Summary of March 20 Korea MBR Wiper
Our investigation and analysis of last week’s MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.
Arrival and File Downloader
While the attacks began on March 20, we believe that the attack arrived via spammed messages a day earlier (March 19). This is because on that day, a Trend Micro customer received an e-mail message that posed as a message from a major bank in Korea.
The message contained two attachments. One was a non-malicious file named card.jpg; the other was a malicious .RAR file which we detected as TROJ_DLDR.HB. If this file is opened/run, it opens an included HTML file (to make the user think the file was not malicious) and drops another malicious file, which we detect as WORM_STTKR.A.
This particular malware downloads other malicious files onto the affected system whenever it is started. It does this by registering itself as a service named Vmsecurity and creating rules to bypass the Windows firewall. Interestingly, one of the two URLs it downloads files from is a .co.kr address; the other is a .net address. The mutex used – AMrypBloodXYZFlowUSA – also suggests political motivations.
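The persistence described above (a freshly installed service named Vmsecurity) is something a defender can hunt for in Windows System-log records. The following Python script is an added example written for this post; it is not Trend Micro code and it does not come from the malware. It runs over constructed, flattened records that stand in for event 7045 ("A service was installed in the system") entries; the service name comes from the analysis above, while the timestamps, image paths and the temp-directory heuristic are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample records (NOT real logs). Each line flattens a Windows System-log
# event into "timestamp|EventID|key=value|key=value"; event 7045 is the Service Control
# Manager record for "A service was installed in the system". The Vmsecurity name comes
# from the analysis above; the paths and timestamps are made up for this example.
SAMPLE_EVENTS = [
    "2013-03-19T09:12:44|7045|ServiceName=Vmsecurity|ImagePath=C:\\Users\\u1\\AppData\\Local\\Temp\\vmsec.exe",
    "2013-03-19T09:13:01|7045|ServiceName=Spooler|ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "2013-03-19T09:15:30|7045|ServiceName=VMSECURITY|ImagePath=C:\\ProgramData\\vm\\update.exe",
    "2013-03-19T09:16:10|7045|ServiceName=Updater|ImagePath=C:\\Windows\\Temp\\upd.exe",
    "2013-03-19T09:20:00|4688|NewProcessName=C:\\Windows\\System32\\notepad.exe",
]

# Service name reported in the analysis as a persistence indicator (matched case-insensitively).
WATCHLIST_SERVICE_NAMES = {"vmsecurity"}

# Assumed heuristic, not from the page: a service binary living in a temp directory is
# unusual for legitimate software and worth a second look on its own.
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

SERVICE_INSTALLED_EVENT_ID = "7045"


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a dict with 'timestamp', 'event_id' and its key=value fields."""
    parts = line.strip().split("|")
    if len(parts) < 2:
        raise ValueError(f"malformed record: {line!r}")
    event = {"timestamp": parts[0], "event_id": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def flag_service_installs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per service-install event that matches the watchlist or the temp-path heuristic."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event["event_id"] != SERVICE_INSTALLED_EVENT_ID:
            continue  # only service installations are of interest here
        name = event.get("ServiceName", "")
        path = event.get("ImagePath", "")
        reasons = []
        if name.lower() in WATCHLIST_SERVICE_NAMES:
            reasons.append("watchlist-service-name")
        if TEMP_PATH_RE.search(path):
            reasons.append("binary-in-temp-directory")
        if reasons:
            alerts.append({"timestamp": event["timestamp"], "service": name,
                           "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_service_installs(SAMPLE_EVENTS):
        print(f"{alert['timestamp']} {alert['service']:<12} {alert['path']}  <- {', '.join(alert['reasons'])}")
```

The watchlist match is the indicator taken from this analysis; the temp-path rule is there so the same pass also surfaces a renamed variant, at the cost of some false positives from installers that genuinely run out of a temp folder, which is why each alert carries the reasons it fired on rather than a single score.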
The above method may have been used to deliver the actual MBR wiper onto affected systems. However it arrives, the MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:
- Agentbase.exe – the actual MBR wiper, also detected as TROJ_KILLMBR.SM
- ~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
- Alg.exe – non-malicious file, related to PuTTY client
- Conime.exe – non-malicious, related to PuTTY client
However, before it wipes the MBR, it performs two additional routines: firstly, it terminates the processes of two Korean antivirus suites, if these are running on the affected systems. (Other variants we’ve seen also terminate a third antivirus product, which is also Korean.)
Secondly, it searches for saved SSH credentials from two known SSH clients – mRemote and Secure CRT. It searches the folders where these two clients save credentials, namely:
- %AppDataLocal%\Felix_Deimel\mRemote\confCons.xml (for mRemote)
- %Application Data%\VanDyke\Config\Sessions (for Secure CRT)
It checks the credentials stored at these locations and looks for accounts with root access to servers. If it finds any, the malware will attempt to log onto these servers. It checks the operating system of these servers; if it finds any of the following operating systems it will upload the ~pr1.tmp file to this server and run it.
The actual MBR wiper overwrites the MBR with one of three repeated strings: PRINCPES, HASTATI. or PR!NCPES. Some variants of this wiper only trigger at or before 2PM on March 20, 2013; others may trigger only at 3PM or later. Overwriting the MBR leaves the system unable to boot as normal.
For newer versions of Windows (Vista and later), some variants of the MBR wiper also delete all files in all folders on the affected system. It restarts the PC, and users are then unable to use their machine.
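Because the wiper fills the MBR with a known 8-byte string repeated end to end, an incident responder can tell a wiped sector apart from an intact one, or from a sector damaged in some other way, by reading sector 0 of a disk image. The following Python script is an added example for this post, not Trend Micro's tooling or the malware's code. The three marker strings are the ones reported above; the 90% coverage threshold, the partition-table sanity check and the constructed sample sectors (including the NTFS-type entry at LBA 2048) are assumptions made for the example.

```python
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446

# Overwrite strings reported in the analysis above; each is exactly 8 bytes, so a
# sector filled with one of them holds 64 back-to-back copies.
WIPER_MARKERS = (b"PRINCPES", b"HASTATI.", b"PR!NCPES")


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte MBR partition entries (bootable flag, type, start LBA, sector count)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        bootable, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16]
        )
        entries.append({"bootable": bootable, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_mbr(sector: bytes) -> Dict[str, object]:
    """Classify a 512-byte sector as 'intact', 'wiped' (marker-filled) or 'damaged' (neither)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    # Fraction of the sector covered by non-overlapping copies of each marker; a fully
    # wiped sector scores 1.0. The 0.9 cut-off is an assumed threshold for this example.
    best_marker, best_coverage = None, 0.0
    for marker in WIPER_MARKERS:
        coverage = sector.count(marker) * len(marker) / SECTOR_SIZE
        if coverage > best_coverage:
            best_marker, best_coverage = marker.decode("ascii"), coverage
    signature_ok = sector[-2:] == BOOT_SIGNATURE
    has_partition = any(e["type"] != 0 and e["sectors"] != 0 for e in parse_partition_table(sector))
    if best_coverage >= 0.9:
        verdict = "wiped"
    elif signature_ok and has_partition:
        verdict = "intact"
    else:
        verdict = "damaged"
    return {"verdict": verdict, "marker": best_marker, "marker_coverage": best_coverage,
            "boot_signature_ok": signature_ok, "has_partition": has_partition}


def classify_image(path: str) -> Dict[str, object]:
    """Read sector 0 of a raw disk image (or a block device you can read) and classify it."""
    with open(path, "rb") as fh:
        return classify_mbr(fh.read(SECTOR_SIZE))


# --- Constructed sample sectors (not captured from an infected machine) ---
def _build_intact_mbr() -> bytes:
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # opening bytes of a typical boot stub, then padding
    code = code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # One bootable NTFS-type (0x07) partition starting at LBA 2048; the other three entries are empty.
    first = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return code + first + b"\x00" * 48 + BOOT_SIGNATURE


INTACT_SECTOR = _build_intact_mbr()
WIPED_SECTOR = b"PRINCPES" * (SECTOR_SIZE // 8)
ZEROED_SECTOR = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    for label, sector in (("intact", INTACT_SECTOR), ("wiped", WIPED_SECTOR), ("zeroed", ZEROED_SECTOR)):
        print(label, classify_mbr(sector))
```

Point `classify_image` at a raw image taken from an affected disk; a "wiped" verdict with a recognised marker confirms this family, while "damaged" with no marker points at a different cause and warrants a closer look at the rest of the sector.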
The file uploaded to servers, UNIX_KILLMBR.A, has a similar routine. It overwrites or deletes the following important folders:
In the course of our research, we also uncovered the malware TROJ_DROPPER.ZZR that drops TROJ_KILLMBR.SM onto infected systems.
We do not have any information that could be used to directly attribute this attack to any party. However, we did find one variant of the dropper (TROJ_KILLMBR.DF) that in addition to dropping an MBR wiper, dropped an HTML file that attributed the attack to the WhoIs team, as can be seen below.
TROJ_KILLMBR.DF infects the MBR by writing garbage code and forces the boot process into an infinite loop, which in turn displays the image above repeatedly.
Trend Micro solutions
As we discussed in one of our previous entries, Deep Discovery was able to detect the spammed messages that we believe were the original attack vector. In addition to this, we block and detect all the URLs and samples related to this attack that we have encountered.
We are continuing to monitor this threat to see if it could pose any additional risks for our customers.