logo Welcome, Guest. Please Login or Register.
2023-03-22 12:07:45 CoV Wiki
Learn more about the Church of Virus
Home Help Search Login Register
News: Read the first edition of the Ideohazard

  Church of Virus BBS
  General
  Science & Technology

  destructive virus (since identified as DarkSeoul by Sophos)
previous next
Pages: [1] Reply Notify of replies Send the topic Print 
   Author  Topic: destructive virus (since identified as DarkSeoul by Sophos)  (Read 2935 times)
Fritz
Archon
*****

Gender: Male
Posts: 1746
Reputation: 8.87
Rate Fritz





View Profile WWW E-Mail
destructive virus (since identified as DarkSeoul by Sophos)
« on: 2013-03-25 16:03:00 »
Reply with quote

Seems not all our computer problems can be blamed on the Chinese; what would politicians do without bogey men to parade out for us to cower in fear over ... "Lookout behind you, a dwarf with a knife", "PLUGH"

Cheers

Fritz


Long dark teatime in Seoul saga continues to unfold

Source: The register
Author: John Leyden
Date: 2013.03.25



South Korea data-wipe malware spread by patching system

South Korea's data wiping malware that knocked out PCs at TV stations and banks earlier this week may have been introduced through compromised corporate patching systems.

Several South Korean financial institutions - Shinhan Bank, Nonghyup Bank and Jeju Bank - and TV broadcaster networks were impacted by a destructive virus (since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec), which wiped the hard drives of infected PCs, preventing them from booting up upon restart.

Initially it was thought that the malware spread through local telco LG U+ and may have came from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault.

Late on Friday afternoon security appliance firm Fortinet claimed hackers broke into the servers of an (unnamed) but local antivirus company and planted malware which was then distributed as an update patch. Local researchers at Fortinet's Threat Response Team working with the Korea Information Security Association came up with the theory before notifying news media about the apparent find. However late on Friday evening Guillaume Lovet of Fortinet called El Reg and stated that the security appliance firm no longer stood by its earlier pronouncement.

By Monday morning things had moved on again with South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the spread of the malware. It said its own security technology was not involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.

    Attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates. Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.

The latest theory suggests hackers first obtained administrator login to a security vendors' patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update. This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record (MBR) on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 14:00 hrs Korea time on the infected PCs, like a time bomb.

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware's victims.

The prevailing theory remains that North Korea may have instigated the attacks, which follows weeks of heightened tension on the peninsula. However there's no hard evidence to support this conclusion.




Report to moderator   Logged

Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-
Pages: [1] Reply Notify of replies Send the topic Print 
Jump to:


Powered by MySQL Powered by PHP Church of Virus BBS | Powered by YaBB SE
© 2001-2002, YaBB SE Dev Team. All Rights Reserved.

Please support the CoV.
Valid HTML 4.01! Valid CSS! RSS feed