South Korean Banks, Media Companies Targeted by Destructive Malware

Mcafee Labs ^ | Wednesday, March 20, 2013 at 5:18pm | by Jorge Arias and Guilherme Venere

[Ernest_at_the_Beach]

A massive computer shutdown of two South Korean banks and media companies occurred Wednesday via an Internet malware attack. The malware wiped out the master boot records on the hard drives of the infected computers, overwriting the MBR with either one of these strings:

• PRINCPES
• PR!NCPES
• HASTATI.

Figure 1: Snapshot of MBR after infection.

The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable. So even if the MBR is recovered, the files on disk will be compromised too.

After that, the system is forced to reboot via the following command:

• shutdown -r -t 0

That action causes the computers to be unable to start because the MBR is corrupted.

[b4its2late]

Those nasties to the North got the code from China.....

[Ernest_at_the_Beach]

More than likely....and the Chinese have been probing our systems.

[driftdiver]

China is pretty good at it.

[Cicero]

Guess who?

[Ernest_at_the_Beach]

Doesn't detail how the malware got activated on the system.

[dennisw]

Was traced to a China IP I believe

[driftdiver]

China is doing more than probing. They are actively attacking personal, corporate, and govt computers on a daily basis.

They even hacked the New York Times and were inside for 42 days. They were trying to find out who the sources were for some stories critical of China.

[driftdiver]

NK probably gets its internet from China.

[Ernest_at_the_Beach]

These may have been servers....from the article:

**********************************EXCERPT**************************************

The malware then drops another file in %TEMP% named “pr1.tmp,” which is a BASH shell script that attempts to perform partition killing on three Unix types: Linux, HP-UX, and SunOS.

[Old Sarge]

Reuters is reporting that the attack originated from an IP address in China, and it matches the profile of previous attacks.

Reuters via Yahoo article here

[Old Sarge]

But... but... we were always told that Linux was immune, and was superior, and was... and was...

[Ernest_at_the_Beach]

Chinese internet address involved in S. Korea cyberattack

[Ernest_at_the_Beach]

Nothing is totally immune.,....but noting is as open to malware as Windows driven PC’s.

[Ernest_at_the_Beach]

And:

Mac-specific Trojan discovered, injects ads into webpages

[Carriage Hill]

Wonder if those guys ***beep*** going thru the detectors at the airport? Heh...

[b4its2late]

Red Chinese....