New Disk Wiper Found in Korean Attacks

Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed "DarkSeoul" against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.

Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to "highanon2013" or executing specific wipe instructions related to the following file types:

  • asp
  • aspx
  • avi
  • bmp
  • dll
  • do
  • exe
  • flv
  • gif
  • htm
  • html
  • jpeg
  • jpg
  • jsp
  • mp4
  • mpeg
  • mpg
  • nms
  • ocx
  • php
  • php3
  • png
  • sys
  • wmv

The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.


Figure. Trojan.Korhigh wallpaper

The threat may also attempt to gather system information about the compromised machine (operating system version, computer name, current date) which it sends to the following IP addresses:


Symantec is continuing its analysis of this threat and is monitoring on-going attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.

One-click/key attack forces IE and Chrome to execute malicious code

A researcher says he has uncovered a security weakness that can easily trick people into executing malicious code when they use the Microsoft Internet Explorer and Google Chrome browsers to visit booby-trapped websites.

The attack was recently presented at the Hack in the Box security conference by independent security researcher Rosario Valotta. It exploits weaknesses in the way browsers notify users when they execute operating-system-level commands, such as printing or saving. He said the attack works against Windows 7 and Windows 8 users running IE versions 9 and 10 when they enter either one or two characters while visiting a malicious website. Windows 8 machines running Chrome can be forced to execute malicious code when users click on a single HTML button on a malicious page, such as "Play" for a video or a Facebook "Like." Windows provides some protection against this social engineering attack, but Valotta said attackers can often bypass those defenses.

When a user visits the attack website, it opens a pop-under window that in most cases will remain invisible. The hidden window immediately begins downloading a malicious executable file without notifying the user or requiring any kind of permission. When the website is visited using IE, the file can be executed when English-speaking Windows 7 users type "r" and when Windows 8 users enter the tab key followed by the r key. The keystrokes, which can be invoked by asking the visitor to solve a CAPTCHA puzzle used to filter out bots, send a Windows command to the pop-under window instructing it to run the recently downloaded file. Clicking a booby-trapped HTML button while visiting the page in Chrome similarly executes the malicious file.

Read 8 remaining paragraphs | Comments


Phishers Ensuring Social Security with Fake Apps

Contributor: Avdhoot Patil

As usual, phishers continue to focus on social networking as a platform for their phishing activities. Fake social networking applications on phishing sites are not uncommon. Phishers continue to come up with new fake applications for the purpose of harvesting sensitive information.

In the past six months, phishing on social media sites consisted of 6.9 percent of all phishing activity. Among the phishing sites targeting social media, 0.9 percent consisted of fake applications offering features such as adult videos, video chatting, adult chatting, free mobile recharge etc.

In May 2013, phishers implemented a fake security application on a phishing site that claimed to secure Facebook Fan Pages and thereby increase the “social security” of the user profile. A Facebook Fan Page is important, as it is a public profile on Facebook that can be used by celebrities, companies, and also by  regular Facebook users who can create fan/community pages. Facebook Fan Pages help celebrities and companies  to get visitors and connect with people around the globe. The phishing site was hosted on a server based in San Francisco, Northern California, in the United States.


Figure 1. Phishing site asking users to enter login information

As we can see in Figure 1, the phishing page is titled “Ensuring Social Security.”  A message on the page states that it is a Fan Page verification process and it is a brand new feature to increase social security. The page also states that the process is mandatory and it is “open until 30.05.2013.” The phishing page also warns users that any Fan Pages that are not verified before that date will be permanently closed. The login form is displayed in the middle of the phishing page and titled “New Facebook Guidelines.”  The login form included the following fields:

  • Fan Page Name
  • Email Address
  • Password
  • Security Code
  • Confirm Security Code

The login form also displays a message about a security code and asks users to enter a ten-digit number and to also write it down on a piece of paper  because “it is really important” and required if transferring administrative rights or adding new administrators or managers. After entering the login information and clicking on the “submit” button, the phishing site displays an acknowledgement message saying “Thank You. Your Fan Page is being verified and we will notify you within 48 hours when the process is completed.”


Figure 2.  Phishing site acknowledgement message

As we can see in Figure 2, the acknowledgement message is displayed on the same phishing page. The fake application site was designed to look like an official application site.

The site was created with the motive of tricking users into believing that once their social networking website login credentials have been entered, their account would be secured. The truth is quite to the contrary because after entering their credentials the user gets the bogus acknowledgement message and, if the phishers are successful, the user will have given up their account details to the phishing site.

The phishing site was SSL secured.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Avoid providing any personal information when answering an email
  • Never enter personal information in a pop-up page or screen
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar
  • Use comprehensive security software such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
  • Exercise caution when clicking on enticing links sent through email or posted on social networks
  • Report fake websites and email (for Facebook, send phishing complaints to [email protected])