North Korean military blamed for “wiper” cyber attacks against South Korea

The South Korean government is pointing a finger toward Pyongyang in its assessment of last month's cyber-attacks on banks and media companies that affected thousands of computers and took electronic banking sites and ATM networks offline.

A report by South Korea's Ministry of Science, Information and Computer Technology, and Future Planning found evidence that the attack was carried out by North Korea's military intelligence, otherwise known as its "general reconnaissance bureau." The March 20 attack—which spread "wiper" malware that deleted the master boot record of PCs and attempted to delete volumes from Unix and Linux servers they were connected to—"resembled North Korea's past hacking patterns," a ministry spokesperson said in a Wednesday press briefing.

The attack targeted private citizens' computers as well as the website of an anti-North Korean organization and South Korean broadcaster YTN. Forensic evidence from it pointed directly to North Korean involvement. Six computers located at North Korean IP addresses were involved in spreading the malware used in the attacks, either directly or through proxies in China. Based on 76 malware samples collected by the investigation, the attack was planned at least eight months ago, when the code was spread to victims' PCs. This was largely accomplished through e-mail attachments disguised as bank account statements.


Fake Vertu App Infects Korean and Japanese Android Users

A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.

Fake Vertu app in Japanese.

On installation, Android/Smsilence.C attempts to display a loading screen, while in the background registering the device phone number with an external server [XXX.XX.24.134] by sending an HTTP POST. The malware then registers an intent filter on the local device so that any incoming messages are handled first by the Trojan and then forwarded to the same server. The loading screen eventually stops with a message in Japanese or Korean reporting that the service was unavailable and asking the user to please try again.


McAfee’s research into the control management system used by this threat has shown that multiple domains (pointing to the same server) were used in addition to multiple guises to spread the threat. Around 20 fake branded apps–from coffee to fast-food chains, including an antivirus product from Korea that was uploaded to and revoked from Google Play–were used. Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 and 60,000 mobile users, according to our analysis.

Fake Vertu app in Korean.

The new variant now extends to Japanese victims. Most other threats targeting Japan this year have been minor variations of one-click fraud (also called scareware), which has been around in one form or another since 2004. Devices infected with Android/Smsilence.C are capable of sending back a lot more information, in addition to downloading additional spyware to the infected device.

Because carriers in Japan use the CMAIL protocol for text messaging, attempting to control and maintain a mobile botnet from outside of Japan is not easy (due to the security features implemented by Japanese carriers). We wonder if there was a local accomplice facilitating the spread or control of infected devices. This would also explain the function of a secondary package that is downloaded to an infected device only on demand by the botnet controller, and contains additional spyware functionality not limited to text messaging.

The most bizarre aspect of this new strain remains to be explained, and highlights a limitation of the antimalware research field. Regardless of whether we analyze an Android Trojan or a complex threat like Stuxnet, given enough time we can reverse-engineer any piece of code into its basic building blocks. Nonetheless, there are sometimes aspects of a case in which, no matter how much time is spent investigating, we have no idea what the malware authors were thinking. In this case we discovered a file inside the malware that changes the package hash; that’s an evasive technique dubbed server-side polymorphism, and it attempts to avoid detection by antimalware vendors. But it was not the technique that was confusing, even though this is the first time we have seen it used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson.
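An added example (my code, not McAfee's) of why a whole-file hash is a weak identifier against this kind of server-side polymorphism: two constructed APK-shaped zips that differ only in an embedded picture get different SHA-256 values, while a fingerprint computed over the code-bearing members alone stays stable, and a member-level diff shows that only the image changed. The package layout, member names and contents are placeholders constructed for the demo.

```python
import hashlib
import io
import zipfile

# Members that carry the app's actual code and declared behaviour. Resource
# files such as images are left out on purpose: the sample described above
# changed its package hash by swapping a picture, not its code.
CODE_MEMBERS = ("AndroidManifest.xml", "classes.dex")

def build_sample_apk(image_bytes):
    """Construct a minimal APK-shaped zip for this demo (placeholder contents, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.theme'/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed placeholder bytecode")
        z.writestr("assets/mayor.jpg", image_bytes)
    return buf.getvalue()

def whole_file_sha256(apk_bytes):
    """The hash a blocklist usually carries; it changes with every re-packed image."""
    return hashlib.sha256(apk_bytes).hexdigest()

def code_fingerprint(apk_bytes):
    """SHA-256 over the code-bearing members only, in a fixed order, so that
    re-packing with a different image yields the same fingerprint."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        present = set(z.namelist())
        for name in CODE_MEMBERS:
            if name in present:
                h.update(name.encode("utf-8") + b"\0")
                h.update(z.read(name))
    return h.hexdigest()

def changed_members(apk_a, apk_b):
    """Names of zip members whose content differs between two packages (by CRC32)."""
    with zipfile.ZipFile(io.BytesIO(apk_a)) as za, zipfile.ZipFile(io.BytesIO(apk_b)) as zb:
        crc_a = {i.filename: i.CRC for i in za.infolist()}
        crc_b = {i.filename: i.CRC for i in zb.infolist()}
    return sorted(n for n in crc_a.keys() | crc_b.keys() if crc_a.get(n) != crc_b.get(n))

# Two "re-packed" variants that differ only in the embedded picture.
VARIANT_A = build_sample_apk(b"\xff\xd8\xff\xe0 constructed jpeg A")
VARIANT_B = build_sample_apk(b"\xff\xd8\xff\xe0 constructed jpeg B")
```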

Image files discovered in the package: the malware authors included an image of London Mayor Boris Johnson.

The spammer who logged into my PC and installed Microsoft Office

(credit: Aurich Lawson / Thinkstock)

It's Memorial Day, all Ars staff are off, and we're grateful for it (running a site remains tough work). But on a normal Monday, we'd inevitably continue to monitor the security world. Our Jon Brodkin willingly embraced a firsthand experience with low-grade scammers in April 2013, and we're resurfacing his piece for your holiday reading pleasure.

It all began with an annoying text message sent to an Ars reader. Accompanied by a Microsoft Office logo, the message came from a Yahoo e-mail address and read, "Hi, Do u want Microsoft Office 2010. I Can Remotely Install in a Computer."

An offer I couldn't refuse.

The recipient promptly answered "No!" and then got in touch with us. Saying the spam text reminded him of the "'your computer has a virus' scam," the reader noted that "this seems to be something that promises the same capabilities, control of your computer and a request for your credit card info. Has anyone else seen this proposal?"
