Your hard drive will self-destruct at 2pm: Inside the South Korean cyberattack

A cyberattack in South Korea on Wednesday took the networks of several companies offline. While some recovered in a matter of hours, South Korea's public broadcasting organization, KBS, is still offline. But the identity of the person or group behind the attacks is still an open question—one muddied by the hackers who are taking credit for at least part of it. It's not clear at this point if the attack was state-sponsored, cyberwarfare by North Korea, or simply an act of cyberterrorism by hackers looking to make a virtual name for themselves.

As we reported earlier, at about 2pm Seoul time, the networks of three broadcasters and three banks were disrupted by an attack, possibly caused by malware. But while malware was initially blamed for the outage, the malware discovered thus far could not have taken the networks down by itself. There was a lot more going on than just a malware attack; the convergence of multiple types of attacks suggests a coordinated effort by an organized attacker.

The latest update from South Korean officials is that the attack emanated from a Chinese IP address. But the identity of the attackers is still unclear.

South Korean Banks, Media Companies Targeted by Destructive Malware

A massive computer shutdown of two South Korean banks and media companies occurred Wednesday via an Internet malware attack. The malware wiped out the master boot records on the hard drives of the infected computers, overwriting the MBR with one of the following strings:

  • PRINCPES
  • PR!NCPES
  • HASTATI.

Figure 1: Snapshot of MBR after infection.

The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable. So even if the MBR is recovered, the files on disk will be compromised too.

After that, the system is forced to reboot via the following command:

  • shutdown -r -t 0

Because the MBR is now corrupted, the computers can no longer boot.
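
A defender who pulls the first sector off an affected disk (or a disk image) wants to know quickly whether it is a valid MBR and whether it carries the overwrite pattern described above. The following triage script is an added example, not code from McAfee or from the original post: it checks the 0x55AA boot signature, decodes the four partition entries, and searches the sector for the three marker strings reported here. The two sample sectors (one healthy, one overwritten with a repeated marker) are constructed for the example.

```python
import struct
import sys

# Marker strings the report says the wiper writes over the MBR.
WIPER_MARKERS = (b"PRINCPES", b"PR!NCPES", b"HASTATI.")

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries start here
PARTITION_ENTRY_SIZE = 16


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; empty (type 0) entries are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr: bytes) -> dict:
    """Triage one 512-byte sector: boot signature, known wiper markers, partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    signature_ok = mbr[-2:] == BOOT_SIGNATURE
    markers = sorted(m.decode("ascii") for m in WIPER_MARKERS if m in mbr)
    if markers:
        verdict = "WIPED"            # marker text present: matches the reported overwrite
    elif signature_ok:
        verdict = "INTACT"
    else:
        verdict = "DAMAGED"          # no marker, but the sector is not a valid MBR either
    return {"boot_signature_ok": signature_ok, "wiper_markers": markers,
            "partitions": parse_partitions(mbr), "verdict": verdict}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: zero boot code, one bootable NTFS partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    mbr[-2:] = BOOT_SIGNATURE
    return bytes(mbr)


def build_wiped_mbr() -> bytes:
    """Constructed wiped MBR: one marker repeated across the whole sector."""
    return (b"PRINCPES" * (MBR_SIZE // len(b"PRINCPES")))[:MBR_SIZE]


if __name__ == "__main__":
    # Usage: python mbr_triage.py [disk-or-sector-image]; without a path, run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_mbr(fh.read(MBR_SIZE)))
    else:
        for label, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
            print(label, inspect_mbr(sector))
```

The "DAMAGED" verdict is deliberately separate from "WIPED": a sector with no boot signature and none of the reported strings still needs a human look, since the article notes that random parts of the file system were overwritten as well, and a different marker or a partially written sector would otherwise be missed.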

Figure 2: Error message after reboot.

Furthermore, before overwriting the MBR, the malware attempted to kill the main processes of two Korean antivirus products, Ahnlab and Hauri:

  • taskkill /F /IM pasvc.exe
  • taskkill /F /IM Clisvc.exe
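
The two commands above, followed by the immediate reboot described earlier, are a short and distinctive sequence in process-creation telemetry. The detection below is an added example (not McAfee's code): it parses constructed process-creation events in a simple key=value layout of this example's own devising, tags forced kills of the two antivirus processes named in the report and `shutdown -r -t 0`, and raises a high-severity alert only when a host does both within a short window, so routine administrative reboots do not fire.

```python
import re
from datetime import datetime, timedelta

# Antivirus processes the report says the malware tries to kill (AhnLab and Hauri).
AV_PROCESSES = {"pasvc.exe", "clisvc.exe"}

# Constructed process-creation events (the field layout is this example's own, not a real product format).
SAMPLE_LOG = """\
2013-03-20T13:59:58 host=WS-KBS-17 user=jdoe image=C:\\Windows\\System32\\taskkill.exe cmd="taskkill /F /IM pasvc.exe"
2013-03-20T13:59:58 host=WS-KBS-17 user=jdoe image=C:\\Windows\\System32\\taskkill.exe cmd="taskkill /F /IM Clisvc.exe"
2013-03-20T14:00:01 host=WS-KBS-17 user=jdoe image=C:\\Windows\\System32\\shutdown.exe cmd="shutdown -r -t 0"
2013-03-20T14:03:10 host=WS-ADMIN-02 user=itops image=C:\\Windows\\System32\\shutdown.exe cmd="shutdown -r -t 0"
2013-03-20T14:05:44 host=WS-DEV-09 user=build image=C:\\Windows\\System32\\taskkill.exe cmd="taskkill /F /IM notepad.exe"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$')


def classify(cmd: str):
    """Map one command line to ('av_kill', target) or ('immediate_reboot', None), else None."""
    tokens = cmd.lower().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]
    # Windows accepts /flag or -flag; normalise to -flag before matching.
    args = [t.replace("/", "-", 1) if t.startswith("/") else t for t in tokens[1:]]
    if exe in ("taskkill", "taskkill.exe") and "-im" in args:
        idx = args.index("-im")
        target = args[idx + 1] if idx + 1 < len(args) else ""
        if target in AV_PROCESSES:
            return ("av_kill", target)
    if exe in ("shutdown", "shutdown.exe") and "-r" in args:
        # "-t 0": reboot with no delay, as in the reported command
        for i in range(len(args) - 1):
            if args[i] == "-t" and args[i + 1] == "0":
                return ("immediate_reboot", None)
    return None


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsed line: %r" % line)
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["tag"] = classify(ev["cmd"])
    return ev


def detect(log_text: str, window_s: int = 60) -> list:
    """Per host: AV kill followed by an immediate reboot within window_s is high; AV kill alone is medium."""
    by_host = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        kills = [e for e in evs if e["tag"] and e["tag"][0] == "av_kill"]
        if not kills:
            continue                       # a lone reboot is ordinary admin activity
        first_kill = min(e["ts"] for e in kills)
        reboots = [e for e in evs if e["tag"] and e["tag"][0] == "immediate_reboot"
                   and timedelta(0) <= e["ts"] - first_kill <= timedelta(seconds=window_s)]
        alerts.append({
            "host": host,
            "user": kills[0]["user"],
            "killed": sorted({e["tag"][1] for e in kills}),
            "rule": "av_kill_then_immediate_reboot" if reboots else "av_process_kill",
            "severity": "high" if reboots else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only WS-KBS-17 alerts: the AV kills arrive three seconds before the reboot. WS-ADMIN-02's reboot alone stays silent, and WS-DEV-09's `taskkill` of notepad.exe is ignored because the target is not in the protected set. In a real deployment the process set would be extended to whatever endpoint protection the organisation runs.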

The malware code does not contain any function related to network communication, and we don’t have any indication that it can communicate with a remote host.

Also, it didn’t make any other changes in the system such as dropping files or changing registry keys. The goal of the attack appears to be solely to make the targeted computers unusable.

A dropper was found that appears to be the original dropper for this attack. The 418KB file is UPX-packed and has the following hash:

  • 9263E40D9823AECF9388B64DE34EAE54

The dropper wrote the MBR-killing module to the %TEMP% folder as AgentBase.exe and started it.

It also dropped two clean files, the PuTTY SSH client and the PuTTY SCP client, in %TEMP%. It then scanned the file system for the configuration files of two SSH clients:

  • Felix Deimel’s mRemote
    %sAppData\Local\Felix_Deimel\mRemote\confCons.xml
  • VanDyke’s Secure CRT
    %sAppData\Roaming\VanDyke\Config\Sessions

If the malware finds a configuration file, it looks for any entry for a “root” user on a remote system, extracts the connection information, and uses the PuTTY clients to check whether access to the system is available:

  • %s -batch -P %s -l %s -pw %s %s %s:/tmp/cups
  • %s -batch -P %s -l %s -pw %s %s “chmod 755 /tmp/cups;/tmp/cups”

The malware then drops another file in %TEMP% named “pr1.tmp,” a Bash shell script that attempts to destroy the disk partitions on three Unix variants: Linux, HP-UX, and SunOS.

Figure 3: Part of the shell script used in the Unix attack.

The script identifies the operating system and then calls an OS-specific function to overwrite the disk partitions. If that operation cannot be carried out, it also tries to delete the following directories:

  • /kernel/
  • /usr/
  • /etc/
  • /home/

McAfee Labs was able to identify the following hashes related to this attack:

Wiper module

  • DB4BBDC36A78A8807AD9B15A562515C4  ApcRunCmd.exe
  • F0E045210E3258DAD91D7B6B4D64E7F3  ApcRunCmd.exe
  • 0A8032CD6B4A710B1771A080FA09FB87  mb_join.exe
  • 5FCD6E1DACE6B0599429D913850F0364  OthDown.exe

Dropper

  • 9263E40D9823AECF9388B64DE34EAE54  APCRunCmd.DRP

Unix Shell Script

  • DC789DEE20087C5E1552804492B042CD  pr1.tmp

While searching our sample database for related files, we identified two other samples that share the same basic structure as the preceding samples but lack the MBR-killing capability:

  • E4F66C3CD27B97649976F6F0DAAD9032 E4F66C3CD27B97649976F6F0DAAD9032.bin
  • 50E03200C3A0BECBF33B3788DAC8CD46  jar_cache1221312510715123682.tmp

These samples were found in the wild in August and October 2012. They share the same basic stub as the MBR-killing malware, but they are simple downloaders and have no commands to kill antivirus processes. They contain only MS-DOS commands to remove themselves after executing.

Based on our analysis, these samples are not related to the attack, but they may be built from the same malware stub the attackers used to create the MBR-killing code: a kind of template Trojan that can be tweaked to execute any function.

The differences in the payload can be seen in the following images:

Figure 4: Payload of old samples.

Figure 5: Payload of new samples.

As we can see, the commands executed are different but the data structure is the same.

McAfee detects the samples involved in the attack as KillMBR-FBIA and Dropper-FDH.

One day after iOS 6.1.3, a new iPhone lock screen bug emerges

Just a day after Apple released iOS 6.1.3, a new lock screen bug has been discovered that could give an attacker access to private information. The vulnerability is different from the passcode bug(s) addressed by Tuesday's iOS update, but the end result is similar: access to the iPhone's contact list and photos.

The new lock screen bug was first documented by YouTube user videosdebarraquito, who posted a video demonstrating the procedure. The basic gist, seen in the video below, is to eject the iPhone's SIM card while using the built-in voice controls to make a phone call.

Bypassing the iPhone passcode lock on iOS 6.1.3.

There are a couple of important things to keep in mind, though. For one, the bug seems to apply to most modern iPhones, though apparently the procedure isn't as easy as it looks. The YouTube video above shows the hack being executed on an iPhone 4, and iphoneincanada was able to replicate it on an iPhone 4. TheNextWeb was able to replicate it on an iPhone 4S but not an iPhone 5. But the iPhone 5 didn't get away scot-free: the German-language site iPhoneblog.de appears to have replicated the bug on that model as well. We have not yet seen a confirmed case of the bug on the iPhone 3GS, though it's probably safe to assume that it exists there too.

Remote Linux Wiper Found in South Korean Cyber Attack

Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.

Figure 1. Bash wiper script targeting remote Linux machines

The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager. The mRemote application keeps a configuration file for saved connections at the following path:

%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml

Figure 2. Parsing mRemote path information

The dropper for Trojan.Jokra parses this XML file for any connection with root privileges using the SSH protocol. It then extracts the parameters used in the connection.

Figure 3. Parsing mRemote configuration file connection details

The dropper then spawns another thread, which drops a bash script to %Temp%\~pr1.tmp and then uploads and executes this temporary file as /tmp/cups on the remote Linux computer, using the connection information parsed from mRemote’s configuration file.

Figure 4. Remote command execution

The bash script is a wiper designed to work on any Linux distribution, with additional OS-specific commands for SunOS, AIX, and HP-UX. It wipes out the /kernel, /usr, /etc, and /home directories.
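
Both the McAfee and Symantec write-ups above turn on the same exposure: a Windows administrator's connection manager holding saved SSH sessions that log in directly as root, which let a Windows infection reach Unix hosts. The audit below is an added example, not Symantec's or mRemote's code. It reads a confCons.xml and lists SSH entries that use the root account and/or carry a stored password, printing no secrets. The sample file is constructed, and the element and attribute names it assumes (Node, Type, Protocol, Hostname, Port, Username, Password) are an assumption for this example; compare them with the file on your own systems before relying on the output. The default search paths are the two locations named in the reports, with %LOCALAPPDATA% standing in for the AppData\Local prefix.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an mRemote confCons.xml. The element and attribute
# names used here (Node, Type, Protocol, Hostname, Port, Username, Password) are an
# assumption for this example; compare them with the file on your own systems.
SAMPLE_CONFCONS = b"""\
<Connections Name="Connections" Export="False" ConfVersion="2.2">
  <Node Name="prod" Type="Container">
    <Node Name="web01" Type="Connection" Protocol="SSH2" Hostname="10.20.0.11" Port="22" Username="root" Password="s3cret" />
    <Node Name="db01" Type="Connection" Protocol="SSH2" Hostname="10.20.0.12" Port="2222" Username="dba" Password="" />
  </Node>
  <Node Name="jump" Type="Connection" Protocol="SSH2" Hostname="jump.example.test" Port="22" Username="root" Password="" />
  <Node Name="win-admin" Type="Connection" Protocol="RDP" Hostname="10.20.0.50" Port="3389" Username="Administrator" Password="P@ss" />
</Connections>
"""

# Paths named in the reports (Vista+ and XP-era layouts), expanded for the current user.
DEFAULT_PATHS = (
    r"%LOCALAPPDATA%\Felix_Deimel\mRemote\confCons.xml",
    r"%USERPROFILE%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml",
)


def audit_mremote(xml_bytes: bytes) -> list:
    """List saved SSH connections that log in as root and/or carry a stored password."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for node in root.iter("Node"):
        if node.get("Type", "Connection") != "Connection":
            continue                                   # skip folders
        if not (node.get("Protocol") or "").upper().startswith("SSH"):
            continue                                   # the dropper only targeted SSH entries
        user = node.get("Username") or ""
        reasons = []
        if user.lower() == "root":
            reasons.append("direct root login")        # exactly the entry type the dropper searched for
        if node.get("Password"):
            reasons.append("password stored in config")  # gives a credential harvester everything it needs
        if reasons:
            findings.append({
                "name": node.get("Name"),
                "host": "%s:%s" % (node.get("Hostname"), node.get("Port") or "22"),
                "user": user,
                "reasons": reasons,
                "risk": "high" if len(reasons) == 2 else "medium",
            })
    return findings


def main(argv) -> int:
    paths = argv[1:] or [os.path.expandvars(p) for p in DEFAULT_PATHS]
    found = False
    for path in paths:
        if not os.path.isfile(path):
            continue
        found = True
        with open(path, "rb") as fh:
            findings = audit_mremote(fh.read())
        for f in findings:
            print("%-6s %-10s %-28s user=%s  (%s)" % (f["risk"], f["name"], f["host"],
                                                      f["user"], "; ".join(f["reasons"])))
    if not found:
        print("no confCons.xml found; auditing the constructed sample instead")
        for f in audit_mremote(SAMPLE_CONFCONS):
            print(f)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The remediation the findings point to is the one that would have blunted this attack: saved sessions should log in as an unprivileged user and escalate on the host, and they should authenticate with an agent-held key rather than a password kept in the configuration file, so that a copied config yields nothing usable.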

Symantec is continuing to investigate this attack and will provide further updates as they become available.