[Manila, Philippines March 22, 2013] — Trend Micro Incorporated announced today that customers using its Deep Discovery advanced threat protection product were able to discover and react to the recent cyber-attack before damage could be done. These attacks paralyzed several major banking and media companies, leaving many South Koreans unable to withdraw money from ATMs and news broadcasting crews cut off from their resources.
Deep Discovery network detection and custom sandbox analysis were able to detect the spear phishing email, identify the malware it contained, and discover the external command-and-control sites that the attackers used. With this actionable intelligence in hand, customers were able to immediately stop or remedy any effect and to block all malicious communication sources. This detection and swift response saved Deep Discovery customers from an attack that appears aimed to disrupt normal business processing by disabling critical endpoints and resources.
Cyber-attacks have been a fact of life for some time in South Korea and many enterprise and government agencies have implemented proactive threat detection and response measures. Trend Micro is a leading provider of these security intelligence solutions and services, with three of the six top banks and over 80 government agencies using Deep Discovery to protect themselves from such attacks.
Anatomy of the Attack
According to reports, several computer screens at major South Korean banks and three top TV companies went blank on Wednesday (local time), March 20, 2013. Some screens were even showing an image of a skull and a warning from the “WhoIs” team.
This attack is one of several independent, concurrent attacks plaguing South Korea. Trend Micro research has shown that this is the result of a malware attack that began with the delivery of a spear phishing email spoofed to look like a credit card history for the month of March. The malware attached to these phishing emails that brought these systems down overwrites the Master Boot Record (MBR), and was set to run on March 20 2013. If the malware was installed before March 20, it remains dormant and activates only on this day. Once it runs, it completely cripples the system usually requiring it be rebuilt. Wiping the MBR in this fashion can sometimes be the last step in a targeted attack meant to make investigation and recovery of these systems more difficult. Trend Micro research has shown that attackers targeted for destruction not only systems running Microsoft Windows but also those running Linux, IBM AIX, Oracle Solaris and Hewlett-Packard HP-UX versions of UNIX.
Deep Discovery customers concerned they may also be targets of this attack can examine their Deep Discovery logs for instances of “HEUR_NAMETRICK.B.”
Deep Discovery and Trend Micro Custom Defense
Trend Micro Deep Discovery provides the custom detection, intelligence and response capabilities to protect customers from targeted attacks and Advanced Persistent Threads (APTs). Its detection engines and custom sandboxing identify and analyze malware, malicious communications and attacker behavior invisible to standard security solutions.
Deep Discovery enables a full Detect – Analyze – Adapt – Respond lifecycle to these attacks, augmenting and integrating with existing security investments to create a full Custom Defense solution tailored to the specific environment of the customer. Deep Discovery integration and security update sharing with network, gateway and endpoint security improve protection and defense against attack at all points. And Deep Discovery custom threat intelligence and security event analysis enable the rapid containment and remediation of an attack. Only Trend Micro Deep Discovery and Custom Defense solution offer this breadth and depth of protection
More detailed information about this can be found on Trend Micro’s Security Intelligence blog posting: http://blog.trendmicro.com/trendlabs-security-intelligence/how-deep-discovery-protected-against-the-korean-mbr-wiper/.