Cyber Shelter Bug Bounty

2.1. Operations

2.1.1. Operation of Malware-Concealing Site Detection System

KrCERT/CC developed the malware-concealing site detection system MC-Finder in-house, and it has been inspecting 2.5 million domestic domains since 2014. Its purpose is to inspect homepages for concealed malware and to delete and block any malware found, in order to prevent user PCs from being infected. In 2014, 47,703 sites were confirmed to have concealed malware. This figure represents a 168.7% increase compared to 2013.

| Type | 2013 Total | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 2014 Total |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Landing site | 13,278 | 1,083 | 497 | 640 | 348 | 281 | 671 | 1,276 | 3,235 | 3,762 | 3,352 | 9,973 | 20,002 | 45,120 |
| Exploit sites | 4,472 | 244 | 190 | 283 | 204 | 177 | 117 | 161 | 217 | 210 | 121 | 260 | 399 | 2,583 |
| Sum | 17,750 | 1,327 | 687 | 923 | 552 | 458 | 788 | 1,437 | 3,452 | 3,972 | 3,473 | 10,233 | 20,401 | 47,703 |

※ Landing site: Homepage that disseminates malware indirectly by automatically connecting homepage visitors to the disseminating site
※ Exploit site: Homepage that directly disseminates malware to the homepage users

Among the malware-concealing sites detected in 2014, the homepages of small and medium enterprises constituted the biggest portion with 58%, followed by others (individuals, etc.), non-profit organizations, and research institutes. The main types of malware disseminated over homepages included malware to leak financial data, pharming malware to induce users to go to banking phishing sites, remote control malware, and droppers.

2.1.2. Cyber Shelter

KrCERT/CC began providing the DDoS Cyber Shelter service to small and medium enterprises in 2009 after several large-scale DDoS attacks took place in Korea. Since the service was launched, a total of 1,001 organizations have used the shelter as of 2014, with 449 successfully defending themselves against DDoS attacks.

| Type | 2010 | 2011 | 2012 | 2013 | 2014 | Total |
|---|---|---|---|---|---|---|
| No. of enterprises using the service | 52 | 101 | 175 | 260 | 413 | 1,001 |
| No. of successful DDoS defenses | 25 | 60 | 138 | 116 | 110 | 449 |

Moreover, the service treated the zombie PCs collected during the defense against DDoS attacks and blocked C&C servers to prevent secondary damage from malware infection.

A notable characteristic of the DDoS attacks blocked by the DDoS shelter in 2014 was an increase in attacks targeting web applications such as DNS and NTP servers. Among the DDoS attack types, UDP/ICMP flooding, which depletes the bandwidth of the lines, accounted for the largest portion; large-scale attacks of 3Gbps or more increased visibly. This trend of large-scale attacks was confirmed by the 76Gbps8,800Kbps-level DDoS attack around November.

2.1.3. Bug Bounty

Because attacks using the vulnerabilities of popular software such as Hancom Office are occurring continuously in Korea, and new vulnerabilities are found worldwide, KrCERT/CC initiated a reward policy in October 2012 to prevent incidents in advance and to encourage experts to discover new vulnerabilities. Since the enactment of the policy in 2012, a total of 478 cases were registered as of 2014. Among them, the analysis data of 330 cases confirmed to be zero-day vulnerabilities were provided to software developers to request the development of patches and prevent intrusion incidents in advance.

In 2014, a total of 274 cases were reported, increasing 53% compared to the previous year; KRW 164.3 million was given as rewards for 177 cases. In August, an inspection of ActiveX vulnerabilities used for malware dissemination was conducted. A total of 110 ActiveX vulnerabilities in the public, banking, commerce, and game sectors were reported, and KRW 65.1 million was given as rewards for 81 cases.

In the second quarter of 2014, a joint bug bounty program was initiated with Hancom as part of the voluntary security vulnerability discovery program by enterprises. A total of 9 vulnerabilities of Hancom Office were found, with rewards given accordingly. Hancom also awarded appreciation plaques to the top 3 reporters of vulnerabilities of Hancom Office.

2.2. Abuse statistics

2.2.1. Domestic Phishing Sites