170 likes | 311 Views
Internet Security Activities in Korea. Wan-keun Jeon 2005.11.17 Korea Internet Security Center. Contents. I. Internet Status in Korea. II. Internet Threat Status. III. Responding Malicious Codes. IV. Responding Web Hacking Incidents. V. Further Works. I. Internet Status in Korea (1/2).
E N D
Internet Security Activitiesin Korea Wan-keunJeon 2005.11.17 Korea Internet Security Center
Contents I. Internet Status in Korea II. Internet Threat Status III. Responding Malicious Codes IV. Responding Web Hacking Incidents V. Further Works
I. Internet Status in Korea (1/2) Internet Infrastructure 1.4M Home Pages Internet 70+ ISPs 87,000 Leased Line Subscribers (Enterprise/Orgs) 28M PCs 12M Broadband Subscribers Source :NIDA (KrNIC)
I. Internet Status in Korea (2/2) Evolution of Security Threats Areas Client/Server Type Pure Distributed Type Peer Server Peer Peer Peer Peer Client Client Client Peer Peer Transition of Internet Usage Evolving into Broadband convergence Network : Data(Internet) + Voice(Telecom) + Broadcasting (DMB) Internet Attacks Broadcasting Voice Internet+Mobile+Voice+Broadcasting Secure Zone Mobile
II. Internet Threat Status (1/3) Hacking Threats Malicious Code Threats Source :KISA KISC Monthly Report PC Survival Time Worm/Virus Incidents Phishing cases Web Page Defacements
II. Internet Threat Status (3/3) Focusing Areas Responding Web Hacking Responding Malicious Codes Vulnerability BOTNet (Zombies) “Only 20% of Windows users are up-to-date with patches” : ’04.1.27 Vulnerability Patch : ’04.4.13 Sasser Worm Outbreak : ’04.5.1
III. Responding Malicious Codes Mitigation of BOTnet BOT Infected PCs Source: KISC Monthly Report(July) Total IP Korean IP • Botnet is one of the biggest threats for Internet • Too many PCs in Korea get infected by BOT • Abused for Spamming, Phishing, etc. Src: http://en.wikipedia.org/wiki/Botnet
III. Responding Malicious Codes • Working with ISP/NSP • Nuking BOTNET C&C(Command & Control) Activity (Korea Only) • Cooperation with Dynamic DNS Providers to terminate BOTNET C&C DNS RR • Cooperation with Foreign CERT/ISP/NSP to block and take down IP addresses, used as BOTNET C&C server
III. Responding Malicious Codes • Filtering Botnet C&C IP • Terminating Botnet C&C DNS RR • Collecting Bot Samples and sharing with AV Vendors • Using ISP DNS for DNS Sinkhole • So far 4,691 Botnet DNS RR entry • Apply major KR ISP DNS Server • Forcing users to patch Windows vulnerability with the help from major portal and on-line game sites <Botnet sinkhole activity> <BOT infected Korean PCs worldwide>
III. Responding Malicious Codes Malicious Codes Analysis MC Sample sources We analyze Malicious codes which causing a high volume of garbage network traffic Honeynet Analysis Lab Worm Attack Mgmt Server • Our analysis focuses on • Network Traffic • Protocol and Ports • Malicious behaviors (Registry operations, file operations, etc) • Probability of information theft How can we respond rapidly and effectively?
III. Responding Malicious Codes Malicious Codes Analysis Tool MCAT • On-line analysis • Combined analysis tool with honeypot for maximum effects New Analysis Tool After Before Process’s Internal Behaviors FileMon • System Information • # of Processes, threads • Termination of Processes (AV SW) • System Modifications • Creation, deletion of files • Creation, modification, deletion • of Registry • Network impact • Traffic and characteristics • Backdoors • Etc • Timers (coordinated attack time) • System modifications • Creation and deletion of Files • Creation, modification and deletion • of Registry entries • Network impact • Traffic • Payload contents • Detecting backdoors RegMon Sniffer, etc 30 Minutes Netstat, etc Less than 5 Minutes Simple behavior report
III. Responding Malicious Codes Detection Mechanism Time Checking mechanism Internet Recovery mechanism Honey Net Survival Time - Measuring Degree of Internet Attack Status • The survival time is calculated as the average time between reports of an average target IP address(ISC, SANS) • SAS consist of • Survival time Analysis System (SAS) is a system to automate the measurement of survival time and a part of KISC Honeynet • SAS consists of analysis mechanism and collection of PCs with unpatched WinXP/Sp1, Win2K/Sp4, and so on.
IV. Responding Web Hacking Incidents Web Hacking incidents in Korea Hacking Increased Vulnerability • Hackers armed with search engines and automated defacing tools • More than 7,000 web pages have been defaced during Dec 2004 and Jan 2005 • Mostly by Latin American Hackers • Unpatched BBS sites run by individuals were targeted • Multiple websites in one host(Virtual hosting sites) • Vulnerability in public domain BBS software has disclosed without patches • Vulnerabilities in some security software
IV. Responding Web Hacking Incidents Web Hacking Prevention Activities • Finding and patching vulnerabilities in public domain BBS software • Found more than 100 unpatched vulnerabilities among 20 software and supported them patched • Organized training courses for the Developers • Etc. • Vulnerability analysis support for more than 3,000 hosts resided in small web hosting companies
IV. Further Works Responding New Threats • Web hacking skills have been evolving continuously and abused for information theft • From June 2005, attempts to steal game site ID and password have been increasing • These kinds of incidents are mostly related to web hacking • New ways of responding against emerging threats • KISC Honeynet is also evolving for the proper response. • Adware/Spyware problem • Phishing for Korean Banks is an emerging threat getting much attention from civil society and the press.
Cooperation with Neighbors Cooperation, Information Sharing, Cooperated Drills attack Malicious codes, DDoS
Q&A For more information Please contact firstname.lastname@example.org