by Kyle Yang  |  Jul 14, 2013  |  Filed in: Security Research

Shortly after 10:00am on Jun 25th 2013, many South Korean government websites became inaccessible. The outage was caused by malware performing a DDoS attack against 2 major DNS servers (ns.gcc.go.kr and ns2.gcc.go.kr).


Original Attack Vector


During the investigation, we managed to find the original attack sample, which at the time was being served by a compromised website (simdisk.co.kr).

The downloaded file, named SimDisk_setup.exe, turned out to be a self-extracting RAR file.

The SFX RAR archive contained 2 files, one of them SimDiskup.exe.


SimDiskup.exe file


SimDiskup.exe (created on 2013-06-24) is the malicious file. It downloads other malicious files from a remote website.

For instance, it tried to download c.jpg from that remote website.

Despite its extension, c.jpg is clearly an executable; it is saved as ~simdisk.exe and run once the download succeeds.


~simdisk.exe (c.jpg)


Upon execution, it drops 3 files. Two of them (explorer.exe and config.ini) turn out to be Tor version 0.2.3.25; the third, alg.exe, is yet another downloader.

alg.exe then uses the Tor network to download yet another file, which is the final DDoS payload. It tries to connect to the following Tor onions (onion addresses are hidden services reachable only through Tor nodes):

Interestingly, all of the files mentioned above are packed with the infamous run-time packer Themida, but the final payload downloaded by alg.exe is not.


Final Step


First, it checks for a FileMapping object.

Does this remind us of the 3.20 disk wipe-out attack?

After that, it checks whether the OS is 32-bit or 64-bit. On a 32-bit OS it drops a ~DR[random number].tmp file from its resource section, loads it, and then loads another DLL file as a service. (It does the same on a 64-bit OS.)

After the service starts, it checks for the FileMapping object.

After resolving the API addresses it needs, it creates a thread to start the communication with the remote server.

The response data is split into 2 parts:

1.) BM6W -> the only command hardcoded in the binary.

If the response data is anything other than BM6W, it sleeps, then tries again.

2.) 06 19 0a 00 -> four bytes encoding a time: 0x06 = month, 0x19 = day, 0x0a = hour, 0x00 = minute (i.e. June 25th, 10:00).

This looks like a time bomb. Does this also remind us of the 3.20 disk wipe-out attack?

If the system time has passed 6-25 10:00, it drops another file, also packed with Themida: wuauieop.exe.
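To make the two-part response format and the time check concrete, here is an added decoder (example code, not from the original post and not the malware's own code) that parses a constructed sample response and applies the same "has the trigger time passed?" decision. It assumes the four time bytes refer to the current year, since the analysis describes no year byte.

```python
import struct
from datetime import datetime
from typing import Optional, Tuple

# The only command the binary understands, per the analysis above.
COMMAND = b"BM6W"

# Constructed sample response: the BM6W command followed by the four time
# bytes described in the post (06 19 0a 00 = month 6, day 25, 10:00).
SAMPLE_RESPONSE = b"BM6W" + bytes([0x06, 0x19, 0x0A, 0x00])


def parse_trigger(response: bytes) -> Optional[Tuple[int, int, int, int]]:
    """Return (month, day, hour, minute) from a response.

    Returns None when the command token is not BM6W (the case in which the
    implant sleeps and retries) or when the time bytes are out of range.
    """
    if len(response) < 8 or response[:4] != COMMAND:
        return None
    month, day, hour, minute = struct.unpack("BBBB", response[4:8])
    if not (1 <= month <= 12 and 1 <= day <= 31 and hour < 24 and minute < 60):
        return None
    return month, day, hour, minute


def trigger_time(response: bytes, year: int) -> Optional[datetime]:
    """Build the trigger datetime. The year is an assumption: the format
    carries no year byte, so the caller supplies one (normally the current year)."""
    fields = parse_trigger(response)
    if fields is None:
        return None
    month, day, hour, minute = fields
    try:
        return datetime(year, month, day, hour, minute)
    except ValueError:  # e.g. day 31 in a 30-day month
        return None


def trigger_passed(response: bytes, now: datetime) -> bool:
    """True once the clock has passed the trigger, i.e. the point at which the
    downloader would drop the Themida-packed DDoS payload."""
    when = trigger_time(response, now.year)
    return when is not None and now >= when


if __name__ == "__main__":
    print(trigger_time(SAMPLE_RESPONSE, 2013))  # 2013-06-25 10:00:00
    print(trigger_passed(SAMPLE_RESPONSE, datetime(2013, 6, 25, 10, 5)))  # True
```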


DDoS Payload


It starts 2 threads that perform the DDoS attack by querying [random string].gcc.go.kr.

The 2 DDoS targets are hardcoded in the binary:

  • ns.gcc.go.kr - 152.99.1.10
  • ns2.gcc.go.kr - 152.99.200.6

In a nutshell the attack scenario flow can be represented as follows:

simdisk.co.kr → serves SimDisk_setup.exe → extracts to SimDiskup.exe → downloads c.jpg → saved as ~simdisk.exe → drops alg.exe (plus Tor) → gets time of attack from hidden websites and drops wuauieop.exe → queries DNS for [random string].gcc.go.kr
