Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks Using Malicious Hangul Word Processor Documents Jaebyung KrCERT/CC.

Published byGordon Taylor Modified over 9 years ago

Similar presentations

Presentation on theme: "Attacks Using Malicious Hangul Word Processor Documents Jaebyung KrCERT/CC."— Presentation transcript:

1

2 Attacks Using Malicious Hangul Word Processor Documents Jaebyung Yoon @ KrCERT/CC

3 Introduction of HWP Hangul( 한 / 글 ) : Word Processor of Hancom Inc. HWP is a filename extension and abbreviation of Hangul Word Processor The latest version is Hangul 2014 for Windows, Hangul 2008 for Linux, and Hangul 2006 for Mac OS X The first version is 0.9 in 1989

4 2 byte language Word Processor Other Asian Word Processors Ichitaro – Japanese Word ProcessorNJStar – Chinese Word Processor

5 First Generation (~1999, HWP 3.0) Second Generation (2000~, HWP 5.0) History of Hangul

6 Save a Local SW Maker (The New York Times, 1999) History of Hangul

7 Hangul Sales Composition Hancom sales composition Office S/W Market Share

8 Hangul supports the special needs of Korean written language especially government’s needs. De facto format especially in Korean government, military and public education. Government officer receives a lot of e-mails attached HWP file EVERYDAY. Attackers also knew this circumstance so they has researched the HWP document format as well as software vulnerabilities for a long time. Stature of Hangul in Korea

9 Can not tell malicious or not before open The contents of malicious document is related with recipient’s business. Malicious HWP Composed of vulnerability part, exploit part, malware part and normal document part. Malicious HWP Document

10 Composition of malicious document ④ Malware part ① Vulnerability part ② Exploit Part MALWARE.exe

11 OLE (Object Linking and Embedding) HWP Document Format

12 Streams of Bodytext storage are loaded File structure and memory layout – Exploit tremendous size in document Heap Spray EB 08 = jmp (here+0x08)

13 Normal case (two tmp files) Malicious case (normal document(hwp.hwp), ~AB.tmp, msloger.exe, tmp.dat) On document loading (tmp files)

14 Hwp.exe process is not opened by user but ~AB.tmp. ~AB.tmp Malware Action 1

15 System information leakage from compromised PC Malware Action 2

16 Use of Malware Information leakage Document leakage Security bypass Remote desktop Key logger, System information HWP, DOCX Vaccine, firewall Team Viewer

17 Document Content and social issue CONTEN TS ISSUE

18 Keyword of Document Korean War National Security Defense Policy Korea Air force Future War territorial dispute Dokdo Peace of Korean peninsula Armistice 60 years Military New product research Wage Contract Personal Information Protection Act Energy forum Enterprise leadership contacts SAMSUNG Tax audit Movie news The public North Korea and China Kim Jong-un reunification Ministry of unification Nuclear Unification forum North Korea Strategies refugees North Korea Foreign policy Asia issue Park Geun-hye East Asia Ministry Key pledge Unified Progressive Party Policy foreign News China visit economic union Next government Policy recommen dation Gov’t How to be loved by wife election pledge Takeshima LG

19 Scenario of malicious document attack Government. Military Organization ① Spear phishing mail ② Open document ③ Information leakage ④ Information gathering Attacker Compromised E-mail account

20 Attack feature Use Email account like C&C Use document as decoy Use normal program as malware to avoid detection Use Zero-day Vulnerability Persistent Attack

21 Use email as command and control Attack feature Mail address & account info. example.com bb@example.com aa@example.com id : name pw : pass bb@example.com aa@example.com id : name pw : pass example.com Malware delivery & info. leakage Final destination - attacker’s account Sign in send malware from to Hardcoded in malware

22 Information flow through email Attack feature Sent Leaked Information from compromised PC

23 Use zero-day vulnerability About 15% of malicious documents use zero-day vulnerability. Finding zero-day and making exploit are not easy. Must understand HWP document format Own tools to exploit → They have researched the document format and software Only Korea Unlike doc & pdf, HWP is used in Korea only It means opportunity cost is very high Attack feature

24 A team not a person - guessing Attack feature Issue & Target Monitoring Team Social issue monitoring Document Contents search Gathering target person email Vulnerability Research Team Document Format Research Software Vulnerability Research Malware Team Making malware Manage C&C Manage email account

25 Since Oct. 2012 Hancom office, Gom player, NateON Vulnerability (2013, 179 cases) Especially HWP zero-day Response - KrCERT/CC Vulnerability Reward Program

26 Secure Coding in software design step Detect Abnormal section data and don’t load to memory Response - Vendor (Hancom) New version of Hancom office (2014) -Detect and protect of malicious document -Enhanced Secure coding

27 Software User MUST Update ALL software MUST use Vaccine Take care before opening attached file in email Vendor Introduce secure coding Rapid respond for vulnerability Effort to make users update CERT or security company Make pattern to detect malicious document Share the vulnerability information Response - Conclusion

28 Thank you jbyoon@krcert.or.kr

Download ppt "Attacks Using Malicious Hangul Word Processor Documents Jaebyung KrCERT/CC."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
New Security Issues Raised by Open Cards Pierre GirardJean-Louis Lanet GERMPLUS R&D.

New Security Issues Raised by Open Cards Pierre GirardJean-Louis Lanet GERMPLUS R&D.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.

MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Student Name: Group.  Developed by Microsoft  Alliance with Nokia in 2011  4 main functions:  Outlook Mobile  Windows Media Player for Windows Mobile.

Student Name: Group.  Developed by Microsoft  Alliance with Nokia in 2011  4 main functions:  Outlook Mobile  Windows Media Player for Windows Mobile.
SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.
China’s Changing Role In Asia by Wang Jisi,2004 Wu-Chia-Jung r93341052.

China’s Changing Role In Asia by Wang Jisi,2004 Wu-Chia-Jung r
Introduction to windows operating system i

Introduction to windows operating system i
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Advanced Workgroup System. RED Advanced Workgroup Systems: Scan Features Copy Print Scan DNSG Software Our Customers Documents Our Customers Documents.

Advanced Workgroup System. RED Advanced Workgroup Systems: Scan Features Copy Print Scan DNSG Software Our Customers Documents Our Customers Documents.
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

Similar presentations

Ads by Google