PCs Used in Korean DDoS Attacks May Self Destruct

There are signs that the concerted cyber attacks targeting U.S. and Korean government and commercial Web sites this past week are beginning to wane. Yet, even if the assaults were to be completely blocked tomorrow, the attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive.

Update: This is already happening. Please be sure to read the updates at the end of this post.

Original post:

According to Joe Stewart, director of malware research at SecureWorks, the malware that powers this attack -- a version of the Mydoom worm -- is designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over every sector of every physical drive attached to the compromised system.

Stewart said he tested the self-destruct Trojan in his lab and found that it indeed erases the hard drive on the compromised system. For now, however, the Mydoom component isn't triggering that feature.

"One possibility is there's a bug in the code and it's supposed to run but it doesn't," Stewart said. "Or, there may be a time factor involved, where it's not supposed to erase the hard drive until a certain time."

Such an order would spell certain disaster for many tens of thousands of Microsoft Windows PCs. Several experts I spoke with yesterday and today estimated that between 60,000 and 100,000 systems may be infected with this potentially suicidal malware.

Windows users running current anti-virus software and being careful not to download and run e-mail attachments from random sources almost certainly have little to fear from this attacker. Mydoom is a well-known piece of malware that first surfaced in January 2004. At the time, it instructed compromised systems to launch an attack against Microsoft's Web site and the site of the SCO Group, a Lindon, Utah-based software company. As a result, both companies have outstanding $250,000 reward offers for information leading to the arrest and conviction of the Mydoom author(s).

Meanwhile, the attacks that slowed washingtonpost.com and several other U.S.-based Web sites have since been focused almost exclusively on Korean Web sites. Alex Lanstein, senior security researcher at FireEye, a Milpitas, Calif.-based computer security firm, said the attackers dropped the U.S. government and commercial Web sites from their hit-list on Tuesday afternoon, after those sites began working with large Internet service providers to filter and block attack traffic.

Lanstein said the unknown attackers have since concentrated the attack on a handful of S. Korean government and commercial Web sites, such as egov.go.kr, Web portal daum.net, online auction house auction.go.kr, and Korean news site chosun.com.

Update, July 10, 12:25 a.m. ET: ChannelNewsAsia.com carries a story that cites S. Korean government officials warning about this self-destruct feature. The relevant bits from that piece:

"In a sign of further disruption to come, Yonhap quoted the Korea Communications Commission (KCC) as saying that tens of thousands of virus-contaminated personal computers "appear automatically programmed to destroy their own stored data starting Friday."

The KCC said the virus was set to destroy the data of at least 20,000 contaminated PCs across South Korea."

Update, July 10, 10:00 a.m. ET: South Korean anti-virus firm Hauri has published an exhaustive analysis of this malicious software (PDF). It states that at 00:00 on July 10 the malicious code deletes files with certain extensions, that an "operating system not found" error appears at the next boot, and that the system can then no longer be started normally.


Meanwhile, SecureWorks' Stewart said it looks like it is only the first megabyte of the hard drive that is overwritten. "Still with the [Windows Master Boot Record] and partition table gone, it is enough to make it unbootable and unrecoverable for the normal user with only a Windows CD in recovery mode," Stewart said. "It has subroutines to delete or encrypt files after that, so even more advanced recovery techniques are made more difficult."
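A forensic triage check for the overwrite Stewart describes, written here as an added example (not code from this post, SecureWorks or Hauri): it scans the first megabyte of a raw disk image for the quoted marker string and the run of "u" bytes, and reports whether the MBR boot signature and partition table survived. The marker's ASCII encoding and its placement at the start of the drive are assumptions, and both sample images are constructed inline.

```python
"""Triage: does the first megabyte of a raw disk image show the overwrite
pattern described in the post (marker text followed by a run of 'u'
bytes replacing the MBR and partition table)?
Added example, not code from the post, SecureWorks or Hauri. The
marker's ASCII encoding and placement at the drive's start are assumed;
the two sample images below are constructed for this demonstration."""

SECTOR = 512
SCAN_LEN = 1024 * 1024                        # "first megabyte" per Stewart
MARKER = b"memory of the independence day"    # string quoted in the post
FILL = ord("u")                               # the padding byte quoted in the post
BOOT_SIG = b"\x55\xaa"                        # MBR signature at bytes 510..511
PART_TABLE = slice(446, 510)                  # four 16-byte partition entries


def mbr_signature_present(sector0: bytes) -> bool:
    """True if the classic 0x55AA boot signature is intact."""
    return len(sector0) >= SECTOR and sector0[510:512] == BOOT_SIG


def partition_table_present(sector0: bytes) -> bool:
    """True if any entry looks plausible: status 0x00/0x80 and a non-zero type."""
    table = sector0[PART_TABLE]
    if len(table) != 64:
        return False
    return any(table[i] in (0x00, 0x80) and table[i + 4] != 0
               for i in range(0, 64, 16))


def fill_ratio(data: bytes, byte: int = FILL) -> float:
    """Fraction of bytes equal to `byte` (1.0 means a solid run)."""
    return data.count(byte) / len(data) if data else 0.0


def classify_image(image: bytes) -> dict:
    """Return indicators computed over the first SCAN_LEN bytes of the image."""
    head = image[:SCAN_LEN]
    sector0 = head[:SECTOR]
    marker_at = head.find(MARKER)
    # Measure the 'u' fill after the marker if present, else over the whole head.
    tail = head[marker_at + len(MARKER):] if marker_at >= 0 else head
    ratio = fill_ratio(tail)
    sig_ok = mbr_signature_present(sector0)
    table_ok = partition_table_present(sector0)
    # The marker alone is a hit; so is a solid fill with no MBR structures left.
    wiped = marker_at >= 0 or (ratio > 0.95 and not sig_ok and not table_ok)
    return {"marker_offset": marker_at, "fill_ratio": round(ratio, 3),
            "mbr_signature": sig_ok, "partition_table": table_ok, "wiped": wiped}


def build_healthy_image() -> bytes:
    """Constructed sample: a minimal MBR with one partition entry and 0x55AA."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"                # a jump, as real boot code begins
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])      # bootable, type 0x07 (NTFS)
             + (2048).to_bytes(4, "little")             # starting LBA
             + (1 << 20).to_bytes(4, "little"))         # sector count
    mbr[446:462] = entry
    mbr[510:512] = BOOT_SIG
    return bytes(mbr) + b"\x00" * (SCAN_LEN - SECTOR)


def build_wiped_image() -> bytes:
    """Constructed sample: marker followed by 'u' bytes through the first megabyte."""
    return MARKER + bytes([FILL]) * (SCAN_LEN - len(MARKER))


if __name__ == "__main__":
    for name, img in (("healthy", build_healthy_image()),
                      ("wiped", build_wiped_image())):
        print(name, classify_image(img))
```

To run it against a real image, read the first megabyte of the device or image file in binary mode and pass those bytes to classify_image.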

Update, July 10, 11:48 a.m. ET: South Korea's Computer Emergency Response Team (KR-CERT) has confirmed that machines which participated in this attack are now self-destructing.

By Brian Krebs  |  July 9, 2009; 9:35 PM ET
Categories:  Latest Warnings , U.S. Government  | Tags: ddos, mydoom self-destruct  

Comments

If this was of North Korean Origin, I would suspect that intercepted North Korean RF communications would show as much from traffic analysis patterns alone.

EXAMPLE

Russian ... Communication intercepts between Moscow & Cairo suddenly become active at an unscheduled time.

It is probable that one is either dealing with:

(1) a change in the schedule,

(2) an event of significant importance [are different codes also being used ???],

(3) an exercise [in most cases MAJOR exercises are disclosed diplomatically in advance], or

(4) neither Moscow nor Cairo got its shipment of Cocaine in the diplomatic pouch and they are comparing notes -- LOL.

There are obviously ways to rule either in or out the above possibilities, that are well beyond the scope of this comment including getting folks at the various embassies dealing with HUMINT engaged and that PRUDENCE [who me ???] suggests we not discuss further.

Since an attack now is [temporarily ???] only targeting South Korea, one is tempted to say, OH S..., it's obviously North Korea, but what is supposedly obvious to the layman is almost never the case.

Posted by: brucerealtor@gmail.com | July 9, 2009 10:42 PM | Report abuse

We could be dealing with a major distraction from some other significant event that we may know about [China/Japan] or that we don't yet know about [China/Japan], Russian or even Eastern European.

Wonder what it might be ???

Posted by: brucerealtor@gmail.com | July 9, 2009 10:51 PM | Report abuse

Overwriting the hard drive is indeed catastrophic to those without backups but "self-destruct" as used in the headline is a bit over the top, what with its Mission Impossible "this tape will self-destruct in five seconds" connotations.

In a "silver lining" long-term sort of view, if indeed this virus overwrote the hard drive, it is one less malware-infected system out there, and perhaps, just perhaps, it will be replaced/reloaded with something less likely to be compromised...

Posted by: perfgeek | July 10, 2009 1:54 AM | Report abuse

In yesterday's article, Brian made reference to Shadowserver.org as the source of his 2 graphics, showing the intensity of the attack.

Shadowserver.org also maps out all DDoS attacks, which are updated on a daily basis in two separate maps. The first shows the DDoS attacks with the paths of that attack and the second shows all COMMAND and CONTROL points and their targets without the paths.

The major attack was on Tuesday, with another slight peak around midnight Wed-Thurs and yet no activity is shown in Japan or in either North or South Korea.

Major map activity appears to be focused between what appears to be Beijing, Washington, DC, the Chicago area and 7 other target locations in the USA. There appears to be even more Command & Control points around the Chicago area targeting Beijing. No visible points are shown on the continent of Africa or South America, but there are multiple points throughout the east coast Pacific Rim being targeted by Beijing, along with multiple points throughout Europe and Russia.

Posted by: brucerealtor@gmail.com | July 10, 2009 3:23 AM | Report abuse

The Beijing attacks appear to be almost exclusively focused on US targets from the map, along with the East Coast Pacific rim targets.

It would appear from the maps that a slightly greater number of attacks are coming from Russia than Beijing.

Posted by: brucerealtor@gmail.com | July 10, 2009 3:34 AM | Report abuse

Actually, given the fact that most people will click on anything if the file is named "See Paris Naked.exe" they'll click. They'll click like there's no tomorrow. They'll click, their computer will be destroyed and they'll mainly be angry that they didn't get to see Paris naked.

Take work for instance. Back in the early days of the internet, there was an email that went around that said "if you forward this to 10 people, Bill Gates will send you money". Seriously. And at work, last week, some guy found that 15-year-old email and forwarded it to all 25,000 people at work. Pretty stupid, right? But it gets worse, about 100-200 people responded with the *REPLY ALL* to say "Take me off this list". Which doesn't make sense on about 3 different levels. People are failing basic intelligence and common-sense tests here.

My point... a serious minority of people by and large are stupid with computers. It's not Microsoft's fault, it's not AV maker's fault, it's not anybody's fault but the idiot staring at the monitor. China/Russia/N. Korea is doing us a favor by wiping out these computers because it will at least get rid of heavily infected PCs for a few weeks.

Posted by: Ombudsman1 | July 10, 2009 5:13 AM | Report abuse

Perhaps people should have to take a test to get online. Better yet take one to have kids. Heck you have to do one for a driver's license, but I digress.

Posted by: dhengste | July 10, 2009 5:50 AM | Report abuse

I'm one who thinks virus infected machines should be erased so I'm not really that upset by the fact several thousand machines will soon be off the net permanently.

Posted by: idiparker | July 10, 2009 6:21 AM | Report abuse

What do you expect from McdonaldSoft?

This is why I cannot trust my computer's security to the McDonald's of the software world.

Sure kids love them, they just have no idea about the hidden dangers of using their products ....

When the company can do more than flip CD's and say 'Have a nice day' I may be interested.

I bet Google would not allow such a serious long term vulnerability in their ChromeOS....

Posted by: yossarianuk | July 10, 2009 8:01 AM | Report abuse

idiparker - I agree with you. The only way for people to learn is to get their nose whacked with a rolled up newspaper. Once you're hacked you need to reformat, anyways.

Posted by: keepandbear | July 10, 2009 8:08 AM | Report abuse

So, let's attack back? Come on, with all the bandwidth in this nation. Slap them silly. Pound on the Korean routers. F. them. Let them see what we can do in retaliation. Let's line up our major ISPs. ATT, Comcast, Road Runner... Shut down everything but essential services for a day. And just pound the living crap out of North Korean government web sites for a day. No mercy, everything that can be directed at them should be. Then do it to Russia.

Why nobody is willing to do this is beyond me.

Oh, never mind. The politically correct liberals would never think of evening the playing field. To use the same techniques that are used against them. They save all their retaliation for the Republicans. To hell with the people that are trying to bring down this nation. Democrats just focus on Republicans.

Posted by: LiberalBasher | July 10, 2009 10:05 AM | Report abuse

FTA:
"Several experts I spoke with yesterday and today estimated that between 60,000 and 100,000 systems may be infected with this potentially suicidal malware."

I hope it does trash all those drives.
Maybe then the stupid fzucks will get a clue and keep their OS updated and install antivirus software. There are several companies that provide free antivirus and firewall programs that update automatically. What's the problem?

Posted by: spamsux1 | July 10, 2009 10:21 AM | Report abuse

Wouldn't it be really, really stupid to make your malware designed for DoS attacks destroy the unprotected systems? There are at least 3 reasons that is beyond stupid.
1. Obviously, you cannot use the same system, with the same infection again.
2. Having your hard drive overwritten might actually make the irresponsible users protect their rebuilt systems.
3. If a few 100k systems are trashed, Congress might actually pass laws to force PC owners to protect their systems, and even fund reasonable defenses for the country in this area.

It seems to be a lose-lose game for the DoS attackers.

Posted by: Muddy_Buddy_2000 | July 10, 2009 10:35 AM | Report abuse


>> Several experts ... estimated that between
>> 60,000 and 100,000 systems may be infected
>> with this potentially suicidal malware.

Wake-up calls are usually painful. Unfortunately the depth of our collective sloth and ignorance seems to require something like this. Might get people to actually pay attention and point the finger at the true enabler of such attacks on our machines, namely Microsoft, and get some positive changes made too. Better we should have an Internet 9-11 before we have an all out military attack on our Internet.

Posted by: JeffBbiz | July 10, 2009 10:41 AM | Report abuse

LiberalBasher,
Two wrongs don't make a right, if people would pay attention to keeping their computers secure (and stop treating the computer like a toaster), the problem would be a non-problem.
Don't blame Micro$oft, blame the users. I look forward to the 20,000 hard drives getting wiped.
That's 20,000 fewer infected computers on the internet.

Posted by: n3ujj | July 10, 2009 10:41 AM | Report abuse

@muddy_buddy -- not necessarily. the attackers may have (correctly) figured that at some point this week the defenders would have figured out enough about the command and control networks for this ddos botnet and what the attack traffic looks like to start successfully blocking it. if so, this last attack would just be like twisting the knife once it's already plunged into its target.

Posted by: BTKrebs | July 10, 2009 10:43 AM | Report abuse

Also, when a computer virus, in effect, kills its host, it's acting just like a real virus which makes its human host so sick it dies. Not real cool evolutionary behavior. Of course, most viruses, computer and otherwise, replicate their genes by infecting others first.

Posted by: peterpallesen | July 10, 2009 11:04 AM | Report abuse

@ spamsux1

Never mind free AV - how about an OS that doesn't get any virus and that doesn't hold a monopoly - I know a good free one .... (waddle waddle)

Posted by: yossarianuk | July 10, 2009 11:12 AM | Report abuse

I think that instead of building a goliath DDoS machine (as the Air Force is proposing) we should instead hack the infected machines to do our own bidding. Imagine if every time an infected machine did a port scan of your computer you had the ability to reroute that traffic to an 'inoculation server' that would repair the infected machine (or take control of it for our own purposes). It would be like herd immunity--eventually an infected machine would come in contact with an inoculation server and wham--fixed.

Posted by: idiparker | July 10, 2009 11:30 AM | Report abuse

Liberalbasher: So you have some huge piece of concrete evidence this originates from North Korea that NO ONE else has?? I'm not saying it's not them as it's very likely, but again, where's the irrefutable proof it in fact is of North Korean origin?

It's not leveling the playing field for our nation to start a cyber war with another country because we THINK they did this. We've got a real war started basically because we were "sure" of something that was proven wrong--and the last thing we need is to do a virtual version of that with North Korea. Particularly when most of the soldiers on our side of the virtual army would be too busy opening attachments unwittingly, most of which I have no doubt WOULD be from NK and WOULD be pretty sneaky and destructive without question.

The authors should be punished if caught, but the ultimate responsibility for security lies with the individual--and if all users exercised simple basic common sense precautions when computing, this mess would not have happened. Period.

Posted by: Cubby_Michael | July 10, 2009 11:57 AM | Report abuse

Why exactly is an attack by a foreign government on the computers of our national defense system not considered an act of war? Most of the press seems to be treating this as either a typical computer crime or on the level of a prank.

Posted by: rayfil | July 10, 2009 11:58 AM | Report abuse

Maybe the whole thing is really being done by Microsoft. I mean, how else are you going to get people to buy Windows 7?

Posted by: hairguy01 | July 10, 2009 12:04 PM | Report abuse

SKYNET!

Posted by: kulwicki7 | July 10, 2009 12:08 PM | Report abuse

@perfgeek I have to agree with your summation that 60,000 to 100,000 fewer poorly administered PCs out there might not be the worst thing in the world.

Sadly, the owners will probably just go to the store and buy another PC and not change their online habits one bit. Their now dead machines will be disposed of improperly and add to global contamination by heavy metals and the like.

Buy some stock in Korean PC makers ...

Posted by: Annorax | July 10, 2009 12:12 PM | Report abuse

@yossarianuk

You say:

"Never mind free AV - how about an OS that doesn't get any virus and that doesn't hold a monopoly - I know a good free one .... (waddle waddle)"

I say:
Riiight penguin boy.

Load up all your joe-sixpack friends' new (or old) computers with the latest Ubuntu and the world will live happily ever after, right?

They would show up at your house with torches and pitchforks demanding that you fix/install all the various games/apps/whatever that no longer work.

Your mom would make you move out of the basement.

Posted by: spamsux1 | July 10, 2009 12:29 PM | Report abuse

Keep your eyes on ChromeOS

Posted by: SecurityPlusPro | July 10, 2009 12:41 PM | Report abuse

If there's one thing I detest even more than Microsoft it is the geeks who think that every individual computer user is obligated to be obsessed with the workings of his machine, to the point of them taking the side of hackers against victims.

Hey nerds, want to know why normal people hate you? Look at the comments in this thread.

Posted by: MagicDog1 | July 10, 2009 2:30 PM | Report abuse

Maybe self-destructing viruses are being sent out by people who want people to go out and buy new computers and software.

Posted by: cmecyclist | July 10, 2009 3:13 PM | Report abuse

The government should NOT - repeat, NOT - make laws forcing individuals to be responsible computer owners. Such laws would be unenforceable. How about the government makes a law forcing Microsoft to produce products that work and are secure (if Apple can do it, so should Microsoft be able to do it), with a penalty that if there is a cyberattack on a Microsoft system, Microsoft gets to pay to have the system recovery work done - or the system reformatted and all the owner's software replaced.

Posted by: Kaelinda1 | July 10, 2009 6:07 PM | Report abuse

I agree that "self destruct" is hyperbole. Do the editors not understand technology?

Posted by: Bitter_Bill | July 10, 2009 6:21 PM | Report abuse

As for downloading infected e-mail to your system... I use my Treo 755P to pre-read my email throughout the day, deleting those containing obvious problems (I can even follow links to see if they lead somewhere interesting). With a click of the "Empty Trash" button the deleted ones are also removed from the mail server. Once home I can download the remaining mail to my home PC - less to download, less to read, fewer problems.

Posted by: Sadler | July 10, 2009 7:33 PM | Report abuse

I see a lot of people blaming the victims here. People SHOULD be able to use their computers as if they were toasters and assume that they are safe and secure without having to worry about constantly updating antivirus software. If certain operating systems and other software were designed correctly and securely in the first place this would not be a major problem.

I say this as one who has been a system administrator and programmer for over 20 years, and who remembers what the 'net was like when it was just a network of a few hundred universities, technology companies and the government -- years before there was a World Wide Web. I never thought things would turn out this way.

Posted by: pjs1965 | July 10, 2009 7:58 PM | Report abuse

I'm glad they didn't get my computer, I wouldn't want mine to self de

Posted by: mcswell | July 10, 2009 9:25 PM | Report abuse

WHY WOULD THIS NOT BE CONSIDERED AN ACT OF WAR

1. Black's Law Dictionary defines war as hostile conflict by means of ARMED forces, carried on between nations, states or rulers, or sometimes between parties within the same nation or state; a period of such conflict.

Under that definition there are 7 subsets, namely [1] civil war, [2] imperfect war, [3] mixed war, [4] perfect war -- war between an entire nation against another, [5] private war, [6] public war, [7] solemn war.

Additionally, war between competitors, or a struggle to solve a pervasive problem, which for things like pot, some view as a war on the American people. (After everyone gets bailed out, pot will probably need to be taxed to prevent insolvency.)

Posted by: brucerealtor@gmail.com | July 11, 2009 11:05 PM | Report abuse

@Brucerealtor:

1) The non-virtual war between Russia and Georgia last year included a simultaneous cyber-war.

2) The Russian attack on Estonia several years ago (too lazy to look up exact date) was, at the least, extreme 'cyber-aggression.'

3) High-level Japanese execs, and many others, read Sun Tzu's "Art of War."

4) "The Art of War" achieved popularity after its numerous citations in James Clavell's "Noble House." The story of a business conflict. But not a WAR!! (-;

5) What was it Ralph Waldo Emerson said?

Posted by: featheredge99 | July 12, 2009 6:27 PM | Report abuse

This is obviously an extension of Apple's "Switch" campaign morphed into "Switch OR DIE!".

Posted by: cdeleo | July 12, 2009 8:35 PM | Report abuse

Here's one scenario for controlling the great unwashed on the internet:

1) Require basic proficiency testing (such a testing service already exists for amateur radio operators)
2) Assign licenses with 'call signs' to licensed internet users.
3) Require ISPs to check whether the person requesting internet service has a license before providing internet access.
4) If a licensed user of an ISP service allows non-licensed use of their service by others or they themselves are caught performing illegal acts, yank their internet service.

Quite easy.

Restricting access to the internet is a heck of a lot easier than restricting access to the radio spectrum. If the FCC can do a satisfactory job of licensing, controlling, and monitoring access to the radio spectrum, you can bet that some government agency can do at least as good a -- probably better -- job of controlling access to the internet.

Posted by: Annorax | July 13, 2009 8:41 AM | Report abuse

© 2010 The Washington Post Company