Slashdot Mirror


FBI: Wiper Malware Has Korean Language Packs, Hard Coded Targets

chicksdaddy sends news that the FBI has issued a warning to U.S. businesses over a "destructive" malware campaign using advanced tools. They don't name specific targets, but the information fits with the details from last week's attack on Sony Pictures, which led to the leak of several unreleased movies. A copy of the FBI's recent five-page FLASH alert reveals that the malware alleged to have wiped out systems at Sony Pictures Entertainment deployed a number of malicious modules, including a version of a commercial disk wiping tool on target systems. Samples of the malware obtained by the FBI were also found to contain configuration files created on systems configured with Korean language packs. The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization. The malware analyzed by the FBI contained a hard coded list of IP addresses and computer host names.

41 of 81 comments

  1. How by fnj · · Score: 4, Funny

    WTF, overwrites the MBR? What half assed OS does this attack? Windows?

    1. Re:How by GameboyRMH · · Score: 4, Insightful

      I think any OS will do it once the attacking program can gain root access, unless MBR protection is enabled in the BIOS.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:How by fisted · · Score: 2

      I think any OS will do it once the attacking program can gain root access

      Nope, I don't think so. (see securelevel 2)
      (and nope, you can't defeat it *that* way. (see RB_HALT)).
      It's kind of notable that neither Free- nor OpenBSD seem to support an equivalent to the latter (all three do have the securelevel mechanism, though).

      unless MBR protection is enabled in the BIOS

      Are you living in a distant past where disk i/o still goes via BIOS?

    3. Re:How by knorthern+knight · · Score: 2

      > WTF, overwrites the MBR? What half assed OS does this attack? Windows?

      I'm a linux user, not a Microsoft fanboi, but... have you ever heard of fdisk? Or for that matter...

      dd if=/dev/zero of=/dev/hda bs=446 count=1

      to wipe the MBR. If you want to take out the entire hard drive, it's

      dd if=/dev/zero of=/dev/sda bs=1M

      Any OS that can be installed from USB key or a CD can do the equivalent of this.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
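The two dd lines above have a defender-side counterpart: record a baseline of the first sector and re-check it. The script below is an added example (not from the thread); it parses a 512-byte MBR (boot code, the four partition entries and the 0x55AA signature), hashes the boot code and partition table separately, and reports what changed. The sample sector is constructed inline; the two damaged variants correspond to the `bs=446 count=1` case (boot code zeroed, table and signature intact) and to a fully zeroed sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code; this is the 446 in "bs=446 count=1"
TABLE_OFF, TABLE_LEN = 446, 64   # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"      # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into the pieces a baseline should track."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("need exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFF + 16 * i)
        if ptype:   # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[TABLE_OFF:TABLE_OFF + TABLE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against a baseline produced by parse_mbr()."""
    now = parse_mbr(sector)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector wiped or never formatted")
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if now["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: a JMP stub plus filler as boot code, one bootable
    Linux (0x83) partition starting at LBA 2048, and the 0x55AA signature."""
    boot_code = (b"\xEB\x3C\x90" + b"constructed boot code").ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x83, b"\xFE\xFF\xFF",
                        2048, 2097152)
    table = entry + bytes(48)          # three empty entries
    return boot_code + table + SIGNATURE


if __name__ == "__main__":
    # On a real host the sector would come from reading the first 512 bytes of
    # the boot device; here everything is constructed.
    healthy = build_sample_mbr()
    baseline = parse_mbr(healthy)
    print("intact:", check_mbr(healthy, baseline))
    print("bs=446 count=1:", check_mbr(bytes(BOOT_CODE_LEN) + healthy[BOOT_CODE_LEN:], baseline))
    print("whole sector zeroed:", check_mbr(bytes(SECTOR_SIZE), baseline))
```

Note the asymmetry the two dd lines create: zeroing only the first 446 bytes leaves the partition table and signature valid, so a check that only looks for 0x55AA sees nothing wrong; hashing the boot code separately catches it.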
  2. Korea? by TechyImmigrant · · Score: 4, Insightful

    "Yes Sergey, I have this brilliant plan to compile the production malware on a Korean build of Windows. They'll never suspect it was us."
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. As a malware analyst... by xxxJonBoyxxx · · Score: 1, Informative

    >> The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea

    Are you f***ing kidding me? It's just as likely that it was written by an English-speaking American using a pirated copy of Windows he got from a SOUTH Korean warez site.

    1. Re:As a malware analyst... by amicusNYCL · · Score: 3, Insightful

      "Just as likely"? I would imagine that, among all of the versions of Windows that have the Korean language installed, the vast majority of them are being used by Koreans rather than English-speaking Americans.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:As a malware analyst... by kruach+aum · · Score: 4, Interesting

      I would also imagine that the kind of person involved in this sort of attack is aware of the capabilities of the people investigating the attack, and that such a person would be interested in confounding that investigation by, say, pretending to be someone he's not, like a Korean language user.

    3. Re:As a malware analyst... by Spy+Handler · · Score: 2

      If you're saying it was a false flag operation (trying to make it look like it came from Koreans), it's possible. But who would do that? Normally hackers like to brag and build up their rep. It could be state-sponsored hackers from another country, but then why would China or Iran specifically target Sony Pictures? AFAIK only N. Korea has a beef with Sony.

      It's possible but not likely.

    4. Re:As a malware analyst... by Spy+Handler · · Score: 1

      Yep. Nobody accidentally downloads and installs Korean Windows. It's a fucking nightmare to install unless you speak the language. It's not like a European language where you can guess the meaning, like "oh installación must mean installation."

    5. Re:As a malware analyst... by kruach+aum · · Score: 1

      It takes like a half hour to learn to read Hangul, and then you can instantly pick out the loan words. Sopeuteuweuh for software, etc.

    6. Re:As a malware analyst... by omnichad · · Score: 1

      Normally hackers like to brag and build up their rep.

      And nobody likes to brag more than North Korea. Even if they weren't at fault, I'm surprised they haven't taken credit for it yet. I can't really account for that.

    7. Re:As a malware analyst... by Fire_Wraith · · Score: 1

      North Korea doesn't always brag about its provocations. Consider the sinking of the South Korean warship Cheonan, which was sunk by a mysterious explosion that was later assessed to have been a torpedo, while off a South Korean island within spitting distance of North Korean waters. North Korea denied any involvement (http://en.wikipedia.org/wiki/ROKS_Cheonan_sinking). Also, while hacker and hacktivist groups tend to be quite open about claiming credit, nation-state hackers tend to be very quiet about it (I don't think any country anywhere has officially claimed credit for hacking, offhand). Given what I've read on various sites, I certainly think it's a credible theory that North Korea was behind it (Motive, Means, and it matches their style), though I certainly don't think I'd rule out other possibilities completely.

    8. Re:As a malware analyst... by dunkindave · · Score: 4, Interesting

      I like to apply Occam's Razor. Having dealt with a variety of hackers ranging from newbies up to APT, I have found almost all of them make stupid mistakes and do things like this that leak info. I have yet to see a convincing false-flag since attackers would rather hide their origin than fake it, meaning they try to remove all such info instead of putting in fake info. Given my experience I have no trouble whatsoever believing the indicators of the Korean language pack presence on the origination computers is a strong lead for where it came from. The current beef that NK has against Sony due to the upcoming film, along with their specific threats, just adds to it as corresponding motive, like the cherry on top of the sundae.

    9. Re:As a malware analyst... by gstoddart · · Score: 1

      Well, North Korea has officially said "Wait and See".

      The film, due for release on Christmas, has drawn criticism from the North Korean government, which called it an "evil act of provocation" and an "undisguised sponsoring of terrorism" and asked the United Nations to block its release. A government website also threatened the filmmakers with "stern punishment."

      Apparently the supreme, glorious little runt doesn't like being teased, and seems to think his delusional self is exempt from parody.

      If so, this would be kind of hilarious, and kind of scary ... a nation state doing this stuff because their leader's tender ego is feeling bruised.

      If this is North Korea, this is all about waving around the collective penis, and posturing that he has any influence on the rest of the world.

      --
      Lost at C:>. Found at C.
    10. Re:As a malware analyst... by Registered+Coward+v2 · · Score: 1

      Well, North Korea has officially said "Wait and See".

      The film, due for release on Christmas, has drawn criticism from the North Korean government, which called it an "evil act of provocation" and an "undisguised sponsoring of terrorism" and asked the United Nations to block its release. A government website also threatened the filmmakers with "stern punishment."

      Apparently the supreme, glorious little runt doesn't like being teased, and seems to think his delusional self is exempt from parody.

      If so, this would be kind of hilarious, and kind of scary ... a nation state doing this stuff because their leader's tender ego is feeling bruised.

      If this is North Korea, this is all about waving around the collective penis, and posturing that he has any influence on the rest of the world.

      Hey, Kim was named the sexiest man alive recently so maybe they have something to be proud of waving...

      --
      I'm a consultant - I convert gibberish into cash-flow.
    11. Re:As a malware analyst... by bluefoxlucid · · Score: 1
    12. Re:As a malware analyst... by kruach+aum · · Score: 1

      That's because you can't read Hangul, and are therefore missing two pieces of key information: it doesn't have the letter f, so they use a p instead, and because of the way the symbols are constructed t becomes teu and p becomes peu. From the hangul, you can also see the syllables, so what you're actually reading is so-f-t-weh-uh, which is a pretty obvious phonetic rendering of software.

    13. Re:As a malware analyst... by AmiMoJo · · Score: 1

      After the US got caught deploying malware in Iran maybe whoever made this learned from their mistakes and made an effort to disguise the source. If the target wasn't Sony I'd be wondering if it wasn't the US.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:As a malware analyst... by rHBa · · Score: 1

      But I thought Team America was produced by Paramount!

      /Joke

  4. Malware? Sony? by TechyImmigrant · · Score: 5, Informative

    Is the irony of Sony being hit by malware lost on people?

    http://en.wikipedia.org/wiki/S...

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Malware? Sony? by xxxJonBoyxxx · · Score: 5, Funny

      >> Is the irony of Sony being hit by malware lost on people?

      At Sony, we just call it "software."

    2. Re:Malware? Sony? by Anonymous Coward · · Score: 1

      What goes around comes around.

    3. Re:Malware? Sony? by Ice+Tiger · · Score: 1

      You win the thread

      --
      "Because we are not employing at entry level, offshoring will kill our industry stone dead."
  5. Re:And it was signed Kim Jong Un by DougOtto · · Score: 5, Informative

    The analysis doesn't blame Korea or anyone else, it's the media taking that route. The analysis just lists the file targets and the information you'd want to see if you have a match; e.g.

    File: igfxtrayex.exe
    Size: 249856 bytes (244.0 KB)
    MD5: 760c35a80d758f032d02cf4db12d3e55
    PE Compile Time: 2014-11-24 04:11:08
    Language pack of resource section: Korean

    It seems sans-bullshit to me.

    --
    Solving Unix problems since 1989...
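The record quoted in that comment is a plain list of per-file fields (size, MD5, PE compile time, resource-section language). The script below is an added example (Python, not the FBI's or the commenter's tooling) that pulls those same fields out of a PE file by reading the COFF header timestamp and walking the three-level resource directory for LANGID values, then compares them against an indicator record field by field. The PE image is constructed inline with a single resource tagged Korean (LANGID 0x0412); the example locates resources by the `.rsrc` section name, which is a simplification of the data-directory lookup a full parser would do.

```python
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Primary-language ids (low 10 bits of a Windows LANGID); a small subset.
PRIMARY_LANG = {0x04: "Chinese", 0x09: "English", 0x11: "Japanese",
                0x12: "Korean", 0x19: "Russian"}


def _resource_languages(rsrc: bytes, off: int = 0, depth: int = 0, out=None) -> set:
    """Walk the resource directory (type -> name -> language) and collect the
    ids found at the third level, which are LANGIDs."""
    if out is None:
        out = set()
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", rsrc, off)
    entry = off + 16
    for _ in range(n_named + n_id):
        name, data_off = struct.unpack_from("<II", rsrc, entry)
        entry += 8
        if depth == 2:
            out.add(name & 0xFFFF)                 # language level
        elif data_off & 0x80000000:                # high bit: subdirectory
            _resource_languages(rsrc, data_off & 0x7FFFFFFF, depth + 1, out)
    return out


def pe_indicators(data: bytes) -> dict:
    """Return the fields the alert excerpt lists for each sample."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    langs = set()
    sec = coff + 20 + opt_size                    # section table follows the optional header
    for _ in range(n_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec)
        sec += 40
        # Simplification: find resources by section name rather than via the
        # resource data directory in the optional header.
        if name.rstrip(b"\0") == b".rsrc":
            langs |= _resource_languages(data[raw_ptr:raw_ptr + raw_size])
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                .strftime("%Y-%m-%d %H:%M:%S"),
        "resource_languages": sorted(PRIMARY_LANG.get(l & 0x3FF, f"0x{l:04x}") for l in langs),
    }


def match_indicator(found: dict, indicator: dict) -> dict:
    """Field-by-field comparison. Only the hash is conclusive; compile time and
    resource language are context that can be shared by unrelated files."""
    return {
        "md5": found["md5"] == indicator["md5"].lower(),
        "size": found["size"] == indicator["size"],
        "compile_time": found["compile_time"] == indicator["compile_time"],
        "language": indicator["language"] in found["resource_languages"],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE: no optional header (SizeOfOptionalHeader = 0) and
    one .rsrc section with a single resource under LANGID 0x0412 (Korean)."""
    ts = calendar.timegm((2014, 11, 24, 4, 11, 8))     # same timestamp as the quoted record
    rsrc = b"".join([
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1),       # root dir @0, one id entry
        struct.pack("<II", 16, 0x80000000 | 24),         # RT_VERSION -> subdir @24
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1),       # name level @24
        struct.pack("<II", 1, 0x80000000 | 48),          # id 1 -> subdir @48
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1),       # language level @48
        struct.pack("<II", 0x0412, 72),                  # LANGID Korean -> data entry @72
        struct.pack("<IIII", 0x3000 + 88, 4, 0, 0),      # data entry: RVA, size, codepage, reserved
        b"DATA",
    ])
    headers = 64 + 4 + 20 + 40                           # DOS + signature + COFF + one section
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)      # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x3000, len(rsrc),
                          headers, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + section + rsrc


if __name__ == "__main__":
    record = pe_indicators(build_sample_pe())
    # The indicator values below are the ones quoted in the comment above.
    quoted = {"md5": "760c35a80d758f032d02cf4db12d3e55", "size": 249856,
              "compile_time": "2014-11-24 04:11:08", "language": "Korean"}
    print(record)
    print(match_indicator(record, quoted))   # hash and size miss, time and language hit
```

The last print is the point of the comparison: a file can share compile time and resource language with a listed sample without being that sample, so a match on those two fields alone is a lead to investigate, not a hit.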
  6. Ha, NORTH Korea? by Anonymous Coward · · Score: 2, Informative

    They have threatened repercussions if Sony releases "The Interview." https://en.wikipedia.org/wiki/The_Interview_(2014_film)

  7. Re:Ha, NORTH Korea? by DigiShaman · · Score: 1

    Rootkits are an act of war. I had no idea North Koreans are such die-hard gamers.

    Encore! Encore!!

    --
    Life is not for the lazy.
  8. If this is about "The Interview" .. by Rinikusu · · Score: 1

    I'm going to laugh my ass off and for SURE go see the movie. Maybe even twice. And buy the DVD.

    --
    If you were me, you'd be good lookin'. - six string samurai
    1. Re:If this is about "The Interview" .. by Anonymous Coward · · Score: 1

      It's made by Sony, so I'd get it off BitTorrent. It's the right thing to do.

  9. Re:Corporate by TechyImmigrant · · Score: 4, Funny

    Who said Russian? I know an Israeli called Sergey.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  10. Re:Corporate by TechyImmigrant · · Score: 1

    There's also a certain founder of Google called Sergey.

    You could substitute any name common in the country of your choice to point a finger. I used Sergey only as an example.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  11. Re:Corporate by Anonymous Coward · · Score: 1

    Who said Russian or Israeli? I know a NSA agent named Sergey.

  12. Re:Ha, NORTH Korea? by aevan · · Score: 1

    Not sure about SeeU, but I know a few years ago I got a DMCA from 'Original Creator' with regards to vocaloid videos.

    They are part of Crypton Future Media though, the actual Vocaloid maker. Seems they have automated DMCA 'protect their customers from getting copied and denied their due profit'.

  13. Especially troubling as we enter winter by SuperKendall · · Score: 1

    As winter hits the nation, more and more people will be activating wipers to clear off road spray... if "they" manage to get this virus into the mag-chloride solution it could mean millions are impacted.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  14. None of these are exclusive by Imazalil · · Score: 2

    Could be half Russian half Israeli NSA contractor working in Korea.

  15. Are we sure this was an attack? by HiThereImBob · · Score: 1

    Isn't it possible someone at Sony accidentally inserted one of their CDs?

  16. Re:Corporate by xaotikdesigns · · Score: 1

    You know what I want. I want someone to go after Topher Grace so we can see his cut of Star Wars. Or maybe hit Jerry Lewis so I can watch The Clown that Cried.

    --
    XDInd
  17. Re:Sony chose to wage war against North Korea by TrollingForHostFiles · · Score: 2

    Japan has been a servant state to Israel and the USA since their defeat in WW2.

    Yeah, that was pretty clever of the Israelis, taking control of Japan some years before Israel even existed as a state.

    --
    cat /dev/random
  18. Re:Finally by AqD · · Score: 1

    When they eventually land in NK they'd realize there is no PC capable of running Windows.

  19. Re:Corporate by aaaaaaargh! · · Score: 1

    The N. Koreans are all pissed off at Sony

    Not just the North Koreans, though ... also about half of all people who ever had the misfortune of owning a Sony device. Or wait, make it 2/3 ...

  20. Re:Corporate by ub3r+n3u7r4l1st · · Score: 1

    And that Sergey you have mentioned may be the greatest threat to Security & Privacy of common citizens.