in Korea
Wan-keun Jeon
2005.11.17
V. Further Works
I. Internet Status in Korea (1/2)
Internet Infrastructure
1.4M Home Pages
70+ ISPs
[Diagram: Internet, with Server/Client and Peer-to-Peer nodes]
Evolving into Broadband convergence Network: Data (Internet) + Voice (Telecom) + Broadcasting (DMB)
[Diagram: Internet + Mobile + Voice + Broadcasting; Internet Attacks]
[Figure: Worm/Virus Incidents by month (Jan to Dec), 2004 vs. 2005; PC Survival Time by month for Win XP SP1 and Win 2K SP4]
Hacking Threats
[Figure: Phishing cases by month (1 to 12), 2004 vs. 2005; Web Page Defacements by month (1 to 12), 2004 vs. 2005]
II. Internet Threat Status (2/3)
Internet Security Threat Trend
[Figure: threat trend timeline. Labels shown: Virus, Worm, Worms, DoS Attack, DDoS Attack, Bot, CIH (’97), Code-red, Slammer (1.25), Blaster/Welchia, Agobot, Root DNS DDoS Attack, Amazon/ebay DDoS Attack, Peep, Mutants, Bot bases, Attackers, Game ID / Financial theft / Phishing, AD/Spy-ware, Windows Vista]
II. Internet Threat Status (3/3)
Focusing Areas
Vulnerability, BOTNet (Zombies), SPAM, DDoS, Phishing, Adware, Spyware, KeyLog
“Only 20% of Windows users are up-to-date with patches”
Timeline: ’04.1.27; Vulnerability; Patch: ’04.4.13; Sasser Worm Outbreak: ’04.5.1
During June, spam sent through zombie PCs accounted for an average of 62 percent of all spam filtered by the MX Logic Threat Center. This compares with 55 percent in May and 44 percent in April. Ref.: technologynewsdaily.com (’05.7.3)
The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "bot net"--a large network of zombified home PCs--Internet infrastructure provider Akamai Technologies said Wednesday. (’04.6.16)
Bot nets, collections of compromised computers controlled by a single person or group, have become more pervasive and increasingly focused on identity theft and installing spyware, according to a Honeynet Project report. (’05.3.15)
III. Responding Malicious Codes
Mitigation of BOTnet
[Figure: daily chart over one month (day 1 to day 31); vertical axis 0 to 200,000]
Src: http://en.wikipedia.org/wiki/Botnet
III. Responding Malicious Codes
Working with ISP/NSP
• Nuking BOTNET C&C (Command & Control) Activity (Korea Only)
[Figure: Botnet C&C IP count by month, Jan to Jul; vertical axis 0 to 350]
[Figure: monthly chart (months 1 to 12), values in percent; vertical axis 9% to 21%]
Mgmt Server
Weekly Report
Our analysis focuses on
• Network Traffic
• Protocol and Ports
• Malicious behaviors (Registry operations, file operations, etc.)
• Probability of information theft
[Figure: total worms collected per day, FRI 1-Jul-05 to THU 7-Jul-05]
Time Checking
Internet mechanism
Honey Net
Recovery mechanism
IV. Responding Web Hacking Incidents
Web Hacking incidents in Korea
Vulnerability
• Vulnerability in public domain BBS software was disclosed without patches
• Vulnerabilities in some security software
Hacking Increased
• Hackers armed with search engines and automated defacing tools
• More than 7,000 web pages were defaced during Dec 2004 and Jan 2005
• Mostly by Latin American Hackers
• Unpatched BBS sites run by individuals were targeted
• Multiple websites in one host (Virtual hosting sites)
IV. Responding Web Hacking Incidents
Web Hacking Prevention Activities
V. Further Works
Responding New Threats
Cooperation, Information Sharing, Cooperated Drills
Malicious codes, DDoS attack
Q&A