
Summary of March 20 Korea MBR Wiper

  • Posted on:March 27, 2013 at 12:03 pm
  • Posted in:Malware, Targeted Attacks
  • Author:
    Trend Micro

Our investigation and analysis of last week’s MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.

The MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:

  • Agentbase.exe – the actual MBR wiper, also detected as TROJ_KILLMBR.SM
  • ~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
  • Alg.exe – non-malicious file, related to the PuTTY client
  • Conime.exe – non-malicious file, related to the PuTTY client

However, before it wipes the MBR, it performs two additional routines: firstly, it terminates the processes of two Korean antivirus suites, if these are running on the affected systems. (Other variants we’ve seen also terminate a third antivirus product, which is also Korean.)

Secondly, it searches for saved SSH credentials from two known SSH clients – mRemote and Secure CRT. It searches the folders where these two clients save credentials, namely:

  • %AppDataLocal%\Felix_Deimel\mRemote\confCons.xml (for mRemote)
  • %Application Data%\VanDyke\Config\Sessions (for Secure CRT)

It checks the credentials stored at these locations and looks for accounts with root access to servers. If it finds any, the malware attempts to log on to those servers. It then checks the operating system of each server; if it finds any of the following operating systems, it uploads the ~pr1.tmp file to that server and runs it.

  • AIX
  • HP-UX
  • Linux
  • SunOS
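The credential-harvesting step above is also the one defenders can audit for: any workstation that holds saved root SSH sessions in either client is a pivot point to the Unix servers. The script below is an added example, not code from the original post or from Trend Micro. It walks the two stores named above (the post's %AppDataLocal% is the Windows %LOCALAPPDATA% variable) and lists sessions that log in as root over SSH. The file layouts it parses (Node attributes in mRemote's confCons.xml, S:"Key"=value lines in Secure CRT's per-session .ini files) are based on how those clients store sessions and are an assumption of this example, as are the constructed sample files.

```python
"""Audit a Windows workstation for the saved root SSH sessions the wiper harvests.

Added example, not code from the original post. File layouts assumed:
mRemote keeps one <Node> per session in confCons.xml; Secure CRT keeps one
.ini per session with lines such as  S:"Username"=root .
"""
import glob
import os
import xml.etree.ElementTree as ET

# Locations named in the post, as Windows environment variables.
MREMOTE_CONF = r"%LOCALAPPDATA%\Felix_Deimel\mRemote\confCons.xml"
SECURECRT_SESSIONS = r"%APPDATA%\VanDyke\Config\Sessions"

# Constructed sample of an mRemote confCons.xml (attribute names assumed).
SAMPLE_MREMOTE_XML = """<Connections Name="Connections" Export="False">
  <Node Name="db01" Protocol="SSH2" Hostname="10.0.0.11" Username="root" />
  <Node Name="web01" Protocol="SSH2" Hostname="10.0.0.12" Username="deploy" />
  <Node Name="files" Protocol="RDP" Hostname="10.0.0.13" Username="root" />
</Connections>
"""

# Constructed sample of one Secure CRT session .ini (line format assumed).
SAMPLE_SECURECRT_INI = """S:"Protocol Name"=SSH2
S:"Hostname"=10.0.0.21
S:"Username"=root
D:"[SSH2] Port"=00000016
"""


def mremote_root_ssh(xml_text):
    """Return (hostname, 'root') for every SSH node whose saved user is root."""
    hits = []
    for node in ET.fromstring(xml_text).iter("Node"):
        if (node.get("Protocol", "").upper().startswith("SSH")
                and node.get("Username") == "root"):
            hits.append((node.get("Hostname"), "root"))
    return hits


def securecrt_root_ssh(ini_text):
    """Return (hostname, 'root') if this session is SSH as root, else None."""
    fields = {}
    for line in ini_text.splitlines():
        # String settings look like:  S:"Username"=root
        if line.startswith('S:"') and '"=' in line:
            key, value = line[3:].split('"=', 1)
            fields[key] = value
    if (fields.get("Protocol Name", "").upper().startswith("SSH")
            and fields.get("Username") == "root"):
        return (fields.get("Hostname"), "root")
    return None


def audit_workstation():
    """Walk the two real stores (if present) and list root SSH sessions found."""
    findings = []
    conf = os.path.expandvars(MREMOTE_CONF)
    if os.path.isfile(conf):
        with open(conf, encoding="utf-8", errors="replace") as fh:
            findings += [("mRemote",) + hit for hit in mremote_root_ssh(fh.read())]
    sessions = os.path.expandvars(SECURECRT_SESSIONS)
    for ini in glob.glob(os.path.join(sessions, "**", "*.ini"), recursive=True):
        with open(ini, encoding="utf-8", errors="replace") as fh:
            hit = securecrt_root_ssh(fh.read())
        if hit:
            findings.append(("Secure CRT",) + hit)
    return findings


if __name__ == "__main__":
    print("sample mRemote root SSH sessions:", mremote_root_ssh(SAMPLE_MREMOTE_XML))
    print("sample Secure CRT session:", securecrt_root_ssh(SAMPLE_SECURECRT_INI))
    for client, host, user in audit_workstation():
        print(f"{client}: {user}@{host}")
```

Run it on an administrator's workstation to see exactly what the dropper would have found; on a non-Windows host the environment variables do not expand, so only the embedded samples are reported. A session listed here is a reason to move that server to key-based, non-root logins rather than a stored root password.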

The actual MBR wiper overwrites the MBR with one of three strings, repeated: PRINCPES, HASTATI. or PR!NCPES. Some variants of this wiper only trigger at or before 2PM on March 20, 2013; others trigger only at 3PM or later. Overwriting the MBR leaves the system unable to boot normally.
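Because the overwrite is a fixed 8-byte string repeated across the sector, a forensic triage check on sector 0 is straightforward. The following is an added example, not code from the original post or from Trend Micro: it classifies one 512-byte sector as wiped with one of the three strings above, as a still-intact MBR (0x55AA boot signature present), or as unknown. The 0.9 fill threshold, which tolerates a partially overwritten sector, and the sample sectors are constructed for this example.

```python
"""Triage sector 0 of a disk or disk image for this wiper's overwrite pattern.

Added example, not code from the original post. The three markers are the
strings named in the post; the fill threshold and samples are assumptions.
"""
SECTOR_SIZE = 512
WIPER_MARKERS = (b"PRINCPES", b"HASTATI.", b"PR!NCPES")  # each 8 bytes long


def classify_mbr(sector, threshold=0.9):
    """Return 'wiped:<marker>', 'valid' or 'unknown' for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    for marker in WIPER_MARKERS:
        width = len(marker)
        slots = SECTOR_SIZE // width                 # 64 aligned 8-byte slots
        hits = sum(
            1 for off in range(0, SECTOR_SIZE, width)
            if sector[off:off + width] == marker
        )
        # Count a mostly filled sector as wiped so a partial overwrite is not missed.
        if hits >= threshold * slots:
            return "wiped:" + marker.decode("ascii")
    # An intact MBR ends with the 0x55AA boot signature at bytes 510-511.
    if sector[510:512] == b"\x55\xaa":
        return "valid"
    return "unknown"


def read_first_sector(path):
    """Read sector 0 from a raw device or image file."""
    # Examples of path: \\.\PhysicalDrive0 on Windows, /dev/sda on Linux,
    # or a dd image taken from the affected machine.
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample sectors for the demonstration below.
SAMPLE_WIPED = b"PRINCPES" * 64
SAMPLE_PARTIAL = b"PR!NCPES" * 60 + bytes(32)         # last 32 bytes untouched
SAMPLE_INTACT = bytes(446) + bytes(64) + b"\x55\xaa"  # boot code, partition table, signature


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], classify_mbr(read_first_sector(sys.argv[1])))
    else:
        for name, s in (("wiped", SAMPLE_WIPED), ("partial", SAMPLE_PARTIAL),
                        ("intact", SAMPLE_INTACT)):
            print(name, classify_mbr(s))
```

Run it against a raw device (which needs administrator or root rights) or against an image taken from an affected machine. A "wiped" verdict identifies the variant by marker; a "valid" verdict only means the signature survived, so the partition table should still be inspected separately.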

On newer versions of Windows (Vista and later), some variants of the MBR wiper also delete all files in all folders on the affected system. They then restart the PC, after which users are unable to use their machines.

The file uploaded to servers, UNIX_KILLMBR.A, has a similar routine. It overwrites or deletes the following important directories:

  • /etc/
  • /home/
  • /kernel/
  • /usr/

We do not have any information that could be used to directly attribute this attack to any party. However, we did find another sample (TROJ_KILLMBR.DF) that contains the code that modifies the MBR. It also overwrites certain files (typically .HTML, .HTM, .ASPX, .ASP, .DO and .PHP file types) found on the infected system. Because the malware modifies every .HTML file it finds, users who open such a file see an image planted by the malware instead of the original page.

This modification of the MBR also renders the system unbootable on restart; it shows only a black screen with an underscore, unlike the other MBR-wiping payload, which tells users to remove some disks.

We are continuing to monitor this threat to see if it could pose any additional risks for our customers.
