S YMANTEC ENTERPRISE SECURITY (APJ) 2006 7 12 2007 3
Dean Turner Stephen Entwisle Marci Denesiuk Marc Fossi Joseph Blackbird David McKinney Ronald Bowes Nicholas Sullivan Peter Coogan Candid Wueest Ollie Whitehouse - Zulfikar Ramzan - David Cole Peter Szor David Cowings Shravan Shashikant Igor Moochnick
APJ APJ APJ / ( APJ) ( ) APJ 2006 7 1 2006 12 31 Internet (Symantec Global Intelligence Network) Internet Symantec DeepSight Threat Management System 180 40,000 (Symantec Managed Security Services) Internet 1 2 Internet BugTraq 50,000 1 7,000 45,000 20,000 200 (Symantec Probe Network) 20 (Symantec Phish Report Network) APJ Internet 4 1 BugTraq SecurityFocus (http://www.securityfocus.com) http://www.securityfocus.com/archive/1
APJ 2006 APJ APJ 39% 2006 DoS 46,929 1 APJ Dos DoS 6 APJ 19,095 Bot 2006 APJ 2,268,219 Bot ( ) APJ Bot 7 Bot APJ 16% APJ 98% APJ 39% APJ Internet APJ 48% APJ Looked.P APJ Stration APJ 50 60% CIFS APJ 60% 5
APJ APJ APJ 19% APJ 37% APJ (spam zombie) APJ 4 APJ 14% APJ 69% APJ 20 88% 6
APJ APJ 2006 7 1 12 31 (IDS) (Symantec Global Intelligence Network) Internet Symantec DeepSight Threat Management System 180 40,000 (Symantec Managed Security Services) Internet Internet Bot APJ Bot Bot Bot Internet 2006 APJ APJ 39% 3 APJ 1 39% 39% 3 2 19% 2 1 3 5% 4 5% 6% 5 5% 8% 6 7 5% 8 9 < 6% 10 5% 1. APJ 7
APJ APJ 19% Internet 1 APJ Bot 26% 5% Bot IRC Bot Bot Bot Bot Bot ( ) APJ APJ 5% Bot ( ) APJ 2 APJ APJ APJ (Denial of Service DoS) DoS DoS DoS Internet DoS ( ) DoS 3 8 2 9 (2006 3 ) http://enterprisesecurity.symantec.com/content.cfm?articleid=153913 3 8 (2005 9 ) http://eval.veritas.com/mktginfo/enterprise/white_papers/ent-whitepaper_symantec_internet_security_threat_report_viii.pdf11 30
APJ 2006 DoS 46,929 53,114 1 Bot 470 600 29% Bot DoS Bot DoS APJ DoS 9,968 9,447 5% 2006 APJ Dos Dos 6 APJ 64% DoS 1 6 64% 1 2 1 10% 3 8% 10% 4 4% 4% 5 4% 5% 6 < 7 < 8 < 9 < 10 < 2. APJ DoS APJ 4 Internet DoS 2006 APJ DoS APJ DoS 1 10% 4 http://www.webhosting.info/domains/country_stats 9
APJ APJ 5 DoS 6 DoS APJ DoS DoS 8% DoS APJ DoS DoS DoS (ISP) DoS ISP Bot Bot IRC Bot Bot Bot DoS Bot Bot Bot Bot 7 Bot 10 5 http://www.webhosting.info/domains/country_stats 6 http://news.com.com/consumers+gaming+their+way+to+growth+-+part+3+of+south+koreas+digital+dynasty/2009-1040_3-5239555.html 7
APJ [Figure 1: APJ Bot, Jul to Dec (chart; series labels "Bot / APJ Bot /"; axis tick values removed)] 2006 7 1 2006 12 31 APJ 19,095 Bot ( 1) 63,912 Bot APJ Bot 30% 2006 APJ 2,268,219 Bot ( ) APJ 1,002,915 Bot 126% 2006 Bot 6,049,594 APJ Bot 37% APJ Bot ( APJ ) APJ DoS 9,968 9,447 ( 5%) Bot Bot DoS DoS DoS Bot 11
APJ 2006 Bot (9 ) APJ Bot Bot APJ Bot APJ Internet Bot APJ Bot Bot (command-and-control) Bot Bot 2006 2 APJ Bot 34% APJ Bot APJ Bot APJ Bot Bot APJ Bot ( 3) Bot APJ Bot Bot 2006 7 1 12 31 APJ Bot 7 Bot 8 1 9 12 8 http://www.point-topic.com/contentdownload/dslanalysis/world%20broadband%20statistics%20q202006.pdf () 9 http://www.internetworldstats.com
APJ Bot Bot Bot 1 2 3 4 5 6 7 8 9 10 7 1 6% < 26% 4% < < < < 20% 6% < < < < < < < < 3. APJ Bot Internet Bot 10 Internet ISP ISP 2006 APJ Bot 1 Bot 4% 6% ISP Bot APJ Bot 6% 6% APJ 4 ( APJ ) Bot Bot 10 9 (2006 3 ) http://eval.veritas.com/mktginfo/enterprise/white_papers/ent-whitepaper_symantec_internet_security_threat_report_ix.pdf 13 13
APJ Bot Bot Bot Bot 1 2 3 4 5 6 7 8 9 10 16% 8% 5% 4% 5% 20% 9% 7% 5% 4% 96% 97% 97% 4. APJ Bot APJ Bot 2006 Bot 16% ( 4) Bot Bot Bot 20% 11 APJ Bot 8% Bot 5% Bot Bot Bot (spam zombie) Bot Bot ( DoS ) ISP Bot APJ Bot APJ 12 Bot () 52 Bot Bot Bot 14 11 Bot 12 http://www.point-topic.com/contentdownload/dslanalysis/world%20broadband%20statistics%20q202006.pdf ()
APJ ( ) 3 IP 2006 7 1 12 31 APJ 98% ( ) IP ISP 2006 APJ 1.5% APJ APJ Bot Bot Internet Internet APJ APJ 2006 7 1 12 31 APJ 39% ( 5) 15
APJ Bot 1 2 3 4 5 6 7 8 9 10 39% 16% 14% 1 6% 1 5 3 2 4 9 10 8 11 7 1 2 3 4 10 5 7 9 8 12 2 1 3 4 5 6 8 7 11 13 3 4 2 1 5 6 7 8 13 10 1 3 2 4 5 9 6 7 8 11 1 3 4 2 5 10 7 6 9 8 5. APJ Bot ( 7) APJ ( 2) Bot Bot Internet Internet Internet 1 Internet APJ 16% Bot Bot 6% 4 Bot APJ (15%) Bot (6%) Bot ( ) Bot Internet Internet ( 66% Internet) ( 2000 2007 78%) 13 Internet Bot 16 13 http://www.internetworldstats.com
APJ 2006 APJ 14% APJ APJ ( ) 14 Internet 1 APJ Internet APJ Internet Internet APJ Internet Internet Internet 15 Internet 20% ( 6) 14 http://www.hess.com.tw/en/about 17
APJ 1 2 3 4 5 6 7 8 9 10 20% 14% 10% 9% 8% 8% 7% 6% 5% 6. Internet Internet APJ Internet Bot Internet 14% Internet Internet 10% Internet ( Internet 0.) Internet 24 Internet APJ Internet Internet 15 Internet ISP Internet 18 15 http://www.internetworldstats.com
APJ 1 2 (Symantec Digital Immune System) 2006 7 1 12 31 Sober ( ) W32.Sober@mm ( Sober) Sober.X Sober ( HTTP FTP SMTP DNS ) DMZ 19
APJ 2006 APJ 48% ( 2) 45% 16 50 28% 48% 5 48% 45% 9% 10% 15% 2. ( ) 2006 APJ 50 48% 5 APJ APJ Netsky.P 17 Looked.P 18 APJ 50 28% 9% Looked ( Looked.P) APJ 20 16 100% 17 http://www.symantec.com/security_response/writeup.jsp?docid=2004-032110-4938-99 18 http://www.symantec.com/security_response/writeup.jsp?docid=2006-071212-0124-99
APJ APJ Looked.P ( 7) Looked.P 75% 1 2 3 4 5 6 7 8 9 10 2 3 5 40 1 11 >50 22 38 4 W32.Looked.P W32.Stration W32.Stration.DL W32.Looked.O W32.Netsky.P W32.Sality.U W32.Looked.I W32.Mytob.U W32.Mytob.AA W32.Blackmal.E SMTP SMTP SMTP, P2P SMTP SMTP SMTP, www.e-gold.com (Lineage) 7. APJ (Geographic Cluster) Looked / APJ 25 Looked 75% Looked.P 96% Looked.I 19 99% Looked.J 20 70% Looked.AH 21 P2P P2P 19 http://www.symantec.com/security_response/writeup.jsp?docid=2006-052911-4543-99 20 http://www.symantec.com/security_response/writeup.jsp?docid=2006-061614-3351-99 21 http://www.symantec.com/security_response/writeup.jsp?docid=2006-091513-2550-99 21
APJ () Looked Mytob.AA 22 Mytob.AG 23 Mytob.EE 24 Mytob.U 25 SMTP SMTP APJ Stration 26 Stration.DL 27 Stration Stration Internet Gampass 28 Lineage 29 APJ APJ 2006 APJ Gampass 8 Lineage 5 Bacalid 30 Bacalid.B 31 22 22 http://www.symantec.com/security_response/writeup.jsp?docid=2005-040421-3550-99 23 http://www.symantec.com/security_response/writeup.jsp?docid=2005-041009-4908-99 24 http://www.symantec.com/security_response/writeup.jsp?docid=2005-061118-3634-99 25 http://www.symantec.com/security_response/writeup.jsp?docid=2005-040116-4532-99 26 http://www.symantec.com/security_response/writeup.jsp?docid=2006-092111-0525-99 27 http://www.symantec.com/security_response/writeup.jsp?docid=2006-103112-2047-99 28 http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99 29 http://securityresponse1.symantec.com/sarc/sarc.nsf/html/infostealer.lineage.html 30 http://www.symantec.com/security_response/writeup.jsp?docid=2006-090109-5610-99 31 http://www.symantec.com/security_response/writeup.jsp?docid=2006-092010-4342-99
APJ APJ Stration ( 8) 2006 150 ( EMEA) Stration Stration APJ 1 1 Stration SMTP 2 3 3 2 Shufa Gampass Yahoo! IM, SMTP (Lineage) 8. 2006 Shufa 32 Gampass APJ 33 Shufa Gampass.vbs.bat.exe.com.pif.scr 32 http://www.symantec.com/security_response/writeup.jsp?docid=2006-080815-5056-99 33 http://news.com.com/consumers+gaming+their+way+to+growth+-+part+3+of+south+koreas+digital+dynasty/2009-1040_3-5239555.html 23
APJ ( ) 34 2006 APJ 50 60% 66% APJ Looked.P APJ () 84 % ( 3) 80% 7 70% 75% 79% 84% 84% 6 6 59% 3. 24 34 http://www.opsi.gov.uk/acts/acts1998/19980029.htm
APJ APJ 80% Internet 6 APJ APJ Lineage 35 Looked.I 2006 2006 APJ 7 6 APJ 75% 79% () 70% 59% ( 1) 35 http://www.symantec.com/security_response/writeup.jsp?docid=2005-011211-3355-99 25
APJ () (SMTP) Internet (CIFS) 36 (P2P) 2006 100% 2006 CIFS APJ 60% ( 4) 3 CIFS APJ CIFS Looked.P 37 APJ Looked.O 38 Looked.P 50 Looked API 48% Looked.P 50 Looked 10% 78% P2P CIFS SMTP 45% 60% 15% 3 29% 10% 4% 7% 4. 26 36 Internet (CIFS) CIFS Internet 37 http://www.symantec.com/security_response/writeup.jsp?docid=2006-071212-0124-99 38 http://www.symantec.com/security_response/writeup.jsp?docid=2006-071212-0828-99
APJ APJ 50 45% SMTP SMTP SMTP 50 78% APJ SMTP Looked APJ SMTP SMTP APJ APJ 7% P2P 29% P2P P2P SMTP APJ P2P Antinny 39 Antinny P2P Winny Antinny Winny 2006 Antinny APJ P2P P2P ( Netsky.P Mydoom.L 40 ) P2P SMTP P2P SMTP P2P SMTP 39 http://www.symantec.com/security_response/writeup.jsp?docid=2003-080817-4045-99 40 http://www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99 27
APJ (Phishing) ( ) APJ 2006 7 1 2006 12 31 APJ 20 600 2 5 () APJ APJ APJ ( 9) 41 42 28 41 http://www.webhosting.info/webhosts/globalstats 42 http://webhosting.info/domains/countrystats
APJ 1 2 3 4 5 6 7 8 9 10 5 6 8 9 17 19 30 38 39 42 2 20% 17% 15% 8% 6% < < < < 9. ( ) APJ APJ 43 45 APJ Bot Bot Web Bot Web APJ 17% Bot Bot 29
APJ APJ ( 10) 19% Internet ISP APJ 1 3 19% 2 6 14% 3 9 1 4 13 9% 5 24 6% 6 42 4% 7 56 < 8 84 < 9 91 < 10 95 < 10. APJ Internet APJ Internet (.jp.tw ) 43 30
APJ (MTA) IP HTTP DNS 44 ( A ) 45 46 ( A ) ( ) Internet Computer Complaint Center (IC3) Internet 47 APJ 48 49 Web Proxy 43 http://www.citymayors.com/features/quality_survey.html 44 45 http://www.antiphishing.org 46 bigbank.combigbankalerts.com big-bank-security.com 47 http://www.ic3.gov/preventiontips.aspx 48 http://www.standardchartered.com/global/home/security_tips/online_threats.htm 49 http://www.aic.gov.au/publications/crm/crm037.html 31
APJ APJ 2006 7 1 2006 12 31 APJ Symantec Brightmail AntiSpam 1,000 Symantec Brightmail AntiSpam ( ) Internet Internet APJ 10 (spam zombie) 10 APJ 10 Internet DNS Bot 32
APJ [Figure 5: APJ 10 (pie chart; legend text lost; surviving labels in order: (2), (8), (10), (1) 37%, Australia, (7), (9), (6), (3) 20%, (4) 8%, (5) 4%)] 5. APJ 10 APJ 37% APJ ( 5) Bot Bot Bot APJ 4 Bot APJ 2 ISP 50 APJ 2006 APJ 20% ISP APJ 50 SMTP () Internet ( ) 33
APJ (spam zombie) (spam zombie) Bot 2006 7 1 12 31 APJ ( 11) 4 Bot Bot 10 Bot ( Mytob.U) 1 2 3 4 5 6 7 8 9 10 2 9 11 16 17 24 26 27 32 33 4 15% 1 9% 5% 9% < < 11. (spam zombie) 15% 51 Internet Internet Bot 2006 APJ 1 Bot 34 51 http://www.point-topic.com/contentdownload/dslanalysis/world%20broadband%20statistics%20q202006.pdf ( )
APJ APJ 14% ( 12) 15% ISP 10 Bot 1 2 14% 2 5 1 3 14 5% 4 15 4% 5 18 4% 6 24 7 26 8 30 9 31 10 37 < 12. (spam zombie) 2006 APJ (spam zombie) 1 1 ISP Bot APJ APJ 5% Bot APJ 35
APJ Symantec Brightmail AntiSpam 52 2006 7 1 12 31 Internet 59% APJ 59% 13 20 5 1 2 3 4 5 88% 86% 86% 85% 84% 13. APJ APJ 20 88% 86% 86% APJ 53 Bot 2005 7 35% 2005 90% 6 8% 28% 36 52 Symantec Brightmail AntiSpam SMTP DNS SMTP SMTP 53 http://www.bsa.org/globalstudy/upload/2005%20piracy%20study%20-%20official%20version.pdf
APJ A 1. 2. 3. 4. ( HTTP FTP DNS ) 5. ( ) 6. 7..vbs.bat.exe.pif.scr 8. 9. Internet 10. 11. 12. 13. ( IM ) ( ) 37
APJ 1. 2. 3. 4. 5. 6. www.symantec.com/securitycheck Macintosh 7. 8. ISP 9. ( IM ) ( ) 10. (EULA) EULA 11. 38
APJ B Symantec DeepSight Symantec honeypot IDS (DoS) SYN DoS SYM SYN IP SYN () Internet DoS DoS DoS DoS IP IP DoS IDS IPS DoS 39
APJ Bot Bot Bot Bot Bot Bot 2006 Bot Bot Bot Bot Bot Bot Internet Bot Bot Bot Bot IP IP Bot IP IP 40
APJ [Table 6 (appendix B table; cell text lost in extraction; only the values 89%, Internet and VAR/VAD survive)] 6. 41
APJ C 1 2 (Symantec Digital Immune System) (SARA) Symantec Antivirus SARA (zoo ) 42
APJ D APJ Internet APJ Symantec Brightmail AntiSpam Internet Symantec Brightmail AntiSpam URL 20 600 2 5 / ( ) Symantec Brightmail AntiSpam Symantec Brightmail AntiSpam 43
APJ IP 20 600 2 5 / Symantec Brightmail AntiSpam Symantec Brightmail AntiSpam Brightmail Logistical Operations Center (BLOC) Symantec Brightmail AntiSpam Symantec Brightmail AntiSpam SMTP DNS SMTP SMTP 1,000 Symantec Brightmail AntiSpam Internet 44
APJ 10 IP IP (spam zombie) IP IP IP TCP 25 (spam zombie) IP (spam zombie) Symantec Brightmail AntiSpam 45
2007 Symantec Symantec Brightmail DeepSight Digital Immune System Symantec AntiVirus Apple Mac OS Macintosh Apple Inc. IBM DB2 International Business Machines Corporation ( ) ActiveX MSN PowerPoint Visual Studio Win32 Windows Windows Vista Microsoft Corporation ( ) Sun Solaris Sun Microsystems, Inc.
Cupertino 40 http://www.symantec.com 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA +1 (408) 517 8000 1 (800) 721 3934 www.symantec.com 105 188 2F-7 (02) 8761-5800 (02) 2742-2838 2007 03/07 WP-00152-TW 110 200 20F (02) 8722-7000 (02) 2345-5009 www.symantec.com.tw