Attacks that have wreaked havoc on dozens of South Korean government websites over the past week have included another nasty surprise: a malicious payload that causes the infected machines recruited to carry out the assaults to spontaneously self-destruct. The DDoS, or distributed denial-of-service, attacks were first spotted on …
so this piece of malware, 10 days after infection, breaks the computer? nice, then the sorts of users who have more malware than legitimate software will be forced to sort out their computer.
I wish all malware did this, but it's not really beneficial to the botnet owners to have their botnets clean up after themselves.
before you thumbs down because of the poor innocent users getting their computers destroyed, tough shit, it's time they took some of the damage they are normally so happy to dish out to others for a change.
The problem now is people buy computers in Tesco and get offered McAfee and Norton, both of which are useless and spend more on advertising than actual research and updates.
These people may not care about their computers, but when they're used as botnets to attack others and national infrastructure, they should be arrested as terrorists if it's obvious they haven't done anything to secure their computer.
Everyone should be required to do a basic ECDL course at school by law.
Sadly, I have to agree with you.
While I do feel sorry for the folks who will suffer from a dead PC, destroying the infected PC helps clean up the internet and hopefully will make the end user ask themselves some serious questions about how they, and the software vendors, considered security.
But I have a depressing feeling it will be to re-install a pirated copy of XP from an infected torrent though, rather than put in the money and/or effort to use a more secure option like a legitimate copy of Windows 7, or better still, Ubuntu. :(
Maybe mainstream news reports of infected PCs self-destructing, if widely circulated, might just get Joe Average to *do* something in their self-interest? And ours...
Er, I don't think so.
I read that as they *don't* self-destruct unless told to and there's a period of up to 10 days that the scumbag can declare as the grace period (and presumably reset within that 10 days).
It's another anti-takedown mechanism as in: "Get your white-hatted paws off my botnet or umpty-something-thousand users are getting fucked next week.".
No it isn't.
Once the infected bots reach the second stage, they receive the list of sites to attack. But they also receive commands to self-destruct by overwriting the master boot record of their primary hard drive.
“If you want to destroy all the data on a computer and potentially render it unusable, this is how you would do it,” Wicherski said.
The MBR is easy to restore with quite simple tools. You can even scan a disk to find file system boundaries and restore the partition table with that data, plug the drive in, see if the partitions mount read only, if not try again.
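As an added illustration of the recovery point made in the comment above (this is example code written for this page, not from the thread, the article or any of the tools mentioned), the script below parses the 512-byte MBR sector: it checks the 0x55AA boot signature, decodes the four partition-table entries, and shows how the partition table from a saved copy of the sector can be laid back over a wiped one. The sample sector is constructed inline (one NTFS-type partition starting at LBA 2048, placeholder boot code) so the script runs offline; on a real system you would read the first sector of the disk device with the same layout.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # the partition table follows 446 bytes of boot code
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four 16-byte entries of a classic MBR partition table.

    Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4).
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:         # empty slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def check_mbr(mbr: bytes) -> dict:
    """Summarise whether the sector still looks like a usable MBR."""
    return {
        "signature_ok": mbr[SECTOR_SIZE - 2:] == MBR_SIGNATURE,
        "boot_code_present": any(mbr[:PT_OFFSET]),
        "partitions": parse_partition_table(mbr),
    }


def restore_partition_table(damaged: bytes, backup: bytes) -> bytes:
    """Copy the partition table and signature from a saved copy of the sector.

    Boot code is left as found: a standard bootloader can be rewritten by the
    OS's own repair tools, but the partition table is what locates the data.
    """
    for sector in (damaged, backup):
        if len(sector) != SECTOR_SIZE:
            raise ValueError("both inputs must be 512-byte sectors")
    return damaged[:PT_OFFSET] + backup[PT_OFFSET:]


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not captured from any real disk)."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PT_OFFSET - 3)    # placeholder boot code
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)  # bootable, type 7, 200 MiB
    table = first + bytes(ENTRY_SIZE * 3)                        # three empty slots
    return boot_code + table + MBR_SIGNATURE


def wiped_mbr() -> bytes:
    """What a disk looks like after sector 0 has been overwritten with zeros."""
    return bytes(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    print("intact:", check_mbr(good))
    print("wiped: ", check_mbr(wiped_mbr()))
    print("restored:", check_mbr(restore_partition_table(wiped_mbr(), good)))
```

The practical takeaway is that the partition table is 66 bytes at the end of sector 0; keeping a copy of that sector (for example from a live boot medium before anything goes wrong) makes the restore step a straight byte copy instead of a scan for filesystem boundaries.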
Yeah, but the yahoos that'd have malware in the first place probably won't have either the tools or the knowledge. Hopefully.
@Listen 2 Me: "The MBR is easy to restore with quite simple tools."
For us cybergeeks, maybe.
For the average user, however, a computer that absolutely will not boot with the possibility of seemingly permanent data loss can be a very frustrating (or frightening, depending on how much of your life is tied to your PC) experience.
The only way to combat this problem, in the long run, is user education:
1. Stick to trusted web sites
2. Backup your data
3. Install OS patches
4. Update anti-malware suite and scan for threats
5. Reboot
6. Repeat
Now, as a hard-core GNU/Linux enthusiast, one may expect individuals such as myself to say something like "Well, things would be a lot better if people didn't run Windows," or "You'd never see this kind of problem if everyone ran Linux." And for some persons, that would be a correct assessment.
However, there are very practical considerations as to why Joe Average User should NOT run Linux, mostly relating to Microsoft Office document compatibility, and availability of well-tested, high-performing device and printer drivers. Even the most user-friendly GNU/Linux distros, such as Ubuntu and/or Linux Mint, can take quite a bit of tweaking to get running smoothly on modern hardware. And many average computer users don't want to invest the time to work through the process of learning a "foreign" operating system.
An OS X machine may be a viable alternative for the general user population, but Apples are quite pricey compared to standard, work-a-day PCs, and are out of reach for many users on that basis alone.
1) Any Geek Squad / PC Doctor / Nerd nephew has OEM Windows install media, and booting to recovery console for fixboot and fixmbr is hardly going to cost hundreds of pounds. Failing that, slave the drive in another PC and BOOM data recovered.
2) I agree that education is the problem, however we have exploits running from compromised advertising servers or trusted sites, more and more authentic-looking phishing / spear phishing attacks (How long before spammers figure out that email@example.com is probably for J. Bloggs and put that in the greeting? "Dear Customer" is a clear indication of SPAM / phishing, but "Dear J. Bloggs"?) You can't tell someone to stay clear of superhorridadultsite.com when yourfavouritefootballteam.com is using compromised advertising code from the same servers.
3) Windows and Linux are both secure when configured correctly. The fact that people CAN'T configure them correctly is what I call "Job Security". Go configure it for them. Install their printer, add their office software, show them how to get onto the internet, then leave them instructions for how to install patches. If all they can do is patch what's installed, they can't hose the system.
Re user education
I read that as user evolution, ie kind of natural selection process in which lusers are prevented from being a user. Ideally permanently.
Unfortunately, there are some dumbasses (like myself) around who in exchange for a smile [...] happily ignore the 'but I need this trojan because of that game...' again and fix the PC. Till next time.
What Goes Around, Comes Around...
Back in the old days, perhaps as an attempt to fill some mysterious void in its soul, the early VXer would code beasties that would kill MBRs and trash files just for kicks. The computer underground's version of feather-puffing, the VXer took delight in ruining peoples' days as a way of collecting bragging rights, to raise its status among others of its ilk.
Then the Internet came along, and seeing the potential provided by an untamed frontier of interlinked computers used by an unknowing and gullible public, the now grown-up VXer shifted focus, and decided that bending the hapless machines to its nefarious will was much more useful -- and lucrative -- than simply rendering them inoperable.
Now it seems that the VXer's interest has returned to the thrill of more youthful days, when dealing misery was done for fun. Bored with stealing credentials and draining bank accounts, the miscreant strikes out in anger, avenging some slight, unknown and unfathomable, brandishing its ego like a sword and cackling in mania.
One-shot botnets, eh?
Wonder whether that'd command a premium or would get a discount. It's certainly going to get a lot of people's attention. Or are they hoping people will "just" reinstall everything?
In ten days we might start to piece together how targeted this thing's infections were.
New business model?
Actually, this might enable a new business model where you sell small botnets, rather than renting out pieces of a single big one that you have to maintain and manage. This would move more of the work and especially the risk to the customer, while the self-destruct ensures you still get repeat business. This would make take-downs much harder and getting to the authors of the botnet harder still.
Re: One-shot botnets
> Or are they hoping people will "just" reinstall everything?
Interesting idea. A reinstall will certainly do another, more thorough pass at covering tracks. And outside the enterprise environment, it's likely to cause regression in security patches, making the box vulnerable to other/more herders -- more track covering?
Am I being a bit dumb here, why would anyone want to screw up the machines that are part of a bot-net if it's the bot-net that brings in the revenue?
It may be a strategic move to show the market that these guys are such badass coders they can easily create a new bot-net on demand.
Sounds like the Norks
Attacking South Korea with old skool virus techniques...
As a few people have already pointed out, fixing the MBR isn't a big deal, but if it's messing with applications and language run-times, then it will be very inconvenient, and possibly time consuming, to fully repair.
This is nasty.
Imagine a big corp getting such a trojan on their Windows server with RAID... trojan strikes, server won't boot.
Is it possible to recover data in this instance?
That's what backups are for.
Security isn't a wall, it's a series of incremental measures that ultimately protect the business operation.
Probably. If the person knows what they are doing and they had good documentation on how it once was set up.
But really, any big corp or even small business should have a proper backup, and not one using on-line disks based on the same OS!
Repeat after me "RAID is not a BACKUP" 20 times...