Hands on North Korea: Virus infections and IT security in the DPRK

At Kleissner & Associates we have the world’s largest sinkhole and passive virus detection system in place.

Based on our data we can confidently say that everyone is a target. By everyone we mean everyone: private persons, multinational corporations, governments and even the Central Intelligence Agency all show virus infections. On our systems we see ordinary threats such as banking trojans and password stealers, but also far more interesting ones such as targeted attacks (APTs). If you know the protocol the virus speaks (and have the encryption key, where one is used), you can essentially take control of the infected machine. Whoever answers the bot's check-ins holds that power, including whoever registers a command-and-control domain after the original operator has abandoned it. That is one reason why even "dead" infections, whose original C&C servers are long gone, still pose a security risk.

Internet in North Korea

Internet access is a very scarce resource in North Korea. Wikipedia states that the country has only 1024 IPv4 addresses of its own (175.45.176.0 – 175.45.179.255, i.e. the 175.45.176.0/22 block) and additionally uses some ranges officially assigned to its partner China.

Within that range, on 175.45.176.67 (AS131279, Ryugyong-dong), they host their odd propaganda website http://www.naenara.com.kp/ (which has SQL injection vulnerabilities). Some technical information and research about the state of the internet in North Korea is published here.

Virus infections in North Korea

As initially stated, everyone is being targeted, North Korea included. In 2013, Kleissner & Associates discovered 4 IPs in the North Korean range that showed virus network activity, i.e. 0.4% (4 of 1024 addresses) of the North Korean internet space is "infected". Below are the graphs from our VirusTracker system on the 2013 data we have on North Korea.

North Korea Viruses 2013

North Korea Virus Types

These are the infected public IPs, followed by the internal (private 192.168.x.x) addresses observed alongside them:

175.45.176.140
175.45.176.144
175.45.176.145
175.45.177.144

192.168.0.4
192.168.0.6
192.168.100.6

These user agents were observed, indicating at least 34 distinct infected machines behind those four public addresses. All of them report "Windows NT 5.1", i.e. Windows XP; the "MSIE 7.0 ... Trident/4.0" strings are IE8 running in compatibility view. Treat the count as a proxy rather than an exact figure: a single machine changes its user agent when a .NET version or a toolbar is installed, while several identically configured machines behind the same NAT collapse into one string.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET4.0C)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AlexaToolbar/amzni-3.0; InfoPath.3; AlexaToolbar/amzni-3.0; .NET4.0C; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100200)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100200; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100425; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100499; .NET4.0C)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100499; InfoPath.3; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100501; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100501; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99496; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99497)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99499)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS99499; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; InfoPath.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.3; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQPinyin 722)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS100021; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS100200; InfoPath.2; BRI/2)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS100991)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS98707)
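The bookkeeping behind the two figures above (infected share of the /22, and user agents per public IP as a proxy for hosts behind NAT) is simple enough to show end to end. The following is an added example, not code from the original post or from VirusTracker: it parses constructed sinkhole log lines (the log format, the timestamps and the request paths are made up; the user agents are taken from the list above), keeps only hits from 175.45.176.0/22, maps the "Windows NT x.y" token to a Windows release, and returns the per-IP and per-OS counts.

```python
"""Summarise sinkhole check-ins from the North Korean /22.
Added example with a constructed log format; not VirusTracker code."""
import ipaddress
import re
from collections import defaultdict

# The only IPv4 block the post attributes to North Korea (1024 addresses).
DPRK_NET = ipaddress.ip_network("175.45.176.0/22")

# "Windows NT x.y" token in a User-Agent -> Windows release name.
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
}

# Constructed sample log (hypothetical format): timestamp, source IP,
# request line, User-Agent. One line is from outside the DPRK range.
SAMPLE_LOG = """\
2013-03-02T08:14:11Z 175.45.176.140 "GET /gate.php?id=1 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2013-03-02T08:14:12Z 175.45.176.140 "GET /gate.php?id=2 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
2013-03-02T09:01:40Z 175.45.176.144 "GET /gate.php?id=3 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
2013-03-02T09:02:00Z 175.45.176.144 "GET /gate.php?id=3 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
2013-03-02T10:30:05Z 175.45.177.144 "GET /gate.php?id=4 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQPinyin 722)"
2013-03-02T10:30:07Z 203.0.113.9 "GET /gate.php?id=5 HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2013-03-02T10:31:07Z 175.45.176.145 "GET /gate.php?id=6 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; BTRS100200)"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$')
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def parse_line(line: str):
    """Return a dict with ts/ip/req/ua, or None for malformed lines or bad IPs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    return rec


def windows_version(ua: str):
    """Map the NT kernel token to a release name; None if the UA has none."""
    m = NT_RE.search(ua)
    if not m:
        return None
    return NT_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))


def summarize(log_text: str, net: ipaddress.IPv4Network = DPRK_NET) -> dict:
    """Infected IPs in `net`, their share of the block, and distinct
    user agents per IP (the post's proxy for machines behind one address)."""
    uas_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] not in net:
            continue
        uas_by_ip[rec["ip"]].add(rec["ua"])
    os_counts = defaultdict(int)
    for uas in uas_by_ip.values():
        for ua in uas:
            os_counts[windows_version(ua) or "unknown"] += 1
    return {
        "infected_ips": [str(ip) for ip in sorted(uas_by_ip)],
        "infected_fraction": len(uas_by_ip) / net.num_addresses,
        "distinct_ua_per_ip": {str(ip): len(uas) for ip, uas in uas_by_ip.items()},
        "distinct_ua_total": sum(len(uas) for uas in uas_by_ip.values()),
        "os_counts": dict(os_counts),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{len(s['infected_ips'])} of {DPRK_NET.num_addresses} addresses "
          f"-> {s['infected_fraction']:.2%} infected")
    for ip, n in s["distinct_ua_per_ip"].items():
        print(f"{ip}: {n} distinct user agent(s)")
    print(s["os_counts"])
```

On the sample log this yields 4 of 1024 addresses (0.39%, the post's 0.4%), with two user agents behind 175.45.176.140 and one behind each of the others; the line from 203.0.113.9 is dropped because it lies outside the block. The same `summarize` call works unchanged on any other network, for example to compare the DPRK share against a neighbouring Chinese range.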

An interesting discovery was one ZeroAccess 2 infection in North Korea that was actively participating in the ZeroAccess peer-to-peer network:

NK ZA