How South Korean Bank Malware Spread

Attackers used stolen usernames and passwords for legitimate AhnLab Patch Manager accounts, set wiper software for staggered deletes to maximize damage.

The malware attacks that successfully compromised an estimated 32,000 South Korean systems Wednesday were distributed, at least in part, using legitimate enterprise patch management software.

Attackers used stolen usernames and passwords to access AhnLab Patch Management software running in at least some of the affected businesses. "The credentials were used to gain access to individual patch management systems located on the affected networks," read a statement released Friday by the AhnLab Security Emergency Response Center (ASEC). "Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates."

The resulting malware infections compromised Windows, Unix and Linux systems at South Korea's Jeju, NongHyup and Shinhan banks, as well as television broadcasters KBS, MBC and YTN. The malicious code used by attackers included "wiper" malware, with a built-in logic bomb set to begin overwriting a computer's master boot record (MBR) data at a preset time Thursday afternoon, and then rebooting, which would render the system inoperable. Some of the Trojan applications used in the attacks could also remotely wipe network-connected Unix and Linux systems.

[ South Korea back-pedals after blaming North Korea for bank hack. Read South Korea Changes Story On Bank Hacks. ]

AhnLab emphasized that when attackers accessed its patch management software, running at targeted sites, they used legitimate access credentials rather than exploiting zero-day vulnerabilities in the code or stealing or compromising any of the digital certificates the company uses to sign its code. "Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code," said AhnLab's statement.

AhnLab also cited a report that Ryou Jae Cheol, a professor of computer engineering and securities at South Korea's Chungnam National University, said that the North Korean government had launched the attack, using Chinese-developed code. In fact, Cheol -- referencing a Thursday report from the Korean Communications Commission (KCC) that the attacks had been launched via an IP address registered in China -- told Bloomberg Thursday that "discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there."

By Friday, however, South Korean officials changed their story, noting that they'd been "careless" to ascribe to China an IP address that was actually privately registered to South Korea's NongHyup bank. According to the KCC, at least some of the malware attacks were launched from a single NongHyup system, inside South Korea.

Many of the systems exploited in the attacks were infected with malware at least one day prior. According to research published by Trend Micro, some of the malware used in the attacks was distributed via a spear-phishing campaign that commenced on Tuesday, March 19.

But a threat researcher at security firm F-Secure, who goes by the name "Brod," said in a blog post Monday that a malicious HTML archive used in some of the South Korea attacks was created on March 17, which is three days before the logic bomb was triggered.

The malicious HTML archive claimed to be an account history for Shinhan bank customers, which was one of the businesses exploited in the attacks. "The malware inside the archive is using double extensions combined with a very long filename to hide the real extension," said Brod. "This is a common social engineering tactic that started during the era of mass-mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as attachment in spear phishing e-mails."

Not all of the malware, however, was launched via spear-phishing emails. "Some variants also wipe remote systems using credentials found in configuration files of certain SSH clients installed in infected systems. Therefore an affected system can simply have one of its users, who uses a vulnerable SSH client, infected for it to get toasted," said Brod.

Attackers used software that could not only wipe Windows systems but also remotely wipe Unix and Linux systems. "Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks," said Brod. "These are either third-party applications or not supported by Windows natively."

Researchers at Symantec reported Friday that they've now recovered four different types of wipers used in the attacks. One of the wipers was written as a DLL file that was injected into LSASS.exe, which is the Windows Local Security Authentication Server, while the other three are standalone position-independent executable (PIE) code.

Timing-wise, two of the wipers were instructed to immediately wipe upon execution, according to a Symantec Security Response blog post. "Another was instructed to wipe specifically at 2PM on March 20, 2013. We have recently come across another sample ... that wipes at 3PM on March 20, independent of year," the post continued.

In the wake of last week's attacks, some security researchers had suggested that the apparently scattershot list of targets may have been designed solely to cause panic. But researchers have since discovered overlapping malware that's able to wipe multiple systems, backed by redundant logic bomb timing seemingly designed to cause maximum damage. "All these specifics give the impression of a targeted attack," said F-Secure's Brod.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!