Feeds

South Korea data-wipe malware spread by patching system

Long dark teatime in Seoul saga continues to unfold

Secure remote control for conventional and virtual desktops

South Korea's data wiping malware that knocked out PCs at TV stations and banks earlier this week may have been introduced through compromised corporate patching systems.

Several South Korean financial institutions - Shinhan Bank, Nonghyup Bank and Jeju Bank - and TV broadcaster networks were impacted by a destructive virus (since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec), which wiped the hard drives of infected PCs, preventing them from booting up upon restart.

Initially it was thought that the malware spread through local telco LG U+ and may have came from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault.

Late on Friday afternoon security appliance firm Fortinet claimed hackers broke into the servers of an (unnamed) but local antivirus company and planted malware which was then distributed as an update patch. Local researchers at Fortinet's Threat Response Team working with the Korea Information Security Association came up with the theory before notifying news media about the apparent find. However late on Friday evening Guillaume Lovet of Fortinet called El Reg and stated that the security appliance firm no longer stood by its earlier pronouncement.

By Monday morning things had moved on again with South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the spread of the malware. It said its own security technology was not involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.

Attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates. Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.

The latest theory suggests hackers first obtained administrator login to a security vendors' patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update. This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record (MBR) on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 14:00 hrs Korea time on the infected PCs, like a time bomb.

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware's victims.

The prevailing theory remains that North Korea may have instigated the attacks, which follows weeks of heightened tension on the peninsula. However there's no hard evidence to support this conclusion. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.