[FSec] Whois behind South Korean wiper attacks?

Last week, when "wiper" malware hit South Korean companies, the website of LG Uplus was reportedly defaced as well.

From The Register:

whois_theregister.png


Because the incidents coincided, the "Whois Team" is suspected of carrying out the wiper attacks as well. However, this is still being debated.

From Ars Technica:

whois_arstechnica.png


We browsed through wiper samples yesterday and discovered a variant that contains a routine that searches the infected system for web documents (e.g. ".html", ".aspx", ".php"). The malware overwrites these documents with content that looks exactly like what is shown in the video below:



We believe this sample is clearly related to the one used in the defacement of the LG Uplus website.

The sample's compile timestamp is close to those of the other wiper samples.

The timestamp of the DLL-wiper sample from yesterday's post:

whois_time_dll.png


Timestamp of the defacer-wiper sample:

whois_time_defacer.png
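
The timestamps in the screenshots above are the COFF TimeDateStamp field of the PE header. The following Python helper, added here as an example and not F-Secure's own tooling, reads that field directly and reports the spread between samples. The timestamp values and file names in it are assumed placeholders, not the ones from the screenshots; the header stubs it builds are constructed fixtures that stand in for real samples on disk.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image as seconds since the Unix epoch.

    Layout used: 'MZ' at offset 0, e_lfanew (little-endian DWORD) at 0x3C,
    'PE\\0\\0' at e_lfanew, then the 20-byte COFF file header whose
    TimeDateStamp field sits at e_lfanew + 8.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def build_header_stub(timestamp: int) -> bytes:
    """Constructed fixture: a header-only PE stub carrying the given timestamp.

    It is not a runnable binary; it only stands in for a real sample on disk.
    """
    e_lfanew = 0x80
    stub = bytearray(e_lfanew + 24)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    stub[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", stub, e_lfanew + 4, 0x014C)     # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<I", stub, e_lfanew + 8, timestamp)  # TimeDateStamp
    return bytes(stub)


def timestamp_spread(samples: dict) -> int:
    """Seconds between the earliest and latest compile timestamp in `samples`
    (name -> file bytes). A small spread across samples that otherwise look
    different is the kind of link the post draws between the two wipers."""
    stamps = [pe_timestamp(data) for data in samples.values()]
    return max(stamps) - min(stamps)


if __name__ == "__main__":
    # Assumed values only; the real timestamps are in the post's screenshots.
    samples = {
        "dll_wiper.dll": build_header_stub(1363500000),
        "defacer_wiper.exe": build_header_stub(1363503600),
    }
    for name, data in samples.items():
        ts = pe_timestamp(data)
        utc = datetime.fromtimestamp(ts, timezone.utc)
        print(f"{name}: {ts} ({utc:%Y-%m-%d %H:%M:%S} UTC)")
    print("spread:", timestamp_spread(samples), "seconds")
```

Keep in mind that the TimeDateStamp is written by the linker and can be set to anything by whoever builds the binary, so a close match supports a link between samples but does not prove one on its own.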


However, this variant uses a completely different approach to wiping the drives. It overwrites the MBR with the following code, which wipes the disk during the next boot-up:

whois_mbr.png
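
The boot code in the screenshot is not reproduced here. What an analyst needs in practice is a quick way to tell a tampered MBR from a known-good one on a disk image, so the following Python helper is added as an example (not F-Secure's code). It splits the first sector into the boot-code region, the partition table and the 0x55AA signature, and hashes only the boot code, leaving out the 4-byte Windows disk signature at 0x1B8, which legitimately differs from disk to disk. The baseline hash, the partition layout and the boot-code bytes used below are constructed fixtures, not values from the real samples.

```python
import hashlib
import struct

SECTOR = 512
DISK_SIG_OFFSET = 0x1B8   # 4-byte Windows disk signature, varies per disk
PTABLE_OFFSET = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE   # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the parts an analyst compares separately."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 means an empty slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {
        # Hash stops before the disk signature so a clean MBR on any disk
        # matches the same baseline.
        "bootcode_sha256": hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest(),
        "valid_boot_signature": sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa",
        "partitions": entries,
    }


def bootcode_differs(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region does not match the known-good hash."""
    return parse_mbr(sector)["bootcode_sha256"] != baseline_sha256


def build_fixture_mbr(bootcode: bytes, disk_sig: int = 0x12345678) -> bytes:
    """Constructed MBR: the given boot code, one NTFS (0x07) partition at LBA 2048.

    Fixture for the example only; the boot code is whatever the caller passes.
    """
    sec = bytearray(SECTOR)
    code = bootcode[:DISK_SIG_OFFSET]
    sec[:len(code)] = code
    struct.pack_into("<I", sec, DISK_SIG_OFFSET, disk_sig)
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    struct.pack_into("<BBBBBBBBII", sec, PTABLE_OFFSET,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sec[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    clean = build_fixture_mbr(b"\xeb\xfe")           # assumed known-good boot code
    baseline = parse_mbr(clean)["bootcode_sha256"]
    suspect = build_fixture_mbr(b"\xb8\x00\x00")     # assumed foreign boot code
    print("same disk, different signature:",
          bootcode_differs(build_fixture_mbr(b"\xeb\xfe", disk_sig=0xDEADBEEF), baseline))
    print("tampered boot code:", bootcode_differs(suspect, baseline))
    print(parse_mbr(suspect)["partitions"])
```

On a real image, read the first 512 bytes of the device (or of the image file) and compare against a baseline hash taken from a clean machine running the same Windows release, since the stock boot code varies between versions.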


Also, unlike the other variants, this sample does not use the strings "HASTATI", "PRINCIPES", etc. when wiping the file system. This time it overwrites files with zeros, renames them to a random filename and finally deletes them. It also skips files under the Windows and Program Files directories. All of this makes sense because the attacker needed the infected web server to keep hosting the defaced pages.
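
Two of the behaviours above leave traces that can be picked out of a web server's document root: the defacement routine writes one identical body over every web document it finds, and the overwrite-rename-delete routine leaves zero-filled files behind if it is interrupted before the rename or delete step. The following Python triage script, added here as an example and not F-Secure's code, walks a directory and reports both. The extension list, the minimum group size and the fixture tree it builds are assumptions; the defacement body in the fixture is a neutral placeholder, not the real page.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumed set of web document extensions; the post names .html, .aspx and .php.
WEB_EXTS = {".html", ".htm", ".aspx", ".asp", ".php", ".jsp"}


def scan_webroot(root: str, min_copies: int = 3):
    """Walk `root` and return (defacement_groups, zero_filled).

    defacement_groups: lists of web-document paths sharing one identical body
    (a mass overwrite leaves many pages with exactly the same content).
    zero_filled: non-empty files consisting solely of 0x00 bytes, the residue
    of an overwrite that did not reach the rename/delete step.
    """
    by_hash = defaultdict(list)
    zero_filled = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if os.path.splitext(name)[1].lower() in WEB_EXTS:
                by_hash[hashlib.sha256(data).hexdigest()].append(path)
            if data and data == bytes(len(data)):
                zero_filled.append(path)
    groups = [sorted(paths) for paths in by_hash.values() if len(paths) >= min_copies]
    return groups, sorted(zero_filled)


def build_fixture_webroot() -> str:
    """Constructed sample tree for the example; not a real victim image."""
    root = tempfile.mkdtemp(prefix="webroot_")
    deface = b"<html><body>defacement placeholder (constructed fixture)</body></html>"
    files = {
        "index.html": deface,                       # three documents overwritten
        "about.aspx": deface,                       # with the same body
        "api/login.php": deface,
        "contact.html": b"<html>untouched page</html>",
        "robots.txt": b"User-agent: *\n",
        "q7x2pd": b"\x00" * 4096,                   # zero-filled, random-looking name
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    groups, zeros = scan_webroot(build_fixture_webroot())
    for group in groups:
        print("identical web documents:", group)
    print("zero-filled files:", zeros)
```

Point `scan_webroot` at a mounted image of the web root rather than the live host; on the infected server itself the routine's final delete step removes the zero-filled files, so the file system metadata and journal are where the renamed and deleted entries have to be recovered from.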

So do we think the attacks are related? Most probably they are, only this one appears to have been carried out by a different member.
On 26/03/13 At 03:19 PM
