes, so by longest-prefix match only packets addressed to unused space inside 10.0.0.0/8 fall through to the darknet next hop.
Related projects:
- The Team Cymru Darknet Project: http://www.cymru.com/darknet/
- Network telescope (CAIDA): http://www.caida.org/analysis/security/telescope/
- Internet Motion Sensor: http://ims.eecs.umich.edu/index.html
- Backscatter
dumnet (LAC): TCP SYN -> SYN+ACK, ICMP ECHO Request -> ECHO Reply; bind() / TCP
Windows RPC (Windows ports 135~139, 443) / IP address spoofing and the TCP 3-way handshake
kbps (/16)
[Network diagram: 202.X.X.0/24 * 3 and 133.X.0.0/16 via the Management Network to Dumnet (IGP, Default Route); mwcollect at 133.X.Y.0/24 *; DIX-IE/NSPIXP3 peer only]
C: Routable on the Global Internet; 5/16 19:16 ~ 6/26 16:46; 90 0620 2.3 / 261 / 5.5 /
W: DIX-IE/NSPIXP-3 peer only, mostly from Japan; 6/13 18:37 ~ 6/25 17:59; 1 2396 4200 1466.2 / 157 / 9 /
Source IP geolocation: MaxMind GeoIP (http://www.maxmind.com/) or RIR Whois (?)
[Chart, C: source IP addresses (routable on the global Internet), share by protocol (TCP, UDP, ICMP), 0-100% per day, 5/16 to 6/25]
[Chart, W: source IP address count (mostly from Japan), share by protocol (TCP, UDP, ICMP), 0-100% per day, 2005/6/13 to 2005/6/25]
Source IP addresses / TCP: C: 776,318 : 64,813; W: 203,611 : 112,604 (> 11)
[Chart, C: average pps/bps per day, 5/16 to 6/24 (pps 0-140, bps 0-90,000)]
[Chart, C: packet count per day (pkts/day, 0-11,000,000) by protocol (tcp, udp, icmp), 5/17 to 6/25]
OS identification: p0f (Passive OS Fingerprinting) infers the sender's OS from TCP/IP header characteristics such as the TCP window size and TTL. http://lcamtuf.coredump.cx/p0f.shtml
[Chart, C: OS share of source addresses per day, 0-100%, 5/16 to 6/26: Windows / Detection Failed / Others]
OS by source IP address:
  OS                 Count
  Windows            22,178,824
  Detection Failed    4,252,537
  Linux                 333,671
  Solaris                 9,799
  NMAP                    3,699
  FreeBSD                   994
  OpenBSD                   993
  CacheFlow                 213
  Novell                    189
  Cisco                      67
  NetCache                   19
  SymbianOS                  12
  Eagle                       3
  PocketPC                    3
  Redline                     3
  BSD/OS                      2
  HP-UX                       1
Estimating hop count from the OS default TTL: default initial TTLs are 32, 64, 128, 256. Example: an observed TTL of 52 gives 64-52 = 12, so the source is about 12 hops away.
[Chart: estimated hop-count distribution per day (0-900,000), 5/16 to 6/25; buckets ~5, ~10, ~15, ~20, ~25, ~30, ~35, 36~]
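The hop-count inference described above, written out as an added example (not code from the original slides): each observed TTL is mapped to the smallest default initial TTL at or above it, the hop count is the difference, and the result is placed in the 5-hop buckets of the chart. The sample TTL values are constructed, and p0f's own logic is not reproduced.

```python
# Added example: estimate hop counts from observed IP TTLs and bin them into
# the 5-hop buckets used in the hop-count distribution chart.
from collections import Counter
from typing import Optional

# Common initial TTL values. The slide lists 32, 64, 128, 256; the IP TTL field
# is 8 bits, so the largest value a sender can actually start from is 255.
DEFAULT_TTLS = (32, 64, 128, 255)


def estimate_hops(observed_ttl: int) -> Optional[int]:
    """Hop count for a packet seen with observed_ttl, assuming the sender started
    from the smallest default TTL >= observed (e.g. TTL 52 -> 64 - 52 = 12).
    A TTL such as 20 is ambiguous (32 or 64 start); the smallest default wins."""
    if not 1 <= observed_ttl <= 255:
        return None  # TTL 0 is dropped in transit; values above 255 cannot occur
    for initial in DEFAULT_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None


def hop_bucket(hops: int) -> str:
    """Map a hop count to the chart's buckets: ~5, ~10, ..., ~35, 36~."""
    if hops > 35:
        return "36~"
    upper = ((hops + 4) // 5) * 5 or 5  # 0..5 -> ~5, 6..10 -> ~10, ...
    return f"~{upper}"


def bucket_distribution(ttls) -> dict:
    """Count observations per hop bucket; invalid TTLs are reported as 'unknown'."""
    counts = Counter()
    for ttl in ttls:
        hops = estimate_hops(ttl)
        counts[hop_bucket(hops) if hops is not None else "unknown"] += 1
    return dict(counts)


# Constructed sample of observed TTLs (not captured data).
SAMPLE_TTLS = [52, 116, 118, 109, 245, 30, 64, 0, 20, 100]

if __name__ == "__main__":
    for ttl in SAMPLE_TTLS:
        print(f"TTL {ttl:3d} -> hops {estimate_hops(ttl)}")
    print(bucket_distribution(SAMPLE_TTLS))
```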
3127/tcp: the backdoor port of the Mydoom worm family (Mydoom, DoomJuice, Novarg, Solame). Mydoom.B on 3127/tcp: http://www.nai.com/japan/security/virm2004.asp?v=w32/mydoom.b@mm
Capturing 3127/tcp payloads:
1. TCP
2. 512byte 0 5 6
3. 5 ( )
4. file(1)
C: 5/16 19:16 ~ 6/26 16:46; 50; 2718 MS-DOS executable
[Pie: source IP address count by country: Japan 40%, US 17%, China 8%, Taiwan 6%, United Kingdom 5%, Others 24%]
[Pie: file type: MS-DOS executable (EXE) 96%; MS-DOS executable (EXE), OS/2 or MS Windows 4%]
2005/7/8 2718
[Pie: W32.HLLW.Doomjuice 11%, W32.HLLW.Doomjuice.B 9%, W32.HLLW.Gaobot.gen 2%, Not Detected 78%]
ClamAV Anti-Virus (http://www.clamav.net/) results:
[Pie: Not Detected 47%, Worm.Vesser.A-1 25%, Worm.Doomjuice.A 11%, Worm.Doomjuice.B 9%, Others 8%]
  Virus Name                   Count
  Trojan.Downloader.Delf-35       51
  Worm.Gaobot.HK                  40
  Trojan.Gobot.A                  30
  Trojan.Gobot.T                  28
  Trojan.Ghostbot.A               25
  Worm.Mytob.BP                   16
  Worm.Mytob.GE                   15
  Worm.Gaobot.336                 11
  Trojan.Gobot.R                   4
  Worm.Winur.D                     2
  Worm.W32.Welchia.E               1
Software comparison:
  dumnet:    OS: *UNIX; Supported Protocols: TCP; Overhead: Very Low; Network Interface: Not Required; URL: http://tf.happyhacking.net/
  Mwcollect: OS: *UNIX; Supported Protocols: Bagle Backdoor, Windows RPC, CIFS, WINS; Overhead: Low; Network Interface: Required; URL: http://www.mwcollect.org/
  KFSensor:  OS: Windows; Supported Protocols: HTTP, SMTP, CIFS, SOCKS, MS SQL, FTP, POP3, Telnet, RDP (Terminal Server), VNC, Relay; Overhead: Low; Network Interface: Required; URL: http://www.keyfocus.net/kfsensor/
dumnet mwcollect KFSensor Static Policy Router Tunnel (TBD) Tunnel (TBD)
Q&A
(and ) IP (true@sfc.wide.ad.jp)