The Latest in IT Security

Whois behind South Korean wiper attacks?

26
Mar
2013

Last week, when “wiper” malware hit South Korean companies, the website of LG Uplus was reportedly defaced as well.

From The Register:

The Register Report

Due to the proximity of the incidents, the “Whois Team” is being suspected as the perpetrators of the wiper attacks. However this is still being debated.

From Ars Technica:

Ars Technica Report

We browsed through wiper samples yesterday, and discovered a variant that contains a routine that searches for web documents (e.g. “.html”, “.aspx”, “.php”, etc.) in an infected system. The malware overwrites these documents with a content that looks exactly like that seen in the video below:

We believe this sample is clearly related to the one used in the defacement of the LG Uplus website.

The sample has a timestamp that is similar to the other wiper samples.

The timestamp of the DLL-wiper sample from yesterday’s post:

DLL Wiper Timestamp

Timestamp of the defacer-wiper sample:

Defacer-wiper Timestamp

However, this variant used a completely different approach to wipe the drives. It infected the MBR with the following code to wipe the disk during the next boot-up:

Bootstrap Wiper

Also, unlike the other variants, this sample does not use the strings “HASTATI”, “PRINCIPES”, etc. when wiping the file system. This time it overwrites the files with zero’s, rename them to a random filename before finally deleting them. It also avoids files found in Windows and Program Files directory. All this make sense because the attacker needed the infected webserver to continue hosting the defaced pages.

So do we think the attacks are related? Most probably they are. Only that this one was carried out by a different member.

Leave a reply


Categories

THURSDAY, MARCH 28, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments