1. Korean banks under pressure
Jaromír Hořejší
horejsi@avast.com
www.avast.com
AVAR 2013, Chennai
Jan Širmer
sirmer@avast.com
2. Agenda
• Origin of infection
• Infection stages
• Consequences on a compromised machine
• Origin of attackers
• Summary
• Questions
3. Origin of infection
• March 2013
• Compromised legitimate website
• Korean SPC website as the source of infection
• The compromised site works as a bridge between victims and attackers: visitors of the legitimate site are served the attackers' exploit content
4. The first stage of infection
• Content of the compromised SPC website
11. The second exploit
• Cc.html
– CVE-2012-1889
– Causes Microsoft XML Core Services to access an uninitialized memory location
– Works in IE6 and IE7; can be extended to work in IE8 and IE9
15. The second stage of infection
• A small downloader (15 KB) written in Visual Basic
• Performs several tasks on the compromised computer
– Checks internet connectivity by downloading a file from a Korean search engine (http://static.naver.net/w9/blank.gif)
– Downloads a hosts file that redirects several URLs (hosts-file pharming: the bank hostnames resolve to attacker-controlled addresses)
16. The second stage of infection
– Increments the statistics counter
– Makes itself persistent by modifying a Run registry key
– Downloads a backdoor and executes it
– Drops and executes a batch file that schedules the second-stage downloader to run at a 30-minute interval
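The hosts-file redirection described in the second stage is the part of the chain a defender can check offline. The following Python script is an added example, not code from the talk or from Avast: it parses a hosts file, skips mappings that cannot be pharming (loopback, 0.0.0.0 blackholing, link-local) and flags any hostname that is sent to a routable address, with a higher severity for hostnames on a bank watchlist. The sample hosts content, the bank hostnames and the address 203.0.113.7 are constructed placeholders, not indicators from the presentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the behaviour the slides describe: the stock
# loopback lines plus injected lines that point bank hostnames at one external
# address. Hostnames and 203.0.113.7 (TEST-NET-3) are placeholders, not IOCs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.examplebank.co.kr banking.examplebank.co.kr
203.0.113.7     www.otherbank.example   # injected by the downloader
0.0.0.0         ads.tracker.example
"""

# Hostnames the defender cares about (placeholders for the targeted banks).
WATCHLIST: Set[str] = {
    "www.examplebank.co.kr",
    "banking.examplebank.co.kr",
    "www.otherbank.example",
}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: one address followed by one or more hostnames,
    '#' starts a comment. Malformed lines are skipped rather than raising."""
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append(HostsEntry(n, parts[0], host.lower()))
    return entries


def is_benign_address(addr: str) -> bool:
    """Loopback, unspecified (0.0.0.0 blackholing) and link-local targets
    cannot redirect a victim to an attacker's server."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_pharming(entries: List[HostsEntry],
                  watchlist: Set[str] = WATCHLIST) -> List[Tuple[HostsEntry, str]]:
    """Return (entry, severity) for every hostname mapped to a routable address.
    Watchlisted hostnames are 'high'; other routable mappings are 'review',
    since an end-user PC rarely needs them legitimately."""
    hits: List[Tuple[HostsEntry, str]] = []
    for e in entries:
        if is_benign_address(e.address):
            continue
        hits.append((e, "high" if e.hostname in watchlist else "review"))
    return hits


def redirect_targets(hits: List[Tuple[HostsEntry, str]]) -> Dict[str, List[str]]:
    """Group flagged hostnames by destination address; one address collecting
    several bank hostnames is the pattern the slides describe."""
    grouped: Dict[str, List[str]] = {}
    for e, _ in hits:
        grouped.setdefault(e.address, []).append(e.hostname)
    return grouped


if __name__ == "__main__":
    for entry, severity in find_pharming(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {entry.line_no}: {entry.hostname} -> {entry.address} [{severity}]")
```

On a live Windows host the input would be the contents of %SystemRoot%\System32\drivers\etc\hosts; the same parser applies to /etc/hosts on other systems.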
17. The third stage of infection
• Backdoor, 1.3 MB, written in Delphi
• Protected by Safengine
• Injects itself into iexplorer.exe
• Communicates via a custom protocol
• Gives the attackers remote control of the compromised system
• Contains many built-in functions
21. Origin of the attackers
• Probably Chinese-speaking individuals
22. Summary
• Growing number of bank frauds
• Using compromised legitimate websites
• Using more than one exploit
• Combination of fraud attack and remote control
• Probably known origin of attackers