Experts finger disk-wiping badness used in S Korea megahack

Antivirus firms have identified the main malware behind a major internet attack that hit corporate computer networks in South Korea on Wednesday afternoon. However, the source and motives behind the attack remain a mystery. Researchers have dubbed it DarkSeoul. Computer networks at three South Korean TV stations and at least two …

COMMENTS

Anonymous Coward

Please wipe all our bank debts out!


That's just a political decision that can be made tomorrow.

I'm sure some people would be very relieved.

"Donald Trump comes out of Trump Tower and sees a beggar hanging around on the sidewalk. He turns to his valet and says 'Why is this man begging? He has three billion USD more than me!'"


Ace

OK that was easily the best punning subline ever on Reg. Insightful political comment, too!


Re: Ace

Haven't read the article yet - came straight in to upvote the subheading.

g e

Please someone officially attribute it to somewhere other than the NORKs

If only to make FOX look like the utter twats they are.


Re: Please someone officially attribute it to somewhere other than the NORKs

g e

"Please someone officially attribute it to somewhere other than the NORKs

If only to make FOX look like the utter twats they are."

So you want some network to report incorrect information just to sate your adolescent dislike of Fox?

Really?

ql

Bravo, Sir

"The long, dark teatime of the Seoul" Just wondering about how many journalist-hours of waiting it took for an opportunity to use that subline. Perhaps the less pure "The long, dark boot-time of the Seoul" may have offended St Douglas less? ;-)


Long, Dark Teatime of the Seoul

It could be the South Koreans doing it to fellow South Koreans they happen to dislike, and give them an excuse to attack North Korea with similar means. This suggests they are in the third stage of warfare according to Douglas Adams:

1. Retribution: I am going to kill you because you killed my brother

2. Anticipation: I am going to kill you because I killed your brother

3. Diplomacy: I am going to kill my brother and then kill you on the pretext that your brother did it.


BBC: Pointing finger at China was a mistake

http://www.bbc.co.uk/news/world-asia-21891617

Apparently, the "Chinese" IP was used internally by one of the bank servers that had been compromised in the attack.

Muppets. Couldn't they just use RFC 1918 for internal addresses?!

Anonymous Coward

Best Korea...

... needs to learn to update its AV and patch its machines, and do perimeter scanning of inbound web browsing and email.

FFS people - it's not bloody rocket science.

PS - yes, yes, I know this doesn't stop 0day exploits, or malware coded to avoid AV signatures - however, in this case, it would have stopped this attack dead.

Anonymous Coward

Data delete?

fixmbr and back to normal. I thought they deleted data?


Re: Data delete?

I know, they make it sound like they lost something, other than the <10 minutes that it takes to boot from their PE or recovery CD/DVD and run the OS specific boot recovery command.

They should be thankful that it happened the way it did; they should take it for the wake-up call that it was. It also might be a good idea in the future to run one antivirus software on half of your infrastructure, and a competing antivirus on the other half, that way, when this happens again, you won't be completely shut down and sitting in the dark wondering what was going on.


Data-wiping malware?

"An analysis by South Korean antivirus firm AhnLab fails to mention this but does explain the data-wiping behaviour of the malware in some depth."

"Of each physical disk MBR and VBR, up to a maximum of 10 physical disk (\\PHYSICALDRIVE0 ~ \\PHYSICALDRIVE9) to open the string "PRINCPES" Repeat overwritten. Extend the system partition and extended partition if VBR for each partition until the destruction of the target."


Re: Data delete?

Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables.

If you were to know what happened and use a utility to reconstruct the partition tables exactly as they were (if you just have one partition on the disk it's easy) you could fix it good as new though. You could then use fixmbr (or in the more modern case "bootrec /fixmbr") to make the disk bootable again.


Re: Data delete?

I said: "Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables."

Actually, it does worse than that. It doesn't just delete the sector, it overwrites the MBR itself, then extends partitions and stuff to disconnect your data and make it difficult to recover any logical drives. (At least that's what I understood from it)

See a post further down by dgharmon that has a rough translation from Korean of what it does.

Vic

Re: Data delete?

> extends partitions and stuff to disconnect your data and make it difficult to recover

Testdisk will get it all back. It always does.

Vic.

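A defender-side triage check for the sector-0 overwrite described in the quoted AhnLab text and the MBR/partition-table posts above; this is an added example, not code from the article, AhnLab or any commenter. It assumes the standard 512-byte MBR layout (four 16-byte partition entries at offset 446, 0x55AA signature at the end) and uses constructed sample sectors rather than a real disk image:

```python
import struct

SECTOR = 512
WIPE_MARKER = b"PRINCPES"   # pattern AhnLab reported being written over the MBR/VBR
BOOT_SIG = b"\x55\xaa"      # a valid MBR (and NTFS/FAT VBR) ends with this signature
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_partitions(sector0: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446; empty (type 0) slots are skipped."""
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype:
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count})
    return parts


def triage_sector0(sector0: bytes) -> dict:
    """Classify sector 0 as intact, wiped (marker present, signature gone) or suspect."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    sig_ok = sector0[-2:] == BOOT_SIG
    hits = sector0.count(WIPE_MARKER)
    parts = parse_partitions(sector0) if sig_ok else []
    if hits and not sig_ok:
        verdict = "wiped"
    elif sig_ok and parts and not hits:
        verdict = "intact"
    else:
        verdict = "suspect"   # e.g. signature present but no partitions, or marker inside a valid MBR
    return {"signature_ok": sig_ok, "marker_hits": hits, "partitions": parts, "verdict": verdict}


def triage_image(path: str) -> dict:
    """Read the first sector of a raw disk image and triage it."""
    with open(path, "rb") as fh:
        return triage_sector0(fh.read(SECTOR))


def build_sample_mbr(entries) -> bytes:
    """Constructed sample sector 0 (not a real image): zeroed boot code, given entries, signature."""
    buf = bytearray(SECTOR)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, 446 + 16 * i, status, ptype, start, count)
    buf[510:] = BOOT_SIG
    return bytes(buf)


# Constructed inputs: one bootable NTFS partition, and a sector overwritten with the repeated marker.
HEALTHY = build_sample_mbr([(0x80, 0x07, 2048, 204800)])
WIPED = WIPE_MARKER * (SECTOR // len(WIPE_MARKER))
```

Point triage_image() at a raw image (or a block device you are permitted to read); a "wiped" verdict is the cue to rebuild the partition table from a backup or with a tool such as TestDisk before running bootrec /fixmbr, as the posts above describe.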

Key info on Linux killing

http://blog.trendmicro.com/trendlabs-security-intelligence/how-deep-discovery-protected-against-the-korean-mbr-wiper/

It uses any stored root credentials to log into remote Linux servers: for AIX, HP-UX, and Solaris servers it wipes the MBR. If it is unable to wipe the MBR, it instead deletes the folders /kernel/, /usr/, /etc/, /home/.


AhnLab? Seriously?

I didn't know AhnLab even made an Antivirus program. I do know that they make anti-cheat software for K-MMORPGs. Their product, Hackshield, is absolutely BRILLIANT at stopping legit players from playing, while allowing the cheaters to get on with ruining the games that it is being used to protect.

Imagine that: it's OK to edit network packets so that you can do obscene amounts of damage, but it's absolutely not OK to monitor a temperature sensor on your motherboard.

Not that any other anticheat or antivirus is 100% effective, but AhnLab's offerings seem to be worse than many. Never had Avast block Speedfan from operating correctly. Some anticheat software does take exception to being run in a virtual environment, but some game companies REALLY don't want you multi-boxing*.

* - Once played a casual MMO hosted at Aeria games. Their reasoning behind not allowing multi-boxing at that time was that some people can barely afford the one computer they own, and that it's not polite to flaunt the fact that you can afford several machines. I've played other games where it was thought to just be too difficult to multi-box (Granado Espada, where you control 3 characters at once). On Granado, I managed to juggle 3 (!) teams of 3 characters, with at least one team farming on a different map (and therefore not able to benefit from the other two teams apart from a couple of bonuses based on how many faction-mates you had logged on at one time).
