Risk
7/10/2009
05:50 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Cyber Attack Code Starts Killing Infected PCs

Infected computers participating in the distributed denial of service attack on U.S. government and South Korean Web sites are set to destroy their own data.

The botnet-driven cyber attack on government, financial, and media sites in the U.S and South Korea includes a newly discovered danger: The malicious code responsible for driving the distributed denial of service attack, known as W32.Dozer, is designed to delete data on infected computers and to prevent the computers from being rebooted.

"Your machine is completely hosed at this stage," said Vincent Weafer, VP at Symantec Security Response.

The malicious code includes instructions to start deleting files when the infected computer's internal clock reaches July 10, 2009. That's today.

According to Weafer, the malicious code will attempt to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copy the data to an encrypted file that's inaccessible to the user, and then overwrite the data in the original files. It targets files associated with office, business, and development applications.

The malicious code is also programmed to modify infected computers' Master Boot Records. The change renders computers inoperable following any attempt to reboot.

The impact of this self-destruct sequence should be minimal, however. Weafer said that he expects only a few thousand machines will be damaged. "I don't expect this to be a major issue, except perhaps in South Korea," he said.

The cyber attack against sites in the U.S. and South Korea began on July 4 and temporarily interfered with access to the Web sites of the Treasury Department, the Transportation Department and the Federal Trade Commission.

The South Korean Intelligence Service estimated that about 20,000 compromised computers -- mostly in South Korea -- had been ordered to conduct a Distributed Denial of Service (DDoS) attack on U.S. and South Korean sites.

Given the timing, which coincided with a North Korean missile test, suspicions have been raised about the involvement of hackers in North Korea or possibly China.

In a press briefing yesterday, State Department spokesman Ian Kelly said, "[The attacks] are continuing, and we are taking measures to deal with this and any potential new attacks." He said he had no information about whether North Korea was involved.

It is possible to direct an attack of this sort from anywhere. According to Alan Paller, research director at The SANS Institute, the compromised computers participating in this attack are located all over the world, including the U.S. The bots that participate also vary over time, so that the source of the attack is constantly changing.

"The attacks have become increasingly sophisticated since the end of last week -- it started as a flood that was easy for network service providers to filter and then went through at least two increases in sophistication so that the flood looks more and more like legitimate traffic," said Paller in an e-mail. "Network providers have to work much harder to filter out malicious traffic that resembles legitimate traffic."

But with W32.Dozer already deleting files and crippling its hosts, the attacks should soon subside.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, you were supposed to display UNICODE characters!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.