South Korea/U.S. Attack’s Nasty Aftermath: Suicide Bots
by Blight Crusader
Last week, there was a massive distributed denial of service (DDoS) attack on government sites in both South Korea and the United States. But these attacks have left a nasty aftermath in their wake: automated bots which completely overwrite the unsuspecting user’s hard drive. These wipes have already started, apparently triggered to begin last Friday. Unfortunately, there’s not much anyone can do about it once the payload runs.
From WashingtonPost.com’s “Security Fix” column comes the full story:
According to Joe Stewart, director of malware research at SecureWorks, the malware that powers this attack — a version of the Mydoom worm — is designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads “memory of the independence day,” followed by as many “u” characters as it takes to write over every sector of every physical drive attached to the compromised system.
Stewart said he tested the self-destruct Trojan in his lab and found that it indeed erases the hard drive on the compromised system. For now, however, the Mydoom component isn’t triggering that feature.
“One possibility is there’s a bug in the code and it’s supposed to run but it doesn’t,” Stewart said. “Or, there may be a time factor involved, where it’s not supposed to erase the hard drive until a certain time.”
Such an order would spell certain disaster for many tens of thousands of Microsoft Windows PCs. Several experts I spoke with yesterday and today estimated that between 60,000 and 100,000 systems may be infected with this potentially suicidal malware.
Windows users running current anti-virus software and being careful not to download and run e-mail attachments from random sources almost certainly have little to fear from this attacker. Mydoom is a well-known piece of malware that first surfaced in January 2004. At the time, it instructed compromised systems to launch an attack against Microsoft’s Web site and the site of the SCO Group, a Lindon, Utah-based software company. As a result, both companies have outstanding $250,000 reward offers for information leading to the arrest and conviction of the Mydoom author(s).
Meanwhile, the attacks that slowed washingtonpost.com and several other U.S.-based Web sites have since been focused almost exclusively on Korean Web sites. Alex Lanstein, senior security researcher at Fireeye, a Milpitas, Calif.-based computer security firm, said the attackers dropped the U.S. government and commercial Web sites from their hit-list on Tuesday afternoon, after those sites began working with large Internet service providers to filter and block attack traffic.
Lanstein said the unknown attackers have since concentrated the attack on a handful of S. Korean government and commercial Web sites, such as egov.go.kr, Web portal daum.net, online auction house auction.go.kr, and Korean news site chosun.com.
The blog post has updates, which report that (beginning last Friday) the code has indeed been triggered, and hard drives are being wiped out of existence. More on this story as it develops…
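For responders who pull a drive image from a suspected victim, the quoted description gives enough to recognise the damage: the marker string “memory of the independence day” at the start of the disk, followed by nothing but “u” bytes. The script below is an added example, not code from the Security Fix column, this blog, or the malware itself; it walks a raw image sector by sector and reports whether the contents match that pattern, and how much of the disk was overwritten if the wipe was interrupted. The 512-byte sector size, the function names, and the three constructed sample images are assumptions; only the marker string and the fill character come from the article.

```python
"""Triage a raw disk image for the overwrite pattern described above.

Added example, not code from the article or the malware. Assumptions:
512-byte sectors, and that a wiped drive holds the marker string at the
start of the first sector with every following byte set to 'u'.
"""
import io
import sys
from typing import BinaryIO

SECTOR_SIZE = 512                                   # assumed sector size
MARKER = b"memory of the independence day"          # string quoted in the article
FILL = b"u"                                         # fill byte quoted in the article


def sector_looks_wiped(sector: bytes) -> bool:
    """True if the sector is the marker followed by fill bytes, or pure fill."""
    if not sector:
        return False
    if sector.startswith(MARKER):
        sector = sector[len(MARKER):]
    return sector == FILL * len(sector)


def triage_stream(stream: BinaryIO, sector_size: int = SECTOR_SIZE) -> dict:
    """Walk the image one sector at a time and summarise the wipe evidence.

    Reads incrementally so a multi-hundred-gigabyte image never has to fit
    in memory; a trailing short sector is handled like any other.
    """
    total = wiped = 0
    marker_offset = -1
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        if marker_offset < 0 and sector.startswith(MARKER):
            marker_offset = total * sector_size
        if sector_looks_wiped(sector):
            wiped += 1
        total += 1
    fraction = wiped / total if total else 0.0
    if total and wiped == total and marker_offset == 0:
        verdict = "wiped"        # whole image matches the described pattern
    elif marker_offset >= 0 or wiped:
        verdict = "partial"      # interrupted wipe, or fill without the marker
    else:
        verdict = "clean"
    return {"total_sectors": total, "wiped_sectors": wiped,
            "marker_offset": marker_offset, "wiped_fraction": fraction,
            "verdict": verdict}


def triage_bytes(data: bytes) -> dict:
    """Convenience wrapper for an image already held in memory."""
    return triage_stream(io.BytesIO(data))


# --- constructed sample images (not real disk captures) ----------------------
def wiped_image(sectors: int = 4) -> bytes:
    """Marker at offset 0, then 'u' bytes to the end of the last sector."""
    return MARKER + FILL * (sectors * SECTOR_SIZE - len(MARKER))


def partial_image() -> bytes:
    """Wipe stopped after two sectors; untouched sectors follow."""
    return wiped_image(2) + b"\x00" * SECTOR_SIZE + b"\x55\xaa" * (SECTOR_SIZE // 2)


def clean_image() -> bytes:
    """A fake boot sector (jump stub, zero padding, 0x55AA signature) plus empty sectors."""
    boot = b"\xeb\x3c\x90" + b"\x00" * (SECTOR_SIZE - 5) + b"\x55\xaa"
    return boot + b"\x00" * (3 * SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python triage.py /path/to/disk.img
        with open(sys.argv[1], "rb") as fh:
            print(triage_stream(fh))
    else:
        for name, img in (("wiped", wiped_image()),
                          ("partial", partial_image()),
                          ("clean", clean_image())):
            print(name, triage_bytes(img))
```

Run it against a dd-style image of each physical drive on the box (the article notes the Trojan walks every attached drive, not just the system disk). A “partial” verdict with a low wiped fraction is the case worth acting on quickly: the untouched sectors may still be recoverable, and the position of the last “u” sector tells you roughly where the wipe stopped.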
Tags: DDoS, denial of service, Korea, South Korea