Feeds

Seoul-blackening disk wipe badness linked to 4-year SPY CAMPAIGN

Can Norks afford malware writers?

Application security programs and practises

The March attack that hit tens of thousands of computers in South Korea was part of a much larger campaign waged against the Asian nation since at least 2009. That's according to a new report by security biz McAfee.

About 30,000 PCs in banks, insurance companies and TV stations were knackered a few months ago on 20 March in an assault dubbed the Dark Seoul Incident.

South Koreans from Busan to Namyangju couldn't draw money or transfer cash as they were shut out of their online banking accounts and entire networks of cash machines in the country fell over.

The McAfee report avoids leaping to the obvious conclusion that the attacks may be sponsored by North Korea. McAfee's EMEA CTO, Raj Samani, said the firm didn't want to second-guess a South Korean government investigation into the attacks.

What actually happened on 20 March

Spear-phishing emails - precisely targeted messages booby-trapped with attack code - were sent in the preceding three months and were used to open back doors on the PCs. The compromised Windows machines were then told to download and run the data-wiping malware on 20 March.

The software nasties unleashed on computers on the day wiped their master boot records, which are needed to successfully start up the machines.

The attack shouldn't have been particularly damaging beyond being an absolute pain in the neck for IT workers to fix, which is why no one linked the affair to an attempt to snaffle data rather than merely to wipe it.

Beware of Norks snoops bearing gifts

However, security bods at McAfee theorise that malware used in the attack emerged from a hidden years-long campaign. The security firm has dubbed it "Operation Troy" after repeated citations of the ancient city were found in file path strings present in malware associated with the attacks.

The report (PDF) stated:

McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities.

McAfee researchers who analysed the malware deployed for Dark Seoul said it shared some of the code in the NSTAR Trojan and other nasties linked to attacks launched against South Korea some three years ago, as McAfee explains:

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets.

The Operation Troy control process historically involved routing operating commands through concealed Internet Relay Chat (IRC) servers, the researchers said. The first three Troy variants were managed through a South Korean manufacturing website in which the attackers installed an IRC server. This all changed just before the Dark Seoul incident.

The "Concealment" Troy variant, which appeared earlier this year, broke with this dependance on a hardcoded IRC control server control network and moved to running command and control through a more sophisticated (but harder to manage) botnet-based system.

Timeline of the development of Dark Seoul's malware

The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families. The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.

Raj Samani, EMEA CTO at McAfee, told El Reg that behind "noisy" DDoS attacks against South Korean targets, a far more insidious espionage campaign is taking place. "The attacks involve destruction, disruption and espionage," said Samani, adding that the espionage campaign had featured military-themed keywords such as brigade. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.