• Proceedings of the Korea Information Assurance Society Conference
• /
• 2004.05a
• /
• pp.175-180
• /
• 2004

In early 2003, a worm called Sobig was found. Later, many of its variations were found, and win32.Sobig.F caused the most serious problems. This kind of simply modified worms (including those caused by the 'war' between Netsky vs. Beagle Worm) will be expected to cause many more problems. In this paper, we analyze the Sobig Worm and its variations. We, further, design a method that can expect future directions of modifications. We believe this will prevent serious loss such as we experienced on Jan 25.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.19 no.12
• /
• pp.2858-2864
• /
• 2015

Internet worms have been the major Internet threats may disclose important information and can bring about faults of computer systems, which spread with the fastest speed among malicious codes. Simultaneously spreading multiple worms and its variants are revealing the limitation of conventional responses based on single worms. In order to defend them effectively, it is necessary to study how multiple worms propagate and what factors affect worm spreading. In this paper, we improve the existed single worm spreading models and try to describe the correct spreads of multiple worms. Thus we analyze the spreading effects of multiple worms and its variants by various experiments.

• Proceedings of the Korean Information Science Society Conference
• /
• 2004.10a
• /
• pp.346-348
• /
• 2004

급증하고 있는 인터넷 환경에서 정보보호는 가장 중요한 고려사항 중 하나이다. 특히, 인터넷의 발달로 빠르게 확산되고 있는 웜 바이러스는 현재 바이러스의 대부분을 차지하며, 다양한 종류의 바이러스들과 악성코드들을 네트워크에 전파시키고 있다 지금 이 순간도 웜 바이러스가 네트워크를 통해 확산되고 있지만, 웜 바이러스의 탐지가 응용레벨에서의 룰-매칭 방식에 근거하고 있기 때문에 신종이나 변종 웜 바이러스에 대해서 탐지가 난해하고, 감염된 이후에 탐지를 할 수밖에 없다는 한계를 가지고 있다. 본 연구에서는 신종이나 변종 웜 바이러스의 탐지가 가능하고, 네트워크 레벨에서 탐지할 수 있는 신경망의 인공지능 모델 중 SOFM을 이용한 웜 바이러스 탐지 방안을 제시한다.

• Proceedings of the Korea Information Assurance Society Conference
• /
• 2004.05a
• /
• pp.333-337
• /
• 2004

The Internet worm is changed rapidly and virus vaccine can not defense the whole Internet worm. To prevent them form spreading into network and analysis specifications, we design and implement the Internet Worm Traffic Generator. In this research, we offer the real worm propagation environment through protocol and scenario specification.

• The Journal of the Korea Contents Association
• /
• v.7 no.11
• /
• pp.94-101
• /
• 2007

We introduce the way to detect the mutation worm. We implemented the program that can generate signature using LCSeq(Longest Common Subsequence) technique in Suffix Tree studied as pattern recognition algorithm. We also showed the process to detect the mutation of CodeRed worm and Nimda worm and evaluated signatures generated by snort and LCSeq.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.3
• /
• pp.17-28
• /
• 2006

The appearance of variant malicious codes using obfuscation techniques is accelerating the spread of malicious codes around the detection by a vaccine. n a system does not patch detection patterns for vulnerabilities and worms to the vaccine, it can be infected by the worms and malicious codes can be spreaded rapidly to other systems and networks in a few minute. Moreover, It is limited to the conventional pattern based detection and treatment for variants or new malicious codes. In this paper, we propose a method of behavior based detection by the static analysis, the dynamic analysis and the dynamic monitoring to detect a malicious code using obfuscation techniques with the PE compression. Also we show that dynamic monitoring can detect worms with the PE compression which accesses to important resources such as a registry, a cpu, a memory and files with the proposed method for similarity.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.2
• /
• pp.283-293
• /
• 2012

A new type of malware that extracts personal and account data over an extended period of time and that apparently is resistant to detection by vaccines has been identified. Generally, a malware is installed on a computer through network-to-network connections by utilizing Web vulnerabilities that contain injection, XSS, broken authentication and session management, or insecure direct-object references, among others. After the malware executes registration of an arbitrary service and an arbitrary process on a computer, it then periodically communicates the collected confidential information to a hacker. This paper is a systematic approach to analyzing a new type of malware called "winweng," a kind of worm that frequently made appearances during the first half of 2011. The research describes how the malware came to be in circulation, how it infects computers, how its operations expose its existence and suggests improvements in responses and countermeasures. Keywords: Malware, Worm, Winweng, SNORT.

• KIPS Transactions on Computer and Communication Systems
• /
• v.11 no.10
• /
• pp.363-372
• /
• 2022

Since the recent COVID-19 Pandemic, the ransomware fandom has intensified along with the expansion of remote work. Currently, anti-virus vaccine companies are trying to respond to ransomware, but traditional file signature-based static analysis can be neutralized in the face of diversification, obfuscation, variants, or the emergence of new ransomware. Various studies are being conducted for such ransomware detection, and detection studies using signature-based static analysis and behavior-based dynamic analysis can be seen as the main research type at present. In this paper, the frequency of ".text Section" Opcode and the Native API used in practice was extracted, and the association between feature information selected using K-means Clustering algorithm, Cosine Similarity, and Pearson correlation coefficient was analyzed. In addition, Through experiments to classify and detect worms among other malware types and Cerber-type ransomware, it was verified that the selected feature information was specialized in detecting specific ransomware (Cerber). As a result of combining the finally selected feature information through the above verification and applying it to machine learning and performing hyper parameter optimization, the detection rate was up to 93.3%.