Malware in Recent Korean DDoS Attacks Destroys Systems

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns. (Click on chart for details.)

This is further supported because the list of first-layer servers can be updated at any time.

The red code blocks deal with contacting the first-layer C&C server, the green code blocks retrieve the list of the second-layer servers, and the blue code blocks handle file downloads from the second-layer servers.

Botnets of infected computers usually receive commands directly and carry out the nefarious intent of their controllers. In this case, however, the C&C application behaves more like a downloader. Instead of directly interpreting commands, the application simply downloads files to the local hard disk. Secondary malware components that run independently of the main service find these files and then evaluate their contents to carry out an attack.

The two layers make it harder to analyze the malware because an analyst must understand many components and cannot simply follow the code flow within one malware binary. However, forensics are easier because in postmortem we can identify which task files have been created on an infected computer.

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The list of file extensions that will be overwritten is particularly interesting. It contains typical document data:

  • doc, docx, docm
  • xls, xlsx
  • pdf, eml (Outlook Email)

The list also contains some programming-language file extensions, such as c, cpp, h, and java. Wonder what they thought would be on the infected machines? Or did they already know?

One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyberfrontier.


Our standalone malware-removal tool Stinger has been updated with a more generic detection of the malware involved in this attack. Stinger is available for download here.

Heroin, Cocaine & Rockets – But please don’t panic…

This little gem of a spam run was widely broadcast last night and caused some alarm. Take a look, I’m sure you’ll see why.

1. Heroin, in liquid and crystal form.
2. Rocket fuel and Tomohawk rockets (serious enquiries only).
4. New shipment of cocaine has arrived, buy 9 grams and get 10th for free.
Everyone is welcome, but not US citizens.
ATTENTION. Clearance offer. Buy 30 grams of heroin, get 5 free.
Prices upon reqeust:
Our email: <redacted>@<redacted>.COM
PHONE 0093 (0) 20 <redacted>
FAX 0093 (0) 70 <redacted>

This is actually a really old prank, originally targeted at the Dark Profits website in 2003. This is simply a prank twist of a traditional email Joe Job., designed to flood a mailbox/phone/fax with responses.

We saw a couple of different flavors of this campaign targeting different entities however all were appropriately caught.

Snopes have a great article in their archive if you’d like a refresher.

Don’t panic. Nothing to see here!

Security Researcher, Cybercrime Foe Goes Missing

A well-known security researcher and cybercrime foe appears to have gone missing in Bulgaria and is feared harmed, according to a news organization that hosts a blog the researcher co-writes.

Bulgarian researcher Dancho Danchev, who writes for ZDNet’s Zero Day blog, is an independent security consultant who’s garnered the enmity of cybercriminals for his work tracking and exposing their malicious activity. He has often provided insightful analysis of East European criminal activity and online scams.

His last blog entry was a compilation of his research into the cyberjihad activity of terrorist groups. He was also particularly focused on monitoring the group believed to be behind the Koobface worm, which targets users of Facebook and other social networking sites.

Danchev has reportedly been missing since at least September, when he sent a mysterious letter to a friend in the malware-research community revealing concerns that his apartment was being bugged by Bulgarian law enforcement and intelligence services.

The letter, sent to the friend as “insurance in case things get ugly, ” included photos that Danchev purportedly took of a device that he believed was planted in his bathroom by government agents to monitor him. The device appears to be a transformer.

The letter said:

I’m attaching you photos of the “current situation in my bathroom”, courtesy of Bulgarian Law enforcement+intell services who’ve been building a case trying to damage my reputation, for 1.5 years due to my clear pro-Western views+the fact that a few months ago, the FBI Attache in Sofia, Bulgaria recommended me as an expert to Bulgarian CERT -> clearly you can see how they say “You’re Welcome”.

ZDNet, which has been trying unsuccessfully to contact Danchev since August, published the letter and photos Friday in the hope that someone with information about Danchev’s whereabouts would come forward.

ZDNet blogger Ryan Naraine, who blogs at Zero Day with Danchev, reported that Danchev had contributed his last blog entry Aug. 18 and that his personal blog was last updated Sept. 11. The letter Danchev apparently sent to his friend about the surveillance on him was received Sept. 9.

Subsequent attempts to contact Danchev by phone, e-mail and postal mail have been unsuccessful, ZDNet reports. A knock on the door at his residence in Bulgaria also went unanswered.

“Last month, we finally got a mysterious message from a local source in Bulgaria that ‘Dancho’s alive but he’s in a lot of trouble,’” Naraine wrote. “We were told that he’s in the kind of trouble to keep him away from a computer and telephone, so it would be impossible to make contact with him.”

Naraine told Threat Level that Danchev was an active participant on a mailing list where ZDNet’s bloggers discuss their stories and would generally contact editors and fellow bloggers once a week to let them know what he was working on. That communication stopped in August. Naraine said that he also hasn’t seen Danchev logged into his Skype, Google Talk or instant messaging account for months.

“I’ve been hearing from a lot of people on private lists saying that Dancho is alive,” Naraine said. “But no one can say where he is or why he has disappeared off the grid. He was not the kind of guy to just disappear.”