Korean banks under pressure
Jaromír Hořejší ([email protected])
Jan Širmer ([email protected])
www.avast.com
AVAR 2013, Chennai
Agenda
• Origin of infection
• Infection stages
• Consequences on a compromised machine
• Origin of attackers
• Summary
• Questions
Origin of infection
• March 2013
• Compromised legitimate website
• Korean SPC website as a source of infection
• Works as a bridge between victims and the attackers' website
Attack website source code
• Contains 3 scripts
• One counter for infection statistics
• Two scripts with exploits to compromise visitors' computers
The first exploit
• 1.html
– CVE-2010-0806
– Use-after-free vulnerability in the Peer Objects component
– Works in IE6, IE6 SP1 and IE7
The second exploit
• Cc.html
– CVE-2012-1889
– Causes Microsoft XML Core Services to access an uninitialized memory location
– Works in IE6 and IE7; possible to extend to work in IE8 and IE9
The second stage of infection
• A small downloader (15KB) written in Visual Basic
• Performs several tasks on the compromised computer
– Checks internet connection by downloading a file from a Korean search engine (http://static.naver.net/w9/blank.gif)
– Downloads a hosts file redirecting several URL addresses
The second stage of infection
– Increases the statistics counter
– Makes itself persistent by modifying the Run registry key
– Downloads a backdoor file and executes it
– Drops and executes a batch file which schedules the second stage downloader to run in a 30 minute interval
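The hosts-file redirection used by the second stage is the part of this chain a defender can check quickly on a suspect machine. The following triage helper is an added example, not code from the presentation: it parses Windows hosts-file text and flags names mapped to a non-local address, using constructed sample content with placeholder domains.

```python
"""Triage helper for the hosts-file redirection described on the slides.
Added example, not code from the presentation: it parses Windows hosts-file
text and flags names mapped to a non-local address, which is how the
downloader steers victims to look-alike bank sites. Sample data is constructed."""
import ipaddress

# Constructed sample: two normal loopback entries plus two pharming entries
# (placeholder domains and a documentation-range address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   online.example-bank.test www.example-bank.test
198.51.100.23   login.another-bank.test   # added by the downloader
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address, not a usable mapping
        for hostname in parts[1:]:
            yield ip, hostname.lower()


def find_redirections(text):
    """Return {hostname: ip} for names that resolve to a remote host.

    Loopback, unspecified and link-local addresses are normal in a hosts
    file; anything else silently overrides DNS for that name."""
    flagged = {}
    for ip, hostname in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        flagged[hostname] = str(ip)
    return flagged


if __name__ == "__main__":
    for name, ip in find_redirections(SAMPLE_HOSTS).items():
        print(f"suspicious mapping: {name} -> {ip}")
```

On a real system the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; any flagged bank domain should be compared against the bank's genuine address range before concluding it is pharming.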
The third stage of infection
• Backdoor with size 1.3 MB written in Delphi
• Protected by Safengine
• Injects itself into iexplorer.exe
• Initiates communication via a custom communication protocol
• Remote control of a compromised system
• Contains many built-in functions
Summary
• Growing number of bank frauds
• Using compromised legitimate websites
• Using more than one exploit
• Combination of fraud attack and remote control
• Probably known origin of attackers
Thank you
Jan Sirmer ([email protected]), Virus Analyst & Researcher
Jaromir Horejsi ([email protected]), Virus Analyst & Researcher