Experts finger disk-wiping badness used in S Korea megahack

Antivirus firms have identified the main malware behind a major internet attack that hit corporate computer networks in South Korea on Wednesday afternoon. However the source and motives behind the attack remain a mystery. Researchers have dubbed it DarkSeoul. Computer networks at three South Korean TV stations and at least …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Please wipe all our bank debts out!

    1. Destroy All Monsters Silver badge

      That's just a political decision that can be made tomorrow.

      I'm sure some people would be very relieved.

      "Donald Trump comes out of Trump Tower and sees a beggar hanging around on the sidewalk. He turns to his valet and says 'Why is this man begging? He has three billion USD more than me!'"

  2. Eenymeeny

    Ace

    OK that was easily the best punning subline ever on Reg. Insightful political comment, too!

    1. Gordon 10

      Re: Ace

      Haven't read the article yet - came straight in to upvote the subheading.

  3. g e

    Please someone officially attribute it to somewhere other than the NORKs

    If only to make FOX look like the utter twats they are.

    1. Cipher

      Re: Please someone officially attribute it to somewhere other than the NORKs

      g e

      "Please someone officially attribute it to somewhere other than the NORKs

      If only to make FOX look like the utter twats they are."

      So you want some network to report incorrect information just to sate your adolescent dislike of Fox?

      Really?

  4. Anonymous Coward

    Bravo, Sir

    "The long, dark teatime of the Seoul" Just wondering about how many journalist-hours of waiting it took for an opportunity to use that subline. Perhaps the less pure "The long, dark boot-time of the Seoul" may have offended St Douglas less? ;-)

  5. Michael H.F. Wilkinson Silver badge

    Long, Dark Teatime of the Seoul

    It could be the South Koreans doing it to fellow South Koreans they happen to dislike, and give them an excuse to attack North Korea with similar means. This suggests they are in the third stage of warfare according to Douglas Adams:

    1. Retribution: I am going to kill you because you killed my brother

    2. Anticipation: I am going to kill you because I killed your brother

    3. Diplomacy: I am going to kill my brother and then kill you on the pretext that your brother did it.

  6. Soruk

    BBC: Pointing finger at China was a mistake

    http://www.bbc.co.uk/news/world-asia-21891617

    Apparently, the "Chinese" IP was used internally by one of the bank servers that had been compromised in the attack.

    Muppets. Couldn't they just use RFC1918 for internal addresses?!

  7. Anonymous Coward

    Best Korea...

    ... needs to learn to update its AV and patch its machines, and do perimeter scanning of inbound web browsing and email.

    FFS people - it's not bloody rocket science.

    PS - yes, yes, I know this doesn't stop 0day exploits, or malware coded to avoid AV signatures - however, in this case, it would have stopped this attack dead.

  8. Anonymous Coward

    Data delete?

    fixmbr and back to normal. I thought they deleted data?

    1. MacGyver

      Re: Data delete?

      I know, they make it sound like they lost something, other than the <10 minutes that it takes to boot from their PE or recovery CD/DVD and run the OS specific boot recovery command.

      They should be thankful that it happened the way it did; they should take it for the wake-up call that it was. It also might be a good idea in the future to run one antivirus software on half of your infrastructure, and a competing antivirus on the other half. That way, when this happens again, you won't be completely shut down and sitting in the dark wondering what is going on.

      1. Anonymous Coward

        Data-wiping malware?

        "An analysis by South Korean antivirus firm AhnLab fails to mention this but does explain the data-wiping behaviour of the malware in some depth."

        "Of each physical disk MBR and VBR, up to a maximum of 10 physical disk (\ \ PHYSICALDRIVE0 ~ \ \ PHYSICALDRIVE9) to open the string "PRINCPES" Repeat overwritten. Extend the system partition and extended partition if VBR for each partition until the destruction of the target."

    2. Grogan Silver badge

      Re: Data delete?

      Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables.

      If you were to know what happened and use a utility to reconstruct the partition tables exactly as they were (if you just have one partition on the disk it's easy) you could fix it good as new though. You could then use fixmbr (or in the more modern case "bootrec /fixmbr") to make the disk bootable again.

      1. Grogan Silver badge

        Re: Data delete?

        I said: "Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables."

        Actually, it does worse than that. It doesn't just delete the sector, it overwrites the MBR itself, then extends partitions and stuff to disconnect your data and make it difficult to recover any logical drives. (At least that's what I understood from it)

        See a post further down by dgharmon that has a rough translation from Korean of what it does.

        1. Vic

          Re: Data delete?

          > extends partitions and stuff to disconnect your data and make it difficult to recover

          Testdisk will get it all back. it always does.

          Vic.
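The recovery Grogan and Vic are describing, in miniature, as an added example (not code from the article, from AhnLab, or from any commenter). It reads sector 0 of a raw disk image, flags the repeated "PRINCPES" overwrite that the quoted AhnLab translation describes, and then does what TestDisk does at a much deeper level: scans the image for NTFS boot sectors and rebuilds the partition table from them. Because the same text says the VBR of each partition is overwritten as well, the scan also accepts the backup boot sector NTFS keeps in the last sector of the volume and works backwards to the real partition start. Assumptions: 512-byte sectors, MBR partitioning, NTFS volumes only (FAT and extended partitions are not modelled), and a constructed in-memory disk image rather than a real drive.

```python
import struct

SECTOR = 512
# AhnLab's description: the string "PRINCPES" repeated across the sector.
WIPE = (b"PRINCPES" * (SECTOR // 8))[:SECTOR]


def is_wiped(sector: bytes) -> bool:
    return sector[:SECTOR] == WIPE


def mbr_looks_valid(sector0: bytes) -> bool:
    """Boot signature present and at most one partition flagged active."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return False
    status = [sector0[446 + 16 * i] for i in range(4)]
    return all(s in (0x00, 0x80) for s in status) and status.count(0x80) <= 1


def parse_partition_table(sector0: bytes):
    """Return (start_lba, sector_count, type) for each populated MBR entry."""
    table = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype and count:
            table.append((start, count, ptype))
    return table


def ntfs_boot_sector(sector: bytes):
    """Volume size in sectors if this is an NTFS boot sector, else None."""
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    return struct.unpack_from("<Q", sector, 0x28)[0] + 1  # field holds sectors - 1


def recover_ntfs_volumes(image: bytes):
    """Scan every sector for NTFS boot sectors (primary or backup) and
    return the (start_lba, sector_count) of each volume found."""
    nsec = len(image) // SECTOR

    def sec(n):
        return image[n * SECTOR:(n + 1) * SECTOR]

    hits = {n: ntfs_boot_sector(sec(n)) for n in range(1, nsec)}
    hits = {n: t for n, t in hits.items() if t}
    volumes, used = [], set()
    for lba, total in sorted(hits.items()):
        if lba in used:
            continue
        partner = lba + total - 1               # where the backup would sit
        if hits.get(partner) == total:          # primary, backup intact
            volumes.append((lba, total))
            used.add(partner)
            continue
        cand = lba - (total - 1)                # where the primary would sit
        if cand >= 1 and (partner >= nsec or is_wiped(sec(cand))):
            volumes.append((cand, total))       # backup of a wiped primary
        else:
            volumes.append((lba, total))        # lone primary, backup lost
    return volumes


def rebuild_mbr(volumes) -> bytes:
    """Fresh sector 0 with LBA-only entries (0xFE/FF/FF CHS placeholders)."""
    mbr = bytearray(SECTOR)
    for i, (start, total) in enumerate(volumes[:4]):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xfe\xff\xff",
                         0x07, b"\xfe\xff\xff", start, total)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# ---- constructed sample disk (not a real capture) ----------------------
def make_ntfs_boot_sector(total: int) -> bytes:
    s = bytearray(SECTOR)
    s[0:3], s[3:11] = b"\xeb\x52\x90", b"NTFS    "
    struct.pack_into("<Q", s, 0x28, total - 1)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_image(start: int = 8, total: int = 64) -> bytes:
    """MBR + one NTFS volume whose last sector holds the backup boot sector."""
    vbr = make_ntfs_boot_sector(total)
    img = bytearray(SECTOR * (start + total))
    img[:SECTOR] = rebuild_mbr([(start, total)])
    img[start * SECTOR:(start + 1) * SECTOR] = vbr
    last = start + total - 1
    img[last * SECTOR:(last + 1) * SECTOR] = vbr
    return bytes(img)


def darkseoul_wipe(image: bytes, start: int) -> bytes:
    """Simulate the overwrite the thread describes: sector 0 and the VBR."""
    img = bytearray(image)
    img[:SECTOR] = WIPE
    img[start * SECTOR:(start + 1) * SECTOR] = WIPE
    return bytes(img)


def triage_and_recover(image: bytes):
    s0 = image[:SECTOR]
    verdict = ("wiped (PRINCPES pattern)" if is_wiped(s0)
               else "valid MBR" if mbr_looks_valid(s0) else "damaged MBR")
    volumes = recover_ntfs_volumes(image)
    return verdict, volumes, rebuild_mbr(volumes)


if __name__ == "__main__":
    clean = build_sample_image()
    print(triage_and_recover(clean)[:2])
    print(triage_and_recover(darkseoul_wipe(clean, 8))[:2])
```

The point of the backup-sector branch is the caveat in Grogan's follow-up: if only sector 0 were zeroed, `bootrec /fixmbr` plus a rebuilt table would do, but with the VBR gone too you need a second copy of the volume's geometry, which NTFS happens to keep. A recovered volume whose primary VBR is still wiped also needs that sector restored from the backup before Windows will mount it, which this example deliberately leaves to TestDisk or a hex editor.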

  9. tony trolle

    key info on linux killing

    http://blog.trendmicro.com/trendlabs-security-intelligence/how-deep-discovery-protected-against-the-korean-mbr-wiper/

    It uses any stored root credentials to log into remote Linux servers: for AIX, HP-UX, and Solaris servers it wipes the MBR. If it is unable to wipe the MBR, it instead deletes the folders /kernel/, /usr/, /etc/, /home/.

  10. Ceiling Cat

    AhnLab? Seriously?

    I didn't know AhnLab even made an Antivirus program. I do know that they make anti-cheat software for K-MMORPGs. Their product, Hackshield, is absolutely BRILLIANT at stopping legit players from playing, while allowing the cheaters to get on with ruining the games that it is being used to protect.

    Imagine that : It's OK to edit network packets so that you can do obscene amounts of damage, but it's absolutely not OK to monitor a temperature sensor on your motherboard.

    Not that any other anticheat or antivirus is 100% effective, but AhnLab's offerings seem to be worse than many. Never had Avast block Speedfan from operating correctly. Some anticheat software does take exception to being run in a virtual environment, but some game companies REALLY don't want you multi-boxing*.

    * - Once played a casual MMO hosted at Aeria games. Their reasoning behind not allowing multi-boxing at that time was that some people can barely afford the one computer they own, and that it's not polite to flaunt the fact that you can afford several machines. I've played other games where it was thought to just be too difficult to multi-box (Granado Espada, where you control 3 characters at once). On Granado, I managed to juggle 3 (!) teams of 3 characters, with at least one team farming on a different map (and therefore not able to benefit from the other two teams apart from a couple of bonuses based on how many faction-mates you had logged on at one time).

