Digital Attack on Korean networks: Wipers, Time-Bombs and Roman soldiers
On March 20th, a little after 2 p.m. local time, the networks of several South Korean financial institutions and TV broadcasters were hit by a destructive virus that wiped the hard drives of infected computers, preventing them from booting upon restart.
Since then, the team here has been hard at work dissecting the components of the attack. So far, here is what we have found that, to our knowledge, has not been published anywhere yet:
- The attack made use of two different droppers, each in charge of dropping wipers, with MD5 sums:
Dropper1: 9263e40d9823aecf9388b64de34eae54
Dropper2: b80153b66fdaafedfc0a65bcb940687d
- Each dropper dropped 2 wipers, leaving us with 4 different wipers:
Wiper1: 5fcd6e1dace6b0599429d913850f0364
Wiper2: 530c95eccdbd1416bf2655412e3dddbe
Wiper3: db4bbdc36a78a8807ad9b15a562515c4
Wiper4: 0a8032cd6b4a710b1771a080fa09fb87
Each of these wipers is indeed deleterious to the infected host's hard drive, but only triggers when a subset of the following three conditions, different for each wiper, is satisfied:
Absence of a specific File Mapping Object in memory
Absence of a specific temporary file
Current time > preset time (this is usually called a "time-bomb" malware)
Rather interestingly, the File Mapping Objects and temporary files seem to be used by the wipers as mere mutexes, so that work in progress is not duplicated: they check for their existence but do nothing with them. Incidentally, the File Mapping Objects do not even map actual files: they are created with an invalid file handle (-1, i.e. INVALID_HANDLE_VALUE), which makes them backed by the system paging file rather than by any file on disk.
Upon triggering, the wipers take a combination of the following actions:
Overwrite the Master Boot Record (MBR) of the hard drive with the string "HASTATI", "PRINCIPES" or "PR!NCPES". These are names of classes of soldiers serving in the legions of the Roman Republic: the Hastati formed the first line and the Principes the second line on the battlefield.
Depending on the OS version, either wipe the whole hard drive with the same string, or each and every file.
Execute the following commands:
`
taskkill /F /IM pasvc.exe
taskkill /F /IM Clisvc.exe
`
As has been reported elsewhere, these processes belong to antivirus products from the Korean vendors AhnLab and Hauri.
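The MBR overwrite described above leaves a very recognizable artifact, so an incident responder can triage a disk image or a saved boot sector offline. The following Python script is an added example, not code from the original post: it classifies sector 0 and walks the rest of an image for sectors carrying one of the three strings. It assumes the wipers fill a sector with the string repeated back to back (the post only says the MBR is "overwritten with the string"), and the image it builds for the demonstration is constructed, not captured from an infected host.

```python
"""Offline check of a raw disk image or a saved boot sector for the marker
strings the wipers write over the MBR and the rest of the disk."""
import io
import sys
from typing import Iterator, List, Tuple

SECTOR = 512
# Strings the text reports being written over the MBR (and disk or files).
MARKERS = (b"HASTATI", b"PRINCIPES", b"PR!NCPES")


def fill_pattern(marker: bytes, size: int = SECTOR) -> bytes:
    """A sector consisting of `marker` repeated back to back. That the wipers
    fill a sector this way is our assumption; the text only says the MBR is
    overwritten with the string."""
    return (marker * (size // len(marker) + 1))[:size]


def classify_sector(sector: bytes) -> str:
    """'wiped:<MARKER>' for a sector that is exactly a repeated marker,
    'suspect:<MARKER>' if a marker merely occurs somewhere in it, else 'other'."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one %d-byte sector" % SECTOR)
    for marker in MARKERS:
        if sector == fill_pattern(marker):
            return "wiped:" + marker.decode()
    for marker in MARKERS:
        if marker in sector:
            return "suspect:" + marker.decode()
    return "other"


def classify_mbr(sector: bytes) -> str:
    """Sector 0 specifically: a marker hit, else 'intact' if the 0x55AA boot
    signature is still in place, else 'unknown' (overwritten with something else)."""
    verdict = classify_sector(sector)
    if verdict != "other":
        return verdict
    return "intact" if sector[510:512] == b"\x55\xaa" else "unknown"


def scan_stream(stream, max_sectors=None) -> Iterator[Tuple[int, str]]:
    """Walk a raw image sector by sector, yielding (LBA, verdict) for every
    sector that carries a marker."""
    lba = 0
    while max_sectors is None or lba < max_sectors:
        sector = stream.read(SECTOR)
        if len(sector) < SECTOR:
            break
        verdict = classify_sector(sector)
        if verdict != "other":
            yield lba, verdict
        lba += 1


def scan_bytes(image: bytes) -> List[Tuple[int, str]]:
    """Same as scan_stream, over an in-memory image."""
    return list(scan_stream(io.BytesIO(image)))


def build_sample_image() -> bytes:
    """Constructed test image (not a capture from an infected host): an MBR
    with a valid boot signature, two zero sectors, then three sectors wiped
    with PR!NCPES."""
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 2) + fill_pattern(b"PR!NCPES") * 3


if __name__ == "__main__":
    # Usage: python mbr_triage.py <image-or-device>  (a dd image, or
    # \\.\PhysicalDrive0 on Windows when run elevated). No argument: sample image.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print("MBR:", classify_mbr(f.read(SECTOR)))
            f.seek(0)
            for lba, verdict in scan_stream(f, max_sectors=1 << 20):  # first 512 MiB
                print("LBA %d: %s" % (lba, verdict))
    else:
        image = build_sample_image()
        print("MBR:", classify_mbr(image[:SECTOR]))
        print("hits:", scan_bytes(image))
```

A 'suspect' verdict on a sector other than 0 is normal on a disk that held the samples or this very script (the strings sit in the binaries); it is the 'wiped' verdict on sector 0, or long runs of 'wiped' sectors, that mark a host hit by the payload.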
The details, for each wiper:
Wiper1: Triggers on FileMapping Object + Time-Bomb
FileMapping Object name: JO840112-CRAS8468-11150923-PCI8273V
Time-Bomb: local time > 2013-03-20 14:00:00
If the compromised computer does not have a FileMapping Object with the name above and its local time is later than 2013-03-20 14:00:00, it executes the following commands:
`
taskkill /F /IM pasvc.exe
taskkill /F /IM Clisvc.exe
`
It then starts a thread that first overwrites the MBR with the string “HASTATI” and, depending on the OS version, overwrites either the entire hard drive or every single file with the same string “HASTATI”. Finally, it executes “shutdown -r -t 0” to reboot the computer.
Wiper2: Triggers on FileMapping Object + Temp File + Time-Bomb
FileMapping Object name: GOLD0112-CRAS8468-PAGE0923-PCI8273V
Temp File: windowstempkb01.tmp
Time-Bomb: local time > 03-20 15:00:00
If the compromised computer does not have the FileMapping Object above, the temp file above does not exist, and its local time is later than 03-20 15:00:00, it starts a thread that overwrites the entire hard drive with the string “PR!NCPES”, then executes “shutdown -r -t 0” to reboot the computer. There are no “taskkill” commands this time. If the compromised computer does not have the FileMapping Object but does have the temp file, it sleeps for a short time and checks for the file's existence again.
Wiper3: Triggers on FileMapping Object + Temp File
FileMapping Object name: JO840112-CRAS8468-11150923-PCI8273V
Temp File: windowstemp~v3.log
If the compromised computer has neither the FileMapping Object above nor the temp file, it executes the following commands:
`
taskkill /F /IM pasvc.exe
taskkill /F /IM clisvc.exe
`
It then starts a thread that overwrites the MBR with the string “PRINCIPES” and, depending on the OS version, overwrites either the entire hard drive or every single file with the same string. Finally, it executes “shutdown -r -t 0” to reboot the computer.
Wiper4: Triggers on FileMapping Object
FileMapping Object name: JO840112-CRAS8468-11150923-PCI8273V
If the compromised computer does not have the FileMapping Object above, it executes the following commands:
`
taskkill /F /IM pasvc.exe
taskkill /F /IM clisvc.exe
`
It then starts a thread that overwrites the MBR with the string “PR!NCPES” and, depending on the OS version, overwrites either the entire hard drive or every single file with the string “PR!NCPES”. Finally, it executes “shutdown -r -t 0” to reboot the computer.
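The preconditions above, together with the observation that the wipers only test for the existence of the section objects and temp files, lend themselves to a host triage script. The following Python is an added example, not part of the original post: on a Windows host it probes for the two section names (via OpenFileMapping) and the two temp files, reports which wipers' preconditions currently hold, and, with --inoculate, pre-creates those objects so that every wiper's check fails. It assumes the temp files live under %WINDIR%\Temp (the post prints the paths with the separators lost), assumes the year 2013 for Wiper2's deadline, which the post leaves out, and the inoculation is our deduction from the post's analysis rather than a countermeasure the post describes. The precondition logic itself runs anywhere; only the live probes need Windows.

```python
"""Triage of the wiper preconditions (sections, temp files, deadlines) on a
host, and an optional inoculation that pre-creates what the wipers test for."""
import ctypes
import os
import sys
import time
from datetime import datetime

# Section (File Mapping Object) names quoted in the per-wiper details above.
SECTION_NAMES = (
    "JO840112-CRAS8468-11150923-PCI8273V",  # Wipers 1, 3 and 4
    "GOLD0112-CRAS8468-PAGE0923-PCI8273V",  # Wiper 2
)
# The text prints the temp files as "windowstempkb01.tmp" and "windowstemp~v3.log";
# reading both as %WINDIR%\Temp\<name> is our assumption.
WINDIR = os.environ.get("WINDIR", r"C:\Windows")
TEMP_FILES = (WINDIR + r"\Temp\kb01.tmp", WINDIR + r"\Temp\~v3.log")

# Preconditions per wiper, transcribed from the text: a wiper fires only when
# its section is absent, its temp file (if any) is absent, and local time is
# past its deadline (if any). The year of Wiper2's deadline is not on the
# page; 2013 is our assumption.
WIPERS = {
    "Wiper1": (SECTION_NAMES[0], None,          datetime(2013, 3, 20, 14, 0, 0)),
    "Wiper2": (SECTION_NAMES[1], TEMP_FILES[0], datetime(2013, 3, 20, 15, 0, 0)),
    "Wiper3": (SECTION_NAMES[0], TEMP_FILES[1], None),
    "Wiper4": (SECTION_NAMES[0], None,          None),
}


def armed_wipers(sections_present, temps_present, now):
    """Names of the wipers whose preconditions all hold for a host in this
    state. `now` is a datetime or an ISO string such as "2013-03-20 14:30:00"."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    armed = []
    for name, (section, temp, deadline) in WIPERS.items():
        if section in sections_present:
            continue                      # mutex check fails: wiper backs off
        if temp is not None and temp in temps_present:
            continue                      # Wiper2 sleeps and re-checks; Wiper3 backs off
        if deadline is not None and now <= deadline:
            continue                      # time-bomb not yet due (strict "greater than")
        armed.append(name)
    return armed


def _kernel32():
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)  # Windows only
    k32.OpenFileMappingW.restype = ctypes.c_void_p
    k32.OpenFileMappingW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    k32.CreateFileMappingW.restype = ctypes.c_void_p
    k32.CreateFileMappingW.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_uint32,
                                       ctypes.c_uint32, ctypes.c_uint32, ctypes.c_wchar_p)
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    return k32


def section_exists(name):
    """True if a section with this name exists in the caller's session
    namespace. OpenFileMapping fails with ERROR_ACCESS_DENIED (5) when the
    object exists but is not readable by us; that still counts as present."""
    k32 = _kernel32()
    FILE_MAP_READ = 0x0004
    handle = k32.OpenFileMappingW(FILE_MAP_READ, 0, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == 5


def live_state():
    """Collect which of the indicators exist on this host (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live checks require Windows")
    sections = {n for n in SECTION_NAMES if section_exists(n)}
    temps = {p for p in TEMP_FILES if os.path.exists(p)}
    return sections, temps


def inoculate():
    """Create both sections (pagefile-backed, like the wipers' own -1-handle
    mappings) and both temp files so that every wiper's precondition fails.
    This is our deduction from the text, not a countermeasure the page describes.
    A named section lives only while some process holds a handle to it, so the
    returned handles must stay open for as long as protection is wanted."""
    k32 = _kernel32()
    PAGE_READWRITE = 0x04
    handles = []
    for name in SECTION_NAMES:
        h = k32.CreateFileMappingW(ctypes.c_void_p(-1), None, PAGE_READWRITE, 0, 4096, name)
        if not h:
            raise ctypes.WinError(ctypes.get_last_error())
        handles.append(h)
    for path in TEMP_FILES:
        open(path, "ab").close()          # create if missing, leave any content alone
    return handles


if __name__ == "__main__":
    sections, temps = live_state()
    print("sections present:", sorted(sections) or "none")
    print("temp files present:", sorted(temps) or "none")
    print("wipers whose preconditions hold now:", armed_wipers(sections, temps, datetime.now()))
    if "--inoculate" in sys.argv:
        held = inoculate()
        print("holding %d section handles; Ctrl-C to release" % len(held))
        while True:
            time.sleep(60)
```

Two caveats a responder should keep in mind. A bare section name resolves in the caller's session-local object namespace, so a probe run from an interactive desktop will not see (or shield against) a copy of the wiper running as a service in session 0, and vice versa; run it in the same session the sample would run in. And the section object disappears the moment the last handle to it is closed, which is why the script keeps running after inoculating rather than exiting.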
Detection patterns for all the pieces above are present in our antivirus databases; as of update 17.333, the detection names are W32/Kast.A!tr and W32/Dloader.74DD!tr.