Slashdot Mirror


FBI: Wiper Malware Has Korean Language Packs, Hard Coded Targets

chicksdaddy sends news that the FBI has issued a warning to U.S. businesses over a "destructive" malware campaign using advanced tools. They don't name specific targets, but the information fits with the details from last week's attack on Sony Pictures, which led to the leak of several unreleased movies. A copy of the FBI's recent five-page FLASH alert reveals that the malware alleged to have wiped out systems at Sony Pictures Entertainment deployed a number of malicious modules, including a version of a commercial disk wiping tool on target systems. Samples of the malware obtained by the FBI were also found to contain configuration files created on systems configured with Korean language packs. The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization. The malware analyzed by the FBI contained a hard coded list of IP addresses and computer host names.

9 of 81 comments

  1. How by fnj · Score: 4, Funny

    WTF, overwrites the MBR? What half assed OS does this attack? Windows?

    1. Re:How by GameboyRMH · Score: 4, Insightful

      I think any OS will do it once the attacking program can gain root access, unless MBR protection is enabled in the BIOS.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Korea? by TechyImmigrant · Score: 4, Insightful

    "Yes Sergey, I have this brilliant plan to compile the production malware on a Korean build of Windows. They'll never suspect it was us."

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Re:As a malware analyst... by kruach+aum · Score: 4, Interesting

    I would also imagine that the kind of person involved in this sort of attack is aware of the capabilities of the people investigating the attack, and that such a person would be interested in confounding that investigation by, say, pretending to be someone he's not, like a Korean language user.

  4. Malware? Sony? by TechyImmigrant · Score: 5, Informative

    Is the irony of Sony being hit by malware lost on people?

    http://en.wikipedia.org/wiki/S...

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Malware? Sony? by xxxJonBoyxxx · Score: 5, Funny

      >> Is the irony of Sony being hit by malware lost on people?

      At Sony, we just call it "software."

  5. Re:And it was signed Kim Jong Un by DougOtto · Score: 5, Informative

    The analysis doesn't blame Korea or anyone else, it's the media taking that route. The analysis just lists the file targets and the information you'd want to see if you have a match; e.g.

    File: igfxtrayex.exe
    Size: 249856 bytes (244.0 KB)
    MD5: 760c35a80d758f032d02cf4db12d3e55
    PE Compile Time: 2014-11-24 04:11:08
    Language pack of resource section: Korean

    It seems sans-bullshit to me.

    --
    Solving Unix problems since 1989...
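    As an added example (not from the post or the FLASH alert), a small Python check that compares a file's size, MD5 and PE compile timestamp against the record quoted above; the sample PE bytes are constructed for offline use, and the resource-section language field is not parsed.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicator record as quoted from the FLASH excerpt in the comment above.
INDICATOR = {
    "file": "igfxtrayex.exe",
    "size": 249856,
    "md5": "760c35a80d758f032d02cf4db12d3e55",
    "compile_time": "2014-11-24 04:11:08",
}


def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC string, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def match_indicator(data: bytes, ind: dict) -> dict:
    """Compare a file's observable fields with the indicator record, field by field."""
    return {
        "size": len(data) == ind["size"],
        "md5": hashlib.md5(data).hexdigest() == ind["md5"],
        "compile_time": pe_compile_time(data) == ind["compile_time"],
    }


def build_sample_pe(compile_time: str, size: int) -> bytes:
    """Constructed, minimal PE-shaped byte string (not a real executable) for testing."""
    stamp = int(datetime.strptime(compile_time, "%Y-%m-%d %H:%M:%S")
                .replace(tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)
    body = bytes(dos) + coff
    return body + b"\0" * (size - len(body))


if __name__ == "__main__":
    sample = build_sample_pe(INDICATOR["compile_time"], INDICATOR["size"])
    print(match_indicator(sample, INDICATOR))  # size and timestamp match, MD5 does not
```

    A hash match alone decides the question; a size or timestamp match on its own is only a prompt to pull the file for closer analysis.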
  6. Re:Corporate by TechyImmigrant · Score: 4, Funny

    Who said Russian? I know an Israeli called Sergey.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  7. Re:As a malware analyst... by dunkindave · Score: 4, Interesting

    I like to apply Occam's Razor. Having dealt with a variety of hackers ranging from newbies up to APT, I have found almost all of them make stupid mistakes and do things like this that leak info. I have yet to see a convincing false flag, since attackers would rather hide their origin than fake it, meaning they try to remove all such info instead of putting in fake info. Given my experience, I have no trouble whatsoever believing the indicators of the Korean language pack presence on the origination computers are a strong lead for where it came from. The current beef that NK has against Sony due to the upcoming film, along with their specific threats, just adds to it as corresponding motive, like the cherry on top of the sundae.