FBI: Wiper Malware Has Korean Language Packs, Hard Coded Targets
chicksdaddy sends news that the FBI has issued a warning to U.S. businesses over a "destructive" malware campaign using advanced tools. They don't name specific targets, but the information fits with the details from last week's attack on Sony Pictures, which led to the leak of several unreleased movies.
A copy of the FBI's recent five-page FLASH alert reveals that the malware alleged to have wiped out systems at Sony Pictures Entertainment deployed a number of malicious modules, including a version of a commercial disk-wiping tool, on target systems. Samples of the malware obtained by the FBI were also found to contain configuration files created on systems configured with Korean language packs. The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization: the malware analyzed by the FBI contained a hard-coded list of IP addresses and computer host names.
How (Score:5, Funny)
WTF, overwrites the MBR? What half assed OS does this attack? Windows?
Re:How (Score:5, Insightful)
I think any OS will do it once the attacking program can gain root access, unless MBR protection is enabled in the BIOS.
Re: (Score:3)
I think any OS will do it once the attacking program can gain root access
Nope, I don't think so. [gw.com] (see securelevel 2)
(and nope, you can't defeat it *that* way. [gw.com] (see RB_HALT)).
It's kind of notable that neither Free- nor OpenBSD seems to support an equivalent to the latter (all three do have the securelevel mechanism, though).
unless MBR protection is enabled in the BIOS
Are you living in a distant past where disk I/O still goes via BIOS?
Re: (Score:3)
> WTF, overwrites the MBR? What half assed OS does this attack? Windows?
I'm a linux user, not a Microsoft fanboi, but... have you ever heard of fdisk? Or for that matter...
dd if=/dev/zero of=/dev/hda bs=446 count=1
to wipe the MBR. If you want to take out the entire hard drive, it's
dd if=/dev/zero of=/dev/sda bs=1M
Any OS that can be installed from a USB key or a CD can do the equivalent of this.
Korea? (Score:5, Insightful)
"Yes Sergey, I have this brilliant plan to compile the production malware on a Korean build of Windows. They'll never suspect it was us."
Re:Corporate (Score:5, Funny)
Who said Russian? I know an Israeli called Sergey.
Re: (Score:2)
There's also a certain founder of Google called Sergey.
You could substitute any name common in the country of your choice to point a finger. I used Sergey only as an example.
Re: (Score:2)
And that Sergey you have mentioned may be the greatest threat to Security & Privacy of common citizens.
Re: (Score:1)
Who said Russian or Israeli? I know a NSA agent named Sergey.
None of these are exclusive (Score:2)
Could be half Russian half Israeli NSA contractor working in Korea.
Re: (Score:2)
The N. Koreans are all pissed off at Sony
Not just the North Koreans, though ... also about half of all people who ever had the misfortune of owning a Sony device. Or wait, make it 2/3 ...
As a malware analyst... (Score:2, Informative)
>> The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea
Are you f***ing kidding me? It's just as likely that it was written by an English-speaking American using a pirated copy of Windows he got from a SOUTH Korean warez site.
Re:As a malware analyst... (Score:4, Insightful)
"Just as likely"? I would imagine that, among all of the versions of Windows that have the Korean language installed, the vast majority of them are being used by Koreans rather than English-speaking Americans.
Re:As a malware analyst... (Score:5, Interesting)
I would also imagine that the kind of person involved in this sort of attack is aware of the capabilities of the people investigating the attack, and that such a person would be interested in confounding that investigation by, say, pretending to be someone he's not, like a Korean language user.
Re: (Score:2)
Yep. Nobody accidentally downloads and installs Korean Windows. It's a fucking nightmare to install unless you speak the language. It's not like a European language where you can guess the meaning, like "oh installación must mean installation."
Re: (Score:2)
It takes like a half hour to learn to read Hangul, and then you can instantly pick out the loan words. Sopeuteuweuh for software, etc.
Re: (Score:2)
That's because you can't read Hangul, and are therefore missing two pieces of key information: it doesn't have the letter f, so they use a p instead, and because of the way the symbols are constructed t becomes teu and p becomes peu. From the hangul, you can also see the syllables, so what you're actually reading is so-f-t-weh-uh, which is a pretty obvious phonetic rendering of software.
Re:And it was signed Kim Jong Un (Score:5, Informative)
File: igfxtrayex.exe
Size: 249856 bytes (244.0 KB)
MD5: 760c35a80d758f032d02cf4db12d3e55
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean
It seems sans-bullshit to me.
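A defender who wants to check a suspect file against the indicators quoted in the comment above (MD5, size, PE compile time) can read those properties straight from the bytes. This is an added example, not code from the FBI alert or the poster; the function names and the constructed stand-in PE header are my own, and the resource-section language is left out because it needs a walk of the resource tree.

```python
"""Triage helper: compare a file with the indicators quoted for igfxtrayex.exe."""
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional

# Indicators quoted in the comment above (igfxtrayex.exe).
ALERT_MD5 = "760c35a80d758f032d02cf4db12d3e55"
ALERT_SIZE = 249856
ALERT_COMPILE_TIME = "2014-11-24 04:11:08"


def pe_compile_time(data: bytes) -> Optional[str]:
    """Return the COFF TimeDateStamp of a PE image as a UTC string, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # TimeDateStamp sits at offset 4 of the COFF header (after Machine, NumberOfSections).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage(data: bytes) -> dict:
    """Compare a file's bytes with the quoted indicators; the *_match keys are bools."""
    md5 = hashlib.md5(data).hexdigest()
    compile_time = pe_compile_time(data)
    return {
        "md5": md5,
        "size": len(data),
        "compile_time": compile_time,
        "md5_match": md5 == ALERT_MD5,
        "size_match": len(data) == ALERT_SIZE,
        "compile_time_match": compile_time == ALERT_COMPILE_TIME,
    }


def constructed_sample() -> bytes:
    """Constructed stand-in (not the real binary): an MZ stub plus a PE signature
    whose TimeDateStamp is the quoted compile time; everything else is padding."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1416802268, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Only the compile time matches on the constructed sample, which is the point: a timestamp alone is weak evidence, and the hash is what actually identifies the file.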
Re: (Score:3)
If you're saying it was a false flag operation (trying to make it look like it came from Koreans), it's possible. But who would do that? Normally hackers like to brag and build up their rep. It could be state-sponsored hackers from another country, but then why would China or Iran specifically target Sony Pictures? AFAIK only N. Korea has a beef with Sony.
It's possible but not likely.
Re: (Score:2)
Normally hackers like to brag and build up their rep.
And nobody likes to brag more than North Korea. Even if they weren't at fault, I'm surprised they haven't taken credit for it yet. I can't really account for that.
Re: (Score:2)
Well, North Korea has officially said "Wait and See [hollywoodreporter.com]".
Apparently the supreme, glorious little runt doesn't like being teased, and seems to think his delusional self is exempt from parody.
If so, this would be kind of hilarious, and kind of scary ... a nation state doing this stuff because their leader's tender ego is feeling bruised.
If this is North Korea, this is all about waving around the collective penis, and posturing that he has any influence on the rest of the world.
Hey, Kim was named the sexiest man alive [theonion.com] recently so maybe they have something to be proud of waving...
Re: (Score:2)
After the US got caught deploying malware in Iran maybe whoever made this learned from their mistakes and made an effort to disguise the source. If the target wasn't Sony I'd be wondering if it wasn't the US.
Re: (Score:1)
when they eventually land NK they'd realize there is no PC capable of running Windows.
Ha, NORTH Korea? (Score:2, Informative)
They have threatened repercussions if Sony releases "The Interview." https://en.wikipedia.org/wiki/The_Interview_(2014_film)
Re: (Score:2)
They are part of Crypton Future Media though, the actual Vocaloid maker. Seems they have automated DMCA 'protect their customers from getting copied and denied their due profit'.
Malware? Sony? (Score:5, Informative)
Is the irony of Sony being hit by malware lost on people?
http://en.wikipedia.org/wiki/S... [wikipedia.org]
Re:Malware? Sony? (Score:5, Funny)
>> Is the irony of Sony being hit by malware lost on people?
At Sony, we just call it "software."
Re: (Score:1)
What goes around comes around.
If this is about "The Interview" .. (Score:2)
I'm going to laugh my ass off and for SURE go see the movie. Maybe even twice. And buy the DVD.
Re: (Score:1)
It's made by Sony, so I'd get it off BitTorrent. It's the right thing to do.
Re: (Score:1)
... well-known Hollywood UBER-zionist specifically designed as a psy-op against North Korea and its leadership. ... Sony was ONLY allowed to buy its way into Hollywood when its Japanese supremo's agreed to allow Israel-friendly managers ... their desired propaganda directions ... Japan has been a servant state to Israel ... was FORCED to introduce sanctions ... Saudi Arabia and Egypt (powers in the US sphere of control) ... Sony's vicious attack against North Korea ... serve their zionist masters on their knees. ... Sony is still loathed for daring to think it has a place in Hollywood. ... Most first class cyber-attacks emanate from Israel ... What you 'earn' while you remain ON YOUR KNEES is worthless- a lesson Japan is going to learn the hard way
You started the troll so well with your first paragraph.
At least the remaining portion was fun to read. I'm not quite sure how Sony would need to sell out to Israel before joining Hollywood, that one is confusing. The claims that the NSA is secretly beholden to the Israeli Military were fun. The claim that Saudi Arabia and Egypt are under US control made me especially laugh.
Thanks for the entertainment.
Re: (Score:2)
Japan has been a servant state to Israel and the USA since their defeat in WW2.
Yeah, that was pretty clever of the Israelis, taking control of Japan some years before Israel even existed as a state.
Especially troubling as we enter winter (Score:2)
As winter hits the nation, more and more people will be activating wipers to clear off road spray... if "they" manage to get this virus into the mag-chloride solution it could mean millions are impacted.
Are we sure this was an attack? (Score:1)