Malware that hit South Korea wasn’t so sophisticated
A cyber attack on three of South Korea’s major broadcasters and several of its major banks appears to have been caused by a relatively unsophisticated piece of software, security researchers said Wednesday. [Story updated, see below]
The attacks, which began at around 2pm local time on Wednesday (5:00 UTC), left desktop and laptop computers unable to start at KBS, MBC and YTN and took the automated teller machines at Shinhan Bank and Nonghyup Bank offline. It didn’t affect the ability of the TV stations to put out programming.
The root of the attack was a malicious piece of software identified by computer security company Sophos Labs as “Mal/EncPk-ACE.” The rather forgettable name has resulted in it being dubbed “DarkSeoul” by researchers at the company who analyzed the code on Wednesday.
“What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated,” the company said in a blog posting.
For that reason — and based on its analysis of the software code alone — Sophos said it’s difficult to conclude the malicious software constituted a “cyberwarfare” attack from North Korea.
Whatever the source, the software was directed at South Korean computers because it attempts to disable two popular local anti-virus scanners, AhnLab and Hauri AV, Sophos said.
When a computer is infected, the software appears to create several files in the “temp” folder of the PC, AhnLab said in a blog posting. The new files include a routine to destroy the master boot record of the disk — the hard disk’s electronic directory of where information is stored.
A computer with a damaged master boot record won’t start — exactly the behavior reported by companies hit by the attack.
In some cases, the malicious code will attempt to overwrite data on the hard disk. In some cases, data is overwritten with the word “PRINCPES” while other cases saw the words “HASTATI” and “NCPES” used, said researchers.
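The damage described above (a destroyed master boot record, and disk contents overwritten with fixed strings) is something a responder can check for directly in the first sector of a disk image. The following is an added example, not code from the article or from Sophos or AhnLab: it parses a raw 512-byte MBR, verifies the 0x55AA boot signature and partition table, and scans the sector for the overwrite strings the article quotes. The two sample sectors are constructed for the demonstration, and the assumption that the markers appear as plain ASCII bytes in the sector is mine.

```python
"""Forensic triage of a raw MBR sector for wiper damage.

Added example (not from the article or the vendors it cites). Reads the
first 512 bytes of a disk image and reports whether the sector still looks
like a Master Boot Record and whether any of the overwrite strings quoted in
the article ("PRINCPES", "HASTATI", "NCPES") are present. The sample sectors
produced by build_sample_mbr() and build_wiped_mbr() are constructed data.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries, then the signature
BOOT_SIGNATURE = b"\x55\xAA"
# Overwrite markers reported in the article. "NCPES" is a suffix of "PRINCPES",
# so a sector filled with "PRINCPES" will report both.
WIPER_MARKERS = (b"PRINCPES", b"HASTATI", b"NCPES")


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def find_wiper_markers(sector: bytes) -> set:
    """Return the marker strings whose ASCII bytes occur anywhere in the sector."""
    return {m.decode() for m in WIPER_MARKERS if m in sector}


def triage_mbr(sector: bytes) -> dict:
    """Classify one sector as intact, damaged, suspicious or wiped."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector = sector[:SECTOR_SIZE]
    markers = find_wiper_markers(sector)
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions = parse_partition_table(sector) if signature_ok else []
    if markers:
        verdict = "wiped: known overwrite pattern present"
    elif not signature_ok:
        verdict = "damaged: boot signature missing"
    elif not partitions:
        verdict = "suspicious: valid signature but empty partition table"
    else:
        verdict = "intact"
    return {"signature_ok": signature_ok, "partitions": partitions,
            "markers": sorted(markers), "verdict": verdict}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: jump stub, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"                       # typical boot-code entry stub
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)  # type 0x07 = NTFS, LBA 2048
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_mbr(marker: bytes = b"PRINCPES") -> bytes:
    """Constructed wiped sector: the marker repeated across all 512 bytes."""
    return (marker * (SECTOR_SIZE // len(marker) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # real use: python triage.py disk.img
        with open(sys.argv[1], "rb") as fh:
            print(triage_mbr(fh.read(SECTOR_SIZE)))
    else:                                # demo on the constructed sectors
        for name, sec in (("sample", build_sample_mbr()),
                          ("wiped", build_wiped_mbr()),
                          ("hastati", build_wiped_mbr(b"HASTATI"))):
            print(name, triage_mbr(sec)["verdict"])
```

Run against a raw image it reads only sector 0, so it is safe to point at a write-blocked evidence copy; a "damaged" verdict with no markers only means the signature is gone, and the rest of the disk still has to be examined before concluding which variant did the overwriting.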
Versions were detected that attack Windows XP, Windows 7 and several lesser-used operating systems including Linux, HP Unix, Solaris and AIX Unix.
Separately from the malicious software, network analysis company Renesys said it detected an impact in several South Korean networks as a result of the attack.
“We observed 5 routed networks of Korea Broadcasting System go down at 05:54:18 UTC this morning (20 March). At the time of this writing they are still down. The Yonhap News Network (YTN) also experienced outages of two of its networks today at 05:54:30 UTC and 06:29:26 UTC.”
Renesys said it also noticed network problems at Korea Gas Corp., which saw its networks go completely offline for two hours from 15:26:30 local time (6:26:30 UTC). Three networks at Shinhan Bank also went offline at the same time.
The problems at Korea Gas could be coincidental, but Renesys notes that South Korea’s 15,000 networks are usually pretty reliable, with only 40 or 50 offline at any one time, usually for technical reasons.
“However, networks from these sectors (Media, Energy, and Banking) are typically some of the most stable, and the timing of their simultaneous outages seems suspicious.”
03/22 UPDATE: Korea Gas contacted Renesys to tell it the network was deliberately taken offline when the attacks were reported to protect its system.
The attack came less than a week after North Korea’s considerably smaller Internet was hit by an unknown glitch that resulted in difficulty accessing web sites for almost two days. North Korea blamed the U.S. and its allies for a cyber attack but offered no other details of the incident, which was only reported in the country’s foreign media output.
“Since last week’s disruption in connectivity in North Korea, we have observed additional brief routing outages for the four routed networks of North Korea. On Monday (18 March) and this morning (20 March), we observed outages lasting for just a few minutes in North Korea. It should be noted that although North Korea’s Internet is small, it is very stable. Until last week, North Korean outages had been very rare.”
Additionally, an attack on the website of Internet provider LG Uplus is looking increasingly like it was unrelated to the troubles at the TV stations and banks. The attack resulted in replacing the service’s home page with a page that claimed responsibility in the name of “Team Whois.”
The same behavior wasn’t reported in the other attacks and Sophos said it had been unable to replicate it.
This entry was posted by Martyn Williams on March 21, 2013 at 11:23, and is filed under Hacking, Internet, Security, Uncategorized, Websites.