4. Contents
01 Malware Trends in Korea
1) 2011 Malware Infection Status
2) 2011 Malware Infection Type
02 Internet Threats and Issues in Korea
1) APT (Advanced Persistent Threat)
2) Mobile Threats
3) DDoS Accidents
4) Application Vulnerability
5) Social Network Threats
6. 1) 2011 Malware Infection Status
Almost 2 billion (177,473,697) infections were reported in 2011
Infections increased by over 18% compared with 2010 (146,097,262)
Since October, malware using web application vulnerabilities has been increasing
2011 Monthly Malware Infection Status
7. 2) Malware Type in Korea 2011 (1)
2011 Infection Report: Trojan 42.1%, Script 17.4%, Worm 11.6%
2011 New Malware Type: Trojan 62%, Adware 16%, Dropper 7%
Script malware uses vulnerabilities in web browsers and web applications
Malware using vulnerabilities in Adobe Flash, Java and MS12-004 increased in the first quarter of 2012
Figures: Reported Malware Types in 2011; New Malware Types in 2011
8. 2) Malware Type in Korea 2011 (2)
Almost all the malware in the 2011 TOP 10 list is script-related files
Most of them are “Autorun.inf” files, which were spread by USB
The Induc and Palevo worms also rank high
Trojans were the most reported new malware in 2011
Windows-related files were infected or replaced by the malware
OnlineGameHack-related families were the most reported malware in 2011, along with the Conficker and Virut families
1 Textimage/Autorun 9,458,847 24.20%
2 JS/Agent 6,217,163 15.90%
3 Win32/Induc 2,149,558 5.50%
4 Html/Agent 1,859,891 4.80%
5 JS/Downloader 1,789,695 4.60%
6 JS/Redirect 1,580,959 4.10%
7 JS/Exploit 1,545,389 4.00%
8 JS/Iframe 1,446,928 3.70%
9 Swf/Agent 1,432,679 3.70%
10 Win32/Palevo1.worm.Gen 1,389,561 3.60%
TOP 10 Reported Malware in 2011
1 Win-Trojan/Patched.CR 757,876 25.80%
2 Win-Trojan/Overtls11.Gen 700,456 23.90%
3 Win-Trojan/Downloader.59904.AK 278,527 9.50%
4 Win-Trojan/Winsoft17.Gen 222,208 7.60%
5 Win-Trojan/Adload.77312.LPU 181,176 6.20%
6 Win-Trojan/Winsoft18.Gen 104,026 3.50%
7 Win-Trojan/Winsoft.263168.KX 75,337 2.60%
8 Win-Trojan/Winsoft.263168.LO 73,994 2.50%
9 Win-Trojan/Agent.339968.EI 69,762 2.40%
10 Win-Trojan/Agent.323584.FK 68,946 2.30%
TOP 10 Reported New Malware in 2011
10. 1) APT (Advanced Persistent Threat) (1)
Incidents involving APT and targeted attacks occurred at Korean companies
The S company, N Bank and N company incidents were the big issues of 2011
Information on 35 million clients was leaked in the S company incident
Figure: Incident in S company (labels: Attacker, Free software update server, Other Victim, Server, DB Server). Steps: 1 Spreading the malware, 2 Malware infection, 3 Remote control, 4 Connect to DB server, 5 Data transfer to external server, 6 Data transmit
11. 1) APT (Advanced Persistent Threat) (2)
Incident in N Bank
Information on over 13 million game users was leaked in the N company incident (under investigation)
The N Bank system was corrupted after an attack from outside
The attacker spread the malware through a P2P program and waited 7 months before the attack
Figure: N Bank incident flow (labels: P2P Program, Laptop from the outsourced staff, Attacker, Internal System). Steps: 1 Spreading the malware, 2 Malware infection, 3 Remote control, 4 Delete all to DB server
12. 2) Mobile Threats (1)
There are no reports of any kind of Android malware being made or spread in Korea
The Android samples that AhnLab has collected are from foreign countries
Mobile threats in Korea are not related to Android malware
Android Malware Found in 2011
13. 2) Mobile Threats (2)
Messages disguised as coming from a public institution or bank redirect to a phishing website
Spam SMS uses shortened URLs to lead to adult websites
Mobile messenger phishing using KakaoTalk and MyPeople Mobile
Mobile Phishing, Mobile Spam SMS and Mobile Messenger Phishing
Hello it’s KB Bank. For the security reasons please access to the website below
Come to the Hot Adult website
Disguise as your friend to borrow some money
14. 3) DDoS Accidents (1)
4th March 2011 DDoS Accident Timeline
In Korea, DDoS attacks used to be for obtaining money, but the objectives are getting wider
The 3.4 DDoS (4th March) attack and the attack on the National Election Commission were the big issues of 2011
Almost all DDoS attacks in Korea use malware capable of DDoS
15. 3) DDoS Accidents (2)
Malware Builder for DDoS Attack
Many of the computers that attacked the National Election Commission were infected by the malware
Most of the malware builders were made by the Chinese underground
The malware builders are translated into Korean and spread through online cafes
Malware is disguised as game or media files and spread by P2P or online cafes
Packet type for DDoS attack
16. 4) Application Vulnerability
Online game related malware is spread by using web browser and application vulnerabilities
Malware in 2011 used vulnerabilities in Internet Explorer (MS10-018), Adobe Flash Player (CVE-2011-2110, CVE-2011-2140, CVE-2011-0609) and Adobe Reader (CVE-2011-0611)
Malware using vulnerabilities in the Hangul word processor (.hwp) is increasing
Malware using vulnerabilities in Windows Media (MS12-004), Adobe Flash Player (CVE-2011-0611, CVE-2011-2140, CVE-2012-0754) and Java (CVE-2011-3544) increased in the first quarter of 2012
Hacked Websites Using Various Vulnerabilities to Spread Malware
Web sites found on 2nd February 2012
Vulnerabilities
MS10-018 Internet Explorer
MS12-004 Windows Media
CVE-2011-2140 Adobe Flash Player
CVE-2011-3544 Java
On weekdays, they build the systems that spread the malware
On weekends, they hack a system and insert a script that redirects to their system
The final goal is to spread online game related malware
17. 5) Social Network Threats
Social network websites developed in Korea: me2DAY, yozm and Cyworld
Twitter and Facebook users in Korea are increasing because of the increase in smartphones
Social network websites are also used for spreading malware and phishing websites
Figures: Malware spreading by Twitter; TwitBot commands found in me2DAY
Disguised as a media file of a famous actress