Friday, July 10, 2009

PCs Used in Korean DDoS Attacks May Self Destruct

Via Washington Post -

There are signs that the concerted cyber attacks targeting U.S. and Korean government and commercial Web sites this past week are beginning to wane. Yet, even if the assaults were to be completely blocked tomorrow, the attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive.

According to Joe Stewart, director of malware research at SecureWorks, the malware that powers this attack -- a version of the Mydoom worm -- is designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over every sector of every physical drive attached to the compromised system.

Stewart said he tested the self-destruct Trojan in his lab and found that it indeed erases the hard drive on the compromised system. For now, however, the Mydoom component isn't triggering that feature.

"One possibility is there's a bug in the code and it's supposed to run but it doesn't," Stewart said. "Or, there may be a time factor involved, where it's not supposed to erase the hard drive until a certain time."

Such an order would spell certain disaster for many tens of thousands of Microsoft Windows PCs. Several experts I spoke with yesterday and today estimated that between 60,000 and 100,000 systems may be infected with this potentially suicidal malware.

[...]

Meanwhile, the attacks that slowed washingtonpost.com and several other U.S.-based Web sites have since been focused almost exclusively on Korean Web sites. Alex Lanstein, senior security researcher at Fireeye, a Milpitas, Calif., based computer security firm, said the attackers dropped the U.S. government and commercial Web sites from their hit-list on Tuesday afternoon, after those sites began working with large Internet service providers to filter and block attack traffic.

Lanstein said the unknown attackers have since concentrated the attack on a handful of S. Korean government and commercial Web sites, such as egov.go.kr, Web portal daum.net, online auction house auction.go.kr, and Korean news site chosun.com.

[...]

Update, July 10, 10:00 a.m. ET: South Korean anti-virus firm Hauri has published an exhaustive analysis of this malicious software, available at this link here (PDF). It states that when July 10, AM 00:00 comes, the malicious code deletes files with certain extensions, that the "operating system not found" error appears at the next boot, and that the system cannot then be started normally.

Meanwhile, SecureWorks' Stewart said it looks like it is only the first megabyte of the hard drive that is overwritten. "Still with the [Windows Master Boot Record] and partition table gone, it is enough to make it unbootable and unrecoverable for the normal user with only a Windows CD in recovery mode," Stewart said. "It has subroutines to delete or encrypt files after that, so even more advanced recovery techniques are made more difficult."

No comments:

Post a Comment