Black Hat Asia 2014 - Z:\MAKE TROY\NOT WAR: Case Study of the Wiper APT in Korea, and Beyond

Published on Apr 3, 2014

By: Kyle Yang

On March 20th, 2013, shortly after 2PM, several South Korean financial institutions and TV networks were hit by unknown malware, which wiped all the data off their computers' hard drives and then force-rebooted them, leaving the machines unbootable.

That coordinated meltdown was caused by several dormant viruses, later dubbed "Wiper", pre-set by their makers to wake up at 2pm. Much was speculated about how they were planted in the targeted networks in the first place. In this paper, we lift the lid on the initial infection vector: the targeted infrastructures were running a security management server that coordinated patching policies across the corporate network from a central point. We demonstrate how the attackers compromised this server and made it dispatch malicious updates to the computers under its control.

We then examine several samples of Wiper used in the attack and go through the relationships between them. At this point we show that, based on some distinctive characteristics and the coding style of their author(s), they have ties to other APT cases, some of which we could trace back to 2009.

Based on the connections established above, we end by examining attribution hypotheses.
