2.1. Operations

2.1.1. Operation of Malware-Concealing Site Detection System
KrCERT/CC developed the malware-concealing site detection system MC-Finder in-house, and it has been inspecting 2.5 million domestic domains since 2014. Its purpose is to inspect homepages for any concealed malware and, if malware is found, to delete and block it so that user PCs are not infected. In 2014, 47,703 sites were confirmed to have concealed malware. This figure represents a 168.7% increase compared to 2013.
Malware-concealing sites detected: 2013 total and 2014 by month

Site type     | 2013 Total | 2014: 1 |   2 |   3 |   4 |   5 |   6 |     7 |     8 |     9 |    10 |     11 |     12 | 2014 Total
--------------|------------|---------|-----|-----|-----|-----|-----|-------|-------|-------|-------|--------|--------|-----------
Landing site  |     13,278 |   1,083 | 497 | 640 | 348 | 281 | 671 | 1,276 | 3,235 | 3,762 | 3,352 |  9,973 | 20,002 |     45,120
Exploit sites |      4,472 |     244 | 190 | 283 | 204 | 177 | 117 |   161 |   217 |   210 |   121 |    260 |    399 |      2,583
Sum           |     17,750 |   1,327 | 687 | 923 | 552 | 458 | 788 | 1,437 | 3,452 | 3,972 | 3,473 | 10,233 | 20,401 |     47,703
※ Landing site: Homepage that disseminates malware indirectly by automatically connecting its visitors to the disseminating site
※ Exploit site: Homepage that directly disseminates malware to its visitors
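The two site categories in the notes above are defined by how a homepage delivers malware: directly (exploit site) or by automatically forwarding visitors, possibly through a chain of redirects, to a site that does (landing site). The following is an added example, not code from KrCERT/CC or MC-Finder, that applies these definitions to constructed crawl records, counts the results the way the table does, and computes the year-over-year change quoted above. The `CrawlResult` schema, the hostnames and the crawl data are assumptions made for illustration.

```python
# Added example (not KrCERT/CC's MC-Finder code): label crawled homepages as
# "exploit site" or "landing site" using the report's definitions, then summarise
# the counts and the year-over-year change the way the table above does.
# All site names and crawl results below are constructed for illustration.
from dataclasses import dataclass, field
from collections import Counter


@dataclass
class CrawlResult:
    """What an inspection crawler recorded for one homepage (hypothetical schema)."""
    url: str
    serves_malware: bool = False                      # page itself delivered an exploit or malicious binary
    auto_connects_to: list = field(default_factory=list)  # hosts loaded without user action (hidden iframes, redirects)


def _reaches_exploit(url, by_url, exploit_sites, seen):
    """Depth-first walk along automatic connections; True if an exploit site is reached."""
    if url in seen:
        return False          # already explored, or part of a redirect loop
    seen.add(url)
    result = by_url.get(url)
    if result is None:
        return False          # host was not crawled, so nothing is known about it
    for nxt in result.auto_connects_to:
        if nxt in exploit_sites or _reaches_exploit(nxt, by_url, exploit_sites, seen):
            return True
    return False


def classify_sites(results):
    """Map each crawled URL to 'exploit site', 'landing site' or 'clean'.

    Exploit site: disseminates malware to its visitors directly.
    Landing site: disseminates malware indirectly, by automatically connecting
    its visitors (possibly through a chain of redirects) to an exploit site.
    """
    by_url = {r.url: r for r in results}
    exploit_sites = {r.url for r in results if r.serves_malware}
    labels = {}
    for r in results:
        if r.url in exploit_sites:
            labels[r.url] = "exploit site"
        elif _reaches_exploit(r.url, by_url, exploit_sites, set()):
            labels[r.url] = "landing site"
        else:
            labels[r.url] = "clean"
    return labels


def count_by_type(labels):
    """Counts per label, i.e. the per-period figures the report tabulates."""
    return dict(Counter(labels.values()))


def percent_change(previous, current):
    """Change in percent, rounded to one decimal (17,750 -> 47,703 gives 168.7)."""
    return round((current - previous) / previous * 100, 1)


# Constructed crawl data: one exploit host, a two-hop redirect chain, a benign CDN
# reference and a redirect loop that must not hang the classifier.
SAMPLE_CRAWL = [
    CrawlResult("exploit.example", serves_malware=True),
    CrawlResult("shop.example", auto_connects_to=["relay.example"]),
    CrawlResult("relay.example", auto_connects_to=["exploit.example"]),
    CrawlResult("news.example", auto_connects_to=["cdn.example"]),
    CrawlResult("cdn.example"),
    CrawlResult("loop-a.example", auto_connects_to=["loop-b.example"]),
    CrawlResult("loop-b.example", auto_connects_to=["loop-a.example"]),
]

if __name__ == "__main__":
    labels = classify_sites(SAMPLE_CRAWL)
    for url, label in sorted(labels.items()):
        print(f"{url:20s} {label}")
    print(count_by_type(labels))
    print(f"2013 -> 2014 change: {percent_change(17_750, 47_703)}%")
```

Both intermediate hops of a redirect chain are counted as landing sites, which matches the definition (each one automatically forwards visitors toward the disseminating site); a host that only references benign content, or that sits in a redirect loop, stays clean.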
Among the malware-concealing sites detected in 2014, the homepages of small and medium enterprises constituted the biggest portion at 58%, followed by others (individuals, etc.), non-profit organizations, and research institutes. The main types of malware disseminated over homepages included malware that leaks financial data, pharming malware that redirects users to banking phishing sites, remote-control tools, and droppers.
2.1.2. Cyber Shelter
KrCERT/CC began providing the DDoS Cyber Shelter service to small and medium enterprises in 2009, after several large-scale DDoS attacks took place in Korea. Since the service was launched, a total of 1,001 organizations have used the shelter as of 2014, with 449 successfully defending themselves against DDoS attacks.
Type                                 | 2010 | 2011 | 2012 | 2013 | 2014 | Total
-------------------------------------|------|------|------|------|------|------
No. of enterprises using the service |   52 |  101 |  175 |  260 |  413 | 1,001
No. of successful DDoS defenses      |   25 |   60 |  138 |  116 |  110 |   449
Moreover, the service carried out the treatment of zombie PCs identified during the defense against DDoS attacks and the blocking of C&C servers, to prevent secondary damage from malware infection. A notable characteristic of the DDoS attacks blocked by the DDoS shelter in 2014 was that more of them targeted web applications such as DNS and NTP servers. Among the DDoS attack types, UDP/ICMP flooding, which depletes line bandwidth, accounted for the largest portion, and large-scale attacks of 3Gbps or more increased visibly. This trend toward large-scale attacks was confirmed by the 76Gbps / 8,800Kbps-level DDoS attack around November.
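The passage names the characteristics a shelter operator would watch for: UDP/ICMP flooding that consumes line bandwidth, and attacks at 3Gbps or above counting as large-scale. The following added example, which is not the Cyber Shelter's own detection logic, aggregates flow records per destination and one-second window, flags windows in which UDP and ICMP dominate the traffic, and marks those at or above the 3Gbps figure as large-scale. The flow-record tuple layout, the destination addresses, the byte counts and the 80% share threshold are constructed assumptions.

```python
# Added example (not the Cyber Shelter's own detection logic): aggregate flow
# records per destination and per-second window, flag UDP/ICMP floods that are
# eating line bandwidth, and mark those at 3 Gbps or more as large-scale.
# The flow records and the share threshold are constructed assumptions.
from collections import defaultdict

FLOOD_PROTOCOLS = {"udp", "icmp"}     # bandwidth-depleting flood types named in the report
LARGE_SCALE_GBPS = 3.0                # threshold the report uses for "large-scale"


def aggregate_windows(flows, window_s=1):
    """Sum bytes per (window, dst, proto). flows: iterable of (ts_seconds, proto, dst, nbytes)."""
    agg = defaultdict(int)
    for ts, proto, dst, nbytes in flows:
        agg[(int(ts) // window_s, dst, proto.lower())] += nbytes
    return agg


def detect_floods(flows, window_s=1, flood_share=0.8, large_scale_gbps=LARGE_SCALE_GBPS):
    """Return one finding per (window, dst) where UDP+ICMP make up at least
    flood_share of the bytes; gbps is the aggregate rate towards that destination."""
    per_dst = defaultdict(lambda: {"total": 0, "flood": 0})
    for (win, dst, proto), nbytes in aggregate_windows(flows, window_s).items():
        bucket = per_dst[(win, dst)]
        bucket["total"] += nbytes
        if proto in FLOOD_PROTOCOLS:
            bucket["flood"] += nbytes
    findings = []
    for (win, dst), b in sorted(per_dst.items()):
        share = b["flood"] / b["total"]
        gbps = b["total"] * 8 / window_s / 1e9      # bytes per window -> gigabits per second
        if share >= flood_share:
            findings.append({
                "window": win,
                "dst": dst,
                "gbps": round(gbps, 3),
                "flood_share": round(share, 3),
                "large_scale": gbps >= large_scale_gbps,
            })
    return findings


# Constructed flow samples (timestamp_s, proto, dst, bytes): a 3.36 Gbps UDP flood
# in window 0, ordinary TCP traffic in window 1, a smaller ICMP flood in window 2.
SAMPLE_FLOWS = [
    (0.2, "udp", "203.0.113.10", 250_000_000),
    (0.7, "udp", "203.0.113.10", 150_000_000),
    (0.5, "tcp", "203.0.113.10", 20_000_000),
    (1.1, "tcp", "203.0.113.20", 50_000_000),
    (1.4, "udp", "203.0.113.20", 1_000_000),
    (2.3, "icmp", "203.0.113.10", 100_000_000),
]

if __name__ == "__main__":
    for finding in detect_floods(SAMPLE_FLOWS):
        print(finding)
```

The share test separates a bandwidth-depleting flood from a destination that merely receives a lot of legitimate traffic, and the rate test applies the report's 3Gbps line so that the two findings above come out as one large-scale and one smaller flood.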
2.1.3. Bug Bounty
Because attacks using vulnerabilities in popular software such as Hancom Office occur continuously in Korea, and new vulnerabilities are found worldwide, KrCERT/CC initiated a reward policy in October 2012 to prevent incidents in advance and to encourage experts to discover new vulnerabilities. Since the enactment of the policy in 2012, a total of 478 cases had been registered as of 2014. Among them, the analysis data of 330 cases confirmed to be zero-day vulnerabilities were provided to software developers to request the development of patches and to prevent intrusion incidents in advance.
In 2014, a total of 274 cases were reported, an increase of 53% compared to the previous year; KRW 164.3 million was given as rewards for 177 cases. In August, an inspection of ActiveX vulnerabilities used for malware dissemination was conducted. A total of 110 ActiveX vulnerabilities in the public, banking, commerce, and game sectors were reported, and KRW 65.1 million was given as rewards for 81 cases.
A joint bug bounty program was initiated with Hancom in the second quarter of 2014 as part of the voluntary security vulnerability discovery program by enterprises. A total of 9 vulnerabilities in Hancom Office were found, with rewards given accordingly. Hancom also awarded appreciation plaques to the top 3 reporters of Hancom Office vulnerabilities.
2.2. Abuse Statistics

2.2.1. Domestic Phishing Sites