Internet Security Activities in Korea Wan-keun Jeon 2005.11.17 Korea Internet Security Center

Page 1: Internet Security Activities in Korea

Internet Security Activities in Korea

Wan-keun Jeon

2005.11.17

Korea Internet Security Center

Page 2: Internet Security Activities in Korea

-2-

Contents

I. Internet Status in Korea

II. Internet Threat Status

III. Responding Malicious Codes

IV. Responding Web Hacking Incidents

V. Further Works

Page 3: Internet Security Activities in Korea

-3-

I. Internet Status in Korea (1/2)

Internet Infrastructure (diagram; figures as given on the slide)
• 70+ ISPs
• 12M Broadband Subscribers
• 87,000 Leased Line Subscribers (Enterprise/Orgs)
• 28M PCs
• 1.4M Home Pages

Source: NIDA (KrNIC)

Page 4: Internet Security Activities in Korea

-4-

I. Internet Status in Korea (2/2)

Evolution of Security Threat Areas

Transition of Internet Usage: evolving into a Broadband convergence Network: Data (Internet) + Voice (Telecom) + Broadcasting (DMB)

(Diagram: the attack surface widens from the Internet alone to Internet + Mobile + Voice + Broadcasting, with a Mobile Secure Zone; the architecture shifts from the Client/Server type (one server, many clients) to the Pure Distributed type (peers talking to peers).)

Page 5: Internet Security Activities in Korea

-5-

II. Internet Threat Status (1/3)

(Four charts compare monthly figures for 2004 and 2005; the numeric labels did not survive extraction in usable order.)

Hacking Threats: Web Page Defacements, Phishing cases

Malicious Code Threats: Worm/Virus Incidents, PC Survival Time (Win XP SP1 and Win 2K SP4, Jan to Dec)

Source: KISA KISC Monthly Report

Page 6: Internet Security Activities in Korea

-7-

II. Internet Threat Status (3/3): Focusing Areas

SPAM
"During June, spam sent through zombie PCs accounted for an average of 62 percent of all spam filtered by the MX Logic Threat Center. This compares with 55 percent in May and 44 percent in April." Ref.: technologynewsdaily.com ('05.7.3)

DDoS
"The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "bot net"--a large network of zombified home PCs--Internet infrastructure provider Akamai Technologies said Wednesday." ('04.6.16)

Phishing, Adware, Spyware, KeyLog
"Bot nets, collections of compromised computers controlled by a single person or group, have become more pervasive and increasingly focused on identity theft and installing spyware, according to a Honeynet Project report." ('05.3.15)

BOTNet (Zombies)

Responding Malicious Codes
• "Only 20% of Windows users are up-to-date with patches": '04.1.27
• Vulnerability Patch: '04.4.13
• Sasser Worm Outbreak: '04.5.1

Responding Web Hacking: Vulnerability

Page 7: Internet Security Activities in Korea

-8-

III. Responding Malicious Codes

Mitigation of BOTnet

Botnet is one of the biggest threats for the Internet
• Too many PCs in Korea get infected by BOT
• Abused for Spamming, Phishing, etc.
Src: http://en.wikipedia.org/wiki/Botnet

(Chart: BOT Infected PCs, daily for July (day 1 to day 31), series Total IP and Korean IP, y-axis 0 to 350,000. Source: KISC Monthly Report (July))

Page 8: Internet Security Activities in Korea

-9-

III. Responding Malicious Codes

Working with ISP/NSP
• Nuking BOTNET C&C (Command & Control) Activity (Korea Only)
• Cooperation with Dynamic DNS Providers to terminate BOTNET C&C DNS RR
• Cooperation with Foreign CERT/ISP/NSP to block and take down IP addresses used as BOTNET C&C servers

(Chart: Botnet C&C IP, monthly count Jan to Jul, y-axis 0 to 350)

Page 9: Internet Security Activities in Korea

-10-

III. Responding Malicious Codes

Botnet sinkhole activity
• Filtering Botnet C&C IP
• Terminating Botnet C&C DNS RR
• Collecting Bot Samples and sharing with AV Vendors
• Using ISP DNS for DNS Sinkhole
  • So far 4,691 Botnet DNS RR entries
  • Applied to major KR ISP DNS servers

Forcing users to patch Windows vulnerabilities with the help of major portal and on-line game sites

(Chart: BOT infected Korean PCs worldwide, share by month for 2005, y-axis 9% to 27%; the plotted values lie between 10.0% and 26.4%.)
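The sinkhole mechanism described on this slide, as an added example that is not KISC's or any ISP's code: a small in-memory model of an ISP resolver loaded with C&C names ("Botnet DNS RR entries"). Queries for a listed name, or any name under it, are answered with a sinkhole address instead of the real C&C, and every such query is logged by client address, which is what lets the ISP identify infected PCs. The C&C names, the sinkhole address (RFC 5737 range), the upstream answers and the query log are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sinkhole address (RFC 5737 documentation range), not a KISC value.
SINKHOLE_A = "192.0.2.53"


@dataclass
class SinkholeResolver:
    """Model of an ISP recursive resolver with a botnet sinkhole list.

    cnc_names: C&C hostnames supplied by the CERT (the 'Botnet DNS RR entries').
    upstream:  stand-in for normal recursion, a constructed name -> address map.
    hits:      (client_ip, qname) pairs for every sinkholed query, the raw
               material for finding infected PCs behind the resolver.
    """
    cnc_names: Set[str]
    upstream: Dict[str, str]
    hits: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def _norm(name: str) -> str:
        # DNS names are case-insensitive; strip a trailing root dot.
        return name.rstrip(".").lower()

    def is_sinkholed(self, qname: str) -> bool:
        """True if qname itself or any parent domain (with at least two labels)
        is on the C&C list, so sub1.cnc.example is caught by cnc.example."""
        labels = self._norm(qname).split(".")
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in self.cnc_names:
                return True
        return False

    def resolve(self, client_ip: str, qname: str) -> str:
        """Answer a query: sinkhole address for C&C names, otherwise the
        upstream answer, otherwise 'NXDOMAIN'."""
        name = self._norm(qname)
        if self.is_sinkholed(name):
            self.hits.append((client_ip, name))
            return SINKHOLE_A
        return self.upstream.get(name, "NXDOMAIN")

    def suspected_bots(self) -> Counter:
        """Sinkhole hits per client address; repeated hits from one address
        are the signal used to notify the subscriber to clean the PC."""
        return Counter(ip for ip, _ in self.hits)

    def zone_records(self, ttl: int = 300) -> List[str]:
        """Render the list as A records, the form loaded into the ISP DNS servers."""
        return [f"{n}. {ttl} IN A {SINKHOLE_A}" for n in sorted(self.cnc_names)]


def demo() -> SinkholeResolver:
    """Replay a constructed query log through the resolver."""
    resolver = SinkholeResolver(
        cnc_names={"cnc-example.invalid", "irc.botctl-example.test"},  # constructed
        upstream={"www.example.com": "198.51.100.10"},                  # constructed
    )
    queries = [  # constructed (client, qname) pairs
        ("203.0.113.7", "cnc-example.invalid"),
        ("203.0.113.7", "update.CNC-example.invalid."),
        ("203.0.113.9", "www.example.com"),
        ("203.0.113.11", "irc.botctl-example.test"),
        ("203.0.113.7", "www.example.com"),
    ]
    for client, qname in queries:
        resolver.resolve(client, qname)
    return resolver


if __name__ == "__main__":
    r = demo()
    print("\n".join(r.zone_records()))
    for ip, n in r.suspected_bots().most_common():
        print(f"{ip}: {n} sinkhole hit(s)")
```

Two details matter in practice: matching parent domains catches bots that use per-host subdomains of one C&C zone, and keeping the hit log per client address is what turns the sinkhole from a block into a detection source. A real deployment would also point the sinkhole address at a host that accepts the bots' connections and records them.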

Page 10: Internet Security Activities in Korea

-11-

III. Responding Malicious Codes

Malicious Codes Analysis

How can we respond rapidly and effectively?

We analyze malicious codes which cause a high volume of garbage network traffic. (Diagram: MC Sample sources, Worm Attack, Honeynet Analysis Lab, Mgmt Server.)

Our analysis focuses on
• Network Traffic
• Protocol and Ports
• Malicious behaviors (Registry operations, file operations, etc)
• Probability of information theft

Weekly Report: total collected worms, 1-Jul-05 to 7-Jul-05 (chart values read left to right)

Date      Day  Collected worms
1-Jul-05  FRI  18
2-Jul-05  SAT  30
3-Jul-05  SUN  16
4-Jul-05  MON  13
5-Jul-05  TUE  18
6-Jul-05  WED  26
7-Jul-05  THU  23

Page 11: Internet Security Activities in Korea

-12-

III. Responding Malicious Codes

Malicious Codes Analysis Tool

On-line analysis: combined analysis tool with honeypot for maximum effect

Before (FileMon, RegMon, Sniffer, Netstat, etc.; about 30 minutes per sample)
• System modifications: creation and deletion of files; creation, modification and deletion of Registry entries
• Network impact: traffic; payload contents; detecting backdoors

After (MCAT, new analysis tool; less than 5 minutes per sample)
• System information: # of processes, threads; termination of processes (AV SW)
• System modifications: creation, deletion of files; creation, modification, deletion of Registry
• Network impact: traffic and characteristics; backdoors
• Process's internal behaviors
• Etc: timers (coordinated attack time)
• Output: simple behavior report
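The before/after comparison that the slide's tool automates, as an added example that is not MCAT or any KISC code: two snapshots of a sandbox PC (files, registry values, processes, listening sockets) are diffed and the diff is reduced to the short behaviour report an analyst reads first. The AV process names, the dropped file name, the port and both snapshots are constructed; the Run key path is the real Windows autostart key.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed process names standing in for AV software, and the real
# per-machine autostart key that malware commonly writes to for persistence.
AV_PROCESSES = {"avguard.exe", "mcshield.exe"}
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"


@dataclass(frozen=True)
class Snapshot:
    """What the tool records before and after the sample runs."""
    files: Set[str]                   # full paths present on disk
    registry: Dict[str, str]          # value path -> data
    processes: Set[str]               # running image names
    listening: Set[Tuple[str, int]]   # (protocol, port) sockets in LISTEN state


def diff(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Set differences between the two snapshots, one sorted list per category."""
    return {
        "files_created": sorted(after.files - before.files),
        "files_deleted": sorted(before.files - after.files),
        "registry_created": sorted(k for k in after.registry if k not in before.registry),
        "registry_modified": sorted(
            k for k in after.registry
            if k in before.registry and after.registry[k] != before.registry[k]),
        "registry_deleted": sorted(k for k in before.registry if k not in after.registry),
        "processes_started": sorted(after.processes - before.processes),
        "processes_terminated": sorted(before.processes - after.processes),
        "new_listening_ports": sorted(after.listening - before.listening),
    }


def findings(d: Dict[str, list]) -> List[str]:
    """Turn the raw diff into the simple behaviour report."""
    out = []
    if any(p.lower() in AV_PROCESSES for p in d["processes_terminated"]):
        out.append("AV process terminated")
    if any(k.startswith(RUN_KEY) for k in d["registry_created"] + d["registry_modified"]):
        out.append("persistence: autostart Run key added or changed")
    if d["new_listening_ports"]:
        ports = ", ".join(f"{proto}/{port}" for proto, port in d["new_listening_ports"])
        out.append(f"possible backdoor: new listening socket(s) {ports}")
    if d["files_created"]:
        out.append(f"{len(d['files_created'])} file(s) dropped")
    return out


def demo() -> Tuple[Dict[str, list], List[str]]:
    """Constructed before/after snapshots of a sandbox PC."""
    before = Snapshot(
        files={"C:\\WINDOWS\\system32\\kernel32.dll"},
        registry={RUN_KEY + "Updater": "C:\\Program Files\\Updater\\upd.exe"},
        processes={"explorer.exe", "avguard.exe", "svchost.exe"},
        listening={("tcp", 135), ("tcp", 445)},
    )
    after = Snapshot(
        files={"C:\\WINDOWS\\system32\\kernel32.dll",
               "C:\\WINDOWS\\system32\\sample-dropped.exe"},   # constructed name
        registry={RUN_KEY + "Updater": "C:\\Program Files\\Updater\\upd.exe",
                  RUN_KEY + "sample": "C:\\WINDOWS\\system32\\sample-dropped.exe"},
        processes={"explorer.exe", "svchost.exe", "sample-dropped.exe"},
        listening={("tcp", 135), ("tcp", 445), ("tcp", 40123)},   # constructed port
    )
    d = diff(before, after)
    return d, findings(d)


if __name__ == "__main__":
    for line in demo()[1]:
        print("-", line)
```

The snapshot approach finds what the sample left behind, which is why the slide pairs it with a honeypot and a sniffer: timers, payload contents and in-memory behaviour only show up while the sample is running, not in a diff.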

Page 12: Internet Security Activities in Korea

-13-

III. Responding Malicious Codes

Survival Time - Measuring Degree of Internet Attack Status

The survival time is calculated as the average time between reports of an average target IP address (ISC, SANS).

• Survival time Analysis System (SAS) is a system to automate the measurement of survival time and a part of KISC Honeynet.
• SAS consists of an analysis mechanism and a collection of PCs with unpatched WinXP/SP1, Win2K/SP4, and so on.

(Diagram: Honey Net connected to the Internet, with a Detection Mechanism, a Time Checking mechanism and a Recovery mechanism.)
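Both survival-time figures mentioned on this slide, as an added example that is not the SAS system or any KISC code: one function measures what the deploy/detect/recover cycle of a honeynet produces (minutes from putting an unpatched PC online to the first attack report, averaged per OS build), the other the ISC/SANS-style mean gap between consecutive attack reports on one target address. The honeypot addresses, the event log and the OS assignments are constructed; the event format is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Tuple

# Assumed event format: (timestamp, honeypot address, kind). kind is "deploy"
# when the recovery mechanism puts a freshly re-imaged unpatched PC online and
# "attack" when the detection mechanism reports a successful attack on it.
Event = Tuple[datetime, str, str]


def cycle_survival_minutes(events: List[Event]) -> Dict[str, List[float]]:
    """Honeynet-cycle measurement: minutes from each deployment to the first
    attack report in that cycle. Later reports in the same cycle are ignored,
    and a cycle still waiting for its first attack contributes nothing."""
    pending: Dict[str, datetime] = {}
    result: Dict[str, List[float]] = defaultdict(list)
    for ts, host, kind in sorted(events):
        if kind == "deploy":
            pending[host] = ts
        elif kind == "attack" and host in pending:
            result[host].append((ts - pending.pop(host)).total_seconds() / 60)
    return dict(result)


def report_gap_minutes(events: List[Event]) -> Dict[str, float]:
    """ISC/SANS-style figure quoted on the slide: mean time between consecutive
    attack reports against the same target address, ignoring re-deployments."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for ts, host, kind in sorted(events):
        if kind == "attack":
            times[host].append(ts)
    return {
        host: mean((b - a).total_seconds() / 60 for a, b in zip(ts_list, ts_list[1:]))
        for host, ts_list in times.items() if len(ts_list) > 1
    }


def average_by_os(per_host: Dict[str, List[float]],
                  os_of: Dict[str, str]) -> Dict[str, float]:
    """Average the per-host cycle measurements per OS build, the way the
    survival-time chart separates Win XP SP1 from Win 2K SP4."""
    buckets: Dict[str, List[float]] = defaultdict(list)
    for host, values in per_host.items():
        buckets[os_of[host]].extend(values)
    return {os_name: mean(v) for os_name, v in buckets.items()}


def demo():
    """Run both measurements over a constructed one-hour honeynet log."""
    def t(hhmm: str) -> datetime:
        return datetime(2005, 7, 1, int(hhmm[:2]), int(hhmm[3:]))

    xp, w2k = "203.0.113.21", "203.0.113.22"   # constructed honeypot addresses
    os_of = {xp: "WinXP/SP1", w2k: "Win2K/SP4"}
    events: List[Event] = [  # constructed log
        (t("00:00"), xp, "deploy"), (t("00:12"), xp, "attack"),
        (t("00:15"), xp, "attack"),                     # same cycle, ignored
        (t("00:30"), xp, "deploy"), (t("00:46"), xp, "attack"),
        (t("01:00"), xp, "deploy"),                     # cycle still open
        (t("00:00"), w2k, "deploy"), (t("00:20"), w2k, "attack"),
        (t("00:40"), w2k, "deploy"), (t("01:04"), w2k, "attack"),
    ]
    per_host = cycle_survival_minutes(events)
    return per_host, average_by_os(per_host, os_of), report_gap_minutes(events)


if __name__ == "__main__":
    per_host, by_os, gaps = demo()
    print("per honeypot (minutes):", per_host)
    print("per OS build (minutes):", by_os)
    print("mean gap between reports (minutes):", gaps)
```

The two numbers differ for the same log (the cycle figure only counts the first hit after a clean deployment, the gap figure counts every report), so a survival-time chart should say which definition it plots before its trend is compared with someone else's.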

Page 13: Internet Security Activities in Korea

-14-

IV. Responding Web Hacking Incidents

Web Hacking incidents in Korea
• Vulnerabilities in public domain BBS software were disclosed without patches
• Vulnerabilities in some security software
• Hackers armed with search engines and automated defacing tools

More than 7,000 web pages were defaced during Dec 2004 and Jan 2005
• Mostly by Latin American Hackers
• Unpatched BBS sites run by individuals were targeted
• Multiple websites on one host (Virtual hosting sites)

(Diagram: Increased Vulnerability leading to Hacking)

Page 14: Internet Security Activities in Korea

-15-

IV. Responding Web Hacking Incidents

Web Hacking Prevention Activities

Finding and patching vulnerabilities in public domain BBS software
• Found more than 100 unpatched vulnerabilities among 20 software packages and supported getting them patched
• Organized training courses for the Developers

Etc.
• Vulnerability analysis support for more than 3,000 hosts residing in small web hosting companies

Page 15: Internet Security Activities in Korea

-16-

V. Further Works

Responding New Threats

Web hacking skills have been evolving continuously and are abused for information theft
• From June 2005, attempts to steal game site IDs and passwords have been increasing
• These kinds of incidents are mostly related to web hacking

New ways of responding against emerging threats
• KISC Honeynet is also evolving for the proper response.
• Adware/Spyware problem
• Phishing for Korean Banks is an emerging threat getting much attention from civil society and the press.

Page 16: Internet Security Activities in Korea

-17-

Cooperation with Neighbors

(Diagram: attacks such as Malicious codes and DDoS, met with Cooperation, Information Sharing and Cooperated Drills.)

Page 17: Internet Security Activities in Korea

-18-

Q&A

For more information

Please contact [email protected]