Different Wipers Identified in South Korean Cyber Attack

Our analysis of Trojan.Jokra, the threat which recently caused major outages within the Korean Broadcasting and Banking sectors, has produced another wiper.

Over the past few days security researchers have been discussing the wiper component found in this Trojan, specifically the different wiper versions and the timings involved. We have seen the following strings used across the variants:

  • PRINCIPES
  • HASTATI
  • PR!NCPES
  • HASTATI and PR!NCPES in combination
  • PRINCPES

Three of the wipers are packaged as a position-independent executable (PIE) and a fourth is delivered by dynamic-link library (DLL) injection. The variants also differ in their timing.
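The marker strings above are the most direct handle a responder has on a Jokra sample or a recovered disk dump. The following is an added triage helper, not Symantec's code: it scans a byte buffer for the four marker strings, reports the offset (and, for a raw dump, the sector) of each hit, and names the variant label the combination corresponds to. The sample bytes in demo() are constructed for the demo; the 512-byte sector size is an assumption.

```python
# Added triage helper (not Symantec's code): scan a binary sample or a raw
# disk/sector dump for the marker strings the post associates with the
# Trojan.Jokra wipers, report where they sit, and name the variant family
# the combination suggests. The sample bytes in demo() are constructed.
import re

# Marker strings listed in the post. PRINCPES and PRINCIPES are distinct
# spellings and neither is a substring of the other, so they are matched
# independently.
MARKERS = (b"PRINCIPES", b"PR!NCPES", b"PRINCPES", b"HASTATI")


def find_markers(data: bytes) -> dict:
    """Return {marker_text: [byte offsets]} for every marker found in data."""
    hits = {}
    for marker in MARKERS:
        offsets = [m.start() for m in re.finditer(re.escape(marker), data)]
        if offsets:
            hits[marker.decode("ascii")] = offsets
    return hits


def classify(hits: dict) -> str:
    """Map the set of markers present to the variant labels used in the post."""
    found = set(hits)
    if not found:
        return "no Jokra marker present"
    if found == {"HASTATI", "PR!NCPES"}:
        return "HASTATI and PR!NCPES in combination"
    if len(found) == 1:
        return next(iter(found))
    # Any other mix is not one of the documented variants; say so explicitly.
    return "undocumented combination: " + ", ".join(sorted(found))


def triage(data: bytes, sector_size: int = 512) -> list:
    """For a raw dump, list (marker, offset, sector) so a responder can see
    which sectors carry a marker. The sector size is an assumption."""
    rows = []
    for marker, offsets in find_markers(data).items():
        for off in offsets:
            rows.append((marker, off, off // sector_size))
    return sorted(rows, key=lambda r: r[1])


def demo():
    # Constructed dump: 512-byte sectors, HASTATI in sector 0, PR!NCPES in sector 1.
    dump = b"\x00" * 100 + b"HASTATI" + b"\x00" * 600 + b"PR!NCPES" + b"\xff" * 50
    return classify(find_markers(dump)), triage(dump)


if __name__ == "__main__":
    label, rows = demo()
    print(label)
    for marker, off, sector in rows:
        print(f"{marker:10} offset={off:<6} sector={sector}")
```

Run it against a memory dump or a raw image of an affected disk (`triage(open(path, "rb").read())`); a hit list is a quick way to confirm which variant was present before the overwritten sectors are examined further.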
 

table1.jpg

Table. Trojan.Jokra wipers

Two of the wipers wipe immediately upon execution. Another wipes at 2 PM on March 20, 2013. We have recently come across another sample (530c95eccdbd1416bf2655412e3dddb) that wipes at 3 PM on March 20, regardless of the year.
 

image1.jpg

Figure. Trojan.Jokra wiper countdown

To protect your machine from Trojan.Jokra and other threats, ensure that the latest patches and the most up-to-date antivirus definitions are installed.

Apple suspends password resets after critical account-hijack bug is found (Updated)

Update: Apple restored the password resets on Friday night.

Apple suspended the password-reset functionality for its iCloud and iTunes services following a published report that hackers could exploit it to hijack other people's accounts.

The password reset page stopped loading a few hours after The Verge reported there was an online tutorial that provided detailed instructions for taking unauthorized control of Apple accounts. The report didn't identify the website or the precise technique, except to say it involved "pasting in a modified URL while answering the DOB security question on Apple's iForgot page."
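The report does not say what the modified URL did, so the following is an added illustration, not Apple's code and not the iForgot bug: it models the general class of flaw in a hypothetical reset flow whose progress is carried in the URL as a client-controlled flag, beside a flow that keeps that state server-side. The account store, user name and parameter names are constructed for the demo.

```python
# Added illustration, not Apple's code: the report does not say how the
# iForgot check was bypassed, so this models the general class of flaw in a
# hypothetical reset flow (a step-completion flag carried in the URL) and
# shows the server-side alternative. Account data is constructed for the demo.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed account store: user -> date-of-birth answer and current password.
ACCOUNTS = {"alice@example.com": {"dob": "1990-05-17", "password": "old-pw"}}


def reset_via_url(url: str, new_password: str) -> bool:
    """Weak flow: 'dob_ok=1' in the URL is taken as proof that the DOB question
    was answered. Anyone who edits the URL skips the question entirely."""
    q = parse_qs(urlparse(url).query)
    user = q.get("user", [None])[0]
    if user not in ACCOUNTS or q.get("dob_ok", ["0"])[0] != "1":
        return False
    ACCOUNTS[user]["password"] = new_password
    return True


class ResetFlow:
    """Hardened flow: progress lives in a server-side ticket keyed by an
    unguessable token, the DOB answer is compared in constant time with a
    small attempt budget, and the ticket is consumed on success."""

    MAX_TRIES = 3

    def __init__(self):
        self._tickets = {}  # token -> {"user", "dob_ok", "tries"}

    def start(self, user: str) -> str:
        # Issue a ticket even for unknown users so the response does not
        # reveal whether the account exists.
        token = secrets.token_urlsafe(32)
        self._tickets[token] = {"user": user, "dob_ok": False, "tries": 0}
        return token

    def answer_dob(self, token: str, dob: str) -> bool:
        st = self._tickets.get(token)
        if st is None or st["tries"] >= self.MAX_TRIES:
            return False
        st["tries"] += 1
        acct = ACCOUNTS.get(st["user"])
        ok = acct is not None and hmac.compare_digest(
            acct["dob"].encode("utf-8"), dob.encode("utf-8"))
        st["dob_ok"] = ok
        return ok

    def set_password(self, token: str, new_password: str) -> bool:
        st = self._tickets.get(token)
        if st is None or not st["dob_ok"]:
            return False
        del self._tickets[token]  # single use
        ACCOUNTS[st["user"]]["password"] = new_password
        return True


if __name__ == "__main__":
    # The weak flow accepts a hand-edited URL that never answered the question.
    print(reset_via_url("https://reset.example/confirm?user=alice%40example.com&dob_ok=1", "pwned"))
    flow = ResetFlow()
    t = flow.start("alice@example.com")
    print(flow.set_password(t, "new"))      # False: DOB step not completed
    print(flow.answer_dob(t, "1990-05-17"))  # True
    print(flow.set_password(t, "new"))      # True
```

The point is that nothing the client sends, URL included, should be able to assert that an earlier step succeeded; only state the server recorded itself can do that.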


Apple blocks ad-injecting Mac trojan, Yontoo

A day after Russian anti-virus firm Doctor Web highlighted an adware Mac trojan called "Yontoo," Apple has moved to block it. As confirmed by Intego, Apple has updated the definitions in OS X's Xprotect.plist to detect the adware, meaning users don't need to run anything special to be protected.

"In testing, it appears this detection is very specific and potentially location-dependent," wrote Intego. "This extra specificity is likely there so as to catch only the surreptitious installations of this file."

As we wrote on Thursday, the Yontoo adware socially engineers users into installing it as a browser plugin. Once it's installed into Safari, Firefox, and Chrome, the plugin injects advertising into the websites you're visiting—including those that don't even normally show ads.


New Tidserv Variant Downloads 50 MB Chromium Embedded Framework

Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware has remained on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has begun to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do.

The Backdoor.Tidserv variant uses a modular framework that allows it to download new modules and inject them into clean processes. Previous variants of Tidserv had used a serf332 module to perform network operations, such as link clicking and ad popups. It does this using COM (Component Object Model) objects to open Web pages and inspect page content. In the last week we have observed Tidserv downloading a new module called cef32. This new cef32 module has been found to have the same functionality as serf332 but requires cef.dll which is part of the CEF. Unusually, this requires a download of the full 50 MB CEF to the compromised system.

There has been a considerable increase in downloads of the CEF over the last 18 days. While we cannot be certain how many of these downloads relate to Tidserv infection activity, if they are a result of the malware then the number of computers compromised with Tidserv would be sizeable.
 

new tidserv 1.jpeg

Figure 1. Chromium Embedded Framework downloads, last 18 days

The CEF provides a Web browser control based on the Google Chromium project. This allows developers to build applications that include Web browser windows. The CEF libraries perform all of the functionality required to run the browser, such as parsing HTML or parsing and executing JavaScript.
 

new tidserv 2.png

Figure 2. Tidserv JavaScript passed to Chromium Embedded Framework library

Using the CEF allows Tidserv to move a lot of the basic Web browser functionality out of its own modules and into the CEF library. This allows for smaller modules that are easier to update with new functionality. The downside of Tidserv using CEF is that the cef32 module needs the CEF cef.dll Dynamic Link Library in order to load. The URL to the CEF zip file for download is currently hardcoded in the serf332 binary, so any change to this URL will require an update to the serf332 module.
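A dependency on cef.dll is also a detection opportunity: a legitimate CEF application loads the library from its own install directory, whereas the cef32 module is injected into a clean process and needs the library fetched into a writable location. The following is an added detection sketch, not Symantec's code or a Tidserv signature: it runs over constructed log lines in a Sysmon-style "image loaded" shape and flags loads of cef.dll (the name given above) into Windows system processes, from temporary or user-writable paths, or from outside the loading process's own directory. The log format, process list and path heuristics are assumptions for the demo.

```python
# Added detection sketch (not Symantec's code): flag suspicious loads of
# cef.dll from module-load telemetry. Log lines below are constructed in a
# Sysmon-style "image loaded" shape; the module name comes from the post,
# the process list and path heuristics are assumptions.
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "ts process module reason")

LINE_RE = re.compile(r"^(?P<ts>\S+) ImageLoad process=(?P<proc>.+?) module=(?P<mod>.+)$")

# The post names cef.dll as the library cef32 requires.
CEF_MODULES = {"cef.dll"}
# Tidserv injects its modules into clean processes; none of these ship CEF.
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
# Path fragments that indicate a temporary or user-writable drop location.
TEMP_MARKERS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample telemetry: one benign CEF app, two injected loads, one
# unrelated DLL load.
SAMPLE_LOG = r"""
2013-03-21T14:02:11Z ImageLoad process=C:\Program Files\SomeApp\someapp.exe module=C:\Program Files\SomeApp\cef.dll
2013-03-21T14:05:37Z ImageLoad process=C:\Windows\explorer.exe module=C:\Users\bob\AppData\Local\Temp\cef_binary\cef.dll
2013-03-21T14:05:38Z ImageLoad process=C:\Windows\System32\svchost.exe module=C:\Windows\Temp\cef.dll
2013-03-21T14:06:02Z ImageLoad process=C:\Windows\explorer.exe module=C:\Windows\System32\kernel32.dll
"""


def parse(line: str):
    """Split one log line into its fields, or None if it is not an ImageLoad."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text: str) -> list:
    """Return a Finding for every cef.dll load that looks out of place."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        proc, mod = ev["proc"], ev["mod"]
        if ntpath.basename(mod).lower() not in CEF_MODULES:
            continue
        proc_dir = ntpath.dirname(proc).lower()
        mod_dir = ntpath.dirname(mod).lower()
        reasons = []
        if not (mod_dir == proc_dir or mod_dir.startswith(proc_dir + "\\")):
            reasons.append("cef.dll loaded from outside the host process's directory")
        if any(t in mod_dir + "\\" for t in TEMP_MARKERS):
            reasons.append("cef.dll resides in a temporary or user-writable path")
        if ntpath.basename(proc).lower() in SYSTEM_PROCESSES:
            reasons.append("loaded by a Windows system process that does not ship CEF")
        if reasons:
            findings.append(Finding(ev["ts"], proc, mod, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.process} <- {f.module}\n    {f.reason}")
```

The benign line (a CEF-based application loading cef.dll from its own install directory) produces no finding; the two loads into explorer.exe and svchost.exe from temp directories do. In production the same three checks can be expressed as a SIEM rule over image-load events, with the allowlist of known CEF-hosting applications tuned to the environment.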

The Chromium Embedded Framework (CEF) and its authors do not condone or promote the use of the CEF framework for illegal or illicit purposes. They will take all actions reasonably within their power to frustrate this use case. For that reason the binary that was being used by the malware product from the Google Code project page has been deleted. Other means of providing free binaries to users that protect, as much as possible, against this or similar abuses will be explored.

Symantec is continuing to track the evolution of threats such as Tidserv. Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protections are in place.