Introduction of Malware Issues - oecd.org

Introduction of Malware Issues
Yuejin Du, Ph.D., Deputy CTO of CNCERT/CC
APEC-OECD Malware Workshop
APEC-TEL 35, 2007.4.22, Manila
National Computer network Emergency Response technical Team / Coordination Center of China (CNCERT/CC)
Contents
• What is Malware
• Introduction: some of the most common types of malware
• Summary
What is Malware
• Computer systems: hardware & software
• Malware: malicious ‘ware’; fortunately, so far this ‘ware’ only includes the ‘soft’ kind.
• Usually malware hurts you by way of:
  – the malware itself
  – the bad guys ‘behind’ it
• Either way, the harm is that it can:
  • destroy your important work or personal data;
  • make your computer system unusable;
  • steal your sensitive information (and money);
  • watch your private activities;
  • abuse YOUR computer and network resources;
  • control your computer and systems secretly;
  • launch attacks and commit crime;
  • etc.
Virus: destroys personal data and computer systems
• A computer virus is a kind of ‘virus’, just like the viruses in the real world
  – Basic features of a virus in the real world
    • Invisible: attached to everyday articles
    • Propagable: propagates after it ‘settles’ in a suitable environment, e.g. your body
    • Harmful: makes you sick if the immune system can not handle it (too many / new)
  – Basic features of a computer virus (this term is now often used to refer to all kinds of malware)
    • Invisible: hides in programs, document files, storage devices, etc.
    • Propagable: self-replicates after it has compromised a computer
    • Harmful: destroys your personal data, applications, or computer system when a pre-set condition is matched
About Virus (cont.)
• Nobody is behind the malware: even the writer can not control the propagation. The threat comes from the code itself.
• How the target is chosen: randomly
• How it can come in:
  – In the past: boot devices; file/document sharing
  – Now: USB and other storage devices (auto-run function); email (spam) and other network applications; etc.
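Worked example (added here; it is not part of the original slides): a check for the ‘auto-run function’ vector named above. Windows read autorun.inf from removable media and ran whatever the open, shellexecute or shell\<verb>\command entries pointed at, so a quick triage step for a suspect USB stick is to parse that file the forgiving way Windows does and list every entry that would execute something. The sample autorun.inf below is constructed for this example and hidden\setup.exe is a made-up path, not a real sample.

```python
"""Report autorun.inf entries that would launch a program from removable media.

Added example, not from the slides. The sample file below is constructed for
illustration; 'hidden\\setup.exe' is a made-up path, not a real sample.
"""
import re
from typing import Dict, List

# Keys under [autorun] that cause execution on insertion or double-click.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... runs when the user picks <verb> from the drive's context
# menu; attackers relabel the verb "Open folder to view files" so the default
# action runs their payload.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse autorun.inf as a forgiving INI reader.

    Section and key names are lower-cased because Windows matches them
    case-insensitively; lines that are neither '[section]' nor 'key=value'
    (common obfuscation padding) are skipped instead of raising.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launch_entries(text: str) -> List[str]:
    """Return 'key -> target' for each [autorun] entry that would execute something."""
    autorun = parse_autorun(text).get("autorun", {})
    return [
        f"{key} -> {value}"
        for key, value in autorun.items()
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)
    ]


# Constructed sample in the style of USB worms: a decoy icon, a direct 'open'
# entry, and the 'Open folder' verb hijacked so the default action runs the payload.
SAMPLE_AUTORUN = """
; comment line a naive scanner might stop at
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=hidden\\setup.exe
shell\\open=Open folder to view files
shell\\open\\command=hidden\\setup.exe
shell\\explore\\command=hidden\\setup.exe
useautoplay=1
"""

# Constructed benign file: only an icon and a label, nothing executable.
BENIGN_AUTORUN = "[autorun]\nicon=disk.ico\nlabel=Photos\n"

if __name__ == "__main__":
    for entry in find_launch_entries(SAMPLE_AUTORUN):
        print("would execute:", entry)
    print("benign entries:", find_launch_entries(BENIGN_AUTORUN))
```

The parser deliberately tolerates garbage lines and mixed case, because autorun.inf files found on infected media often carried both to slip past scanners that used a strict INI reader; the check that matters is whether any launch key survives parsing at all.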
Trojan & Spyware: hidden spy in your computer
• Trojan Horse: just like the ancient story of the Trojan horse in the Trojan War
  – YOU let it come in (you run some software, aware of it or not)
  – YOU think it is a wooden horse (an interesting application)
  – But there are hidden hostile soldiers inside (a hidden program remotely controlled by somebody)
• Spyware: some ‘ware’ that works like a spy in your computer
  – Steals your information and sends it out
Threats of Trojan and Spyware
• Sensitive information leakage
  – Personal ID info. and other private data
  – Confidential info. of companies, organizations, and the nation
• Loss of control of running systems: personal computers, key servers, important application systems, etc.
  – You’re not the only owner, and you can not assume the hidden ‘owner’ who controls all your resources is your friend!
• Unlike a computer virus, the danger of a Trojan or spyware does not come from the malware itself, but from the guy behind it.
Trojan: Features and Evolution
• According to the Symantec report, the Trojan horse was the most popular malware in the AP area during the second half of 2006: 48% of malware was Trojans
• CNCERT/CC found that more than 500,000 IPs in China had been controlled by Trojan horses during the first 3 months of 2007. More than 40,000 computers outside China were controlling those infected hosts
• Spread: by worm, email, web pages and any online services
Worm: huge threat that could crash the whole Internet
• Worm: just like the worm in the real world
  – Independent creature (a program that runs without a host program)
  – Moves around by itself (self-replicates and propagates around the network)
  – Comes into your house through the gaps in your doors and windows (infects online computers through technical or management vulnerabilities)
• Fast propagation can use up the network bandwidth and thus block large areas of the network
  – Many examples: Morris, Code Red, SQL Slammer, etc.
  – One of the biggest dangers to CIIP (critical information infrastructure protection)
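Worked example (added here; it is not from the slides): why ‘fast propagation can use up the network bandwidth’. For a worm that probes uniformly random IPv4 addresses, the infected fraction follows the standard logistic (random-constant-spread) model, so the time to reach most of the vulnerable population and the probe traffic at saturation both follow from three numbers: vulnerable hosts, scans per second per host, and probe size. The host counts, scan rates and packet sizes in the comparison at the bottom are assumptions in the range reported for Code Red- and Slammer-class worms, not figures from this deck.

```python
"""Logistic model of a random-scanning worm and the scan traffic it generates.

Added example, not from the slides. Each infected host probes `scan_rate`
random IPv4 addresses per second; a probe hits a vulnerable host with
probability N / 2**32, so the infected fraction i(t) obeys
di/dt = K * i * (1 - i) with K = scan_rate * N / 2**32. The host counts,
scan rates and packet sizes in SCENARIOS are assumptions in the range
reported for Code Red- and Slammer-class worms, not measurements.
"""
import math
from typing import Dict

ADDRESS_SPACE = 2 ** 32


def spread_constant(vulnerable_hosts: int, scan_rate: float) -> float:
    """K: new infections per infected host per second while almost nobody is infected."""
    return scan_rate * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(t: float, k: float, i0: float) -> float:
    """Closed-form solution of the logistic equation with i(0) = i0."""
    growth = math.exp(k * t)
    return i0 * growth / (1 - i0 + i0 * growth)


def time_to_fraction(target: float, k: float, i0: float) -> float:
    """Seconds until i(t) reaches `target`; the inverse of infected_fraction."""
    return math.log(target * (1 - i0) / (i0 * (1 - target))) / k


def scan_traffic_bps(infected_hosts: float, scan_rate: float, probe_bytes: int) -> float:
    """Aggregate bits per second of scan probes emitted by the infected population."""
    return infected_hosts * scan_rate * probe_bytes * 8


def worm_timeline(vulnerable_hosts: int, scan_rate: float, probe_bytes: int,
                  initial_infected: int = 1) -> Dict[str, float]:
    """Milestones for one worm: spread constant, early doubling time, time to 50/90/99%, peak load."""
    k = spread_constant(vulnerable_hosts, scan_rate)
    i0 = initial_infected / vulnerable_hosts
    return {
        "k_per_s": k,
        "doubling_time_s": math.log(2) / k,          # valid while i(t) is still small
        "t_50pct_s": time_to_fraction(0.50, k, i0),
        "t_90pct_s": time_to_fraction(0.90, k, i0),
        "t_99pct_s": time_to_fraction(0.99, k, i0),
        "scan_gbps_at_saturation": scan_traffic_bps(vulnerable_hosts, scan_rate, probe_bytes) / 1e9,
    }


# Assumed parameters (not from the deck): a Code Red-class TCP worm whose probe
# is a 60-byte SYN, and a Slammer-class worm whose probe is one 404-byte UDP datagram.
SCENARIOS = {
    "code-red-like": dict(vulnerable_hosts=360_000, scan_rate=10, probe_bytes=60),
    "slammer-like": dict(vulnerable_hosts=75_000, scan_rate=4_000, probe_bytes=404),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        tl = worm_timeline(**params)
        print(f"{name}: 90% infected after {tl['t_90pct_s'] / 60:.1f} min, "
              f"doubling every {tl['doubling_time_s']:.1f} s, "
              f"{tl['scan_gbps_at_saturation']:.0f} Gbit/s of probes at saturation")
```

Under these assumptions the Slammer-like worm reaches 90% of its victims in a few minutes and its probes add up to hundreds of Gbit/s, orders of magnitude more than the links carrying them, which is the mechanism behind the ‘large areas of network blocked’ bullet; the Code Red-like worm needs hours because each host scans hundreds of times more slowly.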
‘Non-traditional’ threats and new trends
• Worms are not ‘pure’ any more; abusing bandwidth is not the only threat they can cause
  – Leave a backdoor: Code Red (to the whole world)
  – Build up a botnet: Deloader
  – Launch DDoS: Msblast
• 0-day attacks and the growing number of vulnerabilities
• The worm is becoming the most common tool for spreading other malware
Botnet: underground dark army
• The most severe threat to the information society now
• A botnet is just like an amplifier: it can dramatically enlarge the damage of nearly all other attacks:
  – Launch worms to break down the backbone
  – DDoS
  – Online ID theft
  – Deploy Trojans or spyware (for secret control or information stealing)
• Bad guys have their super power and underground ‘army’ now
  – Millions of online computers are under their control, and they can command this ‘army’ to do anything
What is Botnet
(diagram, three tiers) Herder(s) control the C&C Servers, which control the Zombies & Bots (malware)
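Worked example (added here; it is not from the slides): one detection check that follows directly from the diagram. Bots contact the C&C server on a timer, so in connection logs an infected host shows the same destination at near-constant intervals, which is rare for a person at a keyboard. The script groups a minimal constructed ‘epoch_seconds src dst:port’ log by flow and flags flows whose inter-arrival times have a low coefficient of variation. The addresses, the 300-second interval and the thresholds are constructed for the example, not values from any real botnet.

```python
"""Flag hosts that contact one endpoint at clockwork intervals (C&C beaconing).

Added example, not from the slides. Input is a constructed, minimal
'epoch_seconds src dst:port' connection log, one record per line; the
addresses, interval and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # (source host, destination host:port)


def parse_log(lines: List[str]) -> Dict[Flow, List[float]]:
    """Group connection start times by flow, sorted ascending."""
    flows: Dict[Flow, List[float]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of aborting the whole run
        ts, src, dst = parts
        flows[(src, dst)].append(float(ts))
    return {flow: sorted(stamps) for flow, stamps in flows.items()}


def beacon_score(timestamps: List[float]) -> Tuple[float, float]:
    """Return (mean gap, coefficient of variation of the gaps) between connections.

    A sleep()-driven bot produces gaps with a tiny coefficient of variation;
    a person browsing the same site does not.
    """
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))


def find_beacons(lines: List[str], min_connections: int = 6,
                 max_cv: float = 0.15) -> List[Tuple[str, str, float]]:
    """Return (src, dst, mean_gap_s) for flows that look like periodic C&C check-ins."""
    hits = []
    for (src, dst), stamps in parse_log(lines).items():
        if len(stamps) < min_connections:
            continue  # too few samples to call anything periodic
        avg, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1)))
    return sorted(hits)


# Constructed sample: 10.0.0.5 checks in with an IRC-style C&C every ~300 s
# (small jitter), while 10.0.0.9 visits a web server at human-looking times.
SAMPLE_LOG = [
    "1000 10.0.0.5 203.0.113.7:6667",
    "1301 10.0.0.5 203.0.113.7:6667",
    "1599 10.0.0.5 203.0.113.7:6667",
    "1902 10.0.0.5 203.0.113.7:6667",
    "2200 10.0.0.5 203.0.113.7:6667",
    "2498 10.0.0.5 203.0.113.7:6667",
    "2801 10.0.0.5 203.0.113.7:6667",
    "1020 10.0.0.9 198.51.100.3:80",
    "1035 10.0.0.9 198.51.100.3:80",
    "1510 10.0.0.9 198.51.100.3:80",
    "1513 10.0.0.9 198.51.100.3:80",
    "2870 10.0.0.9 198.51.100.3:80",
    "3400 10.0.0.9 198.51.100.3:80",
    "3405 10.0.0.9 198.51.100.3:80",
    "malformed line",
]

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

Two caveats before using this on real traffic: legitimate software also beacons (time sync, update checks, monitoring agents), so known endpoints need an allow-list, and bots that add deliberate jitter raise the coefficient of variation, so max_cv has to be tuned against your own baseline rather than taken from this example.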
How big the army is
• In 2006 CNCERT/CC found:
  – 12 million IPs in China were controlled by botnets (2.5 million in 2005)
  – More than 500 botnets (each containing at least 50 bots); more than 16,000 C&C servers outside China
  – The biggest botnet contained 1.29 million bots
• In the AP area, 71% of bots were in China in the second half of 2006 (from Symantec)
Severe attacks related to malware
• DDoS: very dangerous to CII and the whole Internet; very difficult to deal with
  – Reason: bad guys can control a GREAT number of infected hosts to do it
  – 63% of DDoS attacks were targeted at China in the second half of 2006 (from Symantec)
• Online ID theft: keyloggers; redirection; spam and malware in fake websites (phishing)
  – 31,055 phishing sites located in China in 2006 (from APWG)
  – 576 phishing incidents reported (2005: 456; 2004: more than 200)
Phishing
(diagram)
Victims: End users
Victims: Companies and their websites
Tools: Fake websites
Attackers: Gather info. from dummies and get money from bank/market
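Worked example (added here; it is not from the slides): a check for the ‘fake websites’ tool in the phishing diagram and the ID-theft bullet before it. Phishing hostnames typically embed or mis-spell the brand they imitate, so a cheap first filter on URLs from mail or proxy logs is to flag hostnames that use a brand as a subdomain, spell it with look-alike characters, are one edit away from it, or merely contain it. The brand ‘examplebank’ and the candidate hostnames are constructed for the example; the public-suffix handling is deliberately naive (it drops only the last label), which a production version would replace with a public-suffix list.

```python
"""Flag hostnames that impersonate a brand the way phishing sites do.

Added example, not from the slides. The brand list and hostnames below are
constructed for illustration; 'examplebank' is a made-up brand.
"""
from typing import List, Optional, Tuple

# Single characters attackers substitute because they look alike on screen.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Character pairs that render like a single different letter.
MULTI_CHAR_SWAPS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Fold visually confusable spellings onto plain lower-case ASCII."""
    out = label.lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_CHAR_SWAPS:
        out = out.replace(fake, real)
    return out.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_labels(hostname: str) -> List[str]:
    """Hostname labels without the public suffix (naive: drops only the last label)."""
    return hostname.lower().rstrip(".").split(".")[:-1]


def lookalike_of(hostname: str, brands: List[str],
                 max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if `hostname` impersonates one of `brands`, else None.

    The last remaining label is the registrable domain; a brand sitting there is
    the brand's own site, a brand anywhere else (or a near-miss spelling) is suspicious.
    """
    labels = registrable_labels(hostname)
    if not labels:
        return None
    registrable = labels[-1]
    for brand in brands:
        for label in labels:
            if label == brand:
                if label != registrable:
                    return brand, f"brand used as subdomain of {registrable}"
                continue
            folded = normalize(label)
            if folded == brand:
                return brand, f"homoglyph spelling '{label}'"
            if edit_distance(folded, brand) <= max_distance:
                return brand, f"typosquat '{label}'"
            if brand in folded:
                return brand, f"brand embedded in '{label}'"
    return None


BRANDS = ["examplebank"]
# Constructed candidates: one legitimate host, then four phishing-style look-alikes.
CANDIDATES = [
    "www.examplebank.com",
    "examplebank.com.secure-login.net",
    "exarnplebank.com",
    "examplebnk.com",
    "examp1ebank-verify.org",
]

if __name__ == "__main__":
    for host in CANDIDATES:
        print(host, "->", lookalike_of(host, BRANDS) or "ok")
```

The order of the checks matters: the exact-match test runs first so the brand's own site is never flagged, and the substring test runs last because it is the noisiest; in practice the output feeds a blocklist review rather than an automatic block.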
Malware downloadable everywhere
Number of Vulnerabilities increasing
(chart: vulnerabilities reported per year)
Year  Vulnerabilities
1995    171
1996    345
1997    311
1998    262
1999    417
2000   1090
2001   2437
2002   4129
2003   3784
2004   3780
2005   5990
2006   8064
Source: www.cert.org
Incidents reported to CNCERT/CC (scanning is excluded)
(chart: annual count of non-scanning network incidents received by CNCERT/CC)
Year  Incidents
2003   2,557
2004   4,485
2005   9,112
2006  26,476
International cooperation needed
• Law issues
• Tech issues
• Info sharing
• Tech sharing
• Incident handling
• etc.