Yesterday South Korean computers were hit by a big systems crash across banks and major media, prompting many to point the finger at North Korea. A few sources have suggested that a certain piece of malware was used in the suspected attack that wiped the Master Boot Record – but that would require access to the affected systems. So how did whoever was responsible gain access?
Jaime Blasco, Labs director at AlienVault, has been discussing the incident on the company blog, suggesting that there are two main ways something like this could happen. Either those responsible purchased a malware kit, hacked into websites and then redirected visitors to their “malicious infrastructure,” or they rented a botnet that already had access to the systems they wanted to use.
One of the malicious files found on South Korean systems, which had been seen in the wild a couple of days before the attack, was “b7c6caddb869d8c64e34478223108c605c28c7b725f4d1f79e19064cffca74fa.” Catchy name, right? When executed, this particular binary creates new files that clear Internet Explorer's DNS cache and modify the hosts file so that attempts to reach the South Korean bank's domain resolve to a different IP address. It then creates other malicious tasks and inserts an autostart registry key to make sure it keeps running.
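A defender-side check for the hosts-file tampering described above, written here as an added example rather than anything from AlienVault or the article; the hosts content, the bank domain and the watchlist are constructed placeholders:

```python
import ipaddress

# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entry appended by malware (constructed example)
198.51.100.23   online.examplebank.test www.online.examplebank.test
10.0.0.5        intranet.corp.example
"""

# Domains whose resolution the defender wants to watch (constructed names).
WATCHLIST = {"online.examplebank.test"}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip rather than crash the audit
        for name in names:
            yield addr, name.lower()

def find_suspicious(text, watchlist=WATCHLIST):
    """Return (severity, hostname, ip) for every non-loopback mapping.

    A watchlisted domain (or a subdomain of one) is 'high'; any other static
    mapping is 'review', since workstation hosts files rarely need more than
    loopback entries.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or name == "localhost":
            continue
        hit = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append(("high" if hit else "review", name, str(addr)))
    return findings

if __name__ == "__main__":
    for sev, name, ip in find_suspicious(SAMPLE_HOSTS):
        print(f"[{sev}] {name} -> {ip}")
```

Running the same check against the live hosts file (for example `C:\Windows\System32\drivers\etc\hosts`) on a schedule, and alerting on any 'high' finding, catches this class of redirection regardless of which address the malware chooses.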
All of this ends up infecting the machine through the GonDad exploit kit, which AlienVault suggests has now infected many, many South Korean websites – and therefore many, many users, creating a South Korean botnet. With this many people affected, it's not surprising that such high-level facilities were hit in yesterday's attack: chances are that people who work there simply infected their local systems, giving the attackers access.
But who was responsible? Blasco isn't 100 per cent sure, but the files point in one direction: “The Exploit kit and the malware mentioned seem to come from China but the attackers could have bought/rented it in the black market. The addresses used to register some of the related domain names were also Chinese ones.”
KitGuru Says: Digital security is a bit of a minefield, but your organisation is only as strong as its weakest link. If someone is browsing around using Internet Explorer with little virus protection, it puts everyone else at risk.