Internet Security Activities

in Korea

Wan-keun Jeon

2005.11.17

Korea Internet Security Center

Contents

I. Internet Status in Korea

II. Internet Threat Status

III. Responding Malicious Codes

IV. Responding Web Hacking Incidents

V. Further Works

-2-
I. Internet Status in Korea (1/2)
Internet Infrastructure
1.4M Home Pages
Internet

70+ ISPs

87,000 Leased Line 28M PCs 12M Broadband Subscribers

Subscribers (Enterprise/Orgs)
Source :NIDA (KrNIC) -3-
I. Internet Status in Korea (2/2)
Evolution of Security Threats Areas
Transition of Internet Usage
Client/Server Type Pure Distributed Type

Peer
Server
Peer
Peer
Peer
Client Client Client Peer Peer
Peer
 Evolving into Broadband convergence Network
: Data(Internet) + Voice(Telecom) + Broadcasting
(DMB)
Internet
Attacks

Broadcasting
Voice Internet+Mobile+Voice+Broadcasting

Secure Zone Mobile

-4-
II. Internet Threat Status (1/3)
Malicious Code Threats Source :KISA KISC Monthly Report

25,000
25.0
2005
20,000 2004 20.0 PC Survival Time
Worm/Virus Incidents
15,000 15.0

10,000 10.0
Win XP SP1
5.0 Win 2K SP4
5,000 1,779
2,061 1,578
1,238 1,2651,271 798 949 0.0
0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
1 2 3 4 5 6 7 8 9 10 11 12

Hacking Threats
200 8,000
180 2005 2005
160
Phishing cases 6,478
2004 6,000 2004
140 125
120
116 112 Web Page Defacements
97 90 94
100 4,000
80
61 64 64 66
60 1,445 1,912
40 2,000 1,366 1,424
1,005 801 696 554 492
20
0 0
1 2 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5 6 7 8 9 10 11 12

-5-
 II. Internet Threat Status (2/3)
Internet Security Threat Trend

Threat ’03.1.25 Windows XP/SP2Windows Vista

Slammer (Longhorn)
Severity

Blaster
Slammer
CIH (’97) /Welchia Game ID
Worm Financial
theft
(1.25)
/Phishing
Root DNS Agobo
Virus
DDoS t
Attack
Amazon, Windows Vista
ebay Peep
DDoS Mutants
Attack
Bot bases
Code-red
Attackers
DoS Attack
BOT AD/Spy-ware
Worms Windows Vista

Trojans 2000 2002 2004 2006

-6-
II. Internet Threat Status (3/3)
Focusing Areas

Responding Web Hacking Responding Malicious Codes

Vulnerabilit
y
BOTNet (Zombies)
During June, spam sent through zombie PCs
accounted for an average of 62 percent of all
spam filtered by the MX Logic Threat Center.
SPAM This compares with 55 percent in May and 44
“Only 20% of
percent in April.
Windows users are
up-to-date with Ref.: technologynewsdaily.com (‘05.7.3)
patches” The attack that blacked out Google, Yahoo and
: ’04.1.27 other major Web sites earlier this week involved
the use of a "bot net"--a large network of
Vulnerabilit Sasser DDoS zombified home PCs--Internet infrastructure
y Patch : Worm
’04.4.13 Outbreak : provider Akamai Technologies said
’04.5.1 Wednesday.(’04.6.16)
Phishing Bot nets, collections of compromised computers
Adware controlled by a single person or group, have
become more pervasive and increasingly focused
Spyware on identity theft and installing spyware,
KeyLog according to a Honeynet Project report.(’05.3.15)

-7-
III. Responding Malicious Codes
Mitigation of BOTnet

 Botnet is one of the biggest threats for

Internet
• Too many PCs in Korea get infected
by BOT
• AbusedBOT
for Infected
Spamming,
PCs Phishing, etc.
350,000
Total IP
300,000
Korean IP
250,000

200,000

150,000

100,000

50,000

0
Src: http://en.wikipedia.org/wiki/Botnet
1일 4일 7일 10일 13일 16일 19일 22일 25일 28일 31일

Source: KISC Monthly Report(July)

-8-
III. Responding Malicious Codes
 Working with ISP/NSP
• Nuking BOTNET C&C(Command & Control) Activity (Korea
Only) Botnet C&C IP

350
300
250
200
150
100
50
0
J an Feb Mar Apr May J un J ul

 Cooperation with Dynamic DNS Providers to

terminate
BOTNET C&C DNS RR
 Cooperation with Foreign
-9-
CERT/ISP/NSP to block
III. Responding Malicious Codes
 Filtering Botnet C&C IP
 Terminating Botnet C&C DNS RR
 Collecting Bot Samples and sharing with AV
Vendors
 Using ISP DNS for DNS Sinkhole
• So far 4,691 Botnet DNS RR entry
• Apply major KR ISP DNS Server
 Forcing users to patch Windows vulnerability with
27%
26.4%

the help from major portal and on-line game sites

25.8%
25% 2005년 24.6%
24.1%
23%

21% 20.7%
19% 19.4% 19.7%
18.1%
17%
15% 14.6%
13.6%
13%
11%
10.0%
9%
1 2 3 4 5 6 7 8 9 10 11 12

<Botnet sinkhole activity>

<BOT infected Korean PCs worldwide>
-10-
 III. Responding Malicious Codes
Malicious Codes Analysis

MC Sample sources We analyze

Malicious codes
Honeynet Analysis Lab which causing a high
volume of garbage
Worm network traffic
Attack

Mgmt Server
Weekly Report
 Our analysis focuses on
• Network Traffic
35

30 30

25 26
23 • Protocol and Ports
20

15
18
16
18
총 수집 웜 • Malicious behaviors
(Registry operations, file
13
10

5
operations, etc)
• Probability of information
0
FRI SAT SUN MON TUE WED THU
1- 2- 3- 4- 5- 6- 7-
J ul-
05
J ul-
05
J ul-
05
J ul-
05
J ul-
05
J ul-
05
J ul-
05 theft

How can we respond rapidly

and effectively?
-11-
III. Responding Malicious Codes
Malicious Codes Analysis Tool T
A
 On-line analysis
MC
 Combined analysis tool with honeypot for maximum
New Analysis
effects Tool
Before After Process’s
FileMon
 System Information Internal
System modifications RegMon Behaviors
• # of Processes, threads
• Creation and deletion of Files • Termination of Processes (AV SW)
• Creation, modification and deletion  System Modifications
of Registry entries • Creation, deletion of files
• Creation, modification, deletion
Network impact of Registry
• Traffic  Network impact
Sniffer,
• Payload contents • Traffic and characteristics
etc
• Detecting backdoors • Backdoors
Netstat, etc  Etc
30 • Timers (coordinated attack time)
Minut Less
es than 5 Simple
Minute behavior
-12- s report
 III. Responding Malicious Codes
Survival Time - Measuring Degree of Internet Attack Status
 The survival time is calculated as the average time
between reports of an average target IP address(ISC,
SANS)
 SAS consist of
• Survival time Analysis System (SAS) is a system to automate
the measurement of survival time and a part of KISC
Honeynet
• SAS consists of analysis mechanism and collection of PCs
with unpatched WinXP/Sp1, Win2K/Sp4,
Detection
Mechanism
and so on.

Time Checking
Internet mechanism

Honey Net
Recovery mechanism

-13-
IV. Responding Web Hacking Incidents
Web Hacking incidents in Korea

i ng d
c k se
a
ili
t y H rea
c
r ab In
n e
u l
V
 Hackers armed with search
 Vulnerability in public engines and automated defacing
domain BBS software tools
has disclosed without  More than 7,000 web pages have
patches
been defaced during Dec 2004
 Vulnerabilities in some and Jan 2005
security software • Mostly by Latin American
Hackers
• Unpatched BBS sites run by
individuals were targeted
• Multiple websites in one
host(Virtual hosting sites)

-14-
IV. Responding Web Hacking Incidents
Web Hacking Prevention Activities

 Finding and patching vulnerabilities in public

domain BBS software
• Found more than 100 unpatched
vulnerabilities among 20 software and
supported them patched
• Organized training courses for the
Developers
 Etc.
• Vulnerability analysis support for more than
3,000 hosts resided in small web hosting
companies

-15-
IV. Further Works
Responding New Threats

 Web hacking skills have been evolving

continuously and abused for information theft
• From June 2005, attempts to steal game site
ID and password have been increasing
• These kinds of incidents are mostly related to
web hacking

 New ways of responding against emerging

threats
• KISC Honeynet is also evolving for the proper
response.
• Adware/Spyware problem
• Phishing for Korean Banks is an emerging
threat getting much
-16- attention from civil
Cooperation with Neighbors

Cooperation
, Malicio
Information attack us
Sharing, codes,
Cooperated DDoS
Drills

-17-
Q&A

For more information

Please contact jschoi@kisa.or.kr

-18-