Vulnerability Management

Analysis of Korean War Anniversary Cyber Attack and Malware

In both North Korea and South Korea, several websites were defaced and brought down via a DDoS attack on the anniversary of the start of the Korean War.

The Red Alert (R3d4l3rt) team in South Korea have provided an in depth analysis of the vulnerabilities and methods used to access and deface government websites and access personal information, as well as malware used to target DNS servers in a DDoS attack.

At around 9:10AM on June 25th, the Blue House ( equivalent to the U.S.’s White House) and key government agency websites were the target of attacks. These attacks included website defacement, distributed denial of service (DDoS) attacks and compromise of personal data for some government personnel, including the U.S. Army’s 3rd Marine, 25th Infantry, and 1st Cavalry Divisions. As a result the South Korean government raised their cyber-alert level to its third highest and most of the websites had recovered and were back up by the end of the day.

Vulnerability Exploit & Site Defacement

Shortly after the attack a video appeared on YouTube showing the hack of the Blue House website process, which has since removed by YouTube. The Blue House website hosted on a Solars 10 Sparc system appears to have been compromised by taking advantage of a Websphere Application Server (WAS) vulnerability, as well as a file upload/download vulnerability in a bulletin board.

The attack in the video utilized  the “w3b_avtix” toolkit to gain access to deface the website as well as escalate privileges to access data. The list of other defaced websites are assumed to have also been compromised through server vulnerabilities, many of which are known, but the systems targeted were unpatched. Here is a list of sites the Red Alert team have reported listed as compromised.

Org Website
The Blue House
The Office for Government Policy Coordination
The Ministry of National Defense
Chosun Ilbo
Daegu Ilbo
Maeil Shinmun
Korea Press Foundation
Saenuri Party Seoul
Saenuri Party Gyeonggi-do
Saenuri Party Incheon
Saenuri Party Busan
Saenuri Party Ulsan
Saenuri Party Gyeongnam  
Saenuri Party Jeju
Saenuri Party Gyeongsangbuk-do
Saenuri Party Gangwon


DDoS Attack Against DNS Server

In addition to the site defacement a distributed denial of service attack targeted two DNS servers:

  • []
  • []

The connections came from domestic systems that were compromised by malware that was spread , scheduled to initiate DNS queries at a rapid rate with fairly large query size  (1,500 bytes) to increase the load on the server. Looking at the packets of the attack showing the DNS queries it shows randomized subdomain requests:

Image Credit: Red Alert Team

The malware that initiates the attack on unknowing users’ systems is:

Filename MD5
wuauieop.exe F60935E852D0C7BCFFAA54DDA15D009A

Screen Shot 2013-06-27 at 1.50.59 PM

The malcious file was dropped and executed on compromised systems on June 25 at 10AM. From samples the Red Alert team has determined that the malware was created on 6/24/2013.

Once the malware is unpacked it creates a UDP socket and sets the IP address and port of the target Domain Name Server (DNS). Two threads are created on the system to loop through the task. The malware generates a random string and prepends it as a subdomain to “”.

Domain Creation – Image Credit: Red Alert Team

The malware then creates a packet using the sendto function. The malware then reset the connection properties and starts the process all over ad infinitum.

Previous post

NSA and FBI Access to Verizon Phone Records

Next post

Carberp Botnet Lifecycle Infographic

Ken Westin

Ken Westin

Your Pundit of Paranoia