Current counter-measures and responses by CERTs

Size: px

Start display at page:

Download "Current counter-measures and responses by CERTs"

Hope Clark
10 years ago
Views:

1 Current counter-measures and responses by CERTs Jeong, Hyun Cheol April. 2007

2 Contents I. Malware Trends in Korea II. Malware from compromised Web sites III. Case Study : Malware countermeasure IV. KISC s HoneyNet / HoneyPot V. Epilogue -2-

3 I. Malware Trends in Korea Infrastructure & On-line services in Korea Good Network Infrastructure Mil 1st Domain - 14 Mil. Broadband Subscribers -27 Mil. PCs Used for attack route - Warm propagation - Host phishing sites for foreign sites Malware in Korea Good On-Line Services - On-Line Games ($630 Mil. 2005) - Internet Banking Service - On-Line Shopping mall Being attack target - Steal On-Line Game ID/PW - Phishing for Korean Internet Banking - ransom DDoS Threat Level Slammer CIH ( 99) ) Worm Explosion Virus Worm ) Mal. BOT Phishing ) ) Ad/Spyware

PCs Used for attack route - Warm propagation - Host phishing sites for foreign sites Malware in Korea Good On-Line Services - On-Line Games ($630 Mil.

4 II. Malware from compromised Websites <iframe src=" name="zhu" width="0" Iframe height="0" (0X0) frameborder="0"></iframe> <embed src="images/intro.swf" Injection quality="high" pluginspage=" o/getflashplayer" type="application/xshockwave-flash" width="780" height="188"></embed></object></td> Injected Using Escape Code Sequence Injected in HTTP 404 Error Message MC-Finder Mal. Code Download Internet Mal. Code Injection Injected in Advertising Flash File Re-direction to Mal. Code Site Mal. Code Detect and Wipeout KISA Injected to Data Base (Rem.) MC-Finder : Malicious Code Finder -4-

5 III. Case Study : Malware Countermeasure CASE 1 : 92,000 PCs are infected from 1,000 compromised websites (Feb. 2007) 2. Insert the illegal iframe <iframe src= height=0 width=0></iframe> 1. Websites hacking 1,000 Transit sites Foreign Attacker 8. Enjoy game or make money? 7. Online game ID/PW leaked 3. Visit the victim sites 4. Link to the distribution site 6. 92,000 PCs are infected 5. Try attack to 620,000 IPs against MS Vul. Malware Distribution site ( Internet Users -5-

Websites hacking 1,000 Transit sites Foreign Attacker 8. Enjoy game or make money? 7. Online game ID/PW leaked 3.

6 III. Case Study : Malware Countermeasure CASE 1 : 92,000 PCs are infected from 1,000 compromised websites (Feb. 2007) How To Detect Find a Transit site(win2k) from MCFinder Find the Distribution site(freebsd) from the Transit site <iframe src= height=0 width=0></iframe> Find the other Transit sites (about 1,000 sites) from Dist. Sites referer log [19/Dec/2006:17:24: ] "GET /img/jang/music.htm HTTP/1.1" " "Mozilla/4.0 How To React Press Release Notify and Fix the Transit / Distribution sites Block some Distribution site from outside of border - Based on The Act on Promotion of Information & Communication Network Utilization and Information Protection, etc Update MCFinder s detection pattern Collect & Supply the malwares related with this case to AV Vendors Learn from this Case Rapid reaction is very important Attacker is not one guy but organized group We need international cooperation and information sharing -6-

htm height=0 width=0></iframe> Find the other Transit sites (about 1,000 sites) from Dist. Sites referer log [19/Dec/2006:17:24:26 +0900] "GET /img/jang/music.htm HTTP/1.1" 200 2115 "http://www.yyy.

7 III. Case Study : Malware Countermeasure CASE 2 : Pharming with Web hacking (Jan. 2007) 6. Financial information leaked (Account num., account PW, certificate PW, ) Forgery site Origin site Foreign Attacker 4. Certificate file leaked 5. Change direction to forgery banking site & input the financial information 1. Visit Malicious code infected Website Internet Users 3. Install malware & Change hosts file 2. Attack Visito s PC (MS06-014) Malware Distribution site -7-

Certificate file leaked 5. Change direction to forgery banking site & input the financial information 1.

8 III. Case Study : Malware Countermeasure CASE 2 : Pharming with Web hacking (Jan. 2007) How To Detect Reported from one bank - There is a phishing site forging our bank. Request for remote assistance from one on-line banking user - My PC is something wrong - We can find the trojan for pharming How To React Announce this incident and supply the list of victim s certificate to the CAs (KISA is the Root CA) CA revoke the victim s Certificate Press Release Collect & Supply the malwares related with this case to AV Vendors Learn from this Case Now, Attackers are targeting not only Game info. But also Korean Financial info. We need more secure on-line banking system. - OTP, Removable Storage for certificate -8-

list of victim s certificate to the CAs (KISA is the Root CA) CA revoke the victim s Certificate Press Release Collect & Supply the malwares related with this case to AV Vendors

9 IV. KISC s HoneyNet / HoneyPot : Network Surv. Time Daily Based Network Survival Time Checking Detailed Survival Time Trends of Survival Time Risk of each malware -9-

10 IV. KISC s HoneyNet / HoneyPot : Network Surv. Time Network Survival Time 60Min 50Min 40Min '06 Windows XP SP1 '06 Windows 2000 SP4 '07 Windows XP SP1 '07 Windows 2000 SP4 Minute 30Min 20Min 10Min 0Min. Purpose : To check System s Survival Time without any Security Patch and No Login Password Testing Location : Internet Exchanges Neutral Point No ISP s Security Policy involved. Similar with SANS s Survival Time Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Month -10-

11 IV. KISC s HoneyNet / HoneyPot : BOTNet Sinkhole BOTNet Sinkhole Zombie C&C DNS RR Update Zombie C&C Resolution Internet Sinkhole IP notification Control System Sinkhole connection Zombie PCs ISP DNS -11-

12 V. Epilogue Cyber Attack becomes more and more criminal & organized We don t have a jurisdiction over cross-border attack Legal system is different among the economies Need stronger international Cyber Law & Cooperation Malware becomes more and more sophisticated & sneaky Sometimes Zero-day vulnerability is exploited for targeted attack Need information sharing of the attack method & pattern Need more Proactive monitoring and Response not depends on incident reporting Compromised web site is one of the major route for malware propagation 69% of vulnerabilities are related with web application (2006. Symantec) Need enhancing the web security and monitoring malware distribution web site (MCFinder is used in KrCERT/CC) -12-

of the attack method & pattern Need more Proactive monitoring and Response not depends on incident reporting Compromised web site is one of the major route for malware propagation

13 Thank you!!

Korea s experience of massive DDoS attacks from Botnet

Korea s experience of massive DDoS attacks from Botnet April 12, 2011 Heung Youl YOUM Ph.D. SoonChunHyang University, Korea President, KIISC, Korea Vice-chairman, ITU-T SG 17 1 Table of Contents Overview