Korean banks under pressure
Jaromír Hořejší
horejsi@avast.com
Jan Širmer
sirmer@avast.com
www.avast.com
AVAR 2013, Chennai
Agenda
• Origin of infection
• Infection stages
• Consequences on a compromised machine
• Origin of attackers
• Summary
• Questions
Origin of infection
• March 2013
• Compromised legitimate website
• Korean SPC website as a source of infection
• Works as a bridge between victims and attackers website
The first stage of infection
• Content of the compromised SPC website
The first stage of infection
• Source code of common1.js
The first stage of infection
• Screen.js source code contains link to attacker site
Attack website source code
• Contains 3 scripts
• One counter for infection statistics
• Two scripts with exploits to compromise visitors' computers
The first exploit
• 1.html
– CVE-2010-0806
– Use-after-free vulnerability in the Peer Objects component
– Works in IE6, IE6 SP1 and IE7
Identification of the first exploit
Shellcode executed by the first exploit
• No encryption
The second exploit
• Cc.html
– CVE-2012-1889
– Causes Microsoft XML Core Services to access an uninitialized memory location
– Works in IE6, IE7 and possible to extend to work in IE8 and IE9
Identification of the second exploit
Shellcode executed by the second exploit
• With encryption
Shellcode executed by the second exploit
• Decrypted shellcode
The second stage of infection
• A small downloader (15KB) written in Visual Basic
• Performs several tasks on the compromised computer
– Checks internet connection by downloading a file from a Korean search engine (http://static.naver.net/w9/blank.gif)
– Downloads a hosts file redirecting several URL addresses
The second stage of infection
– Increases the statistics counter
– Makes itself persistent by modifying Run registry key
– Downloads a backdoor file and executes it
– Drops and executes a batch file which schedules the second stage downloader to run at a 30 minute interval
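A defender-side check for the hosts-file redirection described in the second stage, added here as an example and not code from the talk: it parses a Windows-style hosts file and flags any real hostname mapped away from loopback, which is how a dropped hosts file silently sends a bank's visitors to an attacker-controlled page. The hosts content and the bank domain in it are constructed; the function names are this example's own.

```python
"""Flag hosts-file entries that redirect real hostnames to remote addresses.

Added example (not from the AVAST talk). A stock hosts file only maps
localhost-style names to loopback; the second-stage downloader replaces it
with one that maps a bank's domains to an attacker's server. Everything that
maps a non-local name to a non-loopback address is therefore suspicious.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Sequence

# Names a stock Windows/Unix hosts file may legitimately carry.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


class Mapping(NamedTuple):
    hostname: str
    address: str
    line_no: int


def parse_hosts(text: str) -> List[Mapping]:
    """Return one Mapping per hostname in the file.

    Handles comments, blank lines, tabs and several hostnames on one line;
    lines whose first token is not an IP address are skipped.
    """
    out: List[Mapping] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            out.append(Mapping(name.lower().rstrip("."), str(addr), n))
    return out


def find_hijacks(text: str, watched_domains: Optional[Sequence[str]] = None) -> List[Mapping]:
    """Report mappings that send a non-local hostname somewhere other than loopback.

    With watched_domains (e.g. the bank domains an organisation cares about)
    only names at or under those domains are reported; 0.0.0.0 and loopback
    targets (ad-blocking style entries) are never reported.
    """
    hits: List[Mapping] = []
    for m in parse_hosts(text):
        if m.hostname in BENIGN_NAMES:
            continue
        addr = ipaddress.ip_address(m.address)
        if addr.is_loopback or addr.is_unspecified:
            continue
        if watched_domains and not any(
            m.hostname == d or m.hostname.endswith("." + d) for d in watched_domains
        ):
            continue
        hits.append(m)
    return hits


# Constructed hosts file: stock header plus attacker entries pointing a
# fictitious bank's domains (bank.example) at a documentation-range address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example   # ad-blocking entry, harmless
203.0.113.7     www.bank.example bank.example
203.0.113.7     login.bank.example
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address}")
```

On a live machine, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and alert on any hit; pairing this with a periodic hash of the file catches the 30-minute re-drop the batch file schedules.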
The third stage of infection
• Backdoor with size 1.3 MB written in Delphi
• Protected by Safengine
• Injects itself into iexplorer.exe
• Initiates communication via a custom communication protocol
• Remote control of a compromised system
• Contains many built-in functions
Consequences on the compromised machine
• Kookmin Bank's website on the compromised computer
Consequences on the compromised machine
• Original and modified website
Consequences on the compromised machine
• Victim asked for personal credentials
Origin of the attackers
• Probably Chinese speaking individuals
Summary
• Growing number of bank frauds
• Using compromised legitimate websites
• Using more than one exploit
• Combination of fraud attack and remote control
• Probably known origin of attackers
Questions & Answers
• Questions?
Thank you
Jan Sirmer (sirmer@avast.com)
Virus Analyst & Researcher
Jaromir Horejsi (horejsi@avast.com)
Virus Analyst & Researcher
Editor's Notes

  1. AVAST Software, a Czech Republic-based company; avast! Antivirus scanning engine
  2. - What signed executables are and what difference the signature makes