Fostering worldwide interoperabilityGeneva, July 2009 How to counter web-based attacks on the Internet in Korea Heung Youl YOUM Chairman of Korea ITU-T SG17 Committee, TTA Global Standards Collaboration (GSC) 14 DOCUMENT #:GSC14-GTSC-026 FOR:Presentation SOURCE:TTA AGENDA ITEM:GTSC 4.2

Fostering worldwide interoperability 2 Geneva, July 2009 It is very surprise if you realize that just visiting your favorite web site can either lead to malware to be silently installed on your computer without your knowledge or clicking anything, or being annoyed by misleading applications, such as fake antivirus software. What is web-based attacks? A type of attacks in which the attackers try to compromise the legitimate websites resulting in malicious code to be injected which in turn can be used to infect a user’s computer visiting those web sites. What is web-based attacks?

Fostering worldwide interoperability 3 Geneva, July 2009 Web-based attacks According to Google survey released in May 2007, one in 10 web sites contained malicious codes which were capable of launching so-called “ drive-by download ” type web-based attacks. In the web-based attacks: The administrators are not aware that they are hacked, have resulted injecting the malicious codes and used to disseminate malicious codes; Users also are not aware that their computers get infected by malicious codes from the sites they have visited; Installing anti-virus S/W can prevent some incidents, but, they are not providing ultimate solutions.

Fostering worldwide interoperability 4 Geneva, July 2009 Top Web Threats for 2008 In the Symantic threats Report-2008: Drive-by downloads from mainstream Web site are increasing; Attacks are heavily obfuscated and dynamically changing making traditional antivirus solutions ineffective ; Attacks are targeting browser plug-ins; SQL injection attacks are being used to infect mainstream Web sites; Mal advertisements are redirecting users to malicious Web sites; Explosive growth in unique and targeted malware samples;

Fostering worldwide interoperability 5 Geneva, July 2009 Typical scenarios for web-based attack in Korea 1,000 legitimate web sites … Malicious code injected web site Users 1. Compromise the legitimate web sites. 2. Visit their favorite web sites. 3. Redirect users to the malicious web site. 4.Attempts to attack the PCs using 620,000 IPs ,000 PCs with MS Vul. infected by malicious code. 6. Personal information such as ID/Password is transferred to attacker. attacker

Fostering worldwide interoperability 6 Geneva, July 2009 Korea use case: MC-finder scheme(1/2) MC-finder scheme Developed by KISA (Korea Information Security Agency) and put in place since A scheme to search for the malicious code- injected web sites, malicious web site, and the web sites which redirect users to the malicious injected code, the transit web site. More than 140,000 sites in Korea are being monitored by MC-finder scheme, as of June 30, During 2008, in Korea, 1,324 web sites founded as malicious code injected web sites, 7,654 web sites turned up as the transit web sites redirecting users to the malicious injected web sites.

Fostering worldwide interoperability 7 Geneva, July 2009 Korea use case: MC-finder scheme(2/2) Web sites to be monitored: Major web sites for enterprise/orgs, etc. sites, Top 20,000 sites according to number of visiting users; Sites which have already experienced the web pages’ defacement. Inspect web documents to check whether an malicious code is injected. List up the infected URLs. It has provided the following services; Inform the administrators by SMS, , or phone to take necessary actions; Maintain and track the history of the MC- infected sites;

Fostering worldwide interoperability 8 Geneva, July 2009 Nearly impossible to search for all global web sites therefore, it needs to develop a global collaboration framework. However, Lack of framework for sharing security information; Lack of globally interoperable framework or technologies; No standardization activity on how to counter this web-based attacks. Therefore, it needs to; Identify various web-based attack scenarios, the requirements and generic framework; Identify the relevant information exchange format; Challenges

Fostering worldwide interoperability 9 Geneva, July 2009 Korea continue to upgrade the MC-finder scheme to reflect the fast changing attack environments. Need for a globally interoperable framework and technologies which can combat the web-based attacks effectively; ITU-T and global SDOs are required to develop standards or guideline for a globally interoperable scheme against the web-based attacks on the Internet. TTA plans to contribute to launching the standardization activities on the countering scheme against the web-based attacks in the near future. Next Steps/Actions

Fostering worldwide interoperability 10 Geneva, July 2009 Generally needs to reaffirm the existing Resolution GSC11/13. However, update is required as follows; In recognizing clause, item i); that new cyber attacks such as phishing, pharming, “web-based attacks” and Botnets are emerging and spreading rapidly; In Resolves clause, item 4); work with the ITU and others to develop standards or guidelines to protect against Botnet attacks “and web-based attacks” and facilitate tracing the source of an attack; Proposed Resolution