Someone is not playing nice….

UPDATE: This is the second attempt to hack into my computer by someone claiming to be a journalist.  It is similar to the first attack but this time there is no PDF, just a link to a hostile server:

Dear Curtis Melvin,

My name is Ichikawa Hayami, from Nihon TV
Would you have some time to do a short
interview on the foreign direct investment in NK by letter?
If possible, prefer to below please.

documents

Best regards.

Ichikawa Hayami
Producer
Nihon TV World View

If you click on “documents” you are routed to a hostile server.

Here is the email header:

Delivered-To: nkeconwatch@gmail.com
Received: by 10.224.28.208 with SMTP id n16cs123243qac;
Tue, 6 Apr 2010 00:20:31 -0700 (PDT)
Received: by 10.220.107.227 with SMTP id c35mr3152197vcp.42.1270538430714;
Tue, 06 Apr 2010 00:20:30 -0700 (PDT)
Return-Path: <Ichikwa.hayami@asia.com>
Received: from imr-da03.mx.aol.com (imr-da03.mx.aol.com [205.188.105.145])
by mx.google.com with ESMTP id 26si25578441vws.46.2010.04.06.00.20.30;
Tue, 06 Apr 2010 00:20:30 -0700 (PDT)
Received-SPF: neutral (google.com: 205.188.105.145 is neither permitted nor denied by best guess record for domain of Ichikwa.hayami@asia.com) client-ip=205.188.105.145;
Authentication-Results: mx.google.com; spf=neutral (google.com: 205.188.105.145 is neither permitted nor denied by best guess record for domain of Ichikwa.hayami@asia.com) smtp.mail=Ichikwa.hayami@asia.com
Received: from imo-da04.mx.aol.com (imo-da04.mx.aol.com [205.188.169.202])
by imr-da03.mx.aol.com (8.14.1/8.14.1) with ESMTP id o367KUP1027363
for <nkeconwatch@gmail.com>; Tue, 6 Apr 2010 03:20:30 -0400
Received: from Ichikwa.hayami@asia.com
by imo-da04.mx.aol.com  (mail_out_v42.9.) id o.c35.7794a375 (44225)
for <nkeconwatch@gmail.com>; Tue, 6 Apr 2010 03:20:25 -0400 (EDT)
Received: from smtprly-mb03.mx.aol.com (smtprly-mb03.mx.aol.com [64.12.207.150]) by cia-dd08.mx.aol.com (v127_r1.2) with ESMTP id MAILCIADD083-5c6c4bbae0b8112; Tue, 06 Apr 2010 03:20:25 -0400
Received: from web-mmc-d04 (web-mmc-d04.sim.aol.com [205.188.103.94]) by smtprly-mb03.mx.aol.com (v127_r1.2) with ESMTP id MAILSMTPRLYMB032-5c6c4bbae0b8112; Tue, 06 Apr 2010 03:20:24 -0400
To: nkeconwatch@gmail.com
Subject: interview request
Date: Tue, 06 Apr 2010 03:20:24 -0400
X-MB-Message-Source: WebUI
X-AOL-IP: 211.103.134.39
X-MB-Message-Type: User
MIME-Version: 1.0
From: ichikwa.hayami@asia.com
Content-Type: multipart/alternative;
boundary=”——–MB_8CCA370C27E93F1_136C_1AF_web-mmc-d04.sysops.aol.com”
X-Mailer: Mail.com Webmail 31226-STANDARD
Received: from 211.103.134.39 by web-mmc-d04.sysops.aol.com (205.188.103.94) with HTTP (WebMailUI); Tue, 06 Apr 2010 03:20:24 -0400
Message-Id: <8CCA370C27C3290-136C-D4@web-mmc-d04.sysops.aol.com>
X-Spam-Flag:NO
X-AOL-SENDER: Ichikwa.hayami@asia.com

ORIGINAL POST: A week ago I received a personal email from someone requesting an interview.  However, this person was not who he/she claimed.  This person (unsuccessfully) tried to hack into my computer.  Details below:

——————————————————
From: greg.fayle@asia.com
To:
Date: Wed, Mar 10, 2010 at 2:05 AM
Subject: interview request

Dear Curtis Melvin,

My name is Greg Fayle, from SBS Radio
Australia’s program World View.
Would you have some time to do a short
interview on the latest developments regarding
Northeast asia and NK situation please?

I’m looking forward to hearing from you

Paper for Interview

Warm
regards,
Greg Fayle

Greg Fayle
Producer
SBS Radio World View
PO Box 290
South Melbourne VIC 3211
Tel: (03) 9749 2421
——————————————————

The “Paper for interview” was an attached PDF document that hid a virus.  Luckily it did not infect my computer.

Here is what  my friend tells me about the email itself — it did not come from Australia:

inetnum:      222.96.0.0 – 222.122.255.255
netname:      KORNET
descr:        KOREA TELECOM
descr:        Network Management Center
country:      KR
admin-c:      DL248-AP
tech-c:       GK40-AP
remarks:      ***********************************************
remarks:      KRNIC of NIDA is the National Internet Registry
remarks:      in Korea under APNIC. If you would like to
remarks:      find assignment information in detail
remarks:      please refer to the NIDA Whois DB
remarks:      http://whois.nida.or.kr/english/index.html
remarks:      ***********************************************
status:       Allocated Portable
mnt-by:       MNT-KRNIC-AP
changed:      hm-changed@apnic.net 20031027
changed:      hm-changed@apnic.net 20041007
source:       APNIC
person:       Dong-Joo Lee
address:      128-9 Yeong-Dong Jongro-Ku Seoul
address:      Network Management Center
country:      KR
phone:        +82-2-766-1407
fax-no:       +82-2-766-6008
e-mail:       ip@krnic.kornet.net
e-mail:       abuse@kornet.net
nic-hdl:      DL248-AP
mnt-by:       MAINT-NEW
changed:      hostmaster@nic.or.kr 20061010
source:       APNIC
person:       Gyung-Jun Kim
address:      KORNET
address:      128-9, Yeong-Dong, Jongro-Ku
address:      SEOUL
address:      110-763
country:      KR
phone:        +82-2-747-9213
fax-no:       +82-2-3673-5452
e-mail:       ip@krnic.kornet.net
e-mail:       abuse@kornet.net
nic-hdl:      GK40-AP
mnt-by:       MNT-KRNIC-AP
changed:      hostmaster@nic.or.kr 20061009
source:       APNIC
inetnum:        222.96.0.0 – 222.122.255.255
netname:        KORNET-KR
descr:          Korea Telecom
country:        KR
admin-c:        IA9-KR
tech-c:         IM9-KR
status:         ALLOCATED PORTABLE
mnt-by:         MNT-KRNIC-AP
remarks:        This information has been partially mirrored by APNIC from
remarks:        KRNIC. To obtain more specific information, please use the
remarks:        KRNIC whois server at whois.krnic.net.
changed:        hostmaster@nic.or.kr
source:         KRNIC
person:         ijeksolrusyun a
descr:         aijeksolrusyun
descr:         4cheung jaehyunbilding 230beonji jongro6ka jongroku
descr:         110-126
country:        KR
phone:         +82-2-3676-7100
e-mail:         kimyg09@kt.co.kr
nic-hdl:        IA9-KR
mnt-by:         MNT-KRNIC-AP
changed:        hostmaster@nic.or.kr
source:         KRNIC
person:         IP Manager
descr:         DACOM Corporation
descr:         Hangangno1Ga, Yongsan-gu, Seoul
descr:         65-228DACOM Bldg.
descr:         135-987
country:        KR
phone:         +82-2-2089-7755
fax-no:         +82-505-888-0706
e-mail:         ipadm@nic.bora.net
nic-hdl:        IM9-KR
mnt-by:         MNT-KRNIC-AP
changed:        hostmaster@nic.or.kr
source:         KRNIC

Here is what my friend tells me about the virus–it was pretty sophisticated:

To analyze the PDF  file (which contained the virus), we used scripts to parse through and pick out sections of the code that had Javascript (the virus) embedded in it.  We received an error parsing the /FlateDecode filter sections of the PDF. This section of the document is where the compressed Javascript (virus) and other embedded objects would live, and it has different object and reference pointers. We found that the text section of the code instead of starting with /FlateDecode started with [null character] latedecode. We believe this was done intentionally to make de-obfuscation and analysis by a novice more difficult. We used a Hex Editor to correct the null character byte and make it an ASCII F. Once this was done we were able to see heavily obfuscated javascript and pull it out of the document.

The javascript code contained two well known PDF exploits, one for Reader version 8 and another for Reader version 9. The virus was structured this way because most people use one of these versions of Reader to view PDF documents. One other interesting thing to note was that the PDF document itself was blank.

Here is what we know about the payload from behavioral analysis. Once the PDF runs, it will execute the payload and instruct Adobe’s internal updater (update.exe) to download a file from a non-Adobe owned DNS name which resolves to an IP address in Malaysia. All of the attacking code references the same DNS names. Once downloaded this file will sit on the system and acts as a second stage (or stager) for the additional files to be downloaded. So in summary, the first stage was the initial payload in the PDF shellcode.  This first stage downloads a secod stage program which in turn downloads (we believe) a ‘rootkit’ before deleting itself. This leftover ‘rootkit’ is how the attackers would maintain full command and control of the system.

We visited the website from which the files were to come and found a default instance of Apache and cPanel–so we can assume one of two things: First, whoever administers this server probably doesn’t realize it is being used in this fashion (it was probably compromised by the attackers). Second, perhaps this is the attacker’s server and they want to throw us off by throwing up a cPanel install so we’ll think it’s a compromised host. We think the first scenario is more likely.

The files themselves that come after do behave in a ‘rootkit’ like fashion. What we have observed is that they install themselves in the %WINDOWS%\System32 directory. They modify the registry to allow themselves to be used as a system service (this is done through the second stage payload); they hide their existence from view once they are installed (total rootkit behavior); and they start to call out to the server for additional commands. We noticed that these additional commands were not actually coming back as 200 OK status messages, but instead where coming back as 404 NOT FOUND HTTP messages. This could mean that the reference files have been removed, or it could mean that the 404’s are acting as a beacon.  We are not sure which scenario is the case here at this time.

Also worth noting, the second stage payload prevented hooking with a debugger for analysis during runtime and also prevented analysis through virtual machines. The file also leveraged potential DLL Injection to make other executables run commands on its behalf. This means that it would be obscured from routine detection.  We ran the final rootkit executable through a debugger for static analysis and noticed code sections that contained messages within the application stack like “installation as a system service”, “calls to winspool (which is the library for printing and potentially document creation?)”, “calls to imm32.dll (which could be used for keylogging)”, and some very interesting UNICODE characters that we are still deciphering.

As you can tell, we are still conducting additional research and do not want to reveal the exact location of where we have seen this code before. What we can say is that a quick Google search for this code snippet revealed few results with the same region of the world.  In conclusion, I must say that this was not an amateuristic attack–these people were good. But certain things don’t make sense and we are still looking at the file.

Share
  • Alascom

    The HTTP 404 is likely intentional, and is used by some malware as a beacon since the webserver can note the incoming connection and examines the HTTP request sent to determine if this is an infected system reporting in or just a random request from a crawler or other curious party.

  • Chris B

    The web server is probably the method used to gain info. Credential and other info will probably get inserted into the HTTP get request and then they can parse the logs and piece everything together nicely from there.

    it would also be a good idea to run suspicious attachments through virustotal.com before you open it. It’s picked up some items that most of the mainstream AV software tends to miss.

  • QR

    Interesting! I heard it was a good idea to turn off javascript in the Adobe Reader preferences. Is that how you prevented infection?

  • ross

    awesome. Just another thing to prove you’re kinda a big deal.

  • um…thanks but no.

  • danielle

    wow, nasty. did you by any chance alert sbs worldview to this?

  • Lee

    Fascinating. Using the guise of SBS radio Australia is thoughtful because it’s obscure enough to not question its authenticity. The sophisticated intrusion attempt also seems to be more than your average malware package. You cannot help but wonder about the source. Chinese, Korean or Japanese elements sympathetic to the NK regime is my bet.

    And what did they want to do? I hope you’ve notified the relevant authorities.

  • Thomas

    I was hacked by a similar virus a couple of years ago. However, the one I received was received in an eMail from Korea, traced back to a server in China and thought to have ended up sending information (thought, but not 100% confirmed) to North Korea. My virus was received in an eMailed purchase order unknowingly by a Korean customer. The malware I received actually re-wrote a part of our boot record and we eventually ended up just trashing the computers and rebuilding all of our financial data, etc. that was stored on the computer. It was “non-repairable”.

    After receiving the malware, I did a lot of research (this was in 2007/2008) and found that a group in China, tied to the military and NK was involved in sending out 5000 “viruses” worldwide in December 2007 and by June 2008 the virus had been replicated onto more than 20,000,000 computers in the USA alone. In the article I found at the time (I can’t find it now, sorry), they mentioned that the FBI and other agencies were baffled by the virus as it appears to just sit on many computers as if it is waiting to be triggered at some point in the future. They believe it might be activated in time of a world-wide financial crisis to disrupt global financial markets. There was one case I know of in Taiwan where a guy’s Citibank account was hacked in this manner and more than $2.5 million was “stolen” from his account.

    In my case, while we suspected we had a virus, we couldn’t locate it using any of the available stand-alone or online virus programs as the virus would replicate programs and always show you were clean by only showing the program they could run from their side. When we would try to go to Panda, TrendMicro, etc. sites to run online scans, we would be redirected and reach a page that was an obvious “fake”.

    We finally were notified by our bank that there were multiple attempts to transfer money from our business accounts and they were trying to verify it was us as the attempts were originating from Asia and not the USA where we are based.

    Apparently what they do is copy data from your computer and sift through it. If anything interests them, then they monitor your system more closely and they do this on a random basis. It isn’t like we were specifically targeted. However, at some point they found something in our data that stoked their interest and from that point on we had a difficult time until we scrapped our windows based computers, changed our DNS servers and went 100% MAC.

    Our company is small, but we deal with Korea’s defense industry and I can only surmise that our business with Korea’s agencies is what stoked their interest. Internet security is important and I never realized how important until our own encounter. Be thankful you weren’t completely hacked!

  • Last year I had someone hack my blog and even infect my computer with a virus, which I had to pay about $250 to get my computer repaired. I have noticed this happening to other K-blog sites as well getting hit by hackers and viruses.

  • Thomas

    We moved our ISP out of Korea and back to the US due to the number of viruses, spam messages, etc. that we were receiving. Korea’s ISP’s do nothing to prevent exploitation of the domains they host and have a bad reputation worldwide for participating in spamming.

  • Lee

    I may be over-analysing this a little too much, but it’s occupying my thoughts and I don’t have anything better to do.
    I feel that the format of the email, althought brief, gives away some interesting information about the sender. The fact that they addressed you by your full name, kept the content brief and used the phrase “I’m looking forward to hearing from you”, shows us that the sender has researched you well and is highly experienced with western email etiquette. I have yet to see anything of that standard from even my best ESL students. The postcode and telephone are also accurate for southern Australia. As far as I can tell (and I’ve just emailed SBS), there is nobody by the name of Greg Fayle working there. This makes sense, because if there really was a Greg Fayle, then it would be much easier to verify that the email was not sent by him. Greg Fayle is an entirely believable name for an Australian. They’ve also correctly capitalized every appropriate letter in the email, but not the email subject line, which is common for native English speakers. But what gives them away is a single subtle grammatical error. In the line: “Would you have some time to do a short
    interview on the latest developments regarding
    Northeast asia and NK situation please?” they should have really said Northeast asia and ‘THE’ NK situation please?”
    This is a rather insignificant error, but to me it shows that the sender is not a truly native English speaker, and they are posing as one. The email is entirely believable, except for this one small problem that gives it away.

    The choice of SBS radio, the style of the email and the fact that the pdf file is completely blank tells me that the sender is highly intelligent and well educated in the art of coersive manipulation. I also believe that such a person would also follow up and actually read this comment. What makes me wonder, is why such an intelligent person would use their abilities to benefit a clearly selfish and unreasonable dictatorship that has minimal interest in the welfare of its people.

  • Thomas

    As mentioned, it is probably state sponsored and probably from China. Love of country (actually, in Asia it’s more appropriate to say, love of Race) will make one do much for a tyrant. Especially when your pride and arrogance won’t get out of the way. As is often the case within the Asian culture (broad brush I know – sorry!)

  • Pingback: Another Interesting China Hack Attempt | Adam Daniel Mezei()

  • Pingback: One Free Korea » Sophisticated Hacker Tries to Plant Virus on Curtis Melvin’s Computer()

  • Douglas

    Gotta agree with Ross on this one…take it as a point of pride. You’re in the big leagues and you’ve the attention of the DPRK, their southern fan-boys, Chinese operatives or all of the above.

  • Lee

    Yes, I think the Chinese government would have strong motives to do this. First and foremost to crack down on contacts near the NK-Chinese border. By removing such people, Beijing asserts greater influence over the North. The consequences of a successful security breach of the DailyNK’s data could be disastrous (has someone notified them?).

  • Pingback: ROK Drop Weekly Linklets – March 21, 2010 | ROK Drop()

  • I have not drawn any conclusions about who is responsible for this because there is just not enough information right now. I could speculate all day but that would not get me anywhere. However, I do want all my friends and other readers out there to know that this stuff is going on and to exercise caution when dealing with emails from strangers. Hopefully this will be the last time we will see these kinds of tricks.

  • Neil (Cogsinister)

    Just use a Mac instead of a PC………like me 🙂

  • Nathan Scott

    Neil, this is social engineering, plain and simple. Even on 9+ year old Windows XP (fully patched and secured), the most successful way for malicious software to get installed is through fooling the user. Besides, this particular instance was exploiting 3rd party software, so what you really should be saying is: don’t use Adobe.

    Oh, try Googling “Charlie Miller Engadget” and reading the appropriate article regarding the safety of Mac OS X…

  • ken

    Be warned, I think this is also the same person (received 9 March). The “NK human rights” part is a link to I guess the same thing.

    “I wish you a happy new year.
    North KOREA Reform Radio analyzed North KOREA New Year’s Joint Doctrine published on 1st January 2010.
    Because the title of this year’s joint Doctrine differs from the previous doctrines, we expect a change in
    North KOREA, I hope this analysis could be useful to you.

    NK human right analysis

    I very much appreciate your concern.
    Yours Sincerely,

    NK Communication
    (North KOREA Reform Organization)
    Greg Fillman”

  • R. Elgin

    One should turn off Java (not javascript) in their browsers and use a non-Adobe PDF reader that does not have javascript or Java in it, unless one turns it off in Adobe Reader.

    Using a Mac would be another good way to avoid much but one would still need to turn of Java in their browsers and not use Adobe Acrobat Reader. I use “skim” on the Mac and it works better than Adobe’s Reader.

  • I’m the main publisher of a Polish Website focussed on NK, and I’ve been also attacked but by NK diplomats

  • Steven Perlman

    Neil,

    It’s obvious that in your efforts to provide solid coverage of NK issues you may have struck a nerve with someone. This is unavoidable, and I commend your efforts. I track issues such as those described in your article, and in the spirit of full disclosure, would you be willing to share the Malaysian IP address? and the DNS names referenced? It might help protect others in the future.

  • Joanna

    Hi, I’ve got the same email. I’m working for an NGO targeting North Korean human rights issues. The link was attached as well.

    Dear Joanna,

    My name is Greg Fayle, from SBS Radio
    Australia’s program World View.
    I heard that you were an expert on NK human right
    Would you have some time to do a short
    interview on the latest situation regarding
    North Korean Human right?

    I’m looking forward to hearing from you

    Paper for interview

    Warm
    regards,
    Greg Fayle

    Greg Fayle
    Producer
    SBS Radio World View
    PO Box 290
    South Melbourne VIC 3211
    Tel: (03) 9749 2421

  • Joanna

    I’ve noticed that there were some mistakes, although I’m not native speaker myself. And so, I asked him whether he could send me the file instead, this is what, whoever that person is, replied:

    greg.fayle@asia.com to me

    I’m sorry I don’t have a attach file

    It’s the news link

    Then could you send me your short opinion about Emperor Kim and hungry NK

  • hamel

    Brian Myers just called today and told me he got one of these emails too.

  • Pingback: North Korean Economy Watch » Blog Archive » Be careful out there()

  • Steph Haggard

    I got one of these about a month ago; not clear about technical details, but not simply hostile server but malware aimed at gaining access to the machine.

  • ALee

    I see this is an old post, but I just received the same email today.  We are a NK tourism company.  This is the email:
    ———
    Dear Ms. Lee

    Hello. 
    My name is Greg Fayle, from SBS Radio, Australia program World View.
    I have a plan to introduce North Korea Trip as a feature story.
    Uri Tours is known as a pioneer in the area of tourism in North Korea.
    I would like to ask for an interview with you, on behalf of the Uri Tours.
    Could you find time in your busy schedule to interview?
    You can review the interview topics on the link below.

     Interview Topics

    Please let me know whether you will accept this request after reading topics.I’m looking forward to getting your reply.Thanks.Warm regards,Greg Fayle


An affiliate of 38 North