Technical Documents : NCHOVY Internet Storm Center NCHOVY Internet Storm Center xeraph@nchovy.kr Kraken PCAP xeraph http://nchovy.kr/forum/3/article/608 2010-11-05T16:41:04+09:00 2010-11-05T16:41:04+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>Introductory material on Kraken PCAP.</p></div> How to Use Smartbit lsehoon http://nchovy.kr/forum/3/article/594 2010-09-07T16:51:13+09:00 2010-09-07T16:51:13+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>Overview&#160;3<br />1. Smartbit Overview&#160;4<br />1.1 Smartbit Overview&#160;5<br />1.2 Smartbit Hardware&#160;6<br />2. Smartbit Installation&#160;7<br />2.1 Smartbit Configuration&#160;8<br />2.2 Smartbit Software Installation&#160;9<br />3. Using Smartbit&#160;11<br />3.1 Throughput Measurement&#160;12<br />3.2 Latency Measurement&#160;16<br />4. Conclusion&#160;17<br />Appendix: How to use smartwindow&#160;18<br />Appendix 1: Detection Test Setup&#160;19<br />Appendix 2: How to use smart window&#160;20</p></div> OWASP Top 10 2010 Korean Version xeraph http://nchovy.kr/forum/3/article/565 2010-06-29T13:55:28+09:00 2010-06-29T13:55:28+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>SecurityPlus has translated it into Korean and published it. Applause to everyone who took part in the translation.</p> <p><a href="http://www.securityplus.or.kr/xe/?document_srl=25853">http://www.securityplus.or.kr/xe/?document_srl=25853</a></p></div> 2009 National Information Security White Paper 8con http://nchovy.kr/forum/3/article/559 2010-06-08T14:38:15+09:00 2010-06-08T14:38:15+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p><strong>[Table of Contents]<br /><br /></strong>[Part 1]&#160;&#160;General<br /><br /> Chapter 1&#160;&#160; Main Contents of the National Information Security White Paper<br /> Chapter 2&#160;&#160; Overview of National Information Security<br /> Chapter 3&#160;&#160; National Information Security Governance Framework<br /> Chapter 4&#160;&#160; Cyber Incident Trends<br /><br />[Part 2]&#160;&#160;National Information Security Activities<br /><br /> Chapter 1&#160;&#160;National Information Security Activities<br /> Chapter 2&#160;&#160;National Cyber Safety Activities<br /> Chapter 3&#160;&#160;e-Government Information Security Activities<br /> Chapter 4&#160;&#160;Critical Information and Communications Infrastructure Protection Activities<br /> Chapter 5&#160;&#160;Personal Information Protection Activities<br /> Chapter 6&#160;&#160;Information Security of Information and Communications Service Providers and Others<br /> Chapter 7&#160;&#160;Information Security Activities for Everyday Life<br /><br />[Part 3]&#160;&#160;Status of National Information Security Foundation Building<br /><br /> Chapter 1&#160;&#160;Information Security Legal and Institutional Framework<br /> Chapter 2&#160;&#160;Information Security Education and Workforce<br /> Chapter 3&#160;&#160;Information Security Industry<br /><br />[Part 4]&#160;&#160;Information Security in Statistics<br /><br /> Chapter 1&#160;&#160;National and Public Sector<br /> Chapter 2&#160;&#160;Private Sector<br /><br />[Part 5]&#160;&#160;Special Feature 1 - Information Security Budgets of Major Countries<br /><br /> Chapter 1&#160;&#160;United States<br /> Chapter 2&#160;&#160;Japan<br /> Chapter 3&#160;&#160;European Union<br /><br />[Part 6]&#160;&#160;Special Feature 2 - Major Information Security Policy Trends Abroad<br /><br /> Chapter 1&#160;&#160;Information Security Governance Frameworks and Policy Trends of Major Countries<br /> Chapter 2&#160;&#160;CIIP Trends in Major Countries and Response Directions<br /> Chapter 3&#160;&#160;The US Administration's Comprehensive National Cybersecurity Strategy<br /><br />[Part 7]&#160;&#160;Appendix<br /><br /> Chapter 1&#160;&#160;List of Certified and Validated Information Security Products<br /> Chapter 2&#160;&#160;Major Information Security Academic Events in 2008<br /> Chapter 3&#160;&#160;List of Domestic Information Security Companies </p></div> A Study on the Detection of Malicious Code Distribution Sites xeraph http://nchovy.kr/forum/3/article/550 2010-05-01T01:17:21+09:00 2010-05-01T01:17:21+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>서동원*, Arindam Khan**, 이희조*<br />*Department of Computer and Radio Communications Engineering, College of Information and Communications, Korea University<br />**Dept. of Computer Science and Engineering, Indian Institute of Technology<br />e-mail : {aerosmiz, heejo}@korea.ac.kr</p> <p><strong>Abstract</strong></p> <p>Recently, as the distribution of malicious code through websites has become widespread, many web service users are exposed to risk. In particular, the threat is growing because merely visiting a specific web page causes malicious code to be downloaded automatically without the user's knowledge. In this paper, we introduce in turn the Website relationship graph, Parallel coordination, and Amazon WebService system that we used to detect such malicious code distribution sites, discuss the advantages and disadvantages of each technique, and propose the characteristics of malicious code distribution sites derived from this work together with a technique that uses them to detect unknown malicious code distribution sites.</p></div> OWASP Top 10 Web Application Security Risks (2010 Edition) xeraph http://nchovy.kr/forum/3/article/549 2010-04-21T17:15:51+09:00 2010-04-21T17:15:51+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>The 2010 version of the OWASP&#160;Top 10 web application security risks has been released.</p> <ul><li>A1: Injection</li> <li>A2: XSS (Cross-Site Scripting)</li> <li>A3: Broken Authentication and Session Management</li> <li>A4: Insecure Direct Object References</li> <li>A5: CSRF (Cross-Site Request Forgery)</li> <li>A6: Security Misconfiguration</li> <li>A7: Insecure Cryptographic Storage</li> <li>A8: Failure to Restrict URL Access</li> <li>A9: Insufficient Transport Layer Protection</li> <li>A10: Unvalidated Redirects and Forwards</li> </ul></div> 2009 Survey of the Domestic Knowledge Information Security Industry Market and Trends xeraph http://nchovy.kr/forum/3/article/541 2010-03-21T19:06:57+09:00 2010-03-21T19:06:57+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>2009 Survey of the Domestic Knowledge Information Security Industry Market and Trends</p> <p>December 24, 2009</p> <p>Contracted organizations: Korea Data Network, Knowledge Information Security Industry Association<br />Principal investigators: Senior Researcher 이정열 (Korea Data Network), Senior Researcher 정길원 (Knowledge Information Security Industry Association)</p></div> VB2008 Proceedings xeraph http://nchovy.kr/forum/3/article/533 2010-03-18T13:38:05+09:00 2010-03-18T13:38:05+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>Sent in by Andy Kim.</p></div> Detailed Analysis of ASP Web Shells and Detection Methods (KrCERT) xeraph http://nchovy.kr/forum/3/article/517 2010-01-17T13:23:12+09:00 2010-01-17T13:23:12+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>This content was included in the Monthly Internet Incident Trends and Analysis Report published in May 2008.</p></div> Analyzing Malicious Documents: Key Points xeraph http://nchovy.kr/forum/3/article/513 2009-12-14T02:07:30+09:00 2009-12-14T02:07:30+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>The original is the <a title="Analyzing Malicious Documents Cheat Sheet" href="http://zeltser.com/reverse-malware/analyzing-malicious-documents.html">Analyzing Malicious Documents Cheat Sheet</a> from zeltser.com.</p> <p>Translated by the NCHOVY Internet Storm Center and distributed under the same license as the original, CCL Attribution 3.0.</p> <p>Redistribution is permitted, but since translation errors may continue to be corrected over time, please link to this post where possible.</p></div> TLS/SSLv3 Vulnerability Analysis xeraph http://nchovy.kr/forum/3/article/510 2009-11-15T23:42:25+09:00 2009-11-15T23:42:25+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>TLS and SSLv3 vulnerabilities explained</p> <p>Thierry ZOLLER<br />Principal Security Consultant<br />contact@g-sec.lu</p> <p><strong>Synopsis</strong></p> <p>Around the 09/11/2009 Marsh Ray, Steve Dispensa and Martin Rex published details1 about a vulnerability affecting the renegotiation phase of the TLS &amp; SSLv3 protocol. The vulnerability is being tracked under <a title="CVE-2009-35552" href="http://nchovy.kr/security/cve/CVE-2009-35552">CVE-2009-35552</a> | VU#1205413 and affects a multitude of platforms and protocols; the impact of this vulnerability varies from protocol to protocol and research into those is currently ongoing.</p> <p>When speaking of a “Man in the Middle” attack, it is often assumed that data can be altered or changed. Indeed an attacker that sits in the middle of a connection (hence its name) is often able to do so. In this particular case however the attacker piggybacks an existing authenticated and encrypted TLS session in order to (prefix) inject arbitrary text of its choice. The attacker may not read/alter the other TLS session between the “client” and the “server”. See Chapter 3 - “Example of an attack scenario...” for more details.</p> <p>This paper explains the vulnerability for a broader audience and summarizes the information that is currently available. The document is prone to updates and is believed to be accurate by the time of writing.</p></div> HITB2009 Presentation Collection xeraph http://nchovy.kr/forum/3/article/506 2009-11-09T12:04:44+09:00 2009-11-09T12:04:44+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p><strong>Day 1 Track 1</strong></p> <ul><li><a title="Nishad Herath - How Low Will Malware Go" href="http://nchovy.kr/uploads/3/506/D1T1%20-%20Nishad%20Herath%20-%20How%20Low%20Will%20Malware%20Go.pdf">Nishad Herath - How Low Will Malware Go</a></li> <li><a title="Paul Thierault - Browser Ghosting Attacks" href="http://nchovy.kr/uploads/3/506/D1T1%20-%20Paul%20Thierault%20-%20Browser%20Ghosting%20Attacks.pdf">Paul Thierault - Browser Ghosting Attacks</a></li> <li><a title="Tavis Ormandy - Making Software Dumber" href="http://nchovy.kr/uploads/3/506/D1T1%20-%20Tavis%20Ormandy%20-%20Making%20Software%20Dumber.pdf">Tavis Ormandy - Making Software Dumber</a></li> </ul><p><strong>Day 1 Track 2</strong></p> <ul><li><a title="Alex Kuza55 K - Implementing and Improving Blind TCP" href="http://nchovy.kr/uploads/3/506/D1T2%20-%20Alex%20Kuza55%20K%20-%20Implementing%20and%20Improving%20Blind%20TCP.pdf">Alex Kuza55 K - Implementing and Improving Blind TCP</a></li> <li><a title="Alexander Gazet and Yoann Guillot - Defeating Software Protection with Metasm" href="http://nchovy.kr/uploads/3/506/D1T2%20-%20Alexander%20Gazet%20and%20Yoann%20Guillot%20-%20Defeating%20Software%20Protection%20with%20Metasm.pdf">Alexander Gazet and Yoann Guillot - Defeating Software Protection with Metasm</a></li> <li><a title="Mark Dowd - Attacking Interoperability" href="http://nchovy.kr/uploads/3/506/D1T2%20-%20Mark%20Dowd%20-%20Attacking%20Interoperability.pdf">Mark Dowd - Attacking Interoperability</a></li> <li><a title="Nguyen Anh Quynh - eKimono" href="http://nchovy.kr/uploads/3/506/D1T2%20-%20Nguyen%20Anh%20Quynh%20-%20eKimono%20.pdf">Nguyen Anh Quynh - eKimono</a></li> <li><a title="Sheran Gunasekera - Bugs and Kisses - Spying on Blackberry 
Users" href="http://nchovy.kr/uploads/3/506/D1T2%20-%20Sheran%20Gunasekera%20-%20Bugs%20and%20Kisses%20-%20Spying%20on%20Blackberry%20Users.pdf">Sheran Gunasekera - Bugs and Kisses - Spying on Blackberry Users</a></li> </ul><p><strong>Day 1 Track 3</strong></p> <ul><li><a title="Andrea Barisani and Daniele Bianco - TEMPEST LAB" href="http://nchovy.kr/uploads/3/506/D1T3%20-%20Andrea%20Barisani%20and%20Daniele%20Bianco%20-%20TEMPEST%20LAB.pdf">Andrea Barisani and Daniele Bianco - TEMPEST LAB</a></li> </ul><p><strong>Day 2 Track 1</strong></p> <ul><li><a title="Bruno Goncalves - Hacking from the Restroom" href="http://nchovy.kr/uploads/3/506/D2T1%20-%20Bruno%20Goncalves%20-%20Hacking%20from%20the%20Restroom.pdf">Bruno Goncalves - Hacking from the Restroom</a></li> <li><a title="Chris Evans and Julien Tinnes - Security Indepth for Linux Software" href="http://nchovy.kr/uploads/3/506/D2T1%20-%20Chris%20Evans%20and%20Julien%20Tinnes%20-%20Security%20Indepth%20for%20Linux%20Software.pdf">Chris Evans and Julien Tinnes - Security Indepth for Linux Software</a></li> <li><a title="Frederic Raynal - PDF Origami Strikes Back" href="http://nchovy.kr/uploads/3/506/D2T1%20-%20Frederic%20Raynal%20-%20PDF%20Origami%20Strikes%20Back.pdf">Frederic Raynal - PDF Origami Strikes Back</a></li> <li><a title="Job De Haas - Side Channel Analysis" href="http://nchovy.kr/uploads/3/506/D2T1%20-%20Job%20De%20Haas%20-%20Side%20Channel%20Analysis.pdf">Job De Haas - Side Channel Analysis</a></li> <li><a title="Saumil Shah - How to Own the World - One Desktop at a Time" href="http://nchovy.kr/uploads/3/506/D2T1%20-%20Saumil%20Shah%20-%20How%20to%20Own%20the%20World%20-%20One%20Desktop%20at%20a%20Time.pdf">Saumil Shah - How to Own the World - One Desktop at a Time</a></li> </ul><p><strong>Day 2 Track 2</strong></p> <ul><li><a title="Dimitri Petropoulos - Having Fun with ATMs &amp; HSMs" 
href="http://nchovy.kr/uploads/3/506/D2T2%20-%20Dimitri%20Petropoulos%20-%20Having%20Fun%20with%20ATMs%20&amp;%20HSMs.pdf">Dimitri Petropoulos - Having Fun with ATMs &amp; HSMs</a></li> <li><a title="Lucas Adamski - Freeing Sisyphus" href="http://nchovy.kr/uploads/3/506/D2T2%20-%20Lucas%20Adamski%20-%20Freeing%20Sisyphus.pdf">Lucas Adamski - Freeing Sisyphus</a></li> <li><a title="MARES - APRS - HAM Radio" href="http://nchovy.kr/uploads/3/506/D2T2%20-%20MARES%20-%20APRS%20-%20HAM%20Radio.pdf">MARES - APRS - HAM Radio</a></li> </ul></div> Spam Analysis Using HMM xeraph http://nchovy.kr/forum/3/article/503 2009-11-03T10:25:21+09:00 2009-11-03T10:25:21+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p><strong>Spam Deobfuscation using a Hidden Markov Model</strong></p> <p>Abstract</p> <p>To circumvent spam filters, many spammers attempt to obfuscate their emails by deliberately misspelling words or introducing other errors into the text. For example viagra may be written vigra, or mortgage written m0rt gage. Even though humans have little difficulty reading obfuscated emails, most content-based filters are unable to recognize these obfuscated spam words. In this paper, we present a hidden Markov model for deobfuscating spam emails. We empirically demonstrate that our model is robust to many types of obfuscation including misspellings, incorrect segmentations (adding/removing spaces), and substitutions/insertions of non-alphabetic characters.</p></div> Fast Regular Expression Matching Using an Improved DFA xeraph http://nchovy.kr/forum/3/article/497 2009-10-06T03:13:26+09:00 2009-10-06T03:13:26+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p><strong>An Improved DFA for Fast Regular Expression Matching</strong></p> <p>Domenico Ficara (domenico.ficara@iet.unipi.it)<br />Stefano Giordano (s.giordano@iet.unipi.it)<br />Gregorio Procissi (g.procissi@iet.unipi.it)<br />Fabio Vitucci (fabio.vitucci@iet.unipi.it)<br />Gianni Antichi (gianni.antichi@iet.unipi.it)<br />Andrea Di Pietro (andrea.dipietro@iet.unipi.it)</p> <p>Department of Information Engineering, University of Pisa<br />via G.Caruso 16, Pisa, ITALY</p> <p><strong>ABSTRACT</strong></p> <p>Modern network devices need to perform deep packet inspection at high speed for security and application-specific services. Finite Automata (FAs) are used to implement regular expression matching, but they require a large amount of memory. Many recent works have proposed improvements to address this issue.</p> <p>This paper presents a new representation for deterministic finite automata (orthogonal to previous solutions), called Delta Finite Automata (dFA), which considerably reduces states and transitions and requires a transition per character only, thus allowing fast matching. Moreover, a new state encoding scheme is proposed and the comprehensive algorithm is tested for use in the packet classification area.</p></div> Windows Kernel-mode Payloads xeraph http://nchovy.kr/forum/3/article/496 2009-10-02T12:34:07+09:00 2009-10-02T12:34:07+09:00 <div xmlns="http://www.w3.org/1999/xhtml"><p>Kernel-mode Payloads on Windows</p> <p>bugcheck (chris@bugcheck.org)<br />skape (mmiller@hick.org)</p> <p>1. Foreword<br /><br />2. Introduction <br /><br />3. 
General Techniques <br />3.1 Finding Ntoskrnl.exe Base Address<br />3.1.1 IDT Scandown<br />3.1.2 KPRCB IdleThread Scandown<br />3.1.3 SYSENTER EIP MSR Scandown<br />3.1.4 Known Portable Base Scandown<br />3.2 Resolving Symbols<br /><br />4. Payload Components<br />4.1 Migration<br />4.1.1 Direct IRQL Adjustment<br />4.1.2 System Call MSR/IDT Hooking<br />4.1.3 Thread Notify Routine<br />4.1.4 Hooking Object Type Initializer Procedures<br />4.1.5 Hooking KfRaiseIrql<br />4.2 Stagers<br />4.2.1 System Call Return Address Overwrite<br />4.2.2 Thread APC<br />4.2.3 User-mode Function Pointer Hook<br />4.2.4 SharedUserData SystemCall Hook<br />4.3 Recovery<br />4.3.1 Thread Spinning<br />4.3.2 Throwing an Exception<br />4.3.3 Thread Restart<br />4.3.4 Lock Release<br />4.4 Stages<br /><br />5. Conclusion</p></div>