How to counter web-based attacks on the Internet in Korea

Slides: 11
Provided by: itu


1
How to counter web-based attacks on the Internet in Korea
Global Standards Collaboration (GSC) 14
DOCUMENT: GSC14-GTSC-026
FOR: Presentation
SOURCE: TTA
AGENDA ITEM: GTSC 4.2
CONTACT(S): hyyoum_at_sch.ac.kr
  • Heung Youl YOUM
  • Chairman of Korea ITU-T SG17 Committee, TTA

2
What are web-based attacks?
  • It may come as a surprise that just visiting your
    favorite web site can either lead to malware being
    silently installed on your computer, without your
    knowledge and without clicking anything, or leave
    you annoyed by misleading applications, such as
    fake antivirus software.
  • What are web-based attacks?
  • A type of attack in which the attackers try to
    compromise legitimate web sites so that malicious
    code is injected, which in turn can be used to
    infect the computers of users visiting those
    web sites.

3
Web-based attacks
  • According to a Google survey released in May 2007,
    one in 10 web sites contained malicious code
    capable of launching so-called drive-by download
    type web-based attacks.
  • In web-based attacks:
  • Administrators are not aware that their sites have
    been hacked, injected with malicious code and used
    to disseminate malicious code
  • Users are also not aware that their computers get
    infected by malicious code from the sites they
    have visited
  • Installing anti-virus software can prevent some
    incidents, but it does not provide an ultimate
    solution.

4
Top Web Threats for 2008
  • In the Symantec threats report 2008:
  • Drive-by downloads from mainstream Web sites are
    increasing
  • Attacks are heavily obfuscated and dynamically
    changing, making traditional antivirus solutions
    ineffective
  • Attacks are targeting browser plug-ins
  • SQL injection attacks are being used to infect
    mainstream Web sites
  • Malicious advertisements are redirecting users to
    malicious Web sites
  • Explosive growth in unique and targeted malware
    samples

5
Typical scenarios for web-based attack in Korea
  • Diagram elements: attacker; 1,000 legitimate web
    sites; <iframe> </iframe>; malicious code injected
    web site; users
  1. Compromise the legitimate web sites.
  2. Visit their favorite web sites.
  3. Redirect users to the malicious web site.
  4. Attempts to attack the PCs using 620,000 IPs.
  5. 92,000 PCs with the MS06-014 vulnerability infected
     by malicious code.
  6. Personal information such as ID/Password is
     transferred to attacker.

6
Korea use case: MC-finder scheme (1/2)
  • MC-finder scheme
  • Developed by KISA (Korea Information Security
    Agency) and in place since 2006.
  • A scheme to search for web sites injected with
    malicious code (malicious web sites) and for the
    web sites which redirect users to the injected
    malicious code (transit web sites).
  • More than 140,000 sites in Korea were being
    monitored by the MC-finder scheme as of June 30,
    2009.
  • During 2008, in Korea:
  • 1,324 web sites were found to be malicious code
    injected web sites, and 7,654 web sites turned up
    as transit web sites redirecting users to the
    malicious code injected web sites.

7
Korea use case: MC-finder scheme (2/2)
  • Web sites to be monitored:
  • Major web sites of enterprises, organizations,
    etc.; the top 20,000 sites by number of visiting
    users
  • Sites which have already experienced web page
    defacement.
  • Inspect web documents to check whether malicious
    code is injected.
  • List the infected URLs.
  • It has provided the following services:
  • Inform the administrators by SMS, e-mail, or
    phone to take necessary actions
  • Maintain and track the history of the MC-infected
    sites
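
The inspection step described above, as an added example that is not part of the original presentation and is not MC-finder's own code: it parses each web document and lists the URLs that contain an invisible iframe loading from another host. The hidden-iframe heuristic, the names IframeAudit and list_infected, and the sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic for this example (an assumption, not KISA's published logic):
# flag an iframe that is invisible to the visitor and loads from another host.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZE = re.compile(r"[01](px)?", re.I)

class IframeAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # external hosts loaded through hidden iframes

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = urljoin(self.page_url, attr.get("src", ""))
        host = urlparse(src).hostname
        if not host or host == urlparse(self.page_url).hostname:
            return  # same-site and empty frames are not reported
        tiny = any(TINY_SIZE.fullmatch(attr.get(dim, "").strip())
                   for dim in ("width", "height"))
        if tiny or HIDDEN_STYLE.search(attr.get("style", "")):
            self.findings.append(host)

def list_infected(pages):
    """pages maps URL -> HTML; returns {url: [external hosts]} for flagged pages."""
    report = {}
    for url, html in pages.items():
        audit = IframeAudit(url)
        audit.feed(html)
        if audit.findings:
            report[url] = audit.findings
    return report

# Constructed sample documents (hypothetical hosts under the reserved .example TLD).
SAMPLE_PAGES = {
    "http://shop.example/index.html": '<body><h1>Shop</h1><iframe src="http://transit.example/r.html" width="0" height="0"></iframe></body>',
    "http://news.example/": '<body><iframe src="http://video.example/embed/1" width="560" height="315"></iframe></body>',
    "http://blog.example/post": '<body><IFRAME SRC="//transit.example/x" STYLE="display:none"></IFRAME><iframe src="/ads/local.html" width="0" height="0"></iframe></body>',
}

if __name__ == "__main__":
    for url, hosts in list_infected(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(hosts))
```

A visible third-party embed and a hidden same-site frame are both left unreported, so the list stays limited to pages whose visitors are silently sent to another host.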

8
Challenges
  • It is nearly impossible to search all web sites
    worldwide; therefore, a global collaboration
    framework needs to be developed. However:
  • Lack of a framework for sharing security
    information
  • Lack of a globally interoperable framework or
    technologies
  • No standardization activity on how to counter
    these web-based attacks. Therefore, there is a
    need to:
  • Identify various web-based attack scenarios, the
    requirements and a generic framework
  • Identify the relevant information exchange
    format

9
Next Steps/Actions
  • Korea continues to upgrade the MC-finder scheme to
    reflect the fast-changing attack environment.
  • There is a need for a globally interoperable
    framework and technologies which can combat
    web-based attacks effectively
  • ITU-T and global SDOs are required to develop
    standards or guidelines for a globally
    interoperable scheme against web-based attacks
    on the Internet.
  • TTA plans to contribute to launching
    standardization activities on the countering
    scheme against web-based attacks in the near
    future.

10
Proposed Resolution
  • Generally, the existing Resolution GSC11/13 needs
    to be reaffirmed.
  • However, an update is required as follows:
  • In the recognizing clause, item i):
  • that new cyber attacks such as phishing,
    pharming, web-based attacks and Botnets are
    emerging and spreading rapidly
  • In the Resolves clause, item 4):
  • work with the ITU and others to develop standards
    or guidelines to protect against Botnet attacks
    and web-based attacks and facilitate tracing
    the source of an attack