A massive computer shutdown of two South Korean banks and media companies occurred Wednesday via an Internet malware attack. The malware wiped out the master boot records on the hard drives of the infected computers, overwriting the MBR with one of these strings:
Figure 1: Snapshot of MBR after infection.
The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable. So even if the MBR is recovered, the files on disk will be compromised too.
After that, the system is forced to reboot via the following command:
- shutdown -r -t 0
Because the MBR is corrupted, the computers can no longer boot after that reboot.
Figure 2: Error message after reboot
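As an added example (not code from the McAfee post), here is a small forensic check a responder could run against the first sector of a disk image to tell a healthy MBR from one overwritten with a repeated string, as described above. The sample sectors are constructed; the placeholder text stands in for the strings used in the attack, which are not reproduced here.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"

def build_healthy_mbr():
    """Constructed minimal MBR: jump stub, one active NTFS partition, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xEB\x3C\x90"                 # typical jump into boot code
    mbr[0x1BE] = 0x80                           # partition 1: active
    mbr[0x1BE + 4] = 0x07                       # partition 1: type NTFS
    struct.pack_into("<II", mbr, 0x1BE + 8, 2048, 1048576)  # LBA start, sector count
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

def build_wiped_mbr(pattern=b"PLACEHOLDER_STRING"):
    """Constructed wiped sector: the string repeated across all 512 bytes (placeholder, not the real string)."""
    return (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]

def inspect_mbr(sector):
    """Return a list of findings; an empty list means the sector looks like a normal MBR."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    usable = 0
    for i in range(4):                          # four 16-byte partition entries at 0x1BE
        entry = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        _start, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: bad status byte {status:#04x}")
        elif ptype != 0 and count > 0:
            usable += 1
    if usable == 0:
        findings.append("no usable partition entries")
    printable = sum(32 <= b < 127 for b in sector)
    if printable / SECTOR > 0.9:
        findings.append("sector is almost entirely printable text (overwritten with a string?)")
    for period in range(1, 65):                 # shortest repeating pattern, as a wiper leaves behind
        if sector == (sector[:period] * (SECTOR // period + 1))[:SECTOR]:
            findings.append(f"sector is a repeating {period}-byte pattern")
            break
    return findings
```

On a real image, read the first 512 bytes of the device or image file and pass them to inspect_mbr.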
Furthermore, before overwriting the MBR, the malware attempted to kill the main processes of two Korean antivirus products, Ahnlab and Hauri:
- taskkill /F /IM pasvc.exe
- taskkill /F /IM Clisvc.exe
The malware code does not contain any function related to network communication, and we don’t have any indication that it can communicate with a remote host.
Also, it didn’t make any other changes in the system such as dropping files or changing registry keys. The goal of the attack appears to be solely to make the targeted computers unusable.
A dropper was found that seems to be the original dropper for this attack. The 418KB file is UPX packed, with the following hash:
The dropper writes the MBR-killing module as AgentBase.exe to the %TEMP% folder and starts it.
It also drops two clean files, the PuTTY SSH client and the PuTTY SCP client, in %TEMP%. It then scans the file system looking for the configuration files of two SSH clients:
- Felix Deimel’s mRemote
- VanDyke’s Secure CRT
If the malware finds a configuration file, it looks for any entry for a “root” user on a remote system, extracts the connection information, and uses the Putty clients to check if access to the system is available:
- %s -batch -P %s -l %s -pw %s %s %s:/tmp/cups
- %s -batch -P %s -l %s -pw %s %s “chmod 755 /tmp/cups;/tmp/cups”
The malware then drops another file in %TEMP% named “pr1.tmp,” which is a BASH shell script that attempts to perform partition killing on three Unix types: Linux, HP-UX, and SunOS.
Figure 3: Part of the shell script used in the Unix attack.
This script identifies the operating system and then calls an OS-specific function that attempts to overwrite the disk partitions. If that operation fails, it also tries to delete the following folders:
McAfee Labs was able to identify the following hashes related to this attack:
As we looked in our sample database for related files, we identified two other samples that have the same basic structure as the preceding samples, but they don’t have the MBR-killing capabilities:
- E4F66C3CD27B97649976F6F0DAAD9032 E4F66C3CD27B97649976F6F0DAAD9032.bin
- 50E03200C3A0BECBF33B3788DAC8CD46 jar_cache1221312510715123682.tmp
These samples were found in the wild in August and October 2012. They share the same basic stub for the MBR-killing malware, but they are simple downloaders and don’t have commands to kill antivirus processes. They have only MS-DOS commands to remove themselves after executing.
Based on our analysis, these samples are not related to the attack, but they may be the same malware stub used by the attackers to create the MBR-killing code: a kind of template Trojan that can be tweaked to execute any function.
The differences in the payload are visible in the following images:
Figure 4: Payload of old samples.
Figure 5: Payload of new samples.
As we can see, the commands executed are different but the data structure is the same.
McAfee detects the samples involved in the attack as KillMBR-FBIA and Dropper-FDH.