MDMaug interface
Whitelists
● Add-on hard coded URL
  – Internal redirect http://localhost/redirect/
  – http://www.google.com/adsense/ , http://clients1.google.com/ocsp , https://safebrowsing.google.com/safebrowsing/ , https://safebrowsing-cache.google.com/safebrowsing/
  – https://fbstatic-a.akamaihd.net/rsrc.php
  – https://tiles.services.mozilla.com/
● SQL 2nd domain
  15 domains
  – ocsp.pki.goog (3972 records), google.com, gstatic.com, googlesyndication.com, google-analytics.com, google.cz, googleapis.com, googleadservices.com
  – cloudfront.net, doubleclick.net, mozilla.com, w3.org, digicert.com
  – mozilla.net, mozilla.org
● prefs.js
  detectportal.firefox.com (10942 records)
Stats – 10 997 domains
● origins (7 522) × 3rd parties (8 206) × ip combinations: 43 996
● incl. origins × 3rd parties: 36 931
● redirects to ‚www‘: 2 577
● another 3rd redirects: 95
  – www3, w1, w17
  – img, static, cdn, media
  – admin
  – api, files, geo, legacy
  – jmeno.prijmeni.cz, public.relations.cz
  – 4th domains: www.fotbal
● timeouts: à 1400, without redirects: à 2000, redirect to self only: 593
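The whitelist rules from the previous slide and the redirect buckets from this one, turned into a runnable filter over crawl records. This is an added example in Python, not MDMaug's own code: the whitelist entries are the ones on the slides, while the request and redirect records, the function names and the "last two labels" registrable-domain rule are assumptions made for this example.

```python
"""Whitelist filter and redirect classification for crawl records (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Add-on hard coded URLs from the Whitelists slide, matched as URL prefixes.
HARDCODED_URL_PREFIXES = (
    "http://localhost/redirect/",
    "http://www.google.com/adsense/",
    "http://clients1.google.com/ocsp",
    "https://safebrowsing.google.com/safebrowsing/",
    "https://safebrowsing-cache.google.com/safebrowsing/",
    "https://fbstatic-a.akamaihd.net/rsrc.php",
    "https://tiles.services.mozilla.com/",
)
# The 15 domains of the "SQL 2nd domain" whitelist.
WHITELISTED_2ND_DOMAINS = {
    "ocsp.pki.goog", "google.com", "gstatic.com", "googlesyndication.com",
    "google-analytics.com", "google.cz", "googleapis.com", "googleadservices.com",
    "cloudfront.net", "doubleclick.net", "mozilla.com", "w3.org", "digicert.com",
    "mozilla.net", "mozilla.org",
}
# Hosts Firefox contacts on its own because of prefs.js.
PREFS_HOSTS = {"detectportal.firefox.com"}

def host_suffixes(host):
    """All parent domains of a host, longest first: a.b.c -> [a.b.c, b.c, c]."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def registrable(host):
    """Assumed naive registrable domain: the last two labels of the host."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def whitelist_reason(url):
    """Which whitelist drops this request, or None if it counts as a real 3rd party."""
    if any(url.startswith(p) for p in HARDCODED_URL_PREFIXES):
        return "addon-url"
    host = urlsplit(url).hostname or ""
    if host in PREFS_HOSTS:
        return "prefs.js"
    if any(s in WHITELISTED_2ND_DOMAINS for s in host_suffixes(host)):
        return "2nd-domain"
    return None

def classify_redirect(origin, target):
    """Bucket a redirect like the Stats slide: self, www, another 3rd-level host, external."""
    o, t = origin.lower(), target.lower()
    if t == o:
        return "self"
    if t == "www." + o:
        return "www"
    if registrable(t) == registrable(o):
        return "3rd-level"   # www3., img., cdn., api. ... of the same site
    return "external"

# Constructed sample crawl: (origin, requested URL, resolved IP) per request.
SAMPLE_REQUESTS = [
    ("example.cz", "https://example.cz/", "192.0.2.10"),
    ("example.cz", "https://fonts.googleapis.com/css", "198.51.100.5"),           # 2nd-domain
    ("example.cz", "https://connect.facebook.net/sdk.js", "203.0.113.7"),
    ("example.cz", "https://connect.facebook.net/sdk.js", "2001:db8::7"),         # same 3rd, 2nd IP
    ("example.cz", "http://detectportal.firefox.com/success.txt", "198.51.100.9"),  # prefs.js
    ("shop.example.sk", "https://shop.example.sk/", "192.0.2.20"),
    ("shop.example.sk", "https://connect.facebook.net/sdk.js", "203.0.113.7"),
    ("shop.example.sk", "https://cdn.jsdelivr.net/x.js", "203.0.113.50"),
    ("shop.example.sk", "https://safebrowsing.google.com/safebrowsing/x", "198.51.100.1"),  # addon-url
]
# Constructed sample redirects: (origin, host the origin redirected to).
SAMPLE_REDIRECTS = [("example.cz", "www.example.cz"), ("foo.cz", "foo.cz"),
                    ("bar.cz", "www3.bar.cz"), ("baz.cz", "baz.net")]

def crawl_stats(requests, redirects):
    """Numbers in the shape of the Stats slide, counting only non-whitelisted 3rd parties."""
    origins, thirds, pairs, combos, dropped = set(), set(), set(), set(), Counter()
    for origin, url, ip in requests:
        origins.add(origin)
        host = urlsplit(url).hostname or ""
        if host == origin:
            continue                      # first-party request, not a 3rd party
        reason = whitelist_reason(url)
        if reason:
            dropped[reason] += 1          # browser/add-on noise, excluded from the stats
            continue
        thirds.add(host)
        pairs.add((origin, host))
        combos.add((origin, host, ip))
    return {"origins": len(origins), "3rds": len(thirds),
            "origin_x_3rd_x_ip": len(combos), "origin_x_3rd": len(pairs),
            "whitelisted": dict(dropped),
            "redirects": dict(Counter(classify_redirect(o, t) for o, t in redirects))}

if __name__ == "__main__":
    print(crawl_stats(SAMPLE_REQUESTS, SAMPLE_REDIRECTS))
```

Checking the three whitelists in this order matters: `http://clients1.google.com/ocsp` would also match `google.com` as a 2nd domain, but the slides list it under the add-on URLs, so the prefix check runs first and the reason reported for it is the one the slides give.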
Group by TLD charts
TLD        count  origins  3rds
cz         11945  5443     5270
com        22406  4731     1849
org        2951   2391     70
net        3820   1784     274
pl         464    154      50
eu         282    151      122
io         349    138      63
sk         225    116      83
de         188    83       59
me         61     55       7
co         133    52       18
it         69     45       20
st         51     44       2
ru         151    42       39
info       40     28       21
to         291    26       25
dev        51     26       3
IP ...129  13     13       1
uk         18     11       14
tv         65     8        30
no         12     7        3
hosting    7      7        1
[chart: count / origins / 3rds per TLD for cz, com, org, net; values as in the table above]
Group by TLD charts
[chart: count / origins / 3rds per TLD for pl through tv; values as in the table above]
Group by TLD charts (percent)
[chart: share of origins vs 3rds per TLD, 0–100 %, for cz, com, org, net, pl, eu, io, sk, de, me, co, it, st, ru, info, to, dev, IP ...129, uk, tv, no, hosting, fi, ai, ws, biz, at, nl, us, fr, as, be, cloud, IP ...1, ch, ly, se, in, js, IP ...192, hu, is, stream, services, ca, ms and a few further labels too fragmented to recover]
Group by 2nd LD (order by origins count)
[chart: origins vs 3rds per 2nd-level domain, 0–1600, in this order: facebook.com, scanandcleanlocal.com, letsencrypt.org, w.org, facebook.net, googletagmanager.com, cloudflare.com, thawte.com, imedia.cz, comodoca.com, wedos.com, fbcdn.net, active24.cz, youtube.com, toplist.cz, ocsp-certum.com, rapidssl.com, ytimg.com, bootstrapcdn.com, godaddy.com, jquery.com, hotjar.com, twitter.com, typekit.net, heureka.cz, amazontrust.com, smartsuppchat.com, fb.com, gemius.pl, rubiconproject.com, adobedtm.com, adform.net, globalsign.com, cpex.cz, web4u.cz, domena.cz, withgoogle.com, googleusercontent.com, ignum.cz, addthis.com; bar values not recoverable]
Group by 2nd LD (order by 3rd parties count)
[chart: origins vs 3rds per 2nd-level domain, 0–250, 3rd-party counts from 77 (webnode.cz) down to 10, in this order: webnode.cz, xvideos.com, affilbox.cz, pscp.tv, tawk.to, fbcdn.net, googlevideo.com, wix.com, wordpress.com, disqus.com, akamaihd.net, amazonaws.com, co.uk, idnes.cz, szn.cz, facebook.com, rubiconproject.com, invia.cz, symcd.com, estranky.cz, twitter.com, wixsite.com, wbs.cz, mapy.cz, googleusercontent.com, gemius.pl, appspot.com]
TLD .org, .net (order by origins count)
[chart: origins vs 3rds per 2nd-level domain, 0–1400 for the first four and 0–200 for the rest, in this order: letsencrypt.org, w.org, facebook.net, fbcdn.net, typekit.net, adform.net, jsdelivr.net, crwdcntrl.net, nr-data.net, grmtech.net, drupal.org, consensu.org, 2mdn.net, chartbeat.net, bidswitch.net, adsrvr.org, wixapps.net, parkingcrew.net, everesttech.net, windows.net, openstreetmap.org, msecnd.net, criteo.net, fonts.net, gandi.net, yolacdn.net, go2speed.org, demdex.net, yceml.net, myfonts.net, openx.net, cdn77.org, eyeota.net, akamaihd.net, omtrdc.net; bar values not recoverable]
TLD .org, .net (order by 3rd parties count)
[chart: origins vs 3rds per 2nd-level domain, 0–100, in this order: fbcdn.net, akamaihd.net, omtrdc.net, cdn77.org, consensu.org, wixapps.net, demdex.net, adform.net, liveperson.net, openstreetmap.org, 2o7.net, parkingcrew.net, everesttech.net, cedexis-radar.net, ztat.net, windows.net, azureedge.net, msecnd.net, opentopomap.org, adsrvr.org, openx.net, typekit.net, osm.org; bar values not recoverable]
TLDs count
[chart: number of origins by count of distinct 3rd-party TLDs, 0–3500]
tlds_count  origins
1           3063
2           2276
3           1296
4           638
5           149
6           42
8           21
7           16
9           15
10          3
19          1
TLDs count
tlds_count tlds
19 com,net,be,dk,uk,pl,cz,it,au,sk,de,ca,fr,in,hk,sg,nl,ie,my
10 net,com,co,org,fi,eu,de,cz,pl,io
10 io,com,eu,de,cz,net,co,st,org,pl
10 com,co,uk,nl,ro,net,de,cz,hu,it
9 net,org,com,eu,ai,de,cz,st,pl
9 net,com,eu,cz,de,co,st,org,pl
9 com,net,cz,sk,org,eu,ru,de,io
9 net,com,eu,de,cz,co,st,org,pl
9 com,co,net,eu,de,cz,it,org,pl
9 cz,com,tv,io,net,pl,us,me,org
9 com,co,org,net,eu,cz,de,st,pl
9 com,org,eu,cz,de,net,co,st,pl
9 com,net,eu,de,cz,co,st,org,pl
9 eu,com,cz,ai,net,co,org,de,pl
9 ai,net,com,org,co,eu,de,sk,cz
9 net,org,cz,st,com,ai,fi,io,co
9 ru,com,net,cz,me,my,org,io,info
9 com,pl,org,net,cz,co,eu,de,st
9 com,ru,eu,de,net,io,org,sk,cz
8 com,io,net,org,cz,eu,pl,de
8 com,eu,cz,de,net,co,st,pl
8 com,eu,de,cz,net,st,org,pl
8 com,de,cz,net,co,st,pl,eu
8 org,com,eu,cz,de,net,st,pl
8 tech,net,com,org,cz,eu,pl,de
8 pl,com,cz,net,eu,de,st,org
8 co,net,com,eu,cz,de,st,pl
8 eu,com,cz,de,net,st,org,pl
8 com,cz,net,pl,io,org,eu,de
8 cz,pl,com,net,eu,de,st,org
8 co,net,com,eu,de,cz,st,pl
8 com,org,net,st,pl,cz,fi,io
8 cz,com,co,org,net,eu,de,pl
8 com,cz,org,st,eu,de,pl,net
8 net,com,ru,eu,de,io,cz,org
8 com,net,org,pl,it,io,me,cz
8 eu,com,cz,de,net,st,pl,org
8 net,eu,com,de,co,cz,pl,io
8 com,net,fi,io,org,100,ai,st
8 org,com,eu,de,cz,net,st,pl
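The per-TLD grouping, the per-origin TLD-count and 3rd-parties-count histograms and the "TLD champion" lookup behind the charts and tables above, as an added example in Python (not MDMaug's own code). It assumes the slides' grouping by the last host label (which is why an IP literal lands under its last octet, as "IP ...129" does) and runs on constructed (origin, 3rd party) pairs; the function names are this example's own.

```python
"""Per-TLD and per-origin aggregation of (origin, 3rd-party host) pairs (added example)."""
from collections import Counter, defaultdict

def tld(host):
    """Last label of the host, the way the slides group by TLD."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1]

# Constructed sample: one row per distinct (origin, 3rd-party host) pair.
SAMPLE_PAIRS = [
    ("a.cz", "connect.facebook.net"),
    ("a.cz", "s.ytimg.com"),
    ("a.cz", "cdn.jsdelivr.net"),
    ("a.cz", "i.imedia.cz"),
    ("b.cz", "connect.facebook.net"),
    ("b.cz", "c.imedia.cz"),
    ("c.com", "connect.facebook.net"),
    ("c.com", "198.51.100.129"),        # IP-literal 3rd party, grouped under "129"
    ("d.sk", "www.youtube.com"),
]

def group_by_tld(pairs):
    """Rows of the 'Group by TLD' table: tld -> (count, origins, 3rds)."""
    count, origins, thirds = Counter(), defaultdict(set), defaultdict(set)
    for origin, third in pairs:
        t = tld(third)
        count[t] += 1              # number of origin x 3rd party pairs in this TLD
        origins[t].add(origin)     # distinct origins that use a 3rd party in this TLD
        thirds[t].add(third)       # distinct 3rd-party hosts in this TLD
    return {t: (count[t], len(origins[t]), len(thirds[t])) for t in count}

def tlds_per_origin(pairs):
    """origin -> 3rd-party TLDs in first-seen order (the 'tlds' column of the table)."""
    seen = defaultdict(list)
    for origin, third in pairs:
        t = tld(third)
        if t not in seen[origin]:
            seen[origin].append(t)
    return dict(seen)

def tlds_count_histogram(pairs):
    """tlds_count -> number of origins (the 'TLDs count' chart)."""
    return dict(Counter(len(ts) for ts in tlds_per_origin(pairs).values()))

def thirds_count_histogram(pairs):
    """3rds_count -> number of origins (the '3rd parties count' chart)."""
    per_origin = defaultdict(set)
    for origin, third in pairs:
        per_origin[origin].add(third)
    return dict(Counter(len(s) for s in per_origin.values()))

def tld_champion(pairs):
    """The origin whose 3rd parties span the most TLDs, with that TLD list."""
    return max(tlds_per_origin(pairs).items(), key=lambda kv: len(kv[1]))

if __name__ == "__main__":
    for t, row in sorted(group_by_tld(SAMPLE_PAIRS).items(), key=lambda kv: -kv[1][1]):
        print(t, *row)
    print(tlds_count_histogram(SAMPLE_PAIRS), thirds_count_histogram(SAMPLE_PAIRS))
    print(tld_champion(SAMPLE_PAIRS))
```

`count` in `group_by_tld` is the number of pairs, so it can exceed `origins` when one origin pulls several hosts from the same TLD; that is the relation the real table shows (e.g. cz: 11945 pairs, 5443 origins, 5270 3rds).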
19× TLD champion
× host ip
10 hello.staticstuff.net 2400:cb00:2048:1::6810:7888
4 static-cdn.responsetap.com 13.32.99.132
4 cdn.siteimprove.net 143.204.101.11
4 s.trustpilot.com 143.204.101.7
4 siteimproveanalytics.com 2606:4700:20::6819:8976
4 static-ssl.responsetap.com 13.32.99.240
4 insights.hotjar.com 13.32.99.26
3 ocsp.affirmtrust.com 2a02:26f0:dc:2ac::1b01
3 try.abtasty.com 2a02:26f0:40:29f::1eae
3 win.staticstuff.net 198.145.13.11
2 accdn.lpsnmedia.net 2a03:6400:16:0:178:249:101:99
2 dcinfos.abtasty.com 52.215.65.63
19× TLD champion
2 www.google.co.uk 2a00:1450:400e:806::2003
2 www.google.com.my 2a00:1450:400e:806::2003
2 www.google.fr 2a00:1450:400e:806::2003
2 ssl.comodo.com 2a02:1788:4fd:cd::c742:cdf2
2 www.google.de 2a00:1450:400e:806::2003
2 www.google.nl 2a00:1450:400e:806::2003
2 www.google.com.hk 2a00:1450:400e:806::2003
2 www.google.ca 2a00:1450:400e:806::2003
2 lpcdn.lpsnmedia.net 2a03:6400:10:0:178:249:97:98
2 www.google.sk 2a00:1450:400e:806::2003
2 www.google.com.sg 2a00:1450:400e:806::2003
2 www.google.dk 2a00:1450:400e:806::2003
2 www.google.co.in 2a00:1450:400e:806::2003
2 eu2.siteimprove.com 52.58.236.177
2 static.hotjar.com 147.75.205.155
2 www.google.pl 2a00:1450:400e:806::2003
2 www.google.ie 2a00:1450:400e:806::2003
19× TLD champion
u.heatmap.it
m.addthisedge.com
report-uri.cloudflare.com
www.facebook.com
widget.trustpilot.com
app2.salesmanago.pl
lptag.liveperson.net
connect.facebook.net
vxml4.delacon.com.au
www.youtube.com
bfs.bibbyfs.net
m.addthis.com
dev.visualwebsiteoptimizer.com
lo.v.liveperson.net
tags.liveperson.net
ict.infinity-tracking.net
app.everyonesocial.com
youtube.com
vars.hotjar.com
use.typekit.net
services.postcodeanywhere.co.uk
script.hotjar.com
s7.addthis.com
fb.scanandcleanlocal.com
t.leady.com
my2.siteimprove.com
chatcon5.liveperson.net
track.leady.cz
cdnjs.cloudflare.com
script.crazyegg.com
go.pardot.com
www.dynamicnumbers.mediahawk.co.uk
40691190.lo.cobrowse.liveperson.net
graylog.hotjar.com
gtrk.s3.amazonaws.com
pixel.powerlinks.com
cdn.mouseflow.com
eu3.heatmap.it
cdn.daddyanalytics.com
status.thawte.com
youtu.be
pi.pardot.com
t.leady.cz
i.ctnsnet.com
www.googletagmanager.com
id.siteimprove.com
maxcdn.bootstrapcdn.com
t.wowanalytics.co.uk
metrics.responsetap.com
server.lon.liveperson.net
c.imedia.cz
s3.amazonaws.com
player.vimeo.com
p.typekit.net
img.youtube.com
tags.spider-mails.com
3rd parties count (1988 origins ~ 1× 3rd party)
3rds_count origins
87 1
86 3
85 2
84 1
81 1
78 2
74 3
73 1
72 1
71 2
70 1
69 2
68 2
67 1
66 1
65 3
64 1
63 3
62 5
61 3
60 2
59 7
[chart: number of origins per 3rd-party count, 0–2500]
3rds_count  origins
1           1988
2           1945
3           775
4           562
5           424
6           323
7           247
8           218
9           147
11          128
10          122
3rd parties count (82 origins ~ 13× 3rd party)
[chart: number of origins per 3rd-party count, x axis 12 through 47, 0–80 origins]
3rd parties count (82 origins ~ 13× 3rd party)
[chart: the same distribution sorted by origins count, x axis 13 through 86, 0–80 origins]
[chart: ipv4 vs ipv6 address counts, 0–160]
Sort by IPv4 / by IPv6
[chart: ipv4 vs ipv6 address counts sorted by IPv4 / by IPv6, 0–160]
IPv4 vs IPv6
[chart: ipv4 vs ipv6 share, 0–100 %]
Spy module
Interface
Demopage
Installation
## Installation
1. Download: ```git clone [email protected]:csirt/mdmaug.git /tmp/mdmaug```
2. Edit `mdmaug/lib/config.py`
3. You should generate a certificate to `mdmaug/cert-mdmaug.pem`, at least a self-signed one (not recommended): `openssl req -x509 -newkey rsa:4096 -nodes -out cert-mdmaug.pem -keyout key-mdmaug.pem`
4. Perform installation: ```/tmp/mdmaug/INSTALL```
5. Everything should be located in `/opt/mdmaug`.
6. For testing purposes, launch it under the newly created `mdmaug` user: `su - mdmaug -c 'python3 -m mdmaug'`
7. Connect in the browser at: https://127.0.0.1:5000
8. Try analysing `https://127.0.0.1:5000/static/demopage.html` on the local server
9. For deployment, configure nginx properly to be used with flask