A massive computer shutdown of two South Korean banks and
media companies occurred Wednesday via an Internet malware attack. The malware
wiped out the master boot records on the hard drives of the infected computers,
overwriting the MBR with one of these strings:
PRINCPES
PR!NCPES
HASTATI.
Figure 1: Snapshot of MBR after infection.
The attack also overwrote random parts of the file system
with the same strings, rendering several files unrecoverable. So even if the
MBR is recovered, the files on disk will be compromised too.
After that, the system is forced to reboot via the following
command:
shutdown -r -t 0
That action causes the computers to be unable to start
because the MBR is corrupted.
Figure 2: Error message after reboot
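The following forensic check is an added example and not code from the McAfee analysis. It inspects a raw 512-byte boot sector (for example the first sector of a disk image taken from an affected host) and any other byte blob for runs of the three marker strings named above. The layout of a wiped sector used in the constructed samples (the marker repeated back to back) is an assumption; the write-up only states that the MBR and parts of the file system were overwritten with these strings.

```python
"""Offline check for the MBR and file-system overwrite described in the analysis.

Added example (not from the write-up). Works on a raw boot sector or any byte
blob; the constructed sectors at the bottom stand in for real disk images.
"""
import re

# Marker strings the wiper writes over the MBR and over parts of the file system.
WIPER_MARKERS = (b"PRINCPES", b"PR!NCPES", b"HASTATI.")

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


def find_wiper_markers(data: bytes, min_repeats: int = 2):
    """Return (offset, marker, repeat_count) for every run of a marker string.

    One occurrence of an 8-byte ASCII token in a large file could be chance; a
    run of the same token written back to back is what a block overwrite leaves
    behind, so the caller can require several repeats before alerting.
    """
    hits = []
    for marker in WIPER_MARKERS:
        pattern = re.compile(b"(?:" + re.escape(marker) + b")+")
        for m in pattern.finditer(data):
            repeats = len(m.group(0)) // len(marker)
            if repeats >= min_repeats:
                hits.append((m.start(), marker.decode("ascii"), repeats))
    return sorted(hits)


def check_mbr(sector: bytes) -> dict:
    """Classify a 512-byte boot sector.

    Reports the boot-signature state, whether the partition table area is all
    zero, and any wiper markers found. 'wiped' is True when one marker run
    covers the whole sector.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    markers = find_wiper_markers(sector, min_repeats=1)
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    return {
        "boot_signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "partition_table_blank": not any(table),
        "markers": sorted({name for _, name, _ in markers}),
        "wiped": any(reps * len(name) >= SECTOR_SIZE for _, name, reps in markers),
    }


def make_wiped_sector(marker: bytes) -> bytes:
    """Constructed sample: a sector filled with one marker string (not a real capture)."""
    return (marker * (SECTOR_SIZE // len(marker)))[:SECTOR_SIZE]


def make_clean_sector() -> bytes:
    """Constructed sample: zeroed boot code, one dummy partition entry, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[PARTITION_TABLE_OFFSET] = 0x80          # bootable flag of entry 1
    sector[PARTITION_TABLE_OFFSET + 4] = 0x07      # partition type NTFS
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, sector in (("clean", make_clean_sector()),
                          ("wiped", make_wiped_sector(b"HASTATI."))):
        print(label, check_mbr(sector))
```

To use it on a real image, read the first 512 bytes of the image into `check_mbr`, and run `find_wiper_markers` over larger chunks of the image to locate the overwritten file-system regions the analysis mentions.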
Furthermore, before overwriting the MBR, the malware
attempted to kill the main processes of two Korean antivirus products, Ahnlab
and Hauri:
taskkill /F /IM pasvc.exe
taskkill /F /IM Clisvc.exe
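The process chain the analysis describes (taskkill against the two antivirus processes, then `shutdown -r -t 0`) is a usable detection on process-creation telemetry. The code below is an added example, not part of the McAfee write-up: it runs that logic over a constructed event feed whose field names (timestamp, parent pid, pid, command line) are an assumption standing in for a parsed Sysmon event 1 or EDR record.

```python
"""Detect: taskkill against AhnLab/Hauri processes followed by a forced reboot.

Added example, not from the write-up. Events are dicts with ts (datetime),
ppid, pid and cmd; the sample feed below is constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Process names the wiper tried to stop, per the analysis (AhnLab and Hauri).
AV_PROCESS_NAMES = {"pasvc.exe", "clisvc.exe"}
WINDOW = timedelta(seconds=60)   # how soon after the kill a reboot must follow


def parse_command(cmdline: str):
    """Split a command line into (image name, lowercased args).

    Plain whitespace split: enough for the lines in the analysis, but a
    production parser should handle quoted paths containing spaces.
    """
    parts = cmdline.split()
    if not parts:
        return None, []
    image = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    return image, [a.lower() for a in parts[1:]]


def is_av_kill(cmdline: str) -> bool:
    """True for `taskkill /F /IM <antivirus process>`; the /IM target is what matters."""
    image, args = parse_command(cmdline)
    if image not in ("taskkill.exe", "taskkill"):
        return False
    for i, arg in enumerate(args):
        if arg == "/im" and i + 1 < len(args) and args[i + 1] in AV_PROCESS_NAMES:
            return True
    return False


def is_forced_reboot(cmdline: str) -> bool:
    """True for `shutdown -r -t 0` (also accepting the /r /t spelling)."""
    image, args = parse_command(cmdline)
    if image not in ("shutdown.exe", "shutdown"):
        return False
    flags = {a.replace("/", "-") for a in args}
    return "-r" in flags and "-t" in flags and "0" in args


def detect_wiper_chain(events):
    """Group events by parent pid; flag parents that kill AV and reboot within WINDOW.

    Returns a list of (ppid, first_av_kill_ts, reboot_ts), one per offending parent.
    A reboot without a preceding AV kill (routine admin work) is not flagged.
    """
    by_parent = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent.setdefault(ev["ppid"], []).append(ev)
    alerts = []
    for ppid, evs in by_parent.items():
        first_kill = next((e["ts"] for e in evs if is_av_kill(e["cmd"])), None)
        if first_kill is None:
            continue
        for e in evs:
            if is_forced_reboot(e["cmd"]) and first_kill <= e["ts"] <= first_kill + WINDOW:
                alerts.append((ppid, first_kill, e["ts"]))
                break
    return alerts


def sample_events():
    """Constructed feed: one benign admin reboot and one wiper-like chain."""
    t0 = datetime(2013, 3, 20, 14, 0, 0)
    return [
        {"ts": t0, "ppid": 4100, "pid": 4101,
         "cmd": r"C:\Windows\System32\shutdown.exe -r -t 0"},   # admin reboot, no AV kill
        {"ts": t0 + timedelta(seconds=5), "ppid": 5200, "pid": 5201,
         "cmd": "taskkill /F /IM pasvc.exe"},
        {"ts": t0 + timedelta(seconds=6), "ppid": 5200, "pid": 5202,
         "cmd": "taskkill /F /IM Clisvc.exe"},
        {"ts": t0 + timedelta(seconds=9), "ppid": 5200, "pid": 5203,
         "cmd": "shutdown -r -t 0"},
    ]


if __name__ == "__main__":
    for ppid, killed, rebooted in detect_wiper_chain(sample_events()):
        print("wiper-like chain from parent pid %d: AV kill %s, reboot %s"
              % (ppid, killed, rebooted))
```

Keying on the parent pid rather than on single command lines is what keeps a routine `shutdown -r -t 0` from an administrator out of the alerts while still catching the sequence the wiper runs.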
The malware code does not contain any function related to
network communication, and we don’t have any indication that it can communicate
with a remote host.
Also, it didn’t make any other changes in the system such as
dropping files or changing registry keys. The goal of the attack appears to be
solely to make the targeted computers unusable.
A dropper was found that seems to be the original dropper
for this attack. The 418KB file is UPX packed, with the following hash:
9263E40D9823AECF9388B64DE34EAE54
This dropper dropped the MBR-killing module as AgentBase.exe
in the %TEMP% folder, and started it.
It also dropped two clean files, the PuTTY SSH client and the PuTTY
SCP client, in %TEMP%. It then scanned the file system looking for the
configuration files of two SSH clients:
Felix Deimel’s mRemote
%sAppData\Local\Felix_Deimel\mRemote\confCons.xml
VanDyke’s Secure CRT
%sAppData\Roaming\VanDyke\Config\Sessions
If the malware finds a configuration file, it looks for any
entry for a “root” user on a remote system, extracts the connection
information, and uses the Putty clients to check if access to the system is
available:
%s -batch -P %s -l %s -pw %s %s %s:/tmp/cups
%s -batch -P %s -l %s -pw %s %s "chmod 755 /tmp/cups;/tmp/cups"
The malware then drops another file in %TEMP% named
"pr1.tmp," a Bash shell script that attempts to destroy the disk partitions
on three Unix types: Linux, HP-UX, and SunOS.
Figure 3: Part of the shell script used in the Unix attack.
This script checks the system, and then calls a specific
function for each OS in an attempt to overwrite the disk partitions. In case
the operation cannot be executed, it also tries to delete the following
folders:
/kernel/
/usr/
/etc/
/home/
McAfee Labs was able to identify the following hashes
related to this attack:
Wiper module
DB4BBDC36A78A8807AD9B15A562515C4 ApcRunCmd.exe
F0E045210E3258DAD91D7B6B4D64E7F3 ApcRunCmd.exe
0A8032CD6B4A710B1771A080FA09FB87 mb_join.exe
5FCD6E1DACE6B0599429D913850F0364 OthDown.exe
Dropper
9263E40D9823AECF9388B64DE34EAE54 APCRunCmd.DRP
Unix Shell Script
DC789DEE20087C5E1552804492B042CD pr1.tmp
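The hash list above is the kind of indicator set a responder sweeps a host or file share with. The script below is an added example and not McAfee's code: the MD5 values and file names are the ones listed in this post (including the two older 2012 stub samples mentioned further down); the directory walk, the streaming hash and the confidence labels are the added part. File-name hits are reported at low confidence only, since names such as AgentBase.exe or pr1.tmp are not unique to this attack.

```python
"""Sweep a directory tree for the file hashes published for this attack.

Added example (not McAfee's code). Hash values come from the analysis; the
sample tree built by make_sample_tree() is constructed for demonstration.
"""
import hashlib
import os
import tempfile

# md5 -> (original file name, role), as listed in the analysis.
IOC_HASHES = {
    "db4bbdc36a78a8807ad9b15a562515c4": ("ApcRunCmd.exe", "wiper module"),
    "f0e045210e3258dad91d7b6b4d64e7f3": ("ApcRunCmd.exe", "wiper module"),
    "0a8032cd6b4a710b1771a080fa09fb87": ("mb_join.exe", "wiper module"),
    "5fcd6e1dace6b0599429d913850f0364": ("OthDown.exe", "wiper module"),
    "9263e40d9823aecf9388b64de34eae54": ("APCRunCmd.DRP", "dropper"),
    "dc789dee20087c5e1552804492b042cd": ("pr1.tmp", "Unix shell script"),
    # Older samples with the same stub but no MBR-killing payload.
    "e4f66c3cd27b97649976f6f0daad9032": ("E4F66C3CD27B97649976F6F0DAAD9032.bin", "related stub (2012)"),
    "50e03200c3a0becbf33b3788dac8cd46": ("jar_cache1221312510715123682.tmp", "related stub (2012)"),
}

# File names the dropper wrote or used; worth a look, but not proof on their own.
SUSPICIOUS_NAMES = {"agentbase.exe", "pr1.tmp", "cups"}


def md5_of_file(path, chunk_size=1 << 20) -> str:
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, name: str):
    """Return (confidence, label) for one file, or None when nothing matches."""
    entry = IOC_HASHES.get(digest.lower())
    if entry:
        return ("high", "%s (%s)" % entry)
    if name.lower() in SUSPICIOUS_NAMES:
        return ("low", "file name matches an artifact of the attack")
    return None


def sweep(root):
    """Walk root; return [(path, md5, confidence, label)] for every match."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue            # unreadable file: skip it, do not abort the sweep
            verdict = classify(digest, name)
            if verdict:
                findings.append((path, digest, verdict[0], verdict[1]))
    return findings


def make_sample_tree():
    """Constructed sample tree: one benign file and one suspicious-by-name empty file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    open(os.path.join(root, "AgentBase.exe"), "wb").close()   # empty, so md5 is known
    return root


if __name__ == "__main__":
    for path, digest, confidence, label in sweep(make_sample_tree()):
        print(confidence, digest, path, label)
```

Point `sweep` at %TEMP% and /tmp on suspect hosts; a high-confidence hit on one of the wiper hashes is the same evidence McAfee used to tie a sample to this campaign.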
As we looked in our sample database for related files, we
identified two other samples that have the same basic structure as the
preceding samples, but they don’t have the MBR-killing capabilities:
E4F66C3CD27B97649976F6F0DAAD9032 E4F66C3CD27B97649976F6F0DAAD9032.bin
50E03200C3A0BECBF33B3788DAC8CD46 jar_cache1221312510715123682.tmp
These samples were found in the wild in August and October
2012. They share the same basic stub for the MBR-killing malware, but they are
simple downloaders and don’t have commands to kill antivirus processes. They
have only MS-DOS commands to remove themselves after executing.
Based on our analysis, these samples are not related to the
attack, but they may be the same malware stub the attackers used to create
the MBR-killing code: a kind of template Trojan that can be tweaked to execute
any function.
The differences in the payload can be seen in the
following images:
Figure 4: Payload of old samples.
Figure 5: Payload of new samples.
As we can see, the commands executed are different but the
data structure is the same.
McAfee detects the samples involved in the attack as
KillMBR-FBIA and Dropper-FDH.
Source: http://blogs.mcafee.com