Monitoring and Preventing Malicious Codes in Broadband Network Infrastructure - PowerPoint PPT Presentation

About This Presentation
Title:

Monitoring and Preventing Malicious Codes in Broadband Network Infrastructure

Description:

Malicious Codes in the Age of Broadband. Case study: SQL Slammer Worm ... Blocks new malicious codes prior to the pattern file creation. Uses advanced Blocking ... – PowerPoint PPT presentation

Slides: 27
Provided by: antivirus7

Transcript and Presenter's Notes

1
Monitoring and Preventing Malicious Codes in
Broadband Network Infrastructure
  • Dr. Charles Ahn
  • CEO / AhnLab, Inc.

2
Agenda
  • Company Profile
  • CEO Career Activities
  • Attack Trend in Korea
  • Malicious Codes in the Age of Broadband
  • Case study: SQL Slammer Worm
  • How to Prevent Malicious Codes in the Age of
    Broadband
  • AhnLab's Response System

3
Company Profile
  • History
  • Foundation: 1995
  • IPO (KOSDAQ): Sept. 2001
  • Number of Employees
  • About 300 employees
  • Business
  • Anti-Virus and Secure Contents Management
  • Integrated Security Software
  • Security Management
  • Security Consulting Services
  • Financial Status
  • 2002 Fiscal Revenues: USD 25 million
  • Market Share
  • 65% of the AV market in Korea (1st in Korea)
  • Location
  • Corporate Headquarters: Seoul, Korea
  • International Offices: China, Japan

4
CEO Career Activities
  • Charles Ahn, MD / Ph.D. / EMTM
  • Feb. 1986: Medical Doctor's degree from College of
    Medicine, Seoul National University
  • Mar. 1986 to Sep. 1989: Research assistant at
    College of Medicine, Seoul National University
  • Sep. 1989 to Feb. 1991: Full-time lecturer at
    College of Medicine; Head of the pre-medical
    course, Dankook University
  • Feb. 1991: Ph.D. from College of Medicine, SNU
  • May 1997: E.M.T.M. (Executive Master of Technology
    Management) from Penn Engineering / Wharton
    School, University of Pennsylvania
  • Oct. 2000: Completed venture business course,
    Stanford University

5
Attack Trend in Korea
6
Reported Incidents
Source: KISA (Korea Information Security Agency)
7
Attack-Type Distribution in Korea
  • Port scanning attacks are increasing drastically.
  • Misconfiguration of IT systems is being
    exploited actively.
  • Infection through e-mail is continuously
    increasing.

Source: KISA (Korea Information Security Agency)
8
Malicious Codes in the Age of Broadband
9
The Evolution of Viruses and Worms
  • Exploitation of vulnerabilities in IT
    infrastructure
  • Increased sophistication of attacking techniques
  • Integration of various technologies that pose a
    bigger threat

10
Examples: Internet Worms
  • CodeRed
  • More than 350,000 servers were infected.
  • Approximately $2.6 billion was spent on
    recovery.
  • Nimda
  • More than 8.3 million servers were infected.
  • The amount of financial loss reached $590
    million.
  • SQL Slammer
  • Major ISP services in Korea were disrupted for
    more than 9 hours.

[Diagram: Victim / Attacker]
11
The Faster Appearance Cycle of Internet Worms
12
Future of Internet Worm
  • Emergence of multiple spread paths
  • Peer-to-Peer (P2P)
  • Instant Messaging
  • Mobile device
  • Technical advancement of attacking methods
  • Vulnerability attacks and blended attacks
  • Intelligent technique to avoid detection
  • Faster worm writing by automated tools

13
CASE STUDY: SQL Slammer Worm
14
SQL Slammer Worm in Korea
  • Nationwide Internet disruption for 9 hours from
    14:30, January 25, 2003 (GMT+09:00).
  • Shutdown of online trading, banking services,
    business transactions, communications, etc.
  • Global impact: 90% of vulnerable/unpatched
    servers were infected within 10 minutes.

Infection status by SQL Slammer at 15:00, January
25, 2003 (CAIDA report)
15
The Influence of SQL Slammer Worm
  • Direct Effect
  • Overload of infected servers
  • Network congestion due to the increased traffic
  • Breakdown of international links (because 93% of
    randomly chosen IP addresses are overseas traffic
    in Korea)
  • Side Effect
  • DNS troubles
  • In a DNS server, retry queries increased to about 8
    times the normal level (e.g. 472 queries per
    second, while 55 was normal).
  • More traffic means lower communication speed
    (a circular effect).
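As an added illustration (not from the slides), a small detector for the DNS side effect quoted above: it counts queries per second and the share of repeated (client, name) pairs, and alerts when the rate climbs past an assumed multiple of the 55 qps baseline. The log format and the 4x threshold are assumptions; the traffic is constructed to mirror the 55-vs-472 figures on the slide.

```python
from collections import Counter, defaultdict

BASELINE_QPS = 55        # normal rate quoted on the slide
ALERT_MULTIPLIER = 4     # assumed threshold; the slide reports ~8x during the outbreak


def make_constructed_log():
    """Constructed DNS query log lines in an assumed format: '<epoch-second> <client> <qname>'.

    Seconds 1000-1004 carry normal traffic (55 distinct queries per second).
    Seconds 1005-1007 carry a retry storm: 472 queries per second, but only
    40 distinct (client, name) pairs, each re-asked about 12 times.
    """
    lines = []
    for sec in range(1000, 1005):
        for i in range(BASELINE_QPS):
            lines.append(f"{sec} 10.0.{i % 8}.{i} host{i}.example.")
    for sec in range(1005, 1008):
        for i in range(472):
            k = i % 40
            lines.append(f"{sec} 10.1.0.{k} svc{k}.example.")
    return lines


def analyse(lines, baseline=BASELINE_QPS, multiplier=ALERT_MULTIPLIER):
    """Return alerts as (second, qps, retry_ratio) for every second whose
    query rate exceeds multiplier * baseline.

    retry_ratio is the fraction of that second's queries that repeat an
    earlier (client, qname) pair in the same second; near 0 for normal
    traffic, near 1 when resolvers keep re-sending the same questions.
    """
    per_sec = defaultdict(Counter)
    for line in lines:
        ts, client, qname = line.split()
        per_sec[int(ts)][(client, qname)] += 1

    alerts = []
    for sec in sorted(per_sec):
        qps = sum(per_sec[sec].values())
        distinct = len(per_sec[sec])
        retry_ratio = 1 - distinct / qps
        if qps > multiplier * baseline:
            alerts.append((sec, qps, round(retry_ratio, 2)))
    return alerts


if __name__ == "__main__":
    for sec, qps, ratio in analyse(make_constructed_log()):
        print(f"ALERT second={sec} qps={qps} retry_ratio={ratio}")
```

The retry ratio distinguishes a genuine demand spike from the congestion-driven retry loop the slide describes, where the same questions are repeated because answers are being lost.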


16
Country Statistics
[Graph: country statistics] The graph above shows 74,856 IP addresses that
generated malicious packets. (CAIDA report)
17
Why Serious Damage in Korea?
  • Well-established IT infrastructure
  • Densely connected network and high broadband
    usage rate
  • Large number of high performance servers
    connected to the network
  • Lack of security awareness
  • Open ports for unused services
  • More infected servers
  • Particularly high number of infected SQL servers
    in Korea (7 times as many as Japan and twice as
    many as China)

18
How to Prevent Malicious Codes in the Age of
Broadband
19
Countermeasures (1)
  • Vulnerability analysis of network infrastructure
  • Patch management
  • Systematic security-planning
  • Strict enforcement of the law to eliminate
    vulnerabilities of major organizations and
    enterprises
  • More reliable network infrastructure
  • Operation of a (replicated) root name server in
    Korea
  • Dependable structure for load-balancing and
    reliability enhancement
  • Capacity planning for emergency
  • R&D investment
  • Continuous investment in network security and
    antivirus technology
  • Research on integration of security and antivirus
    technology
  • Continuous research for efficient defense
    mechanisms

20
Countermeasures (2)
  • 24x7 monitoring system and emergency response
    process
  • Early detection and prevention with a concrete
    24/7 monitoring system
  • Set-up of emergency response organizations at the
    government, major corporations and other public
    organizations
  • Coordinated efforts among emergency response
    organizations
  • Governmental initiatives
  • Strict enforcement of the information security
    regulations and policies nationwide
  • Long-term plan to improve the security level of
    small and medium-sized businesses
  • Allotment of a separate budget for information
    security

21
AhnLab's Response System: Specialized
Emergency Response Team, Early Warning
System, Virus Blocking Service
22
Emergency Response Team
[Diagram] ASEC Integrated Emergency Response (AhnLab
Security E-response Center):
  • Resource integration
  • New virus detection
  • Analysis
  • Engine Update
  • 24/7 Monitoring
  • Virus Information
  • Prompt Customer Service
Alert Service to customers and non-customers
23
Early Warning System, SAB SBTM
Outbreak Monitoring System: SAB
24
Early Blocking / Interception Service, VBS
VBS: Virus Blocking Service
  • Blocks new malicious codes before the pattern
    file is created.
  • Uses an advanced blocking engine → VBS Policy
  • 24/7 service by dedicated technical support
    engineers
  • Provides a corporate virus shield against new virus
    threats in less than 15 minutes
  • Flexible service operating architecture
  • Remote service

25
VBS Virus Blocking Service
26
Conclusion
Thank you.