TrendLabs Malware Blog - Trend Micro

    Last week, there was ample coverage of the SK Comms data breach, which involved one of the more popular service providers in South Korea that offers social networking and instant-messaging (IM) as well as mobile phone services. The breach affected the user accounts of the NATE portal and Cyworld, both SK Comms offerings.

    Within the same week, we also found malware that may be related to this incident. The backdoor, which we detect as BKDR_SOGU.A (SHA1 hash 1733217aa852957269cd201f6cf53ef314e86897), connects to {BLOCKED}, its C&C server. The C&C server communicates with the infected system via HTTP POST in order to send commands from, and return data to, a remote malicious user. As of this writing, this URL is already inaccessible.

    One notable routine of this backdoor is its capability to access a specific database on the infected system in order to fetch and collect data from it. The routine uses several ODBC APIs, namely SQLAllocHandle, SQLDriverConnect, SQLNumResultCols, SQLFetch, and SQLExecDirect. The figures below show the code disassembly of how the malware uses these APIs.

    [Figures: code disassembly of the backdoor's ODBC API calls (images not available)]

    The database the backdoor accesses and the types of information it gathers are defined based on the parameters the remote server provides. Other backdoor routines (e.g., enumerating registry values or listing files in a specified directory) may be able to provide such data as well.
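The ODBC import cluster described above, combined with an HTTP client, is a useful triage signal for samples with this data-collection capability. The following import-table heuristic is an added example written for this post, not Trend Micro's tooling: the five odbc32 names are the ones listed above, while the WinINet/WinHTTP and registry/file enumeration names are common Win32 APIs we chose as plausible companions (an assumption), and the sample import table is constructed, not taken from the real binary.

```python
from typing import Dict, Iterable, Set, Tuple

# Capability clusters: lowercased DLL -> base API names (no A/W suffix).
# The odbc32 entries are the five APIs named in the post; the rest are our
# assumed companions for "run a server-supplied query and ship results out".
CLUSTERS: Dict[str, Dict[str, Set[str]]] = {
    "odbc_query": {"odbc32.dll": {"SQLAllocHandle", "SQLDriverConnect", "SQLExecDirect",
                                  "SQLNumResultCols", "SQLFetch"}},
    "http_c2": {"wininet.dll": {"InternetOpen", "HttpOpenRequest", "HttpSendRequest"},
                "winhttp.dll": {"WinHttpOpen", "WinHttpOpenRequest", "WinHttpSendRequest"}},
    "enumeration": {"advapi32.dll": {"RegEnumValue", "RegEnumKeyEx"},
                    "kernel32.dll": {"FindFirstFile", "FindNextFile"}},
}

def _stem(api: str) -> str:
    """Drop the ANSI/Unicode suffix so SQLDriverConnectW matches SQLDriverConnect."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api

def match_clusters(imports: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Return, per cluster, the imported API names that belong to it."""
    hits: Dict[str, Set[str]] = {name: set() for name in CLUSTERS}
    for dll, apis in imports.items():
        for cluster, wanted in CLUSTERS.items():
            bases = wanted.get(dll.lower(), set())
            hits[cluster].update(a for a in apis if a in bases or _stem(a) in bases)
    return hits

def triage(imports: Dict[str, Iterable[str]]) -> Tuple[str, Dict[str, Set[str]]]:
    """Rate review priority. 'high' needs connect + ad-hoc query (SQLDriverConnect
    and SQLExecDirect, i.e. arbitrary C&C-supplied SQL) plus an HTTP client."""
    hits = match_clusters(imports)
    odbc_stems = {_stem(a) for a in hits["odbc_query"]}
    can_query = {"SQLDriverConnect", "SQLExecDirect"} <= odbc_stems
    if can_query and hits["http_c2"]:
        return "high", hits
    if can_query or (hits["http_c2"] and hits["enumeration"]):
        return "medium", hits
    return "low", hits

# Constructed import table shaped like the behaviour described in the post.
SAMPLE_IMPORTS = {
    "ODBC32.dll": ["SQLAllocHandle", "SQLDriverConnectW", "SQLExecDirectW",
                   "SQLNumResultCols", "SQLFetch"],
    "WININET.dll": ["InternetOpenA", "HttpOpenRequestA", "HttpSendRequestA"],
    "ADVAPI32.dll": ["RegEnumValueW"],
    "KERNEL32.dll": ["CreateFileW", "FindFirstFileW", "FindNextFileW"],
}

if __name__ == "__main__":
    level, matched = triage(SAMPLE_IMPORTS)
    print(level, {k: sorted(v) for k, v in matched.items() if v})
```

On real samples the import map can be built with a PE parser such as pefile; legitimate database clients will also score, so treat the result as a review priority rather than a verdict.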

    So far, nothing in the code suggests that it was created solely and specifically for certain attacks. In fact, it may be used and reused as long as the malware is not detected by the network's security software. As we stated before, attacks against large corporations do not always require highly sophisticated malware technologies, but rather a combination of the ingenious use of other techniques (e.g., exploiting known vulnerabilities, social engineering, etc.) that can lead to a successful targeted attack.

    The Trend Micro™ Smart Protection Network™ infrastructure detects the backdoor and blocks access to the malicious URLs related to this attack.

    We are still conducting further investigation on this incident. We will update this blog entry as soon as possible with any relevant developments.

    Analysis assistance provided by Paul Kimayong and Kathleen Notario

    Update: We posted a follow-up entry on August 10, 10:47 AM entitled, Updates on the SK Comms Data Breach. Also, read the initial blog post Large Data Breach in South Korea, Data of 35M Users Stolen.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice