Global Standards Collaboration (GSC) 14

DOCUMENT #: GSC14-GTSC-026
FOR: Presentation
SOURCE: TTA
AGENDA ITEM: GTSC 4.2
CONTACT(S): hyyoum@sch.ac.kr

How to counter web-based attacks on the Internet in Korea

Heung Youl YOUM
Chairman of Korea ITU-T SG17 Committee, TTA

Geneva, 13-16 July 2009
Fostering worldwide interoperability

What are web-based attacks?

It may come as a surprise that just visiting your favorite web site can lead either to malware being silently installed on your computer, without your knowledge and without your clicking anything, or to being annoyed by misleading applications such as fake antivirus software.

What are web-based attacks? A type of attack in which attackers compromise legitimate web sites so that malicious code is injected, which in turn can be used to infect the computers of users visiting those web sites.

Web-based attacks

According to a Google survey released in May 2007, one in 10 web sites contained malicious code capable of launching so-called "drive-by download" web-based attacks.

In web-based attacks:
- Administrators are not aware that their sites have been hacked, injected with malicious code, and used to disseminate it;
- Users are also not aware that their computers have been infected by malicious code from the sites they visited;
- Installing anti-virus software can prevent some incidents, but it does not provide an ultimate solution.

Top Web Threats for 2008

In the Symantec threats report for 2008:
- Drive-by downloads from mainstream web sites are increasing;
- Attacks are heavily obfuscated and change dynamically, making traditional antivirus solutions ineffective;
- Attacks are targeting browser plug-ins;
- SQL injection attacks are being used to infect mainstream web sites;
- Malicious advertisements are redirecting users to malicious web sites;
- Explosive growth in unique and targeted malware samples.

Typical scenarios for web-based attack in Korea

(Diagram. Actors: attacker; 1,000 legitimate web sites, shown with <iframe> … </iframe>; users; malicious code injected web site.)
1. Compromise the legitimate web sites.
2. Users visit their favorite web sites.
3. Redirect users to the malicious web site.
4. Attempts to attack the PCs using 620,000 IPs.
5. 92,000 PCs with the MS06-014 vulnerability infected by malicious code.
6. Personal information such as ID/password is transferred to the attacker.

Korea use case: MC-finder scheme (1/2)

MC-finder scheme:
- Developed by KISA (Korea Information Security Agency) and in place since 2006.
- A scheme to search for the malicious code-injected web sites, the malicious web sites, and the web sites which redirect users to the injected malicious code, the transit web sites.
- More than 140,000 sites in Korea are being monitored by the MC-finder scheme, as of June 30, 2009.
- During 2008, in Korea, 1,324 web sites were found to be malicious code-injected web sites, and 7,654 web sites turned up as transit web sites redirecting users to the malicious code-injected web sites.

Korea use case: MC-finder scheme (2/2)

Web sites to be monitored:
- Major web sites for enterprises, organizations, etc.;
- Top 20,000 sites according to number of visiting users;
- Sites which have already experienced defacement of their web pages.
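
The inspection step of a scheme like MC-finder, checking monitored web documents for injected code and listing the affected URLs, is illustrated below for the <iframe> injection shown in the attack scenario. This is an added example, not KISA's MC-finder code. The heuristic (an iframe that is both hidden and loaded from another host), the function names and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True when the frame is sized or styled so that a visitor cannot see it."""
    tiny = any(attrs.get(dim, "").strip().rstrip("px") in ("0", "1")
               for dim in ("width", "height"))
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))

def find_injected_iframes(page_url, html):
    """Return the off-site URLs loaded by hidden iframes in one document."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for attrs in collector.iframes:
        target = urljoin(page_url, attrs.get("src", ""))  # resolves relative and // URLs
        host = urlparse(target).hostname
        if host and host != page_host and is_hidden(attrs):
            hits.append(target)
    return hits

def list_transit_sites(pages):
    """Map each monitored URL carrying a hidden off-site iframe to its targets."""
    found = {url: find_injected_iframes(url, html) for url, html in pages.items()}
    return {url: hits for url, hits in found.items() if hits}

# Constructed sample documents (hypothetical hosts, not real sites).
SAMPLE_PAGES = {
    "http://shop.example/": '<h1>Shop</h1><iframe src="http://mal.example/x" width="0" height="0"></iframe>',
    "http://news.example/": '<iframe src="/ads/banner.html" style="display:none"></iframe>',
    "http://blog.example/": '<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>',
    "http://wiki.example/": '<iframe src="//cdn.mal.example/y" style="visibility: hidden"></iframe>',
}
```

Only the shop and wiki samples are reported: the news frame is hidden but same-host, and the blog frame is off-site but visible, so neither matches the combined condition.
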

Inspect web documents to check whether malicious code is injected. List the infected URLs.

It has provided the following services:
- Inform the administrators by SMS, e-mail, or phone so they can take the necessary actions;
- Maintain and track the history of the MC-infected sites.

Challenges

It is nearly impossible to search all web sites globally; therefore, a global collaboration framework needs to be developed. However:
- Lack of a framework for sharing security information;
- Lack of a globally interoperable framework or technologies;
- No standardization activity on how to counter these web-based attacks.

Therefore, there is a need to:
- Identify various web-based attack scenarios, the requirements, and a generic framework;
- Identify the relevant information exchange format.

Next Steps/Actions

- Korea continues to upgrade the MC-finder scheme to reflect the fast-changing attack environment.
- There is a need for a globally interoperable framework and technologies that can combat web-based attacks effectively.
- ITU-T and global SDOs are required to develop standards or guidelines for a globally interoperable scheme against web-based attacks on the Internet.
- TTA plans to contribute to launching standardization activities on a scheme for countering web-based attacks in the near future.

Proposed Resolution

Generally, the existing Resolution GSC11/13 needs to be reaffirmed. However, an update is required as follows:
- In the Recognizing clause, item i): that new cyber attacks such as phishing, pharming, "web-based attacks" and Botnets are emerging and spreading rapidly;
- In the Resolves clause, item 4): work with the ITU and others to develop standards or guidelines to protect against Botnet attacks "and web-based attacks" and facilitate tracing the source of an attack.