MIS 510 CYBER ANALYTIC PROJECT
TRANSCRIPT
Aditya Agrawal, Hang Liu, Meiqi Yang, Yinchen Li
2.26.2014
2
Slides Overview
• Research Questions
• Our Research Design
  – Sample code
  – Raw data screenshots
  – Extra tables / figures
• Findings and Discussions
3
Research Questions
- RQ 1: MAC OS X System
- RQ 2: IoT Attack
- RQ 3: Fake Anti-virus
- RQ 4: Mobile Security
4
Our Research Design
5
Hacker Web/MYSQL
Select FlatContent, PostDate, PostRank
From cnhonkerarmyposts
Where FlatContent LIKE "%RFID%" OR FlatContent LIKE "%Sensor%" OR FlatContent LIKE "%Node%"
Order by PostDate DESC;
This example MySQL query is used to collect all Hacker Web discussion related to IoT attacks (based on the 3 major methods: RFID, Sensor, and Node).
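As an added, self-contained illustration (not code from the project), the same keyword query run in Python against SQLite over a constructed handful of posts, followed by the per-forum normalisation the deck applies in the RQ 2 findings table (matching posts divided by all posts in that forum, the "True %" column). Forum names, totals, post texts and the extra Forum column (which lets one table stand in for the deck's separate per-forum tables such as cnhonkerarmyposts) are all assumptions. It also shows the main weakness of a LIKE '%keyword%' filter: it is a plain substring match, so "Node.js" counts as a "Node" hit.

```python
import sqlite3

# Constructed sample posts (not real Hacker Web data). Columns mirror the deck's
# query (FlatContent, PostDate, PostRank) plus an assumed Forum column.
SAMPLE_POSTS = [
    ("cnhonkerarmy", "Question about RFID badge readers in building entry systems", "2013-11-02", 3),
    ("cnhonkerarmy", "Anyone tried the new sensor network firmware?", "2013-09-14", 1),
    ("cnhonkerarmy", "Selling bulk email lists", "2013-09-01", 0),
    ("cnhonkerarmy", "Node.js script for scraping email addresses", "2013-10-30", 2),  # false positive for "Node"
    ("cnhonkerarmy", "ZigBee node firmware update notes", "2013-12-20", 5),
    ("russian_forum", "Sensor calibration on SCADA remote terminals", "2013-10-05", 2),
    ("russian_forum", "Off topic: hardware giveaway", "2013-08-08", 0),
    ("us_forum", "RFID payment card relay, is it still possible?", "2013-07-19", 4),
]

# Constructed total post count per forum: the deck's "All Post" column. Forums
# differ in size by orders of magnitude, so raw hit counts cannot be compared directly.
TOTAL_POSTS = {"cnhonkerarmy": 4000, "russian_forum": 1000, "us_forum": 400}

IOT_KEYWORDS = ("RFID", "Sensor", "Node")


def build_db():
    """Create an in-memory table with the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (Forum TEXT, FlatContent TEXT, PostDate TEXT, PostRank INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_iot_posts(conn, forum, keywords=IOT_KEYWORDS):
    """Run the deck's keyword query against one forum, parameterised instead of
    string-built. LIKE '%kw%' is case-insensitive for ASCII and matches any
    substring, so results still need a manual relevance pass."""
    where = " OR ".join("FlatContent LIKE ?" for _ in keywords)
    sql = ("SELECT FlatContent, PostDate, PostRank FROM posts "
           "WHERE Forum = ? AND (%s) ORDER BY PostDate DESC" % where)
    params = [forum] + ["%" + kw + "%" for kw in keywords]
    return conn.execute(sql, params).fetchall()


def iot_share_by_forum(conn, totals=TOTAL_POSTS, keywords=IOT_KEYWORDS):
    """Per forum: hit count, raw share of all hits, rate = hits / all posts in the
    forum ("True %"), and the share of that rate across forums."""
    counts = {forum: len(search_iot_posts(conn, forum, keywords)) for forum in totals}
    total_matches = sum(counts.values())
    rates = {forum: counts[forum] / totals[forum] for forum in totals}
    total_rate = sum(rates.values())
    return {
        forum: {
            "matches": counts[forum],
            "raw_share": counts[forum] / total_matches,
            "rate": rates[forum],
            "normalised_share": rates[forum] / total_rate,
        }
        for forum in totals
    }


if __name__ == "__main__":
    conn = build_db()
    for forum, s in iot_share_by_forum(conn).items():
        print("%-14s matches=%d raw_share=%.1f%% rate=%.4f%% normalised_share=%.1f%%"
              % (forum, s["matches"], 100 * s["raw_share"], 100 * s["rate"], 100 * s["normalised_share"]))
```

On the constructed data the largest forum produces the most raw hits but the smallest forum has the highest rate, which is exactly why the deck reports "True %" next to the raw post counts.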
6
Shodan/Python
import os
from shodan import WebAPI  # pre-1.0 client class used on the slide; newer releases call it shodan.Shodan

SHODAN_API_KEY = os.environ["SHODAN_API_KEY"]  # the slide hard-coded a literal key here; keep it out of source
api = WebAPI(SHODAN_API_KEY)

try:
    results = api.search('MAC OS X')
    print('Results found: %s' % results['total'])
    for result in results['matches']:
        print('IP: %s' % result['ip'])
        print('Country: %s' % result['country_name'])
        print(result['data'])
except Exception as e:
    print('Error: %s' % e)
This example Python code is used to collect all open OS X devices in the Shodan database and show the IP address and location (by country) of each device.
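An added example (not the project's code, and it makes no network call) of the aggregation behind the "Mac Device by Region" chart: Shodan-style match records are deduplicated by IP, then counted by country and mapped to a region. The records, the country-to-region table and the resulting percentages are constructed. The deduplication step matters because Shodan returns one match per banner, so a host with several open services appears several times and would otherwise be counted as several devices.

```python
from collections import Counter

# Constructed records shaped like the 2014-era Shodan WebAPI matches the slide
# prints ('ip', 'country_name', 'data'); addresses come from documentation ranges.
SAMPLE_MATCHES = [
    {"ip": "198.51.100.10", "country_name": "United States", "data": "SSH-2.0-OpenSSH_6.2 Darwin"},
    {"ip": "198.51.100.10", "country_name": "United States", "data": "AFP server banner"},  # same host, second service
    {"ip": "198.51.100.11", "country_name": "United States", "data": "Apple remote desktop"},
    {"ip": "198.51.100.12", "country_name": "United States", "data": "SSH-2.0-OpenSSH_5.9 Darwin"},
    {"ip": "203.0.113.5", "country_name": "Canada", "data": "SSH-2.0-OpenSSH_6.2 Darwin"},
    {"ip": "203.0.113.20", "country_name": "Germany", "data": "Mac OS X Server web service"},
    {"ip": "203.0.113.21", "country_name": "Germany", "data": "SSH-2.0-OpenSSH_6.2 Darwin"},
    {"ip": "203.0.113.30", "country_name": "United Kingdom", "data": "AFP server banner"},
    {"ip": "192.0.2.40", "country_name": "China", "data": "SSH-2.0-OpenSSH_5.9 Darwin"},
    {"ip": "192.0.2.41", "country_name": "Japan", "data": "Mac OS X Server web service"},
    {"ip": "192.0.2.50", "country_name": "Brazil", "data": "SSH-2.0-OpenSSH_6.2 Darwin"},
]

# Assumed country-to-region table for the slide's three regions; anything not
# listed is reported as "Other" so that no host silently disappears from the total.
REGION_OF_COUNTRY = {
    "United States": "North America", "Canada": "North America",
    "Germany": "Europe", "United Kingdom": "Europe",
    "China": "Asia", "Japan": "Asia",
}


def unique_hosts(matches):
    """Keep the first record per IP: count devices, not banners."""
    seen = {}
    for match in matches:
        seen.setdefault(match["ip"], match)
    return list(seen.values())


def _percentages(counter):
    total = sum(counter.values())
    return {key: round(100.0 * n / total, 1) for key, n in counter.items()}


def share_by_country(matches):
    """Percentage of records per country, as in the RQ 2 country tables."""
    return _percentages(Counter(m.get("country_name", "Unknown") for m in matches))


def share_by_region(matches, region_of=REGION_OF_COUNTRY):
    """Percentage of records per region, as in the 'Mac Device by Region' chart."""
    return _percentages(Counter(region_of.get(m.get("country_name"), "Other") for m in matches))


if __name__ == "__main__":
    hosts = unique_hosts(SAMPLE_MATCHES)
    print("banners: %d, distinct hosts: %d" % (len(SAMPLE_MATCHES), len(hosts)))
    print("by country (banners):", share_by_country(SAMPLE_MATCHES))
    print("by country (hosts):  ", share_by_country(hosts))
    print("by region (hosts):   ", share_by_region(hosts))
```

Comparing the two country breakdowns shows the effect of the extra banner: the United States share drops from 36.4% of banners to 30.0% of hosts once the duplicate IP is collapsed.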
7
RQ 1 MAC OS X
Rank  Name  % of all attacks
1 Trojan.OSX.FakeCo.a 52%
2 Trojan-Downloader.OSX.Jahlav.d 8%
3 Trojan-Downloader.OSX.Flashfake.ai 7%
4 Trojan-Downloader.OSX.FavDonw.c 5%
5 Trojan-Downloader.OSX.FavDonw.a 2%
6 Trojan-Downloader.OSX.Flashfake.ab 2%
7 Trojan-FakeAV.OSX.Defma.gen 2%
8 Trojan-FakeAV.OSX.Defma.f 1%
9 Exploit.OSX.Smid.b 1%
10 Trojan-Downloader.OSX.Flashfake.af 1%
TOP 10 malicious programs for Mac OS X, H2 2012
http://www.securelist.com/en/analysis/204792255/
8
RQ 1 MAC OS X
This is the Hacker Web search result, showing the topics related to Mac OS X system attacks. We searched all 4 language forums because "OS X" is a general term that is also used in the Russian and Arabic forums.
We base the analytics on data from 2009 onward because that is the year when major discussion about the OS X system emerges.
9
RQ 1 MAC OS X
[Figure: Mac Device by Region (percentage): North America 42.7%, Europe 32.8%, Asia 8.8%]
- To the left is sample search output, produced with the Python script, of all open OS X devices.
- To the right is the regional analytic of the OS X device distribution among the 3 major regions.
10
RQ 2 IoT
Shodan results by category (host count, then share by country):
Medical (2257 hosts):     United States 63.0%   China 1.0%    Russia 0.0%
Building (1948 hosts):    United States 47.8%   China 23.3%   Russia 2.2%
Government (15214 hosts): United States 64.3%   China 2.9%    Russia 1.4%
[Figure: Percentage of IoT by Country, all 3 categories aggregated: United States 41.9%, China 6.1%, Russia 0.6%]
- To the left are the Shodan results for IoT, broken down by category.
- To the right is the overall aggregated result of the IoT distribution (all 3 categories).
11
RQ 2 IoT
This is the Shodan search result, showing the distribution of IoT hosts in 3 major categories: medical devices, buildings, and government-related hosts.
The results show the IP address and host country of each device.
12
RQ 3 Fake Anti-virus -- UI
It shows the main screen of W32/FakeAV.KL!tr, a professional-looking antivirus program complete with a menu and a scanning window. On a normal, clean computer it will still report that you are infected by at least 14 threats.
https://blog.fortinet.com/how-to-spot-fake-antivirus-software/
13
RQ 4 Mobile Security
http://mediaserver.dwpub.com/press-release/22575/malware_goes_mobile.jpg
14
RQ 4 Mobile Security
https://www.iscanonline.com/assets/iScan%20Mobile%20Security%20Analysis%202013.pdf
15
Findings and Discussions
16
RQ 1 MAC OS X
Number of malware samples that can detect the OS X system
https://www.securelist.com/en/analysis/204792231/IT_Threat_Evolution_Q1_2012
17
RQ 2 IoT
[Figure: Distribution of IoT attack discussion in HackerWeb (pie chart): United States 57.8%, China 7.9%, Russia 34.3%]
Country         %       Posts   True %    All Post
United States   57.8%   194     0.00105   185237
China           7.9%    381     0.00014   2648393
Russia          34.3%   264     0.00062   424721
Sum of True %: 0.00181
18
RQ 3 Fake Anti-virus
Hacker Web discussion about Fake Anti Virus Software
[Figure: No. of Fake AV Software Discussion, post count per year (bar chart; x-axis: Year, y-axis: No. of Post)]
Year   Post Count
2006   22
2007   26
2008   32
2009   52
2010   99
2011   104
2012   95
2013   114
Aggregated result for all Fake AV discussion from 2006 to 2013
19
RQ 4 Mobile Security
[Figure: Hacker Web Post per year, 2009 to 2013 (bar chart; x-axis: Year, y-axis: # of Discussion, 0 to 300)]
Number of Hacker Web discussions about mobile security issues from 2009 to 2013
20
RQ 4 Mobile Security -- Mobile Malware
2008: Infojack, Feb. 2008
http://mediaserver.dwpub.com/press-release/22575/malware_goes_mobile.jpg