MALWARE ARCHEOLOGY

As research into this case progressed, it became obvious that we were tracing malware relationships back in time. In fact, the earliest indicators we have found go all the way back to at least 2009.

Around this time a malware development project started that would become the backbone of intrusions and destructive attacks against mainly South Korean targets for years to come. In fact, modern-day malware from the same threat actor still contains traces of this first eo-malware. The initial starting points were likely the publicly available source code of Rbot and Mydoom, found on Chinese code-sharing sites such as Programmers United Develop Net (PUDN).

There is no universally adopted naming for the early generations of this family in the AV industry. They are usually detected as Dllbot or Npkon, but these names can also cover other families, hence our use of a different name in this paper - KorDllbot.

We will cover the evolution of KorDllbots and related malware, and how these came to be involved in various intrusion cases.