Korean banks under pressure
Jaromír Hořejší
horejsi@avast.com
www.avast.com
AVAR 2013, Chennai
Jan Širmer
sirmer@avast.com
Agenda
• Origin of infection
• Infection stages
• Consequences on a compromised machine
• Origin of attackers
• Summary
• Questions
Origin of infection
• March 2013
• Compromised legitimate website
• Korean SPC website as a source of infection
• Works as a bridge between the victims and the attackers' website
The first stage of infection
• Content of the compromised SPC website
The first stage of infection
• Source code of common1.js
The first stage of infection
• Screen.js source code contains link to attacker site
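The first stage described above rests on one thing a site owner can watch for: a helper script on the legitimate site that starts referencing a host the site does not own. As an added example (not code from the presentation or from Avast), the following Python check extracts every script and iframe source from page or script content and reports those whose host is outside a first-party allowlist; the sample content, the host names and the assumption that the link is embedded as a script-written iframe are all constructed for illustration, since the slides only state that Screen.js contains a link to the attacker site.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a page and its helper script after a third-party
# reference has been injected. Not the real SPC site content.
SAMPLE_CONTENT = """
<html><head>
<script src="/js/common1.js"></script>
<script src="http://www.spc-site.example/js/screen.js"></script>
</head><body>
<script>
document.write('<iframe src="http://attacker-placeholder.invalid/index.html" width=0 height=0 style="display:none"></iframe>');
</script>
</body></html>
"""

# Hosts the site owner considers first-party (constructed placeholders).
FIRST_PARTY_HOSTS = {"www.spc-site.example", "static.spc-site.example"}

# Whole <script ...> and <iframe ...> opening tags, including ones that sit
# inside JavaScript string literals handed to document.write.
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
ZERO_DIM_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?0\b", re.IGNORECASE)


def find_external_references(content, first_party_hosts):
    """Return one dict per script/iframe reference whose host is not in
    first_party_hosts. Relative URLs are served by the site itself and are
    treated as first-party."""
    findings = []
    for match in TAG_RE.finditer(content):
        tag, attrs = match.group(1).lower(), match.group(2)
        src_match = SRC_RE.search(attrs)
        if not src_match:          # inline <script> without a src attribute
            continue
        src = src_match.group(1)
        host = urlparse(src).hostname
        if host is None or host.lower() in first_party_hosts:
            continue
        findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            # A zero-sized iframe loads a page without the visitor noticing.
            "hidden": tag == "iframe" and bool(ZERO_DIM_RE.search(attrs)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_references(SAMPLE_CONTENT, FIRST_PARTY_HOSTS):
        print(finding)
```

Run it over a copy of each served page and script on a schedule and diff the result against the previous run; a new external host in the output is the event worth investigating. The regex scan deliberately looks at raw text rather than a DOM, so it also catches tags written from string literals, but a reference assembled from concatenated fragments or decoded at runtime will not show up, so treat a clean result as absence of the obvious case, not proof of integrity.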
Attack website source code
• Contains 3 scripts
• One counter for infection statistics
• Two scripts with exploits to compromise visitors' computers
The first exploit
• 1.html
– CVE-2010-0806
– Use-after-free vulnerability in the Peer Objects component
– Works in IE6, 6 SP1 and IE7
Identification of the first exploit
Shellcode executed by the first exploit
• No encryption
The second exploit
• Cc.html
– CVE-2012-1889
– Causes Microsoft XML Core Services to access an uninitialized memory location
– Works in IE6 and IE7; possible to extend to IE8 and IE9
Identification of the second exploit
Shellcode executed by the second exploit
• With encryption
Shellcode executed by the second exploit
• Decrypted shellcode
The second stage of infection
• A small downloader (15 KB) written in Visual Basic
• Performs several tasks on the compromised computer
– Checks internet connectivity by downloading a file from a Korean search engine (http://static.naver.net/w9/blank.gif)
– Downloads a hosts file that redirects several URL addresses
The second stage of infection
– Increases the statistics counter
– Makes itself persistent by modifying Run registry key
– Downloads a backdoor file and executes it
– Drops and executes a batch file that schedules the second-stage downloader to run at a 30-minute interval
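Of the second-stage actions listed above, the replaced hosts file is the one a defender can audit directly from disk, and it is also what later lets a bank's hostname resolve to a page the attackers control. As an added example (not code from the presentation or from Avast), the following Python audit parses a hosts file, reports every mapping beyond the stock localhost lines, and separately reports any that pin a hostname on a watchlist; the sample hosts content and the bank hostnames are constructed placeholders, and the Run-key and scheduled-batch persistence from the same slide is not covered here.

```python
import ipaddress

# Constructed sample hosts file: the normal loopback entries plus the kind of
# additions an attacker-supplied replacement hosts file would make.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bank-a.example
192.0.2.10      online.bank-a.example  bank-b.example
"""

# Hostnames whose resolution must never be overridden locally (constructed
# placeholders standing in for the bank domains a defender actually cares about).
WATCHLIST = {"www.bank-a.example", "online.bank-a.example", "bank-b.example"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a hosts file.
    Handles inline comments and several hostnames on one line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a stricter audit could flag it instead
        for name in names:
            yield ip, name.lower(), lineno


def audit_hosts(text, watchlist):
    """Return (overrides, watchlist_hits): every mapping other than the stock
    loopback->localhost lines, and the subset that pins a watchlisted host."""
    overrides = []
    watchlist_hits = []
    for ip, name, lineno in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback and name == "localhost":
            continue
        entry = {"line": lineno, "ip": ip, "host": name}
        overrides.append(entry)
        if name in watchlist:
            watchlist_hits.append(entry)
    return overrides, watchlist_hits


if __name__ == "__main__":
    overrides, hits = audit_hosts(SAMPLE_HOSTS, WATCHLIST)
    print("overrides:", overrides)
    print("watchlist hits:", hits)
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. Any watchlist hit on a workstation is a strong signal on its own, while the broader override list needs a baseline, since administrators and ad-blocking tools also add entries.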
The third stage of infection
• Backdoor, 1.3 MB in size, written in Delphi
• Protected by Safengine
• Injects itself into iexplorer.exe
• Initiates communication via a custom communication protocol
• Remote control of the compromised system
• Contains many built-in functions
Consequences on the compromised machine
• Kookmin Bank's website on the compromised computer
Consequences on the compromised machine
• Original and modified website
Consequences on the compromised machine
• Victim asked for personal credentials
Origin of the attackers
• Probably Chinese-speaking individuals
Summary
• Growing number of bank frauds
• Using compromised legitimate websites
• Using more than one exploit
• Combination of fraud attack and remote control
• Probably known origin of attackers
Questions & Answers
• Questions?
Thank you
Jan Sirmer (sirmer@avast.com)
Virus Analyst & Researcher
Jaromir Horejsi (horejsi@avast.com)
Virus Analyst & Researcher
