








Korean DDoS Bots To Self-Destruct

User: aewhale
Date: 7/12/2009 9:41 am
Views: 889

PCs Used in Korean DDoS Attacks May Self Destruct

There are signs that the concerted cyber attacks targeting U.S. and Korean government and commercial Web sites this past week are beginning to wane. Yet, even if the assaults were to be completely blocked tomorrow, the attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive.

Update: This is already happening. Please be sure to read the updates at the end of this post.

Original post:

According to Joe Stewart, director of malware research at SecureWorks, the malware that powers this attack -- a version of the Mydoom worm -- is designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over every sector of every physical drive attached to the compromised system.

Stewart said he tested the self-destruct Trojan in his lab and found that it indeed erases the hard drive on the compromised system. For now, however, the Mydoom component isn't triggering that feature.

"One possibility is there's a bug in the code and it's supposed to run but it doesn't," Stewart said. "Or, there may be a time factor involved, where it's not supposed to erase the hard drive until a certain time."

Such an order would spell certain disaster for many tens of thousands of Microsoft Windows PCs. Several experts I spoke with yesterday and today estimated that between 60,000 and 100,000 systems may be infected with this potentially suicidal malware.

Windows users running current anti-virus software and being careful not to download and run e-mail attachments from random sources almost certainly have little to fear from this attacker. Mydoom is a well-known piece of malware that first surfaced in January 2004. At the time, it instructed compromised systems to launch an attack against Microsoft's Web site and the site of the SCO Group, a Lindon, Utah-based software company. As a result, both companies have outstanding $250,000 reward offers for information leading to the arrest and conviction of the Mydoom author(s).

Meanwhile, the attacks that slowed washingtonpost.com and several other U.S.-based Web sites have since been focused almost exclusively on Korean Web sites. Alex Lanstein, senior security researcher at FireEye, a Milpitas, Calif.-based computer security firm, said the attackers dropped the U.S. government and commercial Web sites from their hit-list on Tuesday afternoon, after those sites began working with large Internet service providers to filter and block attack traffic.

Lanstein said the unknown attackers have since concentrated the attack on a handful of S. Korean government and commercial Web sites, such as egov.go.kr, Web portal daum.net, online auction house auction.go.kr, and Korean news site chosun.com.

Update, July 10, 12:25 a.m. ET: ChannelNewsAsia.com carries a story that cites S. Korean government officials warning about this self-destruct feature. The relevant bits from that piece:

"In a sign of further disruption to come, Yonhap quoted the Korea Communications Commission (KCC) as saying that tens of thousands of virus-contaminated personal computers "appear automatically programmed to destroy their own stored data starting Friday."

The KCC said the virus was set to destroy the data of at least 20,000 contaminated PCs across South Korea."

Update, July 10, 10:00 a.m. ET: South Korean anti-virus firm Hauri has published an exhaustive analysis of this malicious software (PDF). It states that at 00:00 on July 10 the malicious code deletes files with certain extensions, that an "operating system not found" error appears at the next boot, and that the system can then no longer be started normally.

[Image: ddosnoboot.JPG]

Meanwhile, SecureWorks' Stewart said it looks like it is only the first megabyte of the hard drive that is overwritten. "Still with the [Windows Master Boot Record] and partition table gone, it is enough to make it unbootable and unrecoverable for the normal user with only a Windows CD in recovery mode," Stewart said. "It has subroutines to delete or encrypt files after that, so even more advanced recovery techniques are made more difficult."
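The overwrite described above (the marker string at the start of the drive, then 'u' bytes through the first megabyte, taking the MBR and partition table with it) can be triaged from a raw disk image without booting the machine. The following is an added example and is not code from this post, from SecureWorks or from Hauri. The marker text and the 'u' fill byte come from the article; the 1 MiB window, the 90% fill threshold and all function names are assumptions. It parses sector 0, checks the 0x55AA boot signature and the partition table, measures how much of the first MiB is 'u', and runs against two constructed sample images (a healthy MBR and a wiped one) when invoked without an argument.

```python
"""Triage check for the MBR-wipe pattern described in the article.

Added example, not the post's or any vendor's code. MARKER and the 'u'
fill are from the article; FIRST_MIB, FILL_THRESHOLD and the function
names are assumptions. Reads the image; never writes to it.
"""
import struct
import sys

SECTOR = 512
FIRST_MIB = 1024 * 1024
MARKER = b"memory of the independence day"   # message quoted in the article
BOOT_SIGNATURE = b"\x55\xaa"                  # last two bytes of a valid MBR sector
FILL_THRESHOLD = 0.90   # assumption: share of 'u' bytes in the first MiB that counts as a wipe


def partition_entries(mbr: bytes) -> list:
    """Parse the four 16-byte partition entries at offset 446 of an MBR sector."""
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        if len(raw) < 16 or raw[4] == 0:      # type byte 0 means an unused slot
            continue
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({"bootable": raw[0] == 0x80, "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr_wipe(image: bytes) -> dict:
    """Inspect the first MiB of a raw disk image for the overwrite pattern."""
    head = image[:FIRST_MIB]
    mbr = head[:SECTOR]
    u_ratio = head.count(b"u") / len(head) if head else 0.0
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    marker_found = mbr.startswith(MARKER)
    # Only trust the partition table when the sector still carries a valid signature;
    # on a wiped disk the 'u' fill (0x75) would parse as four bogus entries.
    partitions = partition_entries(mbr) if signature_ok else []
    wiped = marker_found or (not signature_ok and u_ratio >= FILL_THRESHOLD)
    return {"boot_signature_ok": signature_ok, "marker_at_sector0": marker_found,
            "partitions": partitions, "u_fill_ratio": round(u_ratio, 3), "wiped": wiped}


def build_healthy_image() -> bytes:
    """Constructed sample: zeroed boot code, one bootable type-0x07 partition, valid signature."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    mbr = bytes(446) + entry + bytes(48) + BOOT_SIGNATURE
    return mbr + bytes(FIRST_MIB - SECTOR)


def build_wiped_image() -> bytes:
    """Constructed sample of the overwrite: the marker, then 'u' through the first MiB."""
    return MARKER + b"u" * (FIRST_MIB - len(MARKER))


if __name__ == "__main__":
    if len(sys.argv) > 1:           # real use: python check_mbr.py disk.dd
        with open(sys.argv[1], "rb") as f:
            print(check_mbr_wipe(f.read(FIRST_MIB)))
    else:                           # no argument: run against the constructed samples
        for name, img in (("healthy", build_healthy_image()), ("wiped", build_wiped_image())):
            r = check_mbr_wipe(img)
            print(f"{name}: wiped={r['wiped']} signature_ok={r['boot_signature_ok']} "
                  f"marker={r['marker_at_sector0']} u_fill={r['u_fill_ratio']} "
                  f"partitions={r['partitions']}")
```

A missing boot signature alone is not treated as this wipe (a zero-filled or GPT-protective-less blank disk would also lack it), which is why the check requires either the marker in sector 0 or the 'u' fill above the threshold. Stewart's note that later subroutines delete or encrypt files means a clean sector 0 does not prove the rest of the disk is intact; this check only answers whether the MBR and partition table survived.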

Update, July 10, 11:48 a.m. ET: South Korea's Computer Emergency Response Team (KR-CERT) has confirmed that machines which participated in this attack are now self-destructing.

By Brian Krebs  |  July 9, 2009; 9:35 PM ET
Categories: Latest Warnings, Misc., U.S. Government


© 2005-2012 ABS Computer Technology, Inc. - All Rights Reserved
SpamZapper® is the registered trademark of ABS Computer Technology, Inc.