• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.101-115
• /
• 2011

A botnet is a huge network of hacked zombie PCs. Recognizing the fact that the majority of email spam is sent out by botnets, a system that is capable of detecting botnets and zombie PCS will be designed in this study by analyzing email spam. In this study, spam data collected in "an email spam trail system", Korea's national spam collection system, were used for analysis. In this study, we classified the spam groups by the URLs or attached files, and we measured how much the group has the characteristics of botnet and how much the IPs have the characteristics of zombie PC. Through the simulation result in this study, we could extract 16,030 zombie suspected PCs for one hours and it was verified that email spam can provide considerably useful information in tracing zombie PCs.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.15 no.8
• /
• pp.1720-1726
• /
• 2011

The DDoS attacks which are increasing recently must have many zombie PCs before attacking targeted systems by attacker. A zombie PC is infected by attacker's malignant code and may be operated by the his/her special malicious purposes. But most users generally don't know that their PCs are infected and used as zombies by illegal activities covertly. In this paper, we propose a new scheme that decreases vulnerable PCs and isolates them from Internet before being zombie PCs. The proposed scheme point the reputations of connected PCs and decide whether their Internet connections are keeping continuously or not. Also We show the figures how to infect susceptable PCs to zombie PCs, and analyze the decrease effects of DDoS attacks adapted by the proposed scheme with various experiments.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.17 no.8
• /
• pp.1835-1841
• /
• 2013

With the increase in smartphone users, attacks targeting smartphone malware, zombie smartphone, such as smart phones is increasing. Security of smart phones is more vulnerable than PC security, for a zombie smartphone and generates a serious problem than the zombie PC attack on the smartphone every day is diversification. In this paper, the comparative analysis of malicious code and smartphone DDoS attacks and DDoS attacks from the PC, When using a service by connecting to the data network, proposes a method for users to confirm the packet smartphone direct a method for detecting by using the PC malware Smart PC Phone. Propose the measures of malicious code and smartphone DDoS attacks.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.6 no.5
• /
• pp.1445-1462
• /
• 2012

While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet because these IPs can easily be changed or manipulated. This IP blocking is also insufficient to prevent crimes other than spamming, as the botnet can be simultaneously used for multiple purposes. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concept of "group pollution level" - the degree to which a certain spam group is suspected of being a botnet - and "IP pollution level" - the degree to which a certain IP in the spam group is suspected of being a zombie PC. Such concepts are applied in our system that detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments contained, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected in an "email spam trap system" - Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day and these zombie PCs sent about 70% of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasure against these botnets and zombie PCs.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.19 no.6
• /
• pp.1374-1379
• /
• 2015

Malicious network attacks such as DDoS has no clear measures, the damage is also enormous. In particular, in addition to a network failure, such as leakage of personal information and damage of the communication charge in the case of zombie smartphone is infected, is expected damages of various users. In this study, we extract the zombie smartphone's phenomena and features that appear while the zombie service is running and introduce a corresponding technique to prevent zombie smartphone.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2015.05a
• /
• pp.222-223
• /
• 2015

Malicious network attacks such as DDoS is no clear preparedness, the damage is also a bar. In particular, when a smartphone is infected to the zombies, the damage such as communication fee billing and leakage of personal information with numerous network failures are expected. In this study, with reference of the features that appear in a zombie PC we extract the zombie smartphone's phenomena and features that appear while the zombie service is running.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2012.05a
• /
• pp.667-669
• /
• 2012

Traditional DDoS defence methods are performed at server side which was attacked. If servers detect DDoS attack, they use some methods for defending the attack such as increasing the bandwidth, bypassing the traffic, blocking the IP addresses or blocking the ports by the firewall. But as lots of people use smart-phones, it is possible a smart-phone to be a zombie and DDoS attack could be much more a huge and powerful forms than now. Victims are not only a server but also a host which becomes a zombie. While it performs DDoS attack, zombie smart-phone users have to pay the extra charge. After finish the attack, DDoS try to destroy hard drives of zombie hosts. Therefore the situation is changed rather than to defend DDoS server side only, we should protect a client side who needs to prevent DDoS attacks. In this paper, we study a defence method that we terminates a process which perform the attack, send the information to different hosts when a zombie PC or smart-phone perform DDoS attacks.

• Journal of Advanced Information Technology and Convergence
• /
• v.9 no.1
• /
• pp.1-10
• /
• 2019

In recent years, information collection of attacks through stealth port scanning technology has become more sophisticated. The most commonly used Nmap port scanner supports a variety of stealth scanning technologies along with the existing scanning techniques. Nmap also supports Idle scan that is different from conventional stealth scans. This is a more sophisticated stealth scan technique by applying the SYN scan and ACK scan techniques. In previous studies, the detection of Idle scanning was on zombie system, but was not on victim system. In this paper, we propose an effective detection method of Idle scan on victim system. The Idle scanning is composed of two stages; they are probing the zombie and victim system and scanning the victim system. We analyzed the characteristics of the two stages. The characteristics, we captured, are that SYN and RST packets are different from normal packet. We applied them to detection method, then Idle scanning is detected effectively.

• The Journal of Society for e-Business Studies
• /
• v.17 no.3
• /
• pp.117-128
• /
• 2012

There was a large scale of DDoS(Distributed Denial of Service) attacks mostly targeted at Korean government web sites and cooperations's on March 4, 2010(3.4 DDoS attack) after 7.7 DDoS on July 7, 2009. In these days, anyone can create zombie PCs to attack someone's website with malware development toolkits and farther more improve their knowledge of hacking skills as well as toolkits because it has become easier to obtain these toolkits on line, For that trend, it has been difficult for computer security specialists to counteract DDoS attacks. In this paper, we will introduce an essential control list to prevent malware infection with live forensics techniques after analysis of monitoring network systems and PCs. Hopefully our suggestion of how to coordinate a security monitoring system in this paper will give a good guideline for cooperations who try to build their new systems or to secure their existing systems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.679-689
• /
• 2012

There were clear differences between the DDoS attack on 7th July 2009 and the rest of them prior to the attack. Despite It had emitted relatively small sized packets per infected PC, the attack was very successful making use of HTTP Flooding attack by aggregating small sized packets from the well sized zombie network. As the objective of the attack is not causing permanent damage to the target system but temporal service disruption, one should ensure the availability of the target server by deploying effective defense strategy. In this paper, a novel HTTP based DDoS defense mechanism is introduced with capacity based defense-in-depth strategy.