A massive computer shutdown of two South Korean banks and media companies occurred Wednesday via an Internet malware attack. The malware wiped out the master boot records on the hard drives of the infected computers, overwriting the MBR with either one of these strings:
Figure 1: Snapshot of MBR after infection.
The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable. So even if the MBR is recovered, the files on disk will be compromised too.
After that, the system is forced to reboot via the following command:
shutdown -r -t 0
That action causes the computers to be unable to start because the MBR is corrupted.
Figure 2: Error message after reboot
Furthermore, before overwriting the MBR, the malware attempted to kill the main processes of two Korean antivirus products, Ahnlab and Hauri:
taskkill /F /IM pasvc.exe
taskkill /F /IM Clisvc.exe
The malware code does not contain any function related to network communication, and we don’t have any indication that it can communicate with a remote host.
Also, it didn’t make any other changes in the system such as dropping files or changing registry keys. The goal of the attack appears to be solely to make the targeted computers unusable.
A dropper was found that seems to be the original dropper for this attack. The 418KB file is UPX packed, with the following hash:
This dropper dropped the MBR-killing module as AgentBase.exe in the %TEMP% folder, and started it.
It also dropped two clean files, Putty SSH client and Putty SCP client in %TEMP%. It then scanned the file system looking for the configuration files of two SSH clients:
Felix Deimel’s mRemote
VanDyke’s Secure CRT
If the malware finds a configuration file, it looks for any entry for a “root” user on a remote system, extracts the connection information, and uses the Putty clients to check if access to the system is available:
%s -batch -P %s -l %s -pw %s %s %s:/tmp/cups
%s -batch -P %s -l %s -pw %s %s “chmod 755 /tmp/cups;/tmp/cups”
The malware then drops another file in %TEMP% named “pr1.tmp,” which is a BASH shell script that attempts to perform partition killing on three Unix types: Linux, HP-UX, and SunOS.
Figure 3: Part of the shell script used in the Unix attack.
This script checks the system, and then calls a specific function for each OS in an attempt to overwrite the disk partitions. In case the operation cannot be executed, it also tries to delete the following folders:
McAfee Labs was able to identify the following hashes related to this attack:
Unix Shell Script
As we looked in our sample database for related files, we identified two other samples that have the same basic structure as the preceding samples, but they don’t have the MBR-killing capabilities:
These samples were found in the wild in August and October 2012. They share the same basic stub for the MBR-killing malware, but they are simple downloaders and don’t have commands to kill antivirus processes. They have only MS-DOS commands to remove themselves after executing.
Based on our analysis, these samples are not related to the attack, but they may be the same malware stub used by the attackers to create the MBR-killing code, sort of a template Trojan that can be tweaked to execute any function.
It’s possible to see the differences in the payload on the following images:
Figure 4: Payload of old samples.
Figure 5: Payload of new samples.
As we can see, the commands executed are different but the data structure is the same.
McAfee detects the samples involved in the attack as KillMBR-FBIA and Dropper-FDH.
Kaynakça : http://blogs.mcafee.com
Kaynakça : http://blogs.mcafee.com