In recent years, cyber attacks against banks have become increasingly common, driven by the profit available to attackers. The number of people accessing their bank accounts online has risen steadily, but their knowledge of computer security is often insufficient. Unaware users frequently fall victim to phishing attacks in which they lose control of their login credentials and private data, which may eventually cost them money.
In March 2013, we discovered attacks targeting major Korean banks. The attack originated from a legitimate Korean website belonging to the Korea Software Property Right Council (SPC). Although the website appears visually the same in both cases, its inner structure differs on a clean computer and on a compromised one.
Many users fall victim to this type of attack when legitimate websites are compromised. In these situations they do not expect any security risk, because they take the high reputation of the legitimate company as a measure of security.
In this presentation, we present what happens on a compromised computer of an unaware user.
Presented at AVAR 2013 by Jaromir Horejsi and Jan Sirmer, Virus Analysts & Researchers at Avast Software.
1. Korean banks under pressure
Jaromír Hořejší
horejsi@avast.com
Jan Širmer
sirmer@avast.com
www.avast.com
AVAR 2013, Chennai
2. Agenda
• Origin of infection
• Infection stages
• Consequences on a compromised machine
• Origin of attackers
• Summary
• Questions
3. Origin of infection
• March 2013
• Compromised legitimate website
• Korean SPC website as a source of infection
• Works as a bridge between victims and attackers
4. The first stage of infection
• Content of the compromised SPC website
11. The second exploit
• Cc.html
– CVE-2012-1889
– Causes Microsoft XML Core Services to access an uninitialized memory location
– Works in IE6 and IE7, and can possibly be extended to work in IE8 and IE9
15. The second stage of infection
• A small downloader (15KB) written in Visual Basic
• Performs several tasks on the compromised computer
– Checks the internet connection by downloading a file from a Korean search engine (http://static.naver.net/w9/blank.gif)
– Downloads a hosts file that redirects several URL addresses
16. The second stage of infection
– Increases the statistics counter
– Makes itself persistent by modifying Run registry key
– Downloads a backdoor file and executes it
– Drops and executes a batch file that schedules the second-stage downloader to run at a 30-minute interval
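A defender-side check for the hosts-file redirection stage described above, added here as an example (it is not code from the talk or from Avast): it parses a hosts file and flags entries that pin watchlisted banking domains or map any non-local hostname to a routable address. The sample hosts content, the bank.example names and the watchlist are constructed; the Windows hosts path is the real default location.

```python
import ipaddress
from typing import Dict, List, Set

# Default Windows hosts file location (real path); the scan takes text, so it also works on an acquired copy.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: the first two entries are the normal defaults, the last
# two mimic a pharming-style redirect of a placeholder bank domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    online.bank.example   # constructed: redirected banking host
203.0.113.10    www.bank.example
"""
# Constructed watchlist: domains a defender never expects to see in a hosts file.
WATCHLIST: Set[str] = {"online.bank.example", "www.bank.example"}

def parse_hosts(text: str) -> List[Dict[str, str]]:
    """Return one record per (address, hostname) pair, skipping comments and blanks."""
    records = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            records.append({"addr": parts[0], "host": name.lower()})
    return records

def suspicious_entries(text: str, watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Flag watchlisted names and any name pinned to a routable (non-loopback) address."""
    # Legitimate intranet entries also match the routable-address rule, so treat
    # that finding as a triage signal to review, not a verdict.
    findings = []
    for rec in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(rec["addr"])
        except ValueError:
            findings.append({**rec, "reason": "unparseable address"})
            continue
        if rec["host"] in watchlist:
            findings.append({**rec, "reason": "watchlisted domain pinned in hosts file"})
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append({**rec, "reason": "non-local hostname mapped to routable address"})
    return findings

def scan_hosts_file(path: str = HOSTS_PATH) -> List[Dict[str, str]]:
    # Scan a real hosts file on a live system or an acquired copy.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Entries pointing at 0.0.0.0 or loopback (the common ad-blocking pattern) are deliberately not flagged unless the name is on the watchlist.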
17. The third stage of infection
• Backdoor of size 1.3 MB written in Delphi
• Protected by Safengine
• Injects itself into iexplorer.exe
• Initiates communication via a custom communication protocol
• Remote control of a compromised system
• Contains many built-in functions
21. Origin of the attackers
• Probably Chinese speaking individuals
22. Summary
• Growing number of bank frauds
• Using compromised legitimate websites
• Using more than one exploit
• Combination of fraud attack and remote control
• Probably known origin of attackers