DarkSeoul: SophosLabs identifies malware used in South Korean internet attack

Filed Under: Denial of Service, Featured, Malware

SophosLabs has identified the malware used in the major internet attack that hit systems in South Korea earlier today.

Computer networks belonging to South Korean TV broadcasters and at least two major banks in the country have been disrupted by what some have suggested was a malicious internet attack originating in North Korea.

At approximately 2pm local time, computers at the Shinhan and NongHyup banks were brought down - impacting internet banking and ATMs. Similarly, systems at the KBS, MBC, and YTN television stations were reportedly crippled - although broadcasts were not interrupted.

Failing to boot

Some media reports have said that computers failed to boot up properly, and displayed an image of three skulls alongside a message claiming that the systems had been "hacked by Whois Team".

Whois Team message

However, in Sophos's testing so far we have not been able to replicate this payload.

According to a Reuters report, LG U+, the company which provides internet services to at least some of the companies named above, says that it believes its network was hacked.

The malware, detected proactively by Sophos products as Mal/EncPk-ACE, has been dubbed "DarkSeoul" by experts analysing its code at SophosLabs.

What's curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated.

For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a "cyberwarfare" attack coming from North Korea.

Backing up the evidence that the attack was targeted against South Korean computers, Sophos experts have determined that "DarkSeoul" attempts to disable two popular anti-virus products developed in the country: AhnLab and Hauri AV.

Section of malware code designed to disable Korean anti-virus products

Who are the "Whois Team"? No-one is sure. And as yet no strong evidence has emerged that whoever was behind this attack is based in, or has backing from, North Korea.

What we do know is that there have long been claims that North Korea is operating a cyberwarfare unit (presumably being countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea's military command and control centre was the target of a spyware attack from North Korea's electronic warfare division.

The sexy female seductress at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.

In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.

Both countries recognise how the internet can be harnessed for the purpose of spying and military advantage.

To help other security researchers, here are the MD5 checksums of the samples of this malware we have seen so far:

db4bbdc36a78a8807ad9b15a562515c4
0a8032cd6b4a710b1771a080fa09fb87
5fcd6e1dace6b0599429d913850f0364
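As an added illustration of how a defender can put the checksums above to use (this is not code from Sophos or from the article), the following script walks a directory tree, computes the MD5 of each regular file, and reports any file whose digest is in the published list. The directory layout and file contents in `demo()` are constructed for the example; since they are made up, none of them match the real samples, so the demo adds one constructed file's own digest to the watch set to show what a hit looks like. On a live system you would point `find_matching_files` at the paths you care about and keep the watch set to the published hashes.

```python
import hashlib
import os
import tempfile

# MD5 checksums of DarkSeoul (Mal/EncPk-ACE) samples, as published in the article above.
DARKSEOUL_MD5S = frozenset({
    "db4bbdc36a78a8807ad9b15a562515c4",
    "0a8032cd6b4a710b1771a080fa09fb87",
    "5fcd6e1dace6b0599429d913850f0364",
})


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_matching_files(root: str, known_hashes=DARKSEOUL_MD5S):
    """Walk `root` and return sorted (path, md5) pairs for every regular file
    whose MD5 is in `known_hashes`. Symlinks and unreadable files are skipped."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # permission errors etc. are not treated as matches
            if digest in known_hashes:
                matches.append((path, digest))
    return sorted(matches)


def demo():
    """Scan a constructed directory tree and return the matches as
    (relative path, md5). File contents are made up for this demo, so the
    published hashes cannot match; one constructed file's own digest is added
    to the watch set so that exactly one hit is reported."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        with open(benign, "wb") as f:
            f.write(b"constructed benign content\n")

        suspect = os.path.join(root, "sub", "update.exe")  # hypothetical name
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as f:
            f.write(b"constructed placeholder for a suspect file\n")

        watch = DARKSEOUL_MD5S | {md5_of_file(suspect)}
        hits = find_matching_files(root, watch)
        return [(os.path.relpath(p, root), d) for p, d in hits]


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"MATCH {digest}  {rel}")
```

Hash matching of this kind only catches byte-identical copies of the published samples; a repacked or trivially modified build will have a different MD5, so treat a clean result as "these exact files are absent", not as proof that a host is uninfected.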

Thanks to Paul Baccas of SophosLabs for his assistance with this article.


8 Responses to DarkSeoul: SophosLabs identifies malware used in South Korean internet attack

  1. Richard · 581 days ago

    > Who are the "Whois Team"?

    Are there no clues to be had from the website address in the picture? (Between the "who is 'whois'" line and the "warning" line.)

    It's hard to make out the URL in the screen-shot. I'm not sure whether it's been censored, or it's just a poor quality image. I can definitely make out a ".com" at the end, and a "who" slightly before it.

    • Boris · 581 days ago

      It's just "@whois.com," with one of six possible "addresses" in front of it.

    • t0paz · 580 days ago

      http://www.youtube.com/watch?v=BAz0cQfr3F4

      Look at that vid.

      it's the screen (at least they say it is) with moving picture n text.
      You can see multiple e-mail addresses, but no website.

      With a little luck these addresses might be used more on 'certain' forums?

  2. Graham,

    You said: "Some media reports have said that computers failed to boot up properly, and displayed an image of three skulls alongside a message claiming that the systems had been "hacked by Whois Team."

    Correct me if I'm wrong, but the "Whois" team attack appears to be separate from the "malware" attack. As we understood it, the "Whois" skulls appeared as a site defacement on LG U+ not when people booted their systems.

    Thoughts?

    Anthony

    • Yes, that looks like it's correct. We've found no reference to Whois or the Skulls message in the malware itself.

      Some of the early media reports combined the skulls message with the malware itself. Hopefully our article made clear that we hadn't been able to prove that the malware did that.

  3. eddie · 577 days ago

    Graham,
    Use spell check!

  4. John · 574 days ago

    Having played around with the image in GIMP, as far as I can make out, that address reads WICKEnm4St3r..whois.com. There appears to be a character before 'whois.com' that I can't make out. It doesn't seem to have the roundness of an '@' but it's just too distorted to tell.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.