Analysis of Korean War Anniversary Cyber Attack and Malware
In both North Korea and South Korea, several websites were defaced and brought down via a DDoS attack on the anniversary of the start of the Korean War.
The Red Alert (R3d4l3rt) team in South Korea have provided an in depth analysis of the vulnerabilities and methods used to access and deface government websites and access personal information, as well as malware used to target DNS servers in a DDoS attack.
At around 9:10AM on June 25th, the Blue House ( equivalent to the U.S.’s White House) and key government agency websites were the target of attacks. These attacks included website defacement, distributed denial of service (DDoS) attacks and compromise of personal data for some government personnel, including the U.S. Army’s 3rd Marine, 25th Infantry, and 1st Cavalry Divisions. As a result the South Korean government raised their cyber-alert level to its third highest and most of the websites had recovered and were back up by the end of the day.
Vulnerability Exploit & Site Defacement
Shortly after the attack a video appeared on YouTube showing the hack of the Blue House website process, which has since removed by YouTube. The Blue House website hosted on a Solars 10 Sparc system appears to have been compromised by taking advantage of a Websphere Application Server (WAS) vulnerability, as well as a file upload/download vulnerability in a bulletin board.
The attack in the video utilized the “w3b_avtix” toolkit to gain access to deface the website as well as escalate privileges to access data. The list of other defaced websites are assumed to have also been compromised through server vulnerabilities, many of which are known, but the systems targeted were unpatched. Here is a list of sites the Red Alert team have reported listed as compromised.
| Org | Website |
|---|---|
| The Blue House |  www.president.go.kr |
| The Office for Government Policy Coordination | pmo.go.kr/pmo_web/main |
| The Ministry of National Defense  | www.mnd.go.kr |
| The NIS | www.nis.go.kr |
| Chosun Ilbo |  www.chosun.com |
| Daegu Ilbo | www.idaegu.com |
| Maeil Shinmun  |  www.imaeil.com |
| Korea Press Foundation | www.kpf.or.kr/index.jsp |
| eToday | www.etoday.co.kr |
| Saenuri Party Seoul | seoul.saenuriparty.kr |
| Saenuri Party Gyeonggi-do  |  www.visiongg.com |
| Saenuri Party Incheon | www.hannaraincheon.or.kr |
| Saenuri Party Busan  | busan.saenuriparty.kr |
| Saenuri Party Ulsan | ulsan.saenuriparty.kr |
| Saenuri Party Gyeongnam  |  gyeongnam.saenuriparty.kr   |
| Saenuri Party Jeju | jeju.saenuriparty.kr |
| Saenuri Party Gyeongsangbuk-do | www.gbsaenuri.kr |
| Saenuri Party Gangwon | www.hangangwon.org/ |
DDoS Attack Against DNS Server
In addition to the site defacement a distributed denial of service attack targeted two DNS servers:
- ns.gcc.go.kr [152.99.1.10]
- ns2.gcc.go.kr [152.99.200.6]
The connections came from domestic systems that were compromised by malware that was spread , scheduled to initiate DNS queries at a rapid rate with fairly large query size (1,500 bytes) to increase the load on the server. Looking at the packets of the attack showing the DNS queries it shows randomized subdomain requests:
Image Credit: Red Alert Team
The malware that initiates the attack on unknowing users’ systems is:
| Filename | MD5 |
|---|---|
| wuauieop.exe | F60935E852D0C7BCFFAA54DDA15D009A |
The malcious file was dropped and executed on compromised systems on June 25 at 10AM. From samples the Red Alert team has determined that the malware was created on 6/24/2013.
Once the malware is unpacked it creates a UDP socket and sets the IP address and port of the target Domain Name Server (DNS). Two threads are created on the system to loop through the task. The malware generates a random string and prepends it as a subdomain to “gcc.go.kr”.
Domain Creation – Image Credit: Red Alert Team
The malware then creates a packet using the sendto function. The malware then reset the connection properties and starts the process all over ad infinitum.
