Korea Internet & Security Agency 21 2
When quoting all or part of this report, the source must be cited as [Source: Korea Internet & Security Agency, Korea Internet Security Center].
[Figure residue: monthly Bot statistics charts (months 1 to 12); data values garbled and not recoverable]
[Table residue: top-10 malware by rank, two periods side by side as in the source; counts garbled and omitted]
1. ON LINE GAME HACK | AGENT
2. AGENT | BREDOLAB
3. MALWARE | AUTORUN
4. XEMA | PALEVO
5. DOWNLOADER | MALWARE
6. AUTO RUN | ONLINE GAME HACK
7. FAKE AV | DOWNLOADER
8. BAGLE | FAKESYS
9. BREDOLAB | XEMA
10. INDUC | BIFROSE
[Table residue: monthly breakdown by operating system (Windows, Linux, Unix); values garbled and not recoverable]
[Table residue: port-to-threat mapping; port numbers garbled and omitted. Threats listed: Cisco Telnet; Symantec Exploit; WebDAV, ASN.1-HTTP, Cisco HTTP; Bagle, Bagle2; DCOM, DCOM2; MyDoom; NetBIOS, ASN.1-NT; Optix; IMail; UPNP; NetBIOS, LSASS, WksSvc, ASN.1-SMB, DCOM, RPC; Veritas Backup Exec; NetDevil; Dameware; DCOM; Kuang2; MS-SQL; Sub7]
1) Http://www.microsoft.com/technet/security/current.aspx
2) Http://www.boho.or.kr/pccheck/pcch_5.jsp?page_id=5
[Chart residue: monthly IP address counts (months 1 to 12); values garbled and not recoverable]
KISC - Korea Internet Security Center, KISA
[Chart residue: source-country distribution (China, U.S.A, Taiwan); percentages garbled and omitted. Top detected events per country as listed in the source:]
China: TCP/1433-tcp service scan; TCP/22-tcp service scan; TCP/1-tcp service scan; TCP/336-tcp service scan
U.S.A: TCP/18-tcp service scan; TCP/445-netbios smb client to lsasrv request; TCP/22-tcp service scan; TCP/445-microsoft windows pnp overflow exploit - suspicious zotob
Taiwan: TCP/445-netbios lsass buffer overflow2; TCP/445-netbios smb client to lsasrv request; TCP/139-netbios smb client to lsasrv request
[Table residue: top-10 detected events, two periods side by side as in the source; percentages garbled and omitted]
1. TCP/1433 tcp service scan | TCP/1433 tcp service scan
2. TCP/2967 tcp service scan | TCP/445 netbios lsass buffer overflow 2
3. TCP/22 tcp service scan | TCP/445 netbios smb client to lsasrv request
4. TCP/445 netbios smb client to lsasrv request | TCP/22 tcp service scan
5. TCP/18 tcp service scan | ICMP icmp ping Advanced IP Scanner v1.4
6. TCP/1521 tcp service scan | ICMP icmp ping X-scan scan
7. TCP/336 tcp service scan | TCP/18 tcp service scan
8. TCP/8 tcp service scan | TCP/1 tcp service scan
9. TCP/139 worm esbot.a | TCP/336 tcp service scan
10. TCP/88 tcp service scan | TCP/88 tcp service scan
[Chart residue: share of top events in the later period, in order: TCP/1433 - tcp service scan; TCP/445 - netbios lsass buffer overflow 2; TCP/445 - netbios smb client to lsasrv request; TCP/22 - tcp service scan; remainder grouped as others; percentages garbled]
[Table residue: top-10 detected events, two periods side by side as in the source; percentages garbled and omitted]
1. TCP/135 tcp service scan | TCP/135 netbios dcerpc invalid bind
2. TCP/135 netbios dcerpc invalid bind | TCP/135 rpc dcom interface overflow exploit
3. TCP/4899 tcp service scan backdoor famous | UDP/53 botnet ddns dns query
4. TCP/1433 tcp service scan | TCP/135 tcp service scan
5. TCP/135 rpc dcom interface overflow exploit | TCP/4899 tcp service scan backdoor famous
6. TCP/22 tcp service scan | TCP/3389 tcp service scan
7. UDP/1434 worm slammer | TCP/1433 tcp service scan
8. UDP/53 botnet ddns dns query | UDP/1434 worm slammer
9. TCP/2967 tcp service scan | TCP/1521 tcp service scan
10. TCP/59 tcp service scan | TCP/139 microsoft windows pnp overflow exploit - suspicious zotob
[Chart residue: share of top events in the later period, in order: TCP/135 - netbios dcerpc invalid bind; TCP/135 - rpc dcom interface overflow exploit; TCP/53 - backdoor famous botnet ddns dns query; TCP/135 - tcp service scan; remainder grouped as others; percentages garbled]
[Chart residue: daily attack-traffic charts (days 1 to 28); values garbled. Port series listed: TCP/8, UDP/9155, TCP/25, TCP/9153, TCP/88, UDP/53, TCP/51, TCP/24, UDP/443, TCP/54. Attack types listed: TCP SYN Flooding(DDoS), UDP Flooding, Host Sweep, TCP ACK Flooding, UDP Tear Drop, TCP Connect DOS, Ping Sweep, HTTP Login B, SMB Service sweep (tcp-445), FIN Port Scan]
[Table residue: top-10 malware families by share, two periods side by side as in the source; the "others" shares are garbled and omitted]
1. PWS 14.5% | PWS 16.3%
2. HLLM 13.2% | HLLM 12.7%
3. GENERIC 9.8% | GENERIC 8.8%
4. VIRUT 7.4% | BREDLAB 8.4%
5. HLLM 6.9% | HLLM 6.5%
6. DOWNLOADER 5.8% | PARITE 6.2%
7. PARITE 5.8% | VIRUT 5.6%
8. NSANTI 2.5% | DOWNLOADER 4%
9. PESTUB 1.9% | POLIPOS 3.2%
10. MULDROP 1.8% | ACADAP 2.2%
[Glossary residue: terms listed, definitions not recovered: Trojan; Phishing; ASP.NET; Botnet; DHTML Editing Component; ActiveX; E-mail; Hyperlink; KrCERT/CC; LLS; NetBIOS; OLE/COM; PNG; SMB; TCP Syn Flooding; Windows SharePoint Services; Windows Shell]