21 5 Korea Internet & Security Agency
[Figure residue: monthly bot infection statistics, "Bot" and "Bot PC" series, month axis 1 to 12, two yearly series compared; numeric labels garbled in extraction]
[Table residue: top-10 malware families reported per month over five months, with counts and monthly totals; counts garbled in extraction. Families listed: ONLINE GAMEHACK, AGENT, MALWARE, XEMA, DOWNLOADER, AUTORUN, FAKE AV, BAGLE, BREDOLAB, INDUC, PALEVO, FAKESYS, BIFROSE, LMIRHACK, DAONOL, KILLAV, SECURISK, VIRUT, PATCHED]
[Table residue: monthly counts broken down by operating system (Windows, Linux, Solaris, other), month axis 1 to 12; values garbled in extraction]
[Figure residue: monthly IP counts and percentage series, month axis 1 to 12; values garbled in extraction]
[Figure residue: share of traffic by destination port (445, 139, 135, 1433, 23 and others); percentages garbled in extraction]
[Table residue: monitored ports and the worm/exploit traffic associated with each; several port numbers garbled in extraction. Entries as extracted: Cisco Telnet (23); Symantec Exploit (2967); WebDAV, ASN.1-HTTP, Cisco HTTP; Bagle, Bagle2 (2745); DCOM, DCOM2 (135); MyDoom (3127); NetBIOS, ASN.1-NT (139); Optix; IMail (143); UPNP; NetBIOS, LSASS, WksSvc, ASN.1-SMB, DCOM, RPC (445); Veritas Backup Exec; NetDevil; Dameware (6129); DCOM; Kuang2; MS-SQL (1433); Sub7 (27347)]
1) Http://www.microsoft.com/technet/security/current.aspx
2) Http://www.boho.or.kr/pccheck/pcch_5.jsp?page_id=5
[Figure residue: daily counts, day axis 1 to 31, and monthly IP counts, month axis 1 to 12; values garbled in extraction]
3) KISC - Korea Internet Security Center, KISA
[Figure residue: top source countries (China, U.S.A, Thailand) and the most frequent attack signatures by port: TCP/1433, TCP/1521, TCP/2967, TCP/9415, TCP/22, TCP/445 netbios smb c$ unicode, TCP/445 microsoft windows pnp overflow exploit, ICMP icmp ping X-scan scan; percentages garbled in extraction]
[Table residue: top-10 attack signatures per month by port and rule name; percentages and some port numbers garbled in extraction. Signatures listed: TCP/1433, TCP/2967, TCP/22, TCP/1521, TCP/3389, TCP/9415, TCP/445 netbios smb client to lsasrv request, TCP/445 netbios lsass buffer overflow 2, UDP/53 udp service scan, ICMP icmp ping Advanced IP Scanner v1.4, ICMP icmp ping X-scan scan, TCP/139 worm esbot.a]
[Table residue: a second set of top-10 signature rankings per month; percentages and some port numbers garbled in extraction. Signatures listed: TCP/135 netbios dcerpc invalid bind, TCP/135 rpc dcom interface overflow exploit, UDP/1434 worm slammer, UDP/53 backdoor famous botnet ddns dns query, TCP/4899, TCP/1433 mssql xp_cmdshell, TCP/445 netbios lsass buffer overflow2, TCP/139 microsoft windows pnp overflow exploit - suspicious zotob, TCP/3389, TCP/1521, TCP/22, TCP/2967]
[Figure residue: daily traffic volume by port (TCP/25, UDP/53, TCP/443 and others, port numbers partly garbled) and daily counts by attack type: HSweep, UDP Tear Drop, UDP Flooding, TCP ACK Flooding, Ping Sweep, TCP Connect DOS, ICMP Unreachable Storm, TCP SYN Flooding(DDos), ICMP Tear Drop, HTTP Login Brute Force; day axis 5/1 to 31]
[Table residue: top-10 virus families by month over five months; PWS ranks first and HLLW second in every month. Other families listed: GENERIC, VIRUT, BREDLAB, HLLM, DOWNLOADER, PARITE, NSANTI, PESTUB, MULDROP, POLIPOS, ACADAP, UPX, BURSTED, PERITE, PSYME; percentages garbled in extraction]
512855 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/index.php
512486 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/history/index.php
512481 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/customer/index.php
512297 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/index.php
512521 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/intro/index.php
512461 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/appointment/index.php
512535 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/medical/index.php
513363 4 -rw-rw-r-- 1 user group 1211 2 27 13:3 ./***/wwwhome/board/admin/gallery/index.php
32735443 4 -rw-rw-r-- 1 user1 group1 1211 2 27 13:3 ./###/wwwhome/board/admin/history/index.php
32735438 4 -rw-rw-r-- 1 user1 group1 1211 2 27 13:3 ./###/wwwhome/board/admin/customer/index.php
32735477 4 -rw-rw-r-- 1 user1 group1 1211 2 27 13:3 ./###/wwwhome/board/admin/intro/index.php
32735423 4 -rw-rw-r-- 1 user1 group1 1211 2 27 13:3 ./###/wwwhome/board/admin/appointment/index.php
32735492 4 -rw-rw-r-- 1 user1 group1 1211 2 27 13:3 ./###/wwwhome/board/admin/medical/index.php

-rwxrwxrwx 1 nobody nobody 29955 2 27 12:16 /home/goods_hos/gcafe/cafe/board_pds/title/cell.php
-rw-r--r-- 1 nobody nobody 62779 2 27 1:39 /home/goods_hos/gcafe/cafe/board_pds/title/1267234777_th3thunder.php
1) http://toolbox.krcert.or.kr
***.**.9.3 - - [27/Feb/21:1:39:34 +9] "POST /cafe/admin/title_save.php HTTP/1.1" 2 124 // 12672346777_th3thunder.php
***.**.9.3 - - [27/Feb/21:1:39:45 +9] "GET /cafe/board_pds/title/1267234777_th3thunder.php HTTP/1.1" 2 1973

title_save.php:
// The uploaded file is written into the web-served board_pds/title directory under
// its original client-supplied name (prefixed with a timestamp); no extension or
// content check is applied, so a .php upload is stored and can then be requested directly.
$fname = time()."_".stripslashes($_FILES['up_file']['name']);
$dest = $destprefix.$fname;
$source = $_FILES['up_file']['tmp_name'];
if (!move_uploaded_file($source, $dest)) { echo ""; exit; }
[152 12:18] 6D:\Hosting\\######\\Public_html\a.aspx
[152 12:18] 3D:\Hosting\\######\\Public_html\\admin\admin_logoncheck1.asp
[1523 1:6] 3D:\Hosting\\######\\Public_html\1.asp

21-5-21 16:49:11 W3SVC54231313 121.78.236.57 GET /admin/admin_logoncheck1.asp - 8 - **.**.242.187 Mozilla/3.+(compatible;+Indy+Library) 44 2 1626 166
21-5-21 19:37:6 W3SVC54231313 121.78.236.57 GET /1.asp - 8 - **.**..114.8 Mozilla/4.+(compatible;+MSIE+7.;+Windows+NT+5.1;+Maxthon+2.) 2 52 523
21-5-21 19:37:15 W3SVC54231313 121.78.236.57 GET /1.asp - 8 - **.**..114.8 Mozilla/4.+(compatible;+MSIE+7.;+Windows+NT+5.1;+Maxthon+2.) 2 893 584
21-5-21 19:37:19 W3SVC54231313 121.78.236.57 GET /1.asp Action=ShowFile 8 - **.**..114.8 Mozilla/4.+(compatible;+MSIE+7.;+Windows+NT+5.1;+Maxthon+2.) 2 26438 575
21-5-21 19:37:27 W3SVC54231313 121.78.236.57 GET /1.asp Action=UpFile 8 - **.**..114.8 Mozilla/4.+(compatible;+MSIE+7.;+Windows+NT+5.1;+Maxthon+2.) 2 5421 573
21-5-21 19:37:37 W3SVC54231313 121.78.236.57 POST /1.asp Action=UpFile&Action2=Post 8 - **.**..114.8 Mozilla/4.+(compatible;+MSIE+7.;+Windows+NT+5.1;+Maxthon+2.) 2 4886 74145
IP : **.**.242.187 (CHN), **.**.114.8 (KOR)
2) http://www.krcert.net/securenoticeview.do?seq=-1&num=376
[Figure residue: monthly incident counts, month axis 1 to 12, with yearly totals; values garbled in extraction]
[Table residue: monthly counts broken down by web server software (MS IIS, Apache, other), with percentage shares; values garbled in extraction]
[List residue: monitored port numbers, partly garbled in extraction; unambiguous entries: 22, 135, 139, 445, 1433, 1434, 2745, 4899, 6129]
Glossary terms: Trojan, Phishing, ASP.NET, Botnet, DHTML Editing Component, ActiveX, E-mail, Hyperlink, KrCERT/CC, LLS, NetBIOS, OLE/COM, PNG, SMB, TCP Syn Flooding, Windows SharePoint Services, Windows Shell