Stolen passwords behind South Korea data-wipe malware

A security firm, TheRegister says it now believes that the malware that wiped out files on computers at South Korean banks and media companies was planted on corporate patching systems and, disguised as a legitimate security update, was then pushed out to computers at the affected organizations.

Several South Korean financial institutions – Shinhan Bank, Nonghyup Bank and Jeju Bank – and TV broadcaster networks were impacted by a destructive virus which wiped the hard drives of infected PCs, preventing them from booting up upon restart.

Earlier, an IP address was erroneously identified as being the source of the attack; later it was learned that the IP address belongs to one of the victims of the attack. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The malware was programed to activate at a certain time on March 20.

South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the spread of the malware. It said its own security technology was not involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.

Attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates. Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.

The latest theory suggests hackers first obtained administrator login to a security vendors’ patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update. This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record (MBR) on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 14:00 hrs Korea time on the infected PCs, like a time bomb.

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware’s victims.