NEWS FROM THE LAB - Tuesday, March 26, 2013

Whois behind South Korean wiper attacks? Posted by Brod @ 15:19 GMT

Last week, when "wiper" malware hit South Korean companies, the website of LG Uplus was reportedly defaced as well.

From The Register:

The Register Report

Due to the proximity of the incidents, the "Whois Team" is suspected of being the perpetrators of the wiper attacks. However, this is still being debated.

From Ars Technica:

Ars Technica Report

We browsed through wiper samples yesterday and discovered a variant that contains a routine that searches for web documents (e.g. ".html", ".aspx", ".php", etc.) on an infected system. The malware overwrites these documents with content that looks exactly like that seen in the video below:

We believe this sample is clearly related to the one used in the defacement of the LG Uplus website.

The sample has a timestamp that is similar to the other wiper samples.

The timestamp of the DLL-wiper sample from yesterday's post:

DLL Wiper Timestamp

Timestamp of the defacer-wiper sample:

Defacer-wiper Timestamp

However, this variant used a completely different approach to wipe the drives. It infected the MBR with the following code to wipe the disk during the next boot-up:

Bootstrap Wiper

Also, unlike the other variants, this sample does not use the strings "HASTATI", "PRINCIPES", etc. when wiping the file system. This time it overwrites the files with zeros, renames them to a random filename and finally deletes them. It also skips files found in the Windows and Program Files directories. All this makes sense because the attacker needed the infected web server to continue hosting the defaced pages.
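As an added illustration (not code from this post or from F-Secure), here is a heuristic that flags the overwrite / rename-to-random-name / delete sequence described above when run over file-operation telemetry. The event layout, the sample events and the "random name" pattern are assumptions; a real feed (EDR or Sysmon file events) would need an adapter to this shape.

```python
import re
from collections import defaultdict

# Constructed sample events (pid, op, path, new_path); these are NOT telemetry
# from the samples discussed in the post. Process 4120 shows the wipe pattern
# on two web documents; process 880 is an ordinary edit/rename/delete.
EVENTS = [
    (4120, "WRITE",  r"C:\inetpub\wwwroot\index.html", ""),
    (4120, "RENAME", r"C:\inetpub\wwwroot\index.html", r"C:\inetpub\wwwroot\k3jf9a2qzt"),
    (4120, "DELETE", r"C:\inetpub\wwwroot\k3jf9a2qzt", ""),
    (4120, "WRITE",  r"C:\inetpub\wwwroot\img\logo.png", ""),
    (4120, "RENAME", r"C:\inetpub\wwwroot\img\logo.png", r"C:\inetpub\wwwroot\img\x8pq1m0vdl"),
    (4120, "DELETE", r"C:\inetpub\wwwroot\img\x8pq1m0vdl", ""),
    (880,  "WRITE",  r"C:\Users\kim\report.docx", ""),
    (880,  "RENAME", r"C:\Users\kim\report.docx", r"C:\Users\kim\report-old.docx"),
    (880,  "DELETE", r"C:\Users\kim\report-old.docx", ""),
]

# Assumed shape of a "random filename": 8+ lowercase alphanumerics, no extension.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,}$")


def looks_random(path):
    """True if the basename of a Windows path matches the assumed random-name shape."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return RANDOM_NAME.match(basename) is not None


def find_wipe_chains(events, min_files=2):
    """Return {pid: [original paths]} for processes that, per file, write it,
    rename it to a random extension-less name and then delete it, on at least
    min_files files. Chains are tracked per process so unrelated processes
    touching the same paths do not combine into a false positive."""
    written = defaultdict(set)   # pid -> paths that pid has written to
    renamed = {}                 # (pid, new_path) -> original path
    wiped = defaultdict(list)    # pid -> original paths that completed the chain
    for pid, op, path, new_path in events:
        if op == "WRITE":
            written[pid].add(path)
        elif op == "RENAME" and path in written[pid] and looks_random(new_path):
            renamed[(pid, new_path)] = path
        elif op == "DELETE" and (pid, path) in renamed:
            wiped[pid].append(renamed.pop((pid, path)))
    return {pid: paths for pid, paths in wiped.items() if len(paths) >= min_files}
```

Because the variant described above leaves the Windows and Program Files directories alone, a process whose chains all fall outside those directories, concentrated under the web root, matches the behaviour in the post particularly well.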

So do we think the attacks are related? Most probably they are, only that this one was carried out by a different member.