Please wipe all our bank debts out!
Experts finger disk-wiping badness used in S Korea megahack
Antivirus firms have identified the main malware behind a major internet attack that hit corporate computer networks in South Korea on Wednesday afternoon. However the source and motives behind the attack remain a mystery. Researchers have dubbed it DarkSeoul. Computer networks at three South Korean TV stations and at least …
Friday 22nd March 2013 11:35 GMT Cipher
Re: Please someone officially attribute it to somewhere other than the NORKs
"Please someone officially attribute it to somewhere other than the NORKs
If only to make FOX look like the utter twats they are."
So you want some network to report incorrect information just to sate your adolescent dislike of Fox?
Really?
Friday 22nd March 2013 10:33 GMT Michael H.F. Wilkinson
Long, Dark Teatime of the Seoul
It could be the South Koreans doing it to fellow South Koreans they happen to dislike, and give them an excuse to attack North Korea with similar means. This suggests they are in the third stage of warfare according to Douglas Adams:
1. Retribution: I am going to kill you because you killed my brother
2. Anticipation: I am going to kill you because I killed your brother
3. Diplomacy: I am going to kill my brother and then kill you on the pretext that your brother did it.
Friday 22nd March 2013 11:36 GMT Anonymous Coward
Best Korea...
... needs to learn to update its AV and patch its machines, and do perimeter scanning of inbound web browsing and email.
FFS people - it's not bloody rocket science.
PS - yes, yes I know this doesn't stop 0day exploits, or malware coded to avoid AV signatures - however, in this case, it would have stopped this attack dead.
Friday 22nd March 2013 13:19 GMT MacGyver
Re: Data delete?
I know, they make it sound like they lost something, other than the <10 minutes that it takes to boot from their PE or recovery CD/DVD and run the OS specific boot recovery command.
They should be thankful that it happened the way it did, they should take it for the wake-up call that it was. It also might be a good idea in the future to run one antivirus software on half of your infrastructure, and a competing antivirus on the other half, that way, when this happens again, you won't be completely shutdown and sitting in the dark wondering what was going on.
Friday 22nd March 2013 22:33 GMT Anonymous Coward
Data-wiping malware?
"An analysis by South Korean antivirus firm AhnLab fails to mention this but does explain the data-wiping behaviour of the malware in some depth."
"Of each physical disk MBR and VBR, up to a maximum of 10 physical disk (\\PHYSICALDRIVE0 ~ \\PHYSICALDRIVE9) to open the string "PRINCPES" Repeat overwritten. Extend the system partition and extended partition if VBR for each partition until the destruction of the target."
Saturday 23rd March 2013 05:19 GMT Grogan
Re: Data delete?
Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables.
If you were to know what happened and use a utility to reconstruct the partition tables exactly as they were (if you just have one partition on the disk it's easy) you could fix it good as new though. You could then use fixmbr (or in the more modern case "bootrec /fixmbr") to make the disk bootable again.
Saturday 23rd March 2013 05:29 GMT Grogan
Re: Data delete?
I said: "Unfortunately, when they say "the MBR" they mean the first sector of the disk (sector 0), that has the MBR (master boot record) and partition tables."
Actually, it does worse than that. It doesn't just delete the sector, it overwrites the MBR itself, then extends partitions and stuff to disconnect your data and make it difficult to recover any logical drives. (At least that's what I understood from it)
See a post further down by dgharmon that has a rough translation from Korean of what it does.
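The two comments above (the AhnLab quote about "PRINCPES" being repeated over the MBR, and Grogan's point that a known partition layout can be written back before running fixmbr) can be illustrated with a small sector parser. This is an added example, not code from the article, AhnLab or any commenter: the 512-byte sectors it works on are constructed in the script, the only detail taken from the thread is the overwrite string, and it handles sector 0 only, so the per-volume VBRs the AhnLab quote also mentions are outside what it repairs.

```python
"""Parse, classify and rebuild a 512-byte MBR (added example, constructed data)."""
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # classic MBR signature at offset 510
TABLE_OFFSET = 446              # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
WIPE_PATTERN = b"PRINCPES"      # overwrite string reported by AhnLab and quoted in the thread


def build_mbr(partitions, bootstrap=b""):
    """Assemble an MBR from (bootable, type, lba_start, sectors) tuples.

    CHS fields are written as FE/FF/FF ("use LBA"), which modern loaders ignore.
    The bootstrap area is zero unless supplied; on a real disk fixmbr/bootrec
    writes that part, the partition table is what this function restores.
    """
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba_start, sectors)
        for bootable, ptype, lba_start, sectors in partitions
    ).ljust(4 * 16, b"\x00")
    code = bootstrap.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    return code + table + BOOT_SIG


def parse_mbr(sector):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * 16
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0x00:           # empty slot
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[-2:] == BOOT_SIG, "partitions": entries}


def classify_sector(sector):
    """'wiped' for the repeated pattern, 'corrupt' if the signature is gone
    for any other reason, 'ok' otherwise."""
    if sector == WIPE_PATTERN * (SECTOR_SIZE // len(WIPE_PATTERN)):
        return "wiped"
    if sector[-2:] != BOOT_SIG:
        return "corrupt"
    return "ok"


def rebuild_if_wiped(sector, known_layout):
    """Grogan's recovery step: if sector 0 is wiped and the layout is known
    (from documentation or a surviving twin machine), write the table back."""
    if classify_sector(sector) == "ok":
        return sector
    return build_mbr(known_layout)


if __name__ == "__main__":
    # Constructed layout: one bootable NTFS volume and one Linux volume.
    layout = [(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)]
    healthy = build_mbr(layout)
    wiped = WIPE_PATTERN * 64       # what the wiper leaves in sector 0
    print("healthy:", classify_sector(healthy), parse_mbr(healthy)["partitions"])
    print("wiped:  ", classify_sector(wiped), "signature_ok =", parse_mbr(wiped)["signature_ok"])
    print("rebuilt:", parse_mbr(rebuild_if_wiped(wiped, layout))["partitions"])
```

The check is deliberately exact: a sector that is only partly overwritten is reported as "corrupt" rather than "wiped", so an analyst looks at it instead of trusting a blind rebuild. Reading sector 0 on a live host would be `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows or `/dev/sda` on Linux, both requiring administrator or root.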
Sunday 24th March 2013 18:24 GMT tony trolle
key info on linux killing
http://blog.trendmicro.com/trendlabs-security-intelligence/how-deep-discovery-protected-against-the-korean-mbr-wiper/
It uses any stored root credentials to log into remote Linux servers: for AIX, HP-UX, and Solaris servers it wipes the MBR. If it is unable to wipe the MBR, it instead deletes the folders /kernel/, /usr/, /etc/, /home/.
Sunday 24th March 2013 19:24 GMT Ceiling Cat
AhnLab? Seriously?
I didn't know AhnLab even made an Antivirus program. I do know that they make anti-cheat software for K-MMORPGs. Their product, Hackshield, is absolutely BRILLIANT at stopping legit players from playing, while allowing the cheaters to get on with ruining the games that it is being used to protect.
Imagine that: it's OK to edit network packets so that you can do obscene amounts of damage, but it's absolutely not OK to monitor a temperature sensor on your motherboard.
Not that any other anticheat or antivirus is 100% effective, but AhnLab's offerings seem to be worse than many. Never had Avast block Speedfan from operating correctly. Some anticheat software does take exception to being run in a virtual environment, but some game companies REALLY don't want you multi-boxing*.
* - Once played a casual MMO hosted at Aeria games. Their reasoning behind not allowing multi-boxing at that time was that some people can barely afford the one computer they own, and that it's not polite to flaunt the fact that you can afford several machines. I've played other games where it was thought to just be too difficult to multi-box (Granado Espada, where you control 3 characters at once). On Granado, I managed to juggle 3 (!) teams of 3 characters, with at least one team farming on a different map (and therefore not able to benefit from the other two teams apart from a couple of bonuses based on how many faction-mates you had logged on at one time).