Our investigation and analysis of last week’s MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.
The MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:
- Agentbase.exe – the actual MBR wiper, also detected as TROJ_KILLMBR.SM
- ~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
- Alg.exe – a non-malicious file related to the PuTTY client
- Conime.exe – a non-malicious file related to the PuTTY client
However, before it wipes the MBR, it performs two additional routines. First, it terminates the processes of two Korean antivirus suites if they are running on the affected system. (Other variants we've seen also terminate a third antivirus product, which is also Korean.)
Second, it searches for saved SSH credentials from two known SSH clients, mRemote and Secure CRT. It looks in the folders where these two clients store their credentials, namely:
- %AppDataLocal%\Felix_Deimel\mRemote\confCons.xml (for mRemote)
- %Application Data%\VanDyke\Config\Sessions (for Secure CRT)
It examines the credentials stored at these locations and looks for accounts with root access to servers. If it finds any, the malware attempts to log on to those servers and checks their operating system; if it finds any of the following operating systems, it uploads the ~pr1.tmp file to that server and runs it.
The actual MBR wiper overwrites the MBR with one of three repeated strings: PRINCPES, HASTATI. or PR!NCPES. Some variants of this wiper only trigger at or before 2PM on March 20, 2013; others trigger only at 3PM or later. Overwriting the MBR leaves the system unable to boot normally.
On newer versions of Windows (Vista and later), some variants of the MBR wiper also delete all files in all folders on the affected system. The malware then restarts the PC, after which users are unable to use their machine.
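The repeated-string overwrite described above leaves a recognisable fingerprint in the first sector of the disk. The following script is an added example for incident responders and is not code from the original post or from Trend Micro: it reads a 512-byte MBR (from a disk image or a constructed sample), checks for the 0x55AA boot signature, finds the shortest repeating byte pattern in the sector, and matches it against the three strings named in the post. It goes slightly beyond the post by also flagging any other short constant fill (for example an all-zero sector) as a likely wipe, so unknown variants that reuse the same technique with a different string are still caught. The sample sectors and the `wiper_mbr_check` naming are constructed for this example.

```python
# Added example (not the post's or Trend Micro's code): forensic triage of a
# 512-byte MBR sector for the repeated-string overwrite used by TROJ_KILLMBR.
from typing import Dict, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
# The three 8-byte overwrite strings named in the post.
KNOWN_WIPER_STRINGS = (b"PRINCPES", b"HASTATI.", b"PR!NCPES")
# Any repeating unit this short or shorter is treated as a fill pattern.
MAX_FILL_PERIOD = 16


def smallest_repeating_unit(data: bytes) -> bytes:
    """Return the shortest byte string whose repetition reproduces `data`.

    The shortest period of s is the first index > 0 at which s occurs in
    s + s; if s is not periodic that index is len(s) and s itself is returned.
    """
    period = (data + data).find(data, 1)
    return data[:period]


def classify_mbr(sector: bytes) -> Dict[str, object]:
    """Classify a raw MBR sector.

    verdict values:
      "wiped_known"       - sector is a repetition of one of the known strings
      "wiped_pattern"     - sector is a short constant fill (unknown string/zeros)
      "no_boot_signature" - not a fill pattern, but the 0x55AA signature is gone
      "ok"                - boot signature present and no fill pattern detected
    """
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)}")

    unit = smallest_repeating_unit(sector)
    has_signature = sector[-2:] == BOOT_SIGNATURE
    known: Optional[bytes] = unit if unit in KNOWN_WIPER_STRINGS else None

    if known is not None:
        verdict = "wiped_known"
    elif len(unit) <= MAX_FILL_PERIOD:
        verdict = "wiped_pattern"
    elif not has_signature:
        verdict = "no_boot_signature"
    else:
        verdict = "ok"

    return {
        "has_boot_signature": has_signature,
        "repeat_unit": unit if len(unit) <= MAX_FILL_PERIOD else None,
        "known_wiper_string": known,
        "verdict": verdict,
    }


def read_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a raw disk image (or block device)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def constructed_samples() -> Dict[str, bytes]:
    """Constructed sample sectors used to demonstrate the check offline."""
    # A stand-in for a healthy MBR: non-repeating bytes plus the boot signature.
    clean = bytearray(bytes(range(256)) * 2)
    clean[510:512] = BOOT_SIGNATURE
    return {
        "clean": bytes(clean),
        "princpes": b"PRINCPES" * 64,   # 8 * 64 = 512 bytes
        "hastati": b"HASTATI." * 64,
        "zeroed": b"\x00" * MBR_SIZE,   # unknown variant / plain zero wipe
    }


if __name__ == "__main__":
    for name, sector in constructed_samples().items():
        info = classify_mbr(sector)
        print(f"{name:9s} verdict={info['verdict']:18s} "
              f"unit={info['repeat_unit']!r} signature={info['has_boot_signature']}")
```

On a real case, call `classify_mbr(read_mbr("/path/to/image.dd"))`; a `wiped_known` or `wiped_pattern` verdict on a machine that failed to boot after the trigger time is a strong indicator that the sector was overwritten rather than corrupted by hardware failure, and the returned `repeat_unit` tells you which variant's string was used.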
The file uploaded to servers, UNIX_KILLMBR.A, has a similar routine. It overwrites or deletes the following important folders:
We do not have any information that could be used to directly attribute this attack to any party. However, we did find another sample (TROJ_KILLMBR.DF) that contains the code that modifies the MBR. It also overwrites certain files (typically .HTML, .HTM, .ASPX, .ASP, .DO and .PHP file types) found on the infected system. Because the malware modifies any .HTML file it finds, users who open such a file will instead see this image.
This modification of the MBR also renders the system unbootable upon restart, displaying only a black screen with an underscore, unlike the other MBR-wiping payload, which tells users to remove some disks.
We are continuing to monitor this threat to see if it could pose any additional risks for our customers.