DDoS malware comes with self-destruct payload

Attacks that have wreaked havoc on dozens of South Korean government websites over the past week have included another nasty surprise: a malicious payload that causes the infected machines recruited to carry out the assaults to spontaneously self-destruct. The DDoS, or distributed denial-of-service, attacks were first spotted on …

COMMENTS

This topic is closed for new posts.
  1. Mike007 Bronze badge

    nice

    so this piece of malware, 10 days after infection breaks the computer? nice, then the sorts of users who have more malware than legitimate software will be forced to sort out their computer.

    I wish all malware did this, but it's not really beneficial to the botnet owners to have their botnets clean up after themselves.

    before you thumbs down because of the poor innocent users getting their computers destroyed, tough shit, it's time they took some of the damage they are normally so happy to dish out to others for a change.

    1. Paul Crawford Silver badge

      @nice

      Sadly, I have to agree with you.

      While I do feel sorry for the folks who will suffer from a dead PC, destroying the infected PC helps clean up the internet and hopefully will make the end user ask themselves some serious questions about how they, and the software vendors, considered security.

      But I have a depressing feeling it will be to re-install a pirated copy of XP from an infected torrent though, rather than put in the money and/or effort to use a more secure option like a legitimate copy of Windows 7, or better still, Ubuntu. :(

      Maybe mainstream news reports of infected PCs self-destructing, if widely circulated, might just get Joe Average to *do* something in their self-interest? And ours...

    2. Tigra 07

      RE: Mike007

      Agree completely.

      The problem now is people buy computers in Tesco and get offered McAfee and Norton, both of which are useless and spend more on advertising than actual research and updates.

      These people may not care about their computers, but when they're used as botnets to attack others and national infrastructure, they should be arrested as terrorists if it's obvious they haven't done anything to secure their computer.

      Everyone should be required to do a basic ECDL course at school by law.

    3. TeeCee Gold badge

      Re: nice

      Er, I don't think so.

      I read that as they *don't* self-destruct unless told to and there's a period of up to 10 days that the scumbag can declare as the grace period (and presumably reset within that 10 days).

      It's another anti-takedown mechanism as in: "Get your white-hatted paws off my botnet or umpty-something-thousand users are getting fucked next week.".

  2. Anonymous Coward

    No it isn't.

    Once the infected bots reach the second stage, they receive the list of sites to attack. But they also receive commands to self-destruct by overwriting the master boot record of their primary hard drive.

    “If you want to destroy all the data on a computer and potentially render it unusable, this is how you would do it,” Wicherski said.

    The MBR is easy to restore with quite simple tools. You can even scan a disk to find file system boundaries and restore the partition table with that data, plug the drive in, see if the partitions mount read only, if not try again.
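    Recovery tooling of the kind the comment describes, as an added Python example that is not part of this thread: it checks whether sector 0 still carries a usable partition table, scans the image for NTFS boot sectors that survived the wipe, and rebuilds a partition table from what it finds. The disk image, its layout and all helper names are constructed here for illustration.

    ```python
    import struct

    SECTOR = 512
    BOOT_SIG = b"\x55\xaa"
    ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

    def mbr_is_intact(img: bytes) -> bool:
        """True if sector 0 has the boot signature and at least one non-empty partition entry."""
        mbr = img[:SECTOR]
        if mbr[510:512] != BOOT_SIG:
            return False
        return any(mbr[446 + 16 * i:462 + 16 * i] != bytes(16) for i in range(4))

    def scan_for_ntfs(img: bytes):
        """Walk the image sector by sector for NTFS boot sectors. Returns (start_lba, size) pairs.
        The NTFS 'total sectors' field excludes the backup boot sector, hence the +1; that backup
        copy sits in the volume's last sector and is skipped so it is not reported as a second volume."""
        found = []
        for lba in range(1, len(img) // SECTOR):
            bs = img[lba * SECTOR:(lba + 1) * SECTOR]
            if bs[510:512] != BOOT_SIG or bs[3:11] != b"NTFS    ":
                continue
            if any(lba == start + size - 1 for start, size in found):
                continue  # backup boot sector of a volume already recorded
            total = struct.unpack_from("<Q", bs, 40)[0]
            found.append((lba, total + 1))
        return found

    def rebuild_mbr(partitions) -> bytes:
        """Build a fresh, code-free MBR: empty boot code, type 0x07 (NTFS) entries, LBA-only CHS fields."""
        table = b"".join(struct.pack(ENTRY, 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", s, n)
                         for s, n in partitions[:4])
        return bytes(446) + table.ljust(64, b"\x00") + BOOT_SIG

    def parse_mbr(mbr: bytes):
        """Return (type, start_lba, size) for each populated partition entry."""
        entries = [struct.unpack_from(ENTRY, mbr, 446 + 16 * i) for i in range(4)]
        return [(t, s, n) for _, _, t, _, s, n in entries if t]

    def make_sample_image(ntfs_lba=16, ntfs_sectors=64) -> bytes:
        """Constructed sample: sector 0 zeroed, as a wiping payload leaves it, plus one NTFS volume
        with its boot sector at ntfs_lba and the backup copy in the volume's last sector."""
        bs = bytearray(SECTOR)
        bs[3:11] = b"NTFS    "
        struct.pack_into("<H", bs, 11, SECTOR)             # bytes per sector
        struct.pack_into("<Q", bs, 40, ntfs_sectors - 1)   # total sectors, backup boot sector excluded
        bs[510:512] = BOOT_SIG
        img = bytearray(SECTOR * (ntfs_lba + ntfs_sectors))
        img[ntfs_lba * SECTOR:(ntfs_lba + 1) * SECTOR] = bs
        last = ntfs_lba + ntfs_sectors - 1
        img[last * SECTOR:(last + 1) * SECTOR] = bs
        return bytes(img)
    ```

    On a real drive the rebuilt sector 0 would be written back only after the volume mounts read-only from the recovered offsets, as the comment suggests.
    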

    1. K. Adams

      @Listen 2 Me: "The MBR is easy to restore with quite simple tools."

      For us cybergeeks, maybe.

      For the average user, however, a computer that absolutely will not boot with the possibility of seemingly permanent data loss can be a very frustrating (or frightening, depending on how much of your life is tied to your PC) experience.

      The only way to combat this problem, in the long run, is user education:

      1. Stick to trusted web sites

      2. Backup your data

      3. Install OS patches

      4. Update anti-malware suite and scan for threats

      5. Reboot

      6. Repeat

      Now, as a hard-core GNU/Linux enthusiast, one may expect individuals such as myself to say something like "Well, things would be a lot better if people didn't run Windows," or "You'd never see this kind of problem if everyone ran Linux." And for some persons, that would be a correct assessment.

      However, there are very practical considerations as to why Joe Average User should NOT run Linux, mostly relating to Microsoft Office document compatibility, and availability of well-tested, high-performing device and printer drivers. Even the most user-friendly GNU/Linux distros, such as Ubuntu and/or Linux Mint, can take quite a bit of tweaking to get running smoothly on modern hardware. And many average computer users don't want to invest the time to work through the process of learning a "foreign" operating system.

      An OS X machine may be a viable alternative for the general user population, but Apples are quite pricey compared to standard, work-a-day PCs, and are out of reach for many users on that basis alone.

      1. The Original Ash

        @K. Adams

        1) Any Geek Squad / PC Doctor / Nerd nephew has OEM Windows install media, and booting to recovery console for fixboot and fixmbr is hardly going to cost hundreds of pounds. Failing that, slave the drive in another PC and BOOM data recovered.

        2) I agree that education is the problem, however we have exploits running from compromised advertising servers or trusted sites, more and more authentic-looking phishing / spear phishing attacks (How long before spammers figure out that j.bloggs@emailaddress.com is probably for J. Bloggs and put that in the greeting? "Dear Customer" is a clear indication of SPAM / phishing, but "Dear J. Bloggs"?) You can't tell someone to stay clear of superhorridadultsite.com when yourfavouritefootballteam.com is using compromised advertising code from the same servers.

        3) Windows and Linux are both secure when configured correctly. The fact that people CAN'T configure them correctly is what I call "Job Security". Go configure it for them. Install their printer, add their office software, show them how to get onto the internet, then leave them instructions for how to install patches. If all they can do is patch what's installed, they can't hose the system.

      2. Evil Auditor Silver badge

        Re user education

        I read that as user evolution, i.e. a kind of natural selection process in which lusers are prevented from being a user. Ideally permanently.

        Unfortunately, there are some dumbasses (like myself) around who in exchange for a smile [...] happily ignore the 'but I need this trojan because of that game...' again and fix the PC. Till next time.

    2. Gene Cash Silver badge

      Simple tools

      Yeah, but the yahoos that'd have malware in the first place probably won't have either the tools or the knowledge. Hopefully.

  3. K. Adams

    What Goes Around, Comes Around...

    Back in the old days, perhaps as an attempt to fill some mysterious void in its soul, the early VXer would code beasties that would kill MBRs and trash files just for kicks. The computer underground's version of feather-puffing, the VXer took delight in ruining peoples' days as a way of collecting bragging rights, to raise its status among others of its ilk.

    Then the Internet came along, and seeing the potential provided by an untamed frontier of interlinked computers used by an unknowing and gullible public, the now grown-up VXer shifted focus, and decided that bending the hapless machines to its nefarious will was much more useful -- and lucrative -- than simply rendering them inoperable.

    Now it seems that the VXer's interest has returned to the thrill of more youthful days, when dealing misery was done for fun. Bored with stealing credentials and draining bank accounts, the miscreant strikes out in anger, avenging some slight, unknown and unfathomable, brandishing its ego like a sword and cackling in mania.

    1. BraveOak

      a

      lol wot?

  4. Anonymous Coward

    One-shot botnets, eh?

    Wonder whether that'd command a premium or would get a discount. It's certainly going to get a lot of people's attention. Or are they hoping people will "just" reinstall everything?

    In ten days we might start to piece together how targeted this thing's infections were.

    1. Rob Carriere

      New business model?

      Actually, this might enable a new business model where you sell small botnets, rather than renting out pieces of a single big one that you have to maintain and manage. This would move more of the work and especially the risk to the customer, while the self-destruct ensures you still get repeat business. This would make take-downs much harder and getting to the authors of the botnet harder still.

  5. Rippy

    Re: One-shot botnets

    > Or are they hoping people will "just" reinstall everything?

    Interesting idea. A reinstall will certainly do another, more thorough pass at covering tracks. And outside the enterprise environment, it's likely to cause regression in security patches, making the box vulnerable to other/more herders -- more track covering?

    G.

  6. Elmer Phud

    Eh?

    Am I being a bit dumb here, why would anyone want to screw up the machines that are part of a bot-net if it's the bot-net that brings in the revenue?

    1. Evil Auditor Silver badge

      @Elmer Phud

      It may be a strategic move to show the market that these guys are such badass coders they can easily create a new bot-net on demand.

  7. Anonymous Coward

    Sounds like the Norks

    Attacking South Korea with old skool virus techniques...

    As a few people have already pointed out, fixing the MBR isn't a big deal, but if it's messing with applications and language run-times, then it will be very inconvenient, and possibly time consuming, to fully repair.

  8. Anonymous South African Coward Bronze badge

    nasty

    This is nasty.

    Imagine a big corp getting such a trojan on their Windows server with RAID... trojan strikes, server won't boot.

    Is it possible to recover data in this instance?

    1. Tom 13

      @nasty

      That's what backups are for.

      Security isn't a wall, it's a series of incremental measures that ultimately protect the business operation.

    2. Paul Crawford Silver badge

      @nasty

      Probably. If the person knows what they are doing and they had good documentation on how it once was set up.

      But really, any big corp or even small business should have a proper backup, and not one using on-line disks based on the same OS!

      Repeat after me "RAID is not a BACKUP" 20 times...
