
    Author Archive - Marco Dela Vega (Threats Researcher)

    Our investigation of the June 25 South Korea incident led us to an attack scenario involving the compromise of an auto-update mechanism. As part of our continuous monitoring, we documented another scenario (presented in this blog entry) pertaining to a DDoS attack launched at specific sites.

    The recent attack against South Korean websites has revealed a certain similarity between this attack and the March 20 MBR Wiper incident: a time trigger.

    Recall that the March 20 MBR wiper attack involved malware that was set to wipe the MBR of affected systems at specific times (the triggers were set either to 2PM or earlier on March 20, 2013, or to 3PM or later on the same date). In the June 25 attack, the trigger date depends on files downloaded from certain URLs that function, in effect, as commands specifying when the DDoS attack will occur. We also uncovered that the malware re-checks the trigger time and re-executes the DDoS component every 24 hours for 3 days, possibly to ensure that the DDoS attack lasts for a specific duration.

    This ticking “time bomb” illustrates the impact that time-triggered attacks can have: large effects in a short amount of time.

    Figure 1. DDoS Behavior

    Looking more closely at the attack, maximum impact appears to be its primary goal. The DDoS attack is carried out by repeatedly sending relatively large DNS packets (more than one kilobyte) to two IP addresses. These targeted IP addresses are the primary and secondary DNS name servers of record for multiple South Korean government sites. The attack is intended to knock all of these sites offline indirectly: users who do not have a DNS record cached for these domains would need to use DNS to translate the domain name to the IP address, but because the name servers for these domains are offline, they would be unable to do so. By targeting a single point of failure, attackers are able to take down multiple sites using only one attack.
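    As an added example (not code from the original post), a defender-side check over constructed flow-log lines that flags sources sending many oversized DNS packets to watched name-server addresses, the traffic pattern described above; the log format, addresses and thresholds are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed flow-log lines (not from the incident): "<ts> <src> <dst>:<dport> <proto> <bytes>".
var sampleFlows = []string{
	"2013-06-25T14:00:01 10.0.0.5 203.0.113.10:53 udp 1240",
	"2013-06-25T14:00:01 10.0.0.5 203.0.113.10:53 udp 1240",
	"2013-06-25T14:00:02 10.0.0.7 203.0.113.10:53 udp 64",
	"2013-06-25T14:00:03 10.0.0.9 198.51.100.4:443 tcp 1500",
	"2013-06-25T14:00:03 10.0.0.5 203.0.113.11:53 udp 1300",
}

// LargeDNSSenders counts, per source, UDP/53 packets larger than minBytes sent to a
// watched name-server address and returns the sources whose count reaches threshold.
func LargeDNSSenders(flows []string, watched map[string]bool, minBytes, threshold int) map[string]int {
	counts := map[string]int{}
	for _, line := range flows {
		f := strings.Fields(line)
		if len(f) != 5 || f[3] != "udp" {
			continue // malformed line or not UDP: skip
		}
		dst, port, ok := strings.Cut(f[2], ":")
		if !ok || port != "53" || !watched[dst] {
			continue // not DNS traffic to a name server we care about
		}
		if size, err := strconv.Atoi(f[4]); err == nil && size > minBytes {
			counts[f[1]]++
		}
	}
	flagged := map[string]int{}
	for src, n := range counts {
		if n >= threshold {
			flagged[src] = n
		}
	}
	return flagged
}

func main() {
	ns := map[string]bool{"203.0.113.10": true, "203.0.113.11": true}
	for src, n := range LargeDNSSenders(sampleFlows, ns, 1024, 3) {
		fmt.Printf("%s sent %d oversized DNS packets to watched name servers\n", src, n)
	}
}
```

    In production the threshold would be a rate over a time window rather than a raw count, and the watched set would be the authoritative name servers you are responsible for.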

    All the components of this attack are already detected as TROJ_DIDKR.A, and the URLs of these malicious files have been blocked as well. We will continue to be on the lookout for further threats, and will release new information if it becomes available.

    With additional analysis from Threat Researchers Rhena Inocencio and Teoderick Contreras.

    Posted in Malware, Targeted Attacks | South Korean Government DNS Servers Targeted By DDoS Attacks

    On Tuesday, South Korea raised the country’s cyber security alarm from level 1 to 3, because of several incidents that affected different government and news websites in South Korea. One of the several attacks related to the June 25 security incident involved the compromise of the auto-update mechanism related to the legitimate installer file SimDisk.exe, which we were able to get a sample of. SimDisk is a file-sharing and storage service.

    Most software vendors’ auto-update mechanisms are intended to be non-intrusive to the user experience in order to help consumers keep their software patched and updated with the latest versions of the software. This is extremely important in preventing exploit attacks that leverage software vulnerabilities in order to perpetrate cybercrime or targeted attacks.

    In the SimDisk case, the legitimate software is configured to automatically download updates from a specific website. However, this website was compromised and served a modified version of the installer (detected as TROJ_DIDKR.A). The modified version drops a copy of the legitimate installer in order to simulate what should typically happen. It also drops a second file, a malicious component that connects to a malicious location, allowing the infection chain to proceed as the attackers intended.

    Figure 1. Possible attack scenario

    All the files noted above are detected as TROJ_DIDKR.A. The malicious file which connects to the Tor network takes its name from any process that is currently running on the system.

    We are currently investigating this and related incidents. We do not yet have exact details about the method of compromise, but this shows that users also need to be vigilant about the security of the auto-update mechanisms of the vendors they choose to trust. Software vendors should also prioritize safeguarding their product servers and the overall security of their network, considering the impact that a compromise in this area has on their software’s users.
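    As an added example (not code from the original post or from the SimDisk vendor), the check a hardened update client can make before running a downloaded installer: the vendor signs a manifest carrying the installer’s SHA-256 with a key whose public half is pinned in the client, so a replaced installer on a compromised update site fails verification even if the attacker also replaces the manifest. Go’s standard-library Ed25519 is used; the manifest format and all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is served next to the installer: the SHA-256 of the installer
// bytes plus the vendor's signature over name and hash (hypothetical format).
type Manifest struct {
	Name, SHA256 string
	Sig          []byte
}

// SignManifest is the vendor-side step, run offline with the private key.
func SignManifest(priv ed25519.PrivateKey, name string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	m := Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, []byte(m.Name+"\n"+m.SHA256))
	return m
}

// VerifyUpdate is the client-side check. The public key is pinned in the
// client, so an attacker who controls the update site can replace the
// installer and the manifest but cannot produce a valid signature.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, []byte(m.Name+"\n"+m.SHA256), m.Sig) {
		return errors.New("manifest signature invalid; refusing update")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash differs from signed manifest; refusing update")
	}
	return nil // only now may the installer be executed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed stand-in for the genuine installer")
	m := SignManifest(priv, "SimDisk.exe", genuine)
	fmt.Println("genuine installer:", VerifyUpdate(pub, m, genuine))
	tampered := []byte("constructed stand-in for a replaced installer")
	fmt.Println("replaced installer:", VerifyUpdate(pub, m, tampered))
}
```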

    Trend Micro blocks all the malicious URLs related to this specific attack and also the malicious component of the compromised installer file. Trend Micro Deep Discovery helps enterprises defend their networks through network-wide visibility, insight, and control.

    With additional analysis from Threat Researchers Harli Aquino and Nikko Tamaña.

    Update as of June 26, 6:35 AM PDT

    We also found evidence that the same technique of compromising the auto-update mechanisms of web application installers is being used in other attacks. Specifically, Songsari_setup.exe, a legitimate installer file, has also been modified to drop a malicious component that will connect to a URL to download files. Our detection for these compromised installer files and other related files is TROJ_DIDKR.A.

    Figure 2. Possible attack scenario

    With additional analysis from Network Threat Researcher Dexter To.

    Posted in Targeted Attacks | Compromised Auto-Update Mechanism Affects South Korean Users

    In an inevitable turn of events, cybercriminals leveraged the death of Apple co-founder Steve Jobs through Facebook scams within hours after the announcement.

    The particular scam we found involves a website, which claims that Apple has decided to give away 1,000 iPads in memory of Steve Jobs. The said site displays the following:

    The site asks users to share the page, in order to be eligible to get an iPad. Following the instructions directs users to an ad site while in the background, the link is posted on their Facebook wall.


    Posted in Spam

    Last week, we discussed the SK Communications data breach where a large number of user accounts in South Korea were exposed. The scope appears to be bigger than initially reported, as ESTsoft, a South Korean company that develops software (including antivirus, compression utility, and other software), came forward with a public notice disclosing that one of their update servers was compromised.

    According to the advisory, a vulnerability found in a common DLL update module allowed a hacker to drop a malicious file (BKDR_SOGU.A, the same file discussed in the entry “Analysis of BKDR_SOGU.A, a Database-Accessing Malware”) onto infected computers.

    ESTsoft already released a patch on August 4 and pushed it as an update. They also stressed that they are cooperating and closely working with South Korean law enforcement agencies to understand the cause and extent of the said compromise.

    As of today, the details of the attack are still incomplete but the above suggests that ESTsoft is one possible infection vector, among others, that may eventually have led to the SK Comms data breach. With this development, the involvement of not one but several companies indicates that this may not have started as a targeted attack specifically against one company. The attacker may have first triggered a wide range of initial attacks, a reconnaissance step to find vulnerable public-facing interfaces while assessing if those vulnerable interfaces will be useful. In this case, ESTsoft may have been a useful infection vector to host the malicious file while SK Comms served as a good target due to its rich repository of information that can be of further use to cybercriminals.



    Last week, there was ample coverage of the SK Comms data breach, which involved one of the more popular service providers in South Korea that offers social networking and instant-messaging (IM) as well as mobile phone services. The breach affected the user accounts of the NATE portal and Cyworld, both SK Comms offerings.

    Within the same week, we also found a malware that may be related to this particular incident. The said backdoor, which we detect as BKDR_SOGU.A (with the SHA1 hash 1733217aa852957269cd201f6cf53ef314e86897), connects to {BLOCKED}, its C&C server. The C&C server communicates with the remote infected system via HTTP POST in order to send and receive commands from a remote malicious user. As of this writing, this URL is already inaccessible.

    One notable routine of this backdoor is its capability to access a specific database on infected systems in order to fetch and collect data from it. This routine is carried out using several ODBC APIs such as SQLAllocHandle, SQLDriverConnect, SQLNumResultCols, SQLFetch, and SQLExecDirect. The figures below show the code disassembly of how the malware uses these APIs.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice