Internet Security Activities in Korea


Internet Security Activities in Korea
Wan-keun Jeon
2005.11.17
Korea Internet Security Center
Contents
I. Internet Status in Korea
II. Internet Threat Status
III. Responding Malicious Codes
IV. Responding Web Hacking Incidents
V. Further Works
I. Internet Status in Korea (1/2)
Internet Infrastructure
[Figure: Korean Internet infrastructure. Source: NIDA (KrNIC)]
• 1.4M home pages
• 70+ ISPs
• 87,000 leased-line subscribers (enterprises/organizations)
• 28M PCs
• 12M broadband subscribers
I. Internet Status in Korea (2/2)
Evolution of Security Threat Areas
[Figure: transition of Internet usage from the client/server type (clients around a central server) to the pure distributed type (peer to peer)]
[Figure: evolving into a broadband convergence network: Data (Internet) + Voice (Telecom) + Broadcasting (DMB). The secure zone now spans Internet + Mobile + Voice + Broadcasting, and attacks from the Internet reach all of them]
II. Internet Threat Status (1/3)
Malicious Code Threats
[Figure: monthly worm/virus incidents, Jan to Dec, 2004 vs 2005 (scale 0 to 25,000), with the PC survival time of Win XP SP1 and Win 2K SP4 overlaid (scale 0 to 25). Values labelled on the incident bars: 1,779; 1,578; 1,238; 1,265; 1,271; 798; 949; 2,061. Source: KISA KISC Monthly Report]
Hacking Threats
[Figure: monthly phishing cases, 2004 vs 2005 (scale 0 to 200). Labelled values: 116, 112, 125, 97, 90, 94, 61, 64, 64, 66]
[Figure: monthly web page defacements, 2004 vs 2005 (scale 0 to 8,000). Labelled values: 6,478; 1,912; 1,445; 1,366; 1,424; 801; 696; 1,005; 554; 492]
II. Internet Threat Status (3/3)
Focusing Areas
[Figure: focus areas: Responding Web Hacking, Responding Malicious Codes, Vulnerability, BOTNet (Zombies), SPAM, DDoS, Phishing, Adware, Spyware, KeyLog]
Vulnerability:
• "Only 20% of Windows users are up-to-date with patches" ('04.1.27)
• Vulnerability patch: '04.4.13
• Sasser worm outbreak: '04.5.1
SPAM:
"During June, spam sent through zombie PCs accounted for an average of 62 percent of all spam filtered by the MX Logic Threat Center. This compares with 55 percent in May and 44 percent in April."
Ref.: technologynewsdaily.com ('05.7.3)
DDoS:
"The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "bot net"--a large network of zombified home PCs--Internet infrastructure provider Akamai Technologies said Wednesday." ('04.6.16)
BOTNet (Zombies), Phishing, Adware, Spyware, KeyLog:
"Bot nets, collections of compromised computers controlled by a single person or group, have become more pervasive and increasingly focused on identity theft and installing spyware, according to a Honeynet Project report." ('05.3.15)
III. Responding Malicious Codes
Mitigation of BOTnet
■ Botnet is one of the biggest threats for the Internet
• Too many PCs in Korea get infected by BOT
• Abused for spamming, phishing, etc.
[Figure: BOT-infected PCs per day of the month (day 1 to day 31), total IP vs Korean IP (scale 0 to 350,000). Src: http://en.wikipedia.org/wiki/Botnet. Source: KISC Monthly Report (July)]
III. Responding Malicious Codes
■ Working with ISP/NSP
• Nuking BOTNET C&C (Command & Control) activity (Korea only)
[Figure: Botnet C&C IP count per month, Jan to Jul (scale 0 to 350)]
■ Cooperation with dynamic DNS providers to terminate BOTNET C&C DNS RR
■ Cooperation with foreign CERT/ISP/NSP to block and take down IP addresses used as BOTNET C&C servers
III. Responding Malicious Codes
■ Filtering Botnet C&C IP
■ Terminating Botnet C&C DNS RR
■ Collecting Bot samples and sharing them with AV vendors
■ Using ISP DNS for DNS sinkhole
• So far 4,691 Botnet DNS RR entries
• Applied to major KR ISP DNS servers
■ Forcing users to patch Windows vulnerabilities with help from major portal and on-line game sites
[Figure: Botnet sinkhole activity]
[Figure: BOT-infected Korean PCs worldwide (percentage), by month of 2005 (scale 9% to 27%). Labelled values: 26.4%, 25.8%, 24.6%, 24.1%, 20.7%, 19.4%, 19.7%, 18.1%, 14.6%, 13.6%, 10.0%]
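The DNS sinkhole described above, as an added example (not KISC's or any ISP's own tooling): a Python script takes a list of C&C hostnames, normalises and validates them, emits a BIND Response Policy Zone (RPZ) fragment that answers those names and their subdomains with a sinkhole address, and applies the same exact-or-subdomain match on the resolver side so the RR entry count and the policy decision can be checked. The hostnames, the sinkhole address 10.255.255.1 and the zone name rpz.isp.example are constructed.

```python
"""DNS sinkhole policy for botnet C&C hostnames.

Added example (not KISC's tooling): builds a BIND RPZ (Response Policy Zone)
fragment from a list of C&C hostnames and applies the same matching rule on
the resolver side. All hostnames and the sinkhole address are constructed.
"""
import ipaddress
import re

# Constructed sample of C&C hostnames as they might arrive from DDNS
# providers, foreign CERTs and bot-sample analysis. ".invalid" is reserved
# and never resolves on the real Internet.
CC_HOSTNAMES = [
    "cnc.example.invalid",
    "irc-updates.example.invalid",
    "Botmaster.EXAMPLE.invalid.",  # mixed case and trailing dot: normalised
    "cnc.example.invalid",         # duplicate: dropped
    "not a hostname!",             # malformed: rejected, never reaches the zone
]
SINKHOLE_IP = "10.255.255.1"       # assumed sinkhole listener inside the ISP
RPZ_ORIGIN = "rpz.isp.example"     # assumed name of the ISP's policy zone

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(names):
    """Lower-case, strip the trailing dot, drop malformed and duplicate names."""
    seen, out = set(), []
    for raw in names:
        name = raw.strip().rstrip(".").lower()
        labels = name.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
            continue
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def build_rpz_zone(names, sinkhole_ip, serial, origin=RPZ_ORIGIN):
    """Return an RPZ zone as text.

    In RPZ the owner name is the queried name written relative to the policy
    zone, so 'cnc.example.invalid' under $ORIGIN rpz.isp.example rewrites
    answers for cnc.example.invalid. The wildcard record covers subdomains
    that bots use to dodge exact-match blocks.
    """
    ipaddress.ip_address(sinkhole_ip)  # raises ValueError on a bad address
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns1.{origin}. hostmaster.{origin}. ({serial} 3600 900 604800 300)",
        f"@ IN NS ns1.{origin}.",
    ]
    for name in normalise(names):
        lines.append(f"{name} IN A {sinkhole_ip}")
        lines.append(f"*.{name} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


def is_sinkholed(qname, names):
    """Resolver-side view of the same policy: exact match or any subdomain."""
    q = qname.rstrip(".").lower()
    return any(q == n or q.endswith("." + n) for n in normalise(names))


def rr_count(zone_text):
    """Number of sinkhole A records in the zone (the kind of count the slide
    reports as 'Botnet DNS RR entries')."""
    return sum(1 for line in zone_text.splitlines() if " IN A " in line)


if __name__ == "__main__":
    zone = build_rpz_zone(CC_HOSTNAMES, SINKHOLE_IP, serial=2005111701)
    print(zone)
    print("sinkhole RRs:", rr_count(zone))
    print(is_sinkholed("update.cnc.example.invalid.", CC_HOSTNAMES))
```

Pointing every C&C name and its subdomains at a listener the ISP controls turns each infected PC's C&C lookup into a log line at the sinkhole, which is how infected IPs can be counted without touching the PCs. The zone serial must increase on every regeneration, otherwise secondary servers keep serving the old policy.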
III. Responding Malicious Codes
Malicious Codes Analysis
[Figure: malicious-code sample sources (Honeynet, worm attacks, management server) feed the Analysis Lab, which produces a weekly report]
We analyze malicious codes which cause a high volume of garbage network traffic.
■ Our analysis focuses on
• Network traffic
• Protocol and ports
• Malicious behaviors (registry operations, file operations, etc.)
• Probability of information theft
[Figure: total collected worms per day, Fri 1 Jul 05 to Thu 7 Jul 05 (scale 0 to 35). Labelled values: 30, 26, 23, 18, 18, 16, 13]
How can we respond rapidly and effectively?
III. Responding Malicious Codes
Malicious Codes Analysis Tool
■ On-line analysis
■ Combined analysis tool with honeypot for maximum effect
Before (manual, about 30 minutes):
• System modifications, with FileMon and RegMon: creation and deletion of files; creation, modification and deletion of registry entries
• Network impact, with a sniffer, Netstat, etc.: traffic; payload contents; detecting backdoors
After (new analysis tool, less than 5 minutes, simple behavior report of the process's internal behaviors):
• System information: number of processes and threads; termination of processes (AV SW)
• System modifications: creation and deletion of files; creation, modification and deletion of registry entries
• Network impact: traffic and its characteristics; backdoors
• Etc.: timers (coordinated attack time)
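The before/after comparison the new tool automates, as an added example (not KISC's tool): two constructed snapshots of the observations listed above (file hashes, registry values, running processes, listening sockets) are diffed into a simple behavior report that flags created or modified files, new autostart registry entries, terminated AV processes and new listeners that may be backdoors. All paths, process names, hashes and the AV process list are constructed or assumed.

```python
"""Before/after snapshot diff that yields a 'simple behavior report'.

Added example, not KISC's analysis tool. It takes the observations the
slide lists (files, registry, processes, listeners) as snapshots captured
before and after the sample runs, and diffs them. Both snapshots below are
constructed; paths, names and hashes are placeholders.
"""
from dataclasses import dataclass

# Assumed list of AV/security processes whose disappearance is worth flagging.
AV_PROCESSES = {"avguard.exe", "mcshield.exe", "ccapp.exe"}


@dataclass
class Snapshot:
    files: dict        # path -> content hash (constructed hex strings here)
    registry: dict     # "hive\\key\\value" -> data
    processes: set     # running process names
    listeners: set     # (proto, port) sockets in LISTEN state


BEFORE = Snapshot(
    files={r"C:\WINDOWS\system32\kernel32.dll": "1111",
           r"C:\WINDOWS\system32\drivers\etc\hosts": "2222"},
    registry={r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater":
              r"C:\Program Files\Vendor\upd.exe"},
    processes={"explorer.exe", "avguard.exe", "svchost.exe"},
    listeners={("tcp", 135), ("tcp", 445)},
)

AFTER = Snapshot(
    files={r"C:\WINDOWS\system32\kernel32.dll": "1111",
           r"C:\WINDOWS\system32\drivers\etc\hosts": "9999",     # modified
           r"C:\WINDOWS\system32\updater32.exe": "abcd"},        # created
    registry={r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater32":
              r"C:\WINDOWS\system32\updater32.exe"},             # created; Updater deleted
    processes={"explorer.exe", "svchost.exe", "updater32.exe"},  # avguard.exe gone
    listeners={("tcp", 135), ("tcp", 445), ("tcp", 4444)},       # new listener
)


def _diff_map(before, after):
    """Created / deleted / modified keys between two key->value maps."""
    created = sorted(k for k in after if k not in before)
    deleted = sorted(k for k in before if k not in after)
    modified = sorted(k for k in after if k in before and before[k] != after[k])
    return {"created": created, "deleted": deleted, "modified": modified}


def behavior_report(before, after):
    """Summarise what the sample changed between the two snapshots."""
    files = _diff_map(before.files, after.files)
    registry = _diff_map(before.registry, after.registry)
    new_procs = sorted(after.processes - before.processes)
    gone_procs = sorted(before.processes - after.processes)
    new_listeners = sorted(after.listeners - before.listeners)
    # Run-key entries survive a reboot, so a new one is an autostart persistence sign.
    autostart = [k for k in registry["created"] if "\\CurrentVersion\\Run\\" in k]
    return {
        "files": files,
        "registry": registry,
        "new_processes": new_procs,
        "terminated_processes": gone_procs,
        "terminated_av": sorted(p for p in gone_procs if p.lower() in AV_PROCESSES),
        "new_listeners": new_listeners,
        "possible_backdoor": bool(new_listeners),
        "autostart_entries": autostart,
    }


if __name__ == "__main__":
    for section, value in behavior_report(BEFORE, AFTER).items():
        print(f"{section}: {value}")
```

The snapshot approach reports only the end state, so a file the sample creates and deletes again within the run, or a timer that fires after the snapshot, is missed; that is why the slide's tool also watches timers, and why a short run is complemented by network capture.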
III. Responding Malicious Codes
Survival Time - Measuring Degree of Internet Attack Status
■ The survival time is calculated as the average time between reports of an average target IP address (ISC, SANS)
■ SAS
• Survival time Analysis System (SAS) is a system to automate the measurement of survival time and a part of KISC Honeynet
• SAS consists of an analysis mechanism and a collection of PCs with unpatched WinXP/SP1, Win2K/SP4, and so on.
[Figure: SAS architecture: Internet -> detection mechanism -> time-checking mechanism -> honeynet, with a recovery mechanism restoring the PCs]
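The survival-time definition above, worked as an added example (not the SAS code): constructed detection reports from a few unpatched honeynet targets are grouped per target IP, the gaps between consecutive reports are averaged, and the per-target figures are then averaged per Windows image, which is the comparison the earlier chart draws between Win XP SP1 and Win 2K SP4. Timestamps, addresses and image names are constructed.

```python
"""Survival time from honeynet detection reports.

Added example, not the SAS code itself. Implements the definition on the
slide: survival time = average time between reports for a target IP
address, then averaged over targets. Reports below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed detection reports from unpatched honeynet PCs:
# (timestamp, target IP, image the target runs). TEST-NET addresses only.
REPORTS = [
    ("2005-07-01 00:00:00", "192.0.2.10", "WinXP/SP1"),
    ("2005-07-01 00:12:00", "192.0.2.10", "WinXP/SP1"),
    ("2005-07-01 00:30:00", "192.0.2.10", "WinXP/SP1"),
    ("2005-07-01 00:25:00", "192.0.2.11", "WinXP/SP1"),  # out of order on purpose
    ("2005-07-01 00:05:00", "192.0.2.11", "WinXP/SP1"),
    ("2005-07-01 00:00:00", "192.0.2.20", "Win2K/SP4"),
    ("2005-07-01 00:08:00", "192.0.2.20", "Win2K/SP4"),
    ("2005-07-01 00:14:00", "192.0.2.20", "Win2K/SP4"),
    ("2005-07-01 00:03:00", "192.0.2.21", "Win2K/SP4"),  # single report: no interval
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def per_target_survival(reports):
    """Mean minutes between consecutive reports, keyed by (ip, image).

    A target with fewer than two reports yields no interval and is skipped
    rather than counted as zero, which would drag the average down.
    """
    times = defaultdict(list)
    for ts, ip, image in reports:
        times[(ip, image)].append(_parse(ts))
    result = {}
    for key, stamps in times.items():
        stamps.sort()  # reports need not arrive in time order
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if gaps:
            result[key] = mean(gaps)
    return result


def survival_by_image(reports):
    """Average the per-target figure across targets running the same image,
    which is what lets a chart compare Win XP SP1 against Win 2K SP4."""
    by_image = defaultdict(list)
    for (ip, image), minutes in per_target_survival(reports).items():
        by_image[image].append(minutes)
    return {image: mean(v) for image, v in by_image.items()}


def overall_survival(reports):
    """The single 'average target' figure; None when no target has two reports."""
    per_target = per_target_survival(reports)
    return mean(per_target.values()) if per_target else None


if __name__ == "__main__":
    for image, minutes in survival_by_image(REPORTS).items():
        print(f"{image}: {minutes:.1f} min")
    print(f"overall: {overall_survival(REPORTS):.1f} min")
```

In the honeynet setting the recovery mechanism re-images a PC after each compromise, so the gap between reports for one address is effectively its time-to-compromise; averaging first per target and then across targets keeps one noisy address from dominating the figure.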
IV. Responding Web Hacking Incidents
Web Hacking incidents in Korea
■ Hackers armed with search engines and automated defacing tools
■ Vulnerabilities in public-domain BBS software have been disclosed without patches
■ More than 7,000 web pages have been defaced during Dec 2004 and Jan 2005
• Mostly by Latin American hackers
• Unpatched BBS sites run by individuals were targeted
• Multiple websites in one host (virtual hosting sites)
■ Vulnerabilities in some security software
IV. Responding Web Hacking Incidents
Web Hacking Prevention Activities
■ Finding and patching vulnerabilities in public-domain BBS software
• Found more than 100 unpatched vulnerabilities in 20 software packages and supported getting them patched
• Organized training courses for the developers
■ Etc.
• Vulnerability analysis support for more than 3,000 hosts residing in small web hosting companies
V. Further Works
Responding New Threats
■ Web hacking skills have been evolving continuously and are abused for information theft
• From June 2005, attempts to steal game site IDs and passwords have been increasing
• These kinds of incidents are mostly related to web hacking
■ New ways of responding against emerging threats
• KISC Honeynet is also evolving for the proper response.
• Adware/Spyware problem
• Phishing for Korean banks is an emerging threat getting much attention from civil society and the press.
Cooperation with Neighbors
[Figure: cooperation with neighbors: cooperation, information sharing and cooperated drills against attacks, malicious codes and DDoS]
Q&A
For more information please contact [email protected]