기술문서 : NCHOVY 인터넷 스톰 센터

ASP 웹쉘 상세 분석 및 탐지 방안 (KrCERT)

Sun, 17 Jan 2010 13:23:12 +0900

2008년 5월에 발간된 인터넷 침해사고 동향 및 분석 월보에 포함되어 있던 내용입니다.

악성문서 분석 요점 정리

Mon, 14 Dec 2009 02:07:30 +0900

원본은 zeltser.com의 Analyzing Malicious Documents Cheat Sheet 입니다.

NCHOVY 인터넷 스톰 센터에서 번역하고, 라이센스는 원본 그대로 CCL 저작자표시 3.0 하에 배포합니다.

재배포 가능하지만 이후에도 조금씩 번역 오류가 수정될 가능성이 있으므로, 가급적 이 게시물에 링크를 걸어주시길 부탁드립니다.

TLS/SSLv3 취약점 분석

Sun, 15 Nov 2009 23:42:25 +0900

TLS and SSLv3 vulnerabilities explained

Thierry ZOLLER
Principal Security Consultant
contact@g-sec.lu

Synopsis

Around the 09/11/2009 Marsh Ray, Steve Dispensa and Martin Rex published details1 about a vulnerability affecting the renegotiation phase of the TLS & SSLv3 protocol. The vulnerability is being tracked under CVE-2009-35552 | VU#1205413 and affects a multitude of platforms and protocols, the impact of this vulnerability varies from protocol to protocol and research into those is currently ongoing.

When speaking of a “Man in the Middle” attack, it is often assumed that data can be altered or changed. Indeed an attacker that sits in the middle of a connection (hence it’s name) is often able to do so. In this particular case however the attacker piggybacks an existing authenticated and encrypted TLS sessions in order to (prefix) inject arbitrary text of its choice. The attacker may not read/alter the other TLS session between the “client” and the “server”. See Chapter 3 - “Example of an attack scenario...” for more details

This paper explains the vulnerability for a broader audience and summarizes the information that is currently available. The document is prone to updates and is believed to be accurate by the time of writing.

HITB2009 발표 자료 모음

Mon, 09 Nov 2009 12:04:44 +0900

Day 1 Track 1

Day 1 Track 2

Day 1 Track 3

Andrea Barisani and Daniele Bianco - TEMPEST LAB

Day 2 Track 1

Day 2 Track 2

HMM을 이용한 스팸 분석

Tue, 03 Nov 2009 10:25:21 +0900

Spam Deobfuscation using a Hidden Markov Model

Abstract

To circumvent spam filters, many spammers attempt to obfuscate their emails by deliberately misspelling words or introducing other errors into the text. For example viagra may be written vigra, or mortgage written m0rt gage. Even though humans have little difficulty reading obfuscated emails, most content-based filters are unable to recognize these obfuscated spam words. In this paper, we present a hidden Markov model for deobfuscating spam emails. We empirically demonstrate that our model is robust to many types of obfuscation including misspellings, incorrect segmentations (adding/removing spaces), and substitutions/insertions of non-alphabetic characters.

개선된 DFA를 이용한 고속 정규표현식 매칭

Tue, 06 Oct 2009 03:13:26 +0900

An Improved DFA for Fast Regular Expression Matching

Domenico Ficara (domenico.ficara@iet.unipi.it)
Stefano Giordano (s.giordano@iet.unipi.it)
Gregorio Procissi (g.procissi@iet.unipi.it)
Fabio Vitucci (fabio.vitucci@iet.unipi.it)
Gianni Antichi (gianni.antichi@iet.unipi.it)
Andrea Di Pietro (andrea.dipietro@iet.unipi.it)

Department of Information Engineering, University of Pisa
via G.Caruso 16, Pisa, ITALY

ABSTRACT

Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Finite Automata (FAs) are used to implement regular expressions matching, but they require a large amount of memory. Many recent works have proposed improvements to address this issue.

This paper presents a new representation for deterministic nite automata (orthogonal to previous solutions), called Delta Finite Automata (dFA), which considerably reduces states and transitions and requires a transition per character only, thus allowing fast matching. Moreover, a new state encoding scheme is proposed and the comprehensive algorithm is tested for use in the packet classication area.

윈도우 커널모드 페이로드

Fri, 02 Oct 2009 12:34:07 +0900

Kernel-mode Payloads on Windows

bugcheck (chris@bugcheck.org)
skape (mmiller@hick.org)

1. Foreword

2. Introduction

3. General Techniques
3.1 Finding Ntoskrnl.exe Base Address
3.1.1 IDT Scandown
3.1.2 KPRCB IdleThread Scandown
3.1.3 SYSENTER EIP MSR Scandown
3.1.4 Known Portable Base Scandown
3.2 Resolving Symbols

4. Payload Components
4.1 Migration
4.1.1 Direct IRQL Adjustment
4.1.2 System Call MSR/IDT Hooking
4.1.3 Thread Notify Routine
4.1.4 Hooking Object Type Initializer Procedures
4.1.5 Hooking KfRaiseIrql
4.2 Stagers
4.2.1 System Call Return Address Overwrite
4.2.2 Thread APC
4.2.3 User-mode Function Pointer Hook
4.2.4 SharedUserData SystemCall Hook
4.3 Recovery
4.3.1 Thread Spinning
4.3.2 Throwing an Exception
4.3.3 Thread Restart
4.3.4 Lock Release
4.4 Stages

5. Conclusion

기업 VoIP 트래픽 모니터링

Sun, 27 Sep 2009 13:31:19 +0900

Current IP-based real-time communication services have put into trouble traditional network monitoring paradigms and have imposed some additional requirements to network monitoring applications. The aim of this thesis is to demonstrate that the increased complexity of network monitoring can be managed with relatively little effort if the appropriate software instruments
are used. In particular, by using a proper software framework it is possible to produce complex and efficient monitoring applications that are not affected by common problems such as having a monolithic architecture or being difficult to extend.

This chapter introduces the issues addressed in this thesis and explains why the VoIP service has been chosen as the reference monitoring field. Additionally the requirements and the scope of this thesis are identified.

멀티코어 시스템을 이용한 트래픽 분석

Sun, 27 Sep 2009 12:58:58 +0900

Exploiting Commodity Multicore Systems for Network Traffic Analysis

Luca Deri
ntop, Pisa, Italy, Email: deri@ntop.org
Francesco Fusco
IBM Zurich Research Laboratory, Rüschlikon, Switzerland, Email: ffu@zurich.ibm.com

Abstract—The current trend in computer processors is towards multicore systems. Although operating systems have been adapted long time ago to support multi-processing, kernel
network layers have not yet taken advantage of this new technology. The result is that packet capture, the cornerstone of every network monitoring application, is not efficient on modern
system and its performance gets worse with the number of cores.

This paper describes common pitfalls of network monitoring applications when used with multicore systems, and presents solutions to these problems. In addition, it covers the design and implementation of a new multicore-aware packet capture kernel module that enables monitoring applications to scale with the number of cores, contrary to what happens in most operating systems.

Keywords: Passive packet capture, multicore processors, traffic monitoring, Linux kernel.

방화벽 로그를 이용한 침입탐지기법 연구

Tue, 22 Sep 2009 13:40:40 +0900

2006년 논문 자료

방화벽 로그를 이용한 침입탐지기법 연구
윤 성 종*․김 정 호**

A Study on the Intrusion Detection Method using Firewall Log
Sung-Jong Yoon*․Jeong-Ho Kim**

Abstract
According to supply of super high way internet service, importance of security becomes more
emphasizing. Therefore, flawless security solution is needed for blocking information outflow when we send or receive data. Large enterprise and public organizations can react to this problem, however, small organization with limited work force and capital can't. Therefore they need to elevate their level of information security by improving their information security system without additional money. No hackings can be done without passing invasion blocking system which installed at the very front of network. Therefore, if we manage isolation log effective, we can recognize hacking trial at the step of pre-detection. In this paper, it supports information security manager to execute isolation log analysis very effectively. It also provides isolation log analysis module which notifies hacking attack by analyzing isolation log.

Keywords：Firewall, Intrusion Detection System, Hacking

개인정보의 기술적·관리적 보호조치 기준 해설서

Fri, 18 Sep 2009 02:03:16 +0900

개요 05
1. 제∙개정의 배경 06
2. 기준의 법적 성격 07

개인정보의 기술적∙관리적 보호조치 기준 11

조문별 기준 해설 19
1. 목적 20
2. 정의 25
3. 내부관리계획의 수립∙시행 31
4. 접근통제 44
5. 접속기록의 위∙변조 방지 56
6. 개인정보의 암호화 59
7. 악성프로그램 방지 65
8. 출력∙복사시 보호조치 68
9. 개인정보 표시제한 보호조치 76

OWASP Testing Guide 2008

Sun, 06 Sep 2009 02:46:17 +0900

OWASP TESTING GUIDE
2008 V3.0

A Practical Message Falsication Attack on WPA

Sun, 30 Aug 2009 01:32:53 +0900

A Practical Message Falsication Attack on WPA

Toshihiro Ohigashi and Masakatu Morii
ohigashi@hiroshima-u.ac.jp
mmorii@kobe-u.ac.jp

Abstract. In 2008, Beck and Tews have proposed a practical attack on WPA. Their attack (called the Beck-Tews attack) can recover plaintext from an encrypted short packet, and can falsify it. The execution time of the Beck-Tews attack is about 12-15 minutes. However, the attack has the limitation, namely, the targets are only WPA implementations those support IEEE802.11e QoS features. In this paper, we propose a practical message falsication attack on any WPA implementation. In order to ease targets of limitation of wireless LAN products, we apply the Beck-Tews attack to the man-in-the-middle attack. In the man-in-the-middle attack, the user's communication is intercepted by an attacker until the attack ends. It means that the users may detect our attack when the execution time of the attack is large. Therefore, we give methods for reducing the execution time of the attack. As a result, the execution time of our attack becomes about one minute in the best case.

Keywords WPA, TKIP, falsification attack, man-in-the-middle attack

힙 스프레이

Sat, 15 Aug 2009 17:56:36 +0900

Heap Spray

Hacking Group “OVERTIME”
force< forceteam01@gmail.com > 2007.05.13

Heap Cache Exploitation

Mon, 10 Aug 2009 11:14:47 +0900

Heap Cache Exploitation - White Paper by IBM Internet Security Systems

Written by John McDonald