Internet Security Activities in Korea

Wan-keun Jeon 2005.11.17 Korea Internet Security Center

Contents

I. Internet Status in Korea
II. Internet Threat Status
III. Responding Malicious Codes
IV. Responding Web Hacking Incidents
V. Further Works

I. Internet Status in Korea (1/2)

Internet Infrastructure
- 1.4M home pages
- 70+ ISPs
- 87,000 leased line subscribers (enterprises/organizations)
- 28M PCs
- 12M broadband subscribers

Source: NIDA (KrNIC)

I. Internet Status in Korea (2/2)

Evolution of Security Threat Areas
- Transition of Internet usage: from the client/server type (one server, many clients) to the pure distributed type (peer to peer)
- Evolving into a broadband convergence network: Data (Internet) + Voice (Telecom) + Broadcasting (DMB)
- (diagram: Internet attacks against a secure zone spanning Internet + Mobile + Voice + Broadcasting)

II. Internet Threat Status (1/3)

Malicious Code Threats
- Chart: Worm/Virus incidents per month (Jan to Dec), 2004 vs 2005, y-axis 0 to 25,000; values labelled on the chart (month order not recoverable): 2,061, 1,779, 1,578, 1,238, 1,265, 1,271, 798, 949
- Chart: PC survival time by month, Win XP SP1 vs Win 2K SP4, y-axis 0.0 to 25.0

Hacking Threats
- Chart: Phishing cases per month, 2004 vs 2005, y-axis 0 to 200; values labelled on the chart: 97, 61, 64, 64, 66, 116, 112, 125, 90, 94
- Chart: Web page defacements per month, 2004 vs 2005, y-axis 0 to 8,000; values labelled on the chart: 6,478, 1,912, 1,445, 1,366, 1,424, 801, 696, 1,005, 554, 492

Source: KISA KISC Monthly Report

II. Internet Threat Status (2/3)

Internet Security Threat Trend (timeline chart, 2000 to 2006, threat severity on the vertical axis; phases labelled DoS Attack, Worms, Trojans)
- Labels on the chart: CIH virus ('97), Amazon/eBay DDoS attack, Code-red, Root DNS DDoS attack, Slammer worm ('03.1.25), Blaster/Welchia, Agobot, Peep, bot-based attackers, BOT, AD/Spy-ware, game ID theft/phishing, financial, mutants
- Platform milestones on the chart: Windows XP/SP2, Windows Vista (Longhorn)

II. Internet Threat Status (3/3)

Focusing Areas
- Responding Web Hacking: vulnerability
- Responding Malicious Codes: BOTNet (zombies), SPAM, DDoS, phishing, adware, spyware, keylogging

Quoted news items on botnets:
- "During June, spam sent through zombie PCs accounted for an average of 62 percent of all spam filtered by the MX Logic Threat Center. This compares with 55 percent in May and 44 percent in April." Ref.: technologynewsdaily.com ('05.7.3)
- "The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "bot net"--a large network of zombified home PCs--Internet infrastructure provider Akamai Technologies said Wednesday." ('04.6.16)
- "Bot nets, collections of compromised computers controlled by a single person or group, have become more pervasive and increasingly focused on identity theft and installing spyware, according to a Honeynet Project report." ('05.3.15)

Patch-to-outbreak timeline:
- "Only 20% of Windows users are up-to-date with patches": '04.1.27
- Vulnerability patch: '04.4.13
- Sasser worm outbreak: '04.5.1

III. Responding Malicious Codes

Mitigation of BOTnet
- Botnet is one of the biggest threats for the Internet
- Too many PCs in Korea get infected by BOT for spamming, phishing, etc.
- Chart: Abused BOT infected PCs per day of the month (day 1 to day 31, y-axis 0 to 350,000), total IPs vs Korean IPs

Src: http://en.wikipedia.org/wiki/Botnet
Source: KISC Monthly Report (July)

III. Responding Malicious Codes

Working with ISP/NSP
- Nuking BOTNET C&C (Command & Control) activity (Korea only); chart: Botnet C&C IPs per month, Jan to Jul, y-axis 0 to 350
- Cooperation with Dynamic DNS providers to terminate BOTNET C&C DNS RR
- Cooperation with foreign CERT/ISP/NSP to block

III. Responding Malicious Codes

- Filtering Botnet C&C IP
- Terminating Botnet C&C DNS RR
- Collecting Bot samples and sharing with AV vendors
- Using ISP DNS for DNS sinkhole
  - So far 4,691 Botnet DNS RR entries
  - Applied to major KR ISP DNS servers
- Forcing users to patch Windows vulnerabilities with the help of major portal and on-line game sites (2005)

Chart: Botnet sinkhole activity
Chart: BOT infected Korean PCs worldwide (2005, by month, y-axis 9% to 27%; values labelled on the chart in extraction order: 26.4%, 25.8%, 24.1%, 24.6%, 20.7%, 18.1%, 14.6%, 19.4%, 19.7%, 13.6%, 10.0%)
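The DNS sinkhole described above works in two directions: the ISP resolver is made authoritative for each botnet C&C name so that it answers with a sinkhole address instead of recursing, and the resolver's query log then reveals which subscribers are trying to reach those names. The following is an added example, not KISC's or any ISP's code; it assumes BIND-style zone syntax, an RFC 5737 documentation address as the sinkhole, and a constructed one-line-per-query log format. The hostnames and log lines are placeholders constructed for the example.

```python
"""Added example (not KISC's or any ISP's own code): build a BIND-style
sinkhole configuration for a list of botnet C&C hostnames and find the
clients that queried them.

Assumptions (hypothetical): the resolver uses BIND zone syntax, the
sinkhole address is an RFC 5737 documentation address, and the query log
follows the constructed one-line-per-query format shown below.
"""
import re
from collections import defaultdict

# Constructed sample input: placeholder names, not real C&C hosts.
CNC_HOSTNAMES = [
    "cnc-one.example.net",
    "CNC-ONE.example.net",   # duplicate differing only in case
    "updates.example.org",
    "bad host.example",      # invalid: contains a space
    "irc.example.com.",      # trailing dot is tolerated and stripped
]
SINKHOLE_IP = "192.0.2.1"    # constructed documentation address

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_hostnames(names):
    """Lower-case, strip trailing dot, drop invalid names, de-duplicate.

    Returns (accepted, rejected), both in input order.
    """
    accepted, rejected, seen = [], [], set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if not HOSTNAME_RE.match(name):
            rejected.append(raw)
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected


def build_sinkhole_config(names, sinkhole_ip, zone_file="sinkhole.zone"):
    """Return (named.conf fragment, zone file body).

    Each C&C name becomes a zone the resolver is authoritative for, so it
    answers with the sinkhole address instead of recursing.  One shared
    zone file serves every name because the records are identical.
    """
    stanzas = [f'zone "{n}" {{ type master; file "{zone_file}"; }};' for n in names]
    zone_body = "\n".join([
        "$TTL 60",
        "@ IN SOA ns.sinkhole.example. hostmaster.sinkhole.example. (",
        "      1 3600 900 604800 60 )",
        "@ IN NS ns.sinkhole.example.",
        f"@ IN A {sinkhole_ip}",
        f"* IN A {sinkhole_ip}",   # wildcard so subdomains also sink
    ])
    return "\n".join(stanzas), zone_body


# Constructed resolver query log ("client IP#port: query: NAME IN TYPE").
QUERY_LOG = """\
client 10.1.1.5#1034: query: cnc-one.example.net IN A
client 10.1.1.9#2200: query: www.example.com IN A
client 10.1.1.5#1035: query: sub.cnc-one.example.net IN A
client 10.2.7.8#4000: query: updates.example.org IN A
client 10.1.1.9#2201: query: mail.example.com IN MX
"""
LOG_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN \w+")


def infected_clients(log_text, sinkholed):
    """Map client IP -> sorted sinkholed names it (or a subdomain) queried.

    This is the detection side of a sinkhole: the resolver log tells the
    ISP which subscribers are trying to reach C&C names.
    """
    sinkholed = set(sinkholed)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        labels = qname.split(".")
        # walk up: sub.cnc-one.example.net -> cnc-one.example.net -> ...
        for i in range(len(labels)):
            if ".".join(labels[i:]) in sinkholed:
                hits[client].add(".".join(labels[i:]))
                break
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    ok, bad = normalize_hostnames(CNC_HOSTNAMES)
    conf, zone = build_sinkhole_config(ok, SINKHOLE_IP)
    print(conf, zone, sep="\n")
    print("rejected:", bad)
    print("clients querying sinkholed names:", infected_clients(QUERY_LOG, ok))
```

The short TTL keeps clients from caching a sinkhole answer for long once a name is removed from the list, and the wildcard record covers subdomains so that a bot rotating host labels under the same C&C domain still lands in the sinkhole.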

III. Responding Malicious Codes

Malicious Codes Analysis
- MC sample sources: Honeynet, worm attacks (diagram labels: Internet, Honeynet, Worm Attack, Analysis Lab, Mgmt Server)
- We analyze malicious codes which cause a high volume of garbage network traffic
- Weekly report; chart: worms collected per day, FRI 1 Jul 05 to THU 7 Jul 05: 18, 18, 13, 30, 26, 23, 16 (total collected worms)
- Our analysis focuses on
  - Network traffic
  - Protocol and ports
  - Malicious behaviors (registry operations, file operations, etc.)
  - Probability of information theft

How can we respond rapidly and effectively?

III. Responding Malicious Codes

Malicious Codes Analysis Tool
- On-line analysis
- Combined analysis tool with honeypot for maximum effect

Before (FileMon, RegMon, Sniffer, Netstat, etc.)
- Behaviors: creation and deletion of files; creation, modification and deletion of registry entries
- Network impact: traffic, backdoors
- About 30 minutes per sample; simple behavior report

After (new analysis tool)
- System information: # of processes and threads; creation and deletion of files; termination of processes (AV SW); creation, modification and deletion of registry entries; process internals
- System modifications
- Network impact: traffic and characteristics; payload contents; detecting backdoors
- Etc.: timers (coordinated attack time)
- Less than 5 minutes per sample
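The "after" column amounts to comparing a snapshot of the sandbox host taken before the sample runs with one taken afterwards and reporting the differences in the categories the slide lists. The block below is an added example of that comparison, not the KISC tool; the snapshot format, the process names treated as anti-virus software, and all file, registry and socket values are constructed for illustration.

```python
"""Added example, not the KISC analysis tool: diff a 'before' and 'after'
snapshot of a sandbox host into the behaviour summary the slide lists
(process/thread counts, file and registry changes, terminated AV
processes, new listening sockets as backdoor candidates).

The snapshot format and every sample value are constructed.
"""
from dataclasses import dataclass, field

# Process names treated as anti-virus software (assumption for the example).
AV_PROCESS_NAMES = {"avguard.exe", "mcshield.exe"}


@dataclass(frozen=True)
class Snapshot:
    processes: dict       # process name -> thread count
    files: frozenset      # file paths present
    registry: dict        # "HIVE\\key\\value" -> data
    listening: frozenset  # (proto, port) sockets in LISTEN state


@dataclass
class BehaviourReport:
    process_delta: int = 0
    thread_delta: int = 0
    files_created: list = field(default_factory=list)
    files_deleted: list = field(default_factory=list)
    av_terminated: list = field(default_factory=list)
    registry_created: list = field(default_factory=list)
    registry_modified: list = field(default_factory=list)
    registry_deleted: list = field(default_factory=list)
    backdoor_candidates: list = field(default_factory=list)

    def severity_flags(self):
        """Findings that call for immediate escalation, in fixed order."""
        flags = []
        if self.av_terminated:
            flags.append("av-killed")
        if self.backdoor_candidates:
            flags.append("new-listener")
        # an autostart entry under a Run key indicates persistence
        if any("\\Run\\" in k for k in self.registry_created + self.registry_modified):
            flags.append("persistence")
        return flags


def diff_snapshots(before: Snapshot, after: Snapshot) -> BehaviourReport:
    r = BehaviourReport()
    r.process_delta = len(after.processes) - len(before.processes)
    r.thread_delta = sum(after.processes.values()) - sum(before.processes.values())
    r.files_created = sorted(after.files - before.files)
    r.files_deleted = sorted(before.files - after.files)
    gone = set(before.processes) - set(after.processes)
    r.av_terminated = sorted(p for p in gone if p.lower() in AV_PROCESS_NAMES)
    r.registry_created = sorted(set(after.registry) - set(before.registry))
    r.registry_deleted = sorted(set(before.registry) - set(after.registry))
    r.registry_modified = sorted(
        k for k in set(before.registry) & set(after.registry)
        if before.registry[k] != after.registry[k])
    r.backdoor_candidates = sorted(after.listening - before.listening)
    return r


# Constructed snapshots of a Windows sandbox before and after running a sample.
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
BEFORE = Snapshot(
    processes={"explorer.exe": 12, "avguard.exe": 6, "svchost.exe": 20},
    files=frozenset({"C:\\WINDOWS\\system32\\kernel32.dll"}),
    registry={RUN_KEY + "Updater": "updater.exe",
              "HKLM\\Software\\Vendor\\Config\\Level": "1"},
    listening=frozenset({("tcp", 139), ("tcp", 445)}),
)
AFTER = Snapshot(
    processes={"explorer.exe": 12, "svchost.exe": 21, "sample_dropper.exe": 4},
    files=frozenset({"C:\\WINDOWS\\system32\\kernel32.dll",
                     "C:\\WINDOWS\\system32\\sample_dropper.exe"}),
    registry={RUN_KEY + "Updater": "updater.exe",
              RUN_KEY + "SampleDropper": "sample_dropper.exe",
              "HKLM\\Software\\Vendor\\Config\\Level": "0"},
    listening=frozenset({("tcp", 139), ("tcp", 445), ("tcp", 9999)}),
)

if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    print(report)
    print("flags:", report.severity_flags())
```

Keeping the report as structured fields rather than free text is what makes the "less than 5 minutes" turnaround possible: the flags can be computed mechanically and the full report handed to an analyst only when something needs a second look.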

III. Responding Malicious Codes
 The survival time is calculated as the average time between reports of an average target IP address(ISC, SANS)  SAS consist of

Survival Time - Measuring Degree of Internet Attack Status

• Survival time Analysis System (SAS) is a system to automate the measurement of survival time and a part of KISC Honeynet • SAS consists of analysis mechanism and collection of PCs Detection with unpatched WinXP/Sp1, Win2K/Sp4, and so on. Mechanism
Internet
Time Checking mechanism

Honey Net

Recovery mechanism

-13-
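The survival time definition above (average time between reports against an average target IP) is easy to get subtly wrong, for instance by counting a target with a single report as a zero interval. The block below is an added example, not the SAS code, that computes the statistic from a constructed list of attack reports and also measures the time from deployment to first hit for each unpatched honeypot, which is what SAS's detection and time-checking mechanisms observe. All report tuples and timestamps are constructed.

```python
"""Added example (not the SAS code): compute the survival time the slide
defines, the average time between reports against an average target IP,
and the time to first hit per honeypot, from constructed attack reports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reports: (timestamp, target_ip, source_ip, dst_port)
REPORTS = [
    ("2005-07-01 00:00:00", "10.0.0.1", "198.51.100.7", 445),
    ("2005-07-01 00:12:00", "10.0.0.1", "198.51.100.9", 135),
    ("2005-07-01 00:30:00", "10.0.0.1", "203.0.113.4", 445),
    ("2005-07-01 00:05:00", "10.0.0.2", "198.51.100.7", 445),
    ("2005-07-01 00:25:00", "10.0.0.2", "203.0.113.4", 139),
    ("2005-07-01 00:01:00", "10.0.0.3", "203.0.113.5", 1433),  # single report
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def per_target_intervals(reports):
    """Sort each target's reports by time and return the gaps between them."""
    by_target = defaultdict(list)
    for ts, target, _src, _port in reports:
        by_target[target].append(parse(ts))
    gaps = {}
    for target, times in by_target.items():
        times.sort()
        gaps[target] = [b - a for a, b in zip(times, times[1:])]
    return gaps


def survival_time_minutes(reports):
    """Average gap per target, then average over targets with >= 2 reports.

    Returns (overall_minutes, per_target_minutes).  A target with a single
    report has no interval and is excluded rather than counted as zero,
    which would otherwise drag the statistic down.
    """
    per_target = {}
    for target, gaps in per_target_intervals(reports).items():
        if gaps:
            avg = sum(gaps, timedelta()) / len(gaps)
            per_target[target] = avg.total_seconds() / 60
    if not per_target:
        return None, per_target
    return sum(per_target.values()) / len(per_target), per_target


def time_to_first_hit_minutes(reports, deploy_ts):
    """Minutes from deploying an unpatched honeypot at deploy_ts until the
    first report against each target: the detection/time-checking view."""
    deployed = parse(deploy_ts)
    first = {}
    for ts, target, _src, _port in reports:
        t = parse(ts)
        if t >= deployed and (target not in first or t < first[target]):
            first[target] = t
    return {tgt: (t - deployed).total_seconds() / 60 for tgt, t in first.items()}


if __name__ == "__main__":
    overall, per_target = survival_time_minutes(REPORTS)
    print(f"survival time: {overall:.1f} min, per target: {per_target}")
    print("time to first hit:", time_to_first_hit_minutes(REPORTS, "2005-07-01 00:00:00"))
```

The recovery mechanism in the SAS diagram corresponds to re-imaging a honeypot after it is compromised and restarting the deployment clock, so in practice the report list is partitioned per deployment cycle before these functions are applied.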

IV. Responding Web Hacking Incidents

Web Hacking incidents in Korea (diagram: Increased Hacking vs. Vulnerability)
- Hackers armed with search engines and automated defacing tools
- Vulnerability in public domain BBS software has been disclosed without patches
- More than 7,000 web pages have been defaced during Dec 2004 and Jan 2005
  - Mostly by Latin American hackers
  - Unpatched BBS sites run by individuals were targeted
  - Multiple websites in one host (virtual hosting sites)
- Vulnerabilities in some security software

IV. Responding Web Hacking Incidents

Web Hacking Prevention Activities
- Finding and patching vulnerabilities in public domain BBS software
  - Found more than 100 unpatched vulnerabilities among 20 software packages and supported getting them patched
  - Organized training courses for the developers
- Etc.
  - Vulnerability analysis support for more than 3,000 hosts residing in small web hosting companies

V. Further Works

Responding New Threats
- Web hacking skills have been evolving continuously and are abused for information theft
  - From June 2005, attempts to steal game site IDs and passwords have been increasing
  - These kinds of incidents are mostly related to web hacking
- New ways of responding against emerging threats
  - KISC Honeynet is also evolving for the proper response
  - Adware/Spyware problem
  - Phishing for Korean banks is an emerging threat getting much attention from civil

Cooperation with Neighbors
- Cooperation, information sharing, cooperated drills
- Malicious codes, DDoS attack

Q&A
For more information please contact jschoi@kisa.or.kr