Antivirus firms have identified the main malware behind a major internet attack that hit corporate computer networks in South Korea on Wednesday afternoon. However, the source and motives behind the attack remain a mystery. Researchers have dubbed it DarkSeoul. Computer networks at three South Korean TV stations and at least two …
Please wipe all our bank debts out!
That's just a political decision that can be made tomorrow.
I'm sure some people would be very relieved.
"Donald Trump comes out of Trump Tower and sees a beggar hanging around on the sidewalk. He turns to his valet and says 'Why is this man begging? He has three billion USD more than me!'"
OK that was easily the best punning subline ever on Reg. Insightful political comment, too!
Haven't read the article yet - came straight in to upvote the subheading.
Please someone officially attribute it to somewhere other than the NORKs
If only to make FOX look like the utter twats they are.
Re: Please someone officially attribute it to somewhere other than the NORKs
"Please someone officially attribute it to somewhere other than the NORKs
If only to make FOX look like the utter twats they are."
So you want some network to report incorrect information just to sate your adolescent dislike of Fox?
"The long, dark teatime of the Seoul" Just wondering about how many journalist-hours of waiting it took for an opportunity to use that subline. Perhaps the less pure "The long, dark boot-time of the Seoul" may have offended St Douglas less? ;-)
Long, Dark Teatime of the Seoul
It could be the South Koreans doing it to fellow South Koreans they happen to dislike, and give them an excuse to attack North Korea with similar means. This suggests they are in the third stage of warfare according to Douglas Adams:
1. Retribution: I am going to kill you because you killed my brother
2. Anticipation: I am going to kill you because I killed your brother
3. Diplomacy: I am going to kill my brother and then kill you on the pretext that your brother did it.
BBC: Pointing finger at China was a mistake
Apparently, the "Chinese" IP was used internally by one of the bank servers that had been compromised in the attack.
Muppets. Couldn't they just use RFC1918 for internal addresses?!
... needs to learn to update its AV and patch its machines, and do perimeter scanning of inbound web browsing and email.
FFS people - it's not bloody rocket science.
PS - yes, yes I know this doesn't stop 0day exploits, or malware coded to avoid AV signatures - however, in this case, it would have stopped this attack dead.
fixmbr and back to normal. I thought they deleted data?
Re: Data delete?
I know, they make it sound like they lost something, other than the <10 minutes that it takes to boot from their PE or recovery CD/DVD and run the OS specific boot recovery command.
They should be thankful that it happened the way it did; they should take it for the wake-up call that it was. It also might be a good idea in the future to run one antivirus software on half of your infrastructure, and a competing antivirus on the other half. That way, when this happens again, you won't be completely shut down and sitting in the dark wondering what was going on.
"An analysis by South Korean antivirus firm AhnLab fails to mention this but does explain the data-wiping behaviour of the malware in some depth."
"Of each physical disk MBR and VBR, up to a maximum of 10 physical disk (\ \ PHYSICALDRIVE0 ~ \ \ PHYSICALDRIVE9) to open the string "PRINCPES" Repeat overwritten. Extend the system partition and extended partition if VBR for each partition until the destruction of the target." link
Re: Data delete?
Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables.
If you were to know what happened and use a utility to reconstruct the partition tables exactly as they were (if you just have one partition on the disk it's easy) you could fix it good as new though. You could then use fixmbr (or in the more modern case "bootrec /fixmbr") to make the disk bootable again.
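As an added example (not from the article, the commenters, or AhnLab), here is a Python parser for the 512-byte sector 0 described above: it reads the four partition-table entries at offset 446, checks the 0x55AA boot signature, and flags a sector that has been overwritten with the repeated "PRINCPES" string quoted from the AhnLab analysis. The healthy and wiped sample sectors are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
TABLE_OFFSET = 446          # the 4 x 16-byte partition entries live here, before the signature
WIPE_MARKER = b"PRINCPES"   # string the quoted AhnLab analysis says is written repeatedly
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Inspect sector 0: boot signature, partition entries, and the wipe pattern."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    signature_ok = sector[510:512] == b"\x55\xaa"
    # A disk hit by the wiper has the marker repeated across the whole sector,
    # so both the boot code and the partition table (the recovery-relevant part) are gone.
    wiped = sector == WIPE_MARKER * (SECTOR // len(WIPE_MARKER))
    partitions: List[Partition] = []
    if not wiped:
        for i in range(4):
            status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
            if type_id != 0:  # unused slots are all zeros
                partitions.append(Partition(status == 0x80, type_id, lba, count))
    return {"signature_ok": signature_ok, "wiped": wiped, "partitions": partitions}


def build_mbr(entries: List[Tuple[bool, int, int, int]]) -> bytes:
    """Constructed sample sector 0 with the given (bootable, type, lba_start, sectors) entries."""
    buf = bytearray(SECTOR)
    for i, (bootable, type_id, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + 16 * i, 0x80 if bootable else 0, type_id, lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


def wiped_sector() -> bytes:
    """Constructed sector 0 as the quoted analysis describes it after the overwrite."""
    return WIPE_MARKER * (SECTOR // len(WIPE_MARKER))


if __name__ == "__main__":
    for label, sec in (("healthy", build_mbr([(True, 0x07, 2048, 204800)])), ("wiped", wiped_sector())):
        print(label, parse_mbr(sec))
```

Reconstructing the 64 table bytes this parser reads, from knowledge of the original layout, is exactly the repair the comment above describes; with the table back, `bootrec /fixmbr` only has to restore the boot code.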
Re: Data delete?
I said: "Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables."
Actually, it does worse than that. It doesn't just delete the sector, it overwrites the MBR itself, then extends partitions and stuff to disconnect your data and make it difficult to recover any logical drives. (At least that's what I understood from it)
See a post further down by dgharmon that has a rough translation from Korean of what it does.
Re: Data delete?
> extends partitions and stuff to disconnect your data and make it difficult to recover
Testdisk will get it all back. It always does.
Key info on Linux killing
It uses any stored root credentials to log into remote Linux servers: for AIX, HP-UX, and Solaris servers it wipes the MBR. If it is unable to wipe the MBR, it instead deletes the folders /kernel/, /usr/, /etc/, /home/.
I didn't know AhnLab even made an Antivirus program. I do know that they make anti-cheat software for K-MMORPGs. Their product, Hackshield, is absolutely BRILLIANT at stopping legit players from playing, while allowing the cheaters to get on with ruining the games that it is being used to protect.
Imagine that: it's OK to edit network packets so that you can do obscene amounts of damage, but it's absolutely not OK to monitor a temperature sensor on your motherboard.
Not that any other anticheat or antivirus is 100% effective, but AhnLab's offerings seem to be worse than many. Never had Avast block Speedfan from operating correctly. Some anticheat software does take exception to being run in a virtual environment, but some game companies REALLY don't want you multi-boxing*.
* - Once played a casual MMO hosted at Aeria Games. Their reasoning behind not allowing multi-boxing at that time was that some people can barely afford the one computer they own, and that it's not polite to flaunt the fact that you can afford several machines. I've played other games where it was thought to just be too difficult to multi-box (Granado Espada, where you control 3 characters at once). On Granado, I managed to juggle 3 (!) teams of 3 characters, with at least one team farming on a different map (and therefore not able to benefit from the other two teams apart from a couple of bonuses based on how many faction-mates you had logged on at one time).