Due to the proximity of the incidents, the "Whois Team" is suspected of being the perpetrators of the wiper attacks. However, this is still being debated.
We browsed through wiper samples yesterday and discovered a variant that contains a routine that searches an infected system for web documents (e.g. ".html", ".aspx", ".php", etc.). The malware overwrites these documents with content that looks exactly like that seen in the video below:
We believe this sample is clearly related to the one used in the defacement of the LG Uplus website. The sample has a timestamp similar to those of the other wiper samples.
However, this variant used a completely different approach to wipe the drives. It infected the MBR with the following code, which wipes the disk during the next boot-up:
Also, unlike the other variants, this sample does not use the strings "HASTATI", "PRINCIPES", etc. when wiping the file system. Instead, it overwrites the files with zeros, renames them to random filenames and finally deletes them. It also avoids files in the Windows and Program Files directories. All of this makes sense because the attacker needed the infected web server to continue hosting the defaced pages.
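The two behaviours described above, a web root full of pages that suddenly share identical content and files that have been overwritten with zeros ahead of deletion, are both visible to a simple integrity scan of the host. The script below is an added illustration of such a scan and is not code from the original post or from the analysed sample; the extension list, the skipped directories and the sample file tree are constructed for the example.

```python
"""Web-root integrity triage for the wiper behaviour described in the post.

Added example, not the post's or the sample's code. It flags two things the
post describes: groups of web documents that now share byte-identical content
(a mass defacement) and files whose bytes are all zero (the overwrite the wiper
performs before renaming and deleting). All paths and contents below are
constructed for the demonstration.
"""
import hashlib
import os
from collections import defaultdict

# Extensions named in the post plus a few common ones (assumption).
WEB_EXTENSIONS = {".html", ".htm", ".aspx", ".asp", ".php", ".jsp"}

# The post says the wiper left these directories alone, so a scan that is
# looking for its footprints can skip them to cut noise (assumption).
SKIPPED_DIRS = ("windows", "program files")


def is_web_document(path):
    """True if the path has one of the web-document extensions."""
    return os.path.splitext(path)[1].lower() in WEB_EXTENSIONS


def is_skipped(path):
    """True if any path component is one of the directories the wiper avoided."""
    parts = path.replace("\\", "/").lower().split("/")
    return any(part in SKIPPED_DIRS for part in parts)


def is_zero_filled(data):
    """True for a non-empty buffer consisting only of NUL bytes."""
    return len(data) > 0 and data.count(b"\x00") == len(data)


def scan_files(files, min_cluster=3):
    """files: mapping path -> bytes (as produced by read_tree).

    Returns {"zeroed": [paths], "defaced": {sha256: [paths]}} where a
    defacement cluster is >= min_cluster web documents with identical bytes.
    """
    zeroed = []
    by_hash = defaultdict(list)
    for path, data in files.items():
        if is_skipped(path):
            continue
        if is_zero_filled(data):
            zeroed.append(path)
            continue
        if is_web_document(path):
            by_hash[hashlib.sha256(data).hexdigest()].append(path)
    defaced = {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_cluster}
    return {"zeroed": sorted(zeroed), "defaced": defaced}


def read_tree(root):
    """Read every regular file under root into a path -> bytes mapping."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable or vanished mid-scan; skip it
    return files


# Constructed sample tree: three web documents replaced by the same page,
# two zero-filled files, and two files in directories the scan skips.
DEFACED_PAGE = b"<html><body>DEFACEMENT PLACEHOLDER (constructed)</body></html>"
SAMPLE_FILES = {
    "C:/inetpub/wwwroot/index.html": DEFACED_PAGE,
    "C:/inetpub/wwwroot/news/list.aspx": DEFACED_PAGE,
    "C:/inetpub/wwwroot/blog/post.php": DEFACED_PAGE,
    "C:/inetpub/wwwroot/css/site.css": b"body { margin: 0 }",
    "C:/inetpub/logs/archive.zip": b"\x00" * 64,
    "C:/Users/svc/report.doc": b"\x00" * 16,
    "C:/Windows/System32/drivers/etc/hosts": b"\x00" * 8,
    "C:/Program Files/App/readme.html": DEFACED_PAGE,
}

if __name__ == "__main__":
    result = scan_files(SAMPLE_FILES)
    for path in result["zeroed"]:
        print("zero-filled:", path)
    for digest, paths in result["defaced"].items():
        print(f"identical content {digest[:12]}... in {len(paths)} web documents:")
        for path in paths:
            print("   ", path)
```

On a live host you would call `scan_files(read_tree(r"C:\inetpub\wwwroot"))` instead of using `SAMPLE_FILES`; the cluster check is what separates a defacement from ordinary edits, since legitimate pages rarely become byte-identical, and the zero-filled list gives you the files the wiper had started on but not yet renamed or deleted.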
So do we think the attacks are related? Most probably they are, only that this one was carried out by a different member.