November 23, 2024

MBR Wiper Attacks Hit Korean Power Plant: Trend Micro

Posted on December 24, 2014 by in Security

Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.

According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.

“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”

“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”

Trend Micro also noted similarities to the earlier MBR wiper attacks. All three overwrite the MBR with a repeated string: this attack tiles the sector with “Who Am I?”, the 2013 attacks used the words quoted above, and the Sony attack used a repeating 0xAAAAAAAA pattern.
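The behaviour described above (a boot sector tiled with one short string, leaving no valid 0x55AA signature) is easy to check for from a forensic image or a scheduled read-only integrity scan. The following is an added example, not code from the article or from Trend Micro: it triages a raw 512-byte sector against the fill strings the article names, and, more generally, against any short repeating pattern. All sample sectors are constructed here; the "intact" sample is a structurally valid MBR layout, not real boot code.

```python
import math
from collections import Counter

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a well-formed MBR

# Fill strings the article attributes to the 2013 Korean attacks, the 2014
# utility attack and the Sony attack. Each wiper repeats its string across the sector.
KNOWN_FILLS = {
    "Who Am I?": b"Who Am I?",
    "PRINCPES": b"PRINCPES",
    "PR!NCPES": b"PR!NCPES",
    "HASTATI": b"HASTATI",
    "0xAAAAAAAA": b"\xaa\xaa\xaa\xaa",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a sector tiled with one short string scores very low."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeating_period(data: bytes, max_period: int = 64):
    """Smallest p <= max_period such that data is data[:p] tiled end to end
    (a partial copy at the tail is allowed), or None if no such period exists.
    This catches any short fill string, not only the ones in KNOWN_FILLS."""
    for p in range(1, max_period + 1):
        unit = data[:p]
        if all(data[i:i + p] == unit[:len(data) - i] for i in range(0, len(data), p)):
            return p
    return None


def triage_mbr(sector: bytes) -> dict:
    """Classify one raw 512-byte boot sector (read-only; nothing is written)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    result = {
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "entropy": round(shannon_entropy(sector), 2),
        "period": repeating_period(sector),
        "known_fill": None,
    }
    for name, pat in KNOWN_FILLS.items():
        # non-overlapping count; >= 90 % coverage means the sector is tiled with it
        if sector.count(pat) * len(pat) >= 0.9 * SECTOR_SIZE:
            result["known_fill"] = name
            break
    if result["known_fill"]:
        result["verdict"] = f"wiped: tiled with known fill {result['known_fill']!r}"
    elif result["period"] is not None:
        result["verdict"] = f"wiped or blank: tiled with a {result['period']}-byte pattern"
    elif not result["signature_ok"]:
        result["verdict"] = "corrupt: boot signature 0x55AA missing"
    else:
        result["verdict"] = "structurally intact"
    return result


def tile(pattern: bytes) -> bytes:
    """Constructed sample: repeat a fill string to exactly one sector."""
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]


def intact_sample() -> bytes:
    """Constructed sample of a structurally valid MBR: 446 bytes of filler
    'code', one partition entry, three empty entries, boot signature."""
    code = (b"\xeb\x63\x90" + bytes(range(256)) * 2)[:446]
    entry = b"\x80\x01\x01\x00\x83\xfe\xff\xff\x00\x08\x00\x00\x00\xd0\x0f\x00"
    return code + entry + bytes(48) + BOOT_SIGNATURE


if __name__ == "__main__":
    samples = [
        ("intact", intact_sample()),
        ("who-am-i", tile(b"Who Am I?")),
        ("sony-style", tile(b"\xaa" * 4)),
        ("unknown fill", tile(b"WIPED")),  # constructed string, not from the article
    ]
    for label, sec in samples:
        r = triage_mbr(sec)
        print(f"{label:12} entropy={r['entropy']:<5} {r['verdict']}")
```

The period check matters more than the string list: a later wiper will use a different string, but a sector tiled with anything short still has a tiny repeating period and near-zero entropy, which a baseline copy of the real MBR (taken while the host is known-good) lets you confirm with a straight byte comparison.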

The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.

North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.

“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”

“These attacks highlight our findings about the destructive, MBR-wiping malware that appears to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”


Brian Prince is a Contributing Writer for SecurityWeek.


US Lawmakers Say Snowden Was ‘Helped’ by Foreign Power

Posted on January 20, 2014 by in Security

WASHINGTON – Edward Snowden may have acted in concert with a foreign power in exposing US surveillance programs, two Republican lawmakers suggested Sunday.

“I think there are some interesting questions we have to answer that certainly would lend one to believe that the Russians had at least in some part something to do” with the affair, House Intelligence Committee chairman Mike Rogers told CBS’s “Face the Nation.”

Rogers, a Republican, said “everything from how he prepared to leave, his route of departure and how he quickly ended up in Moscow” put Snowden’s ties at question.

[Photo caption: Fugitive NSA Leaker Edward Snowden]

The “vast majority” of the information leaked by Snowden, Rogers said “had nothing to do with the NSA program and everything to do with our military capabilities, army, navy, air force, marines.”

Rogers, appearing in a second interview on NBC’s “Meet the Press,” said he didn’t think “it was a gee-whiz luck event that he ended up in Moscow under the handling of the FSB” state security agency in Russia.

Michael McCaul, chairman of the House Homeland Security Committee, told ABC’s “This Week” that he didn’t believe “Mr Snowden was capable of doing everything himself.

“I believe he was helped by others,” the congressman said in an interview from Moscow.

McCaul, a Republican, said he could not say “definitively” that Russia was involved, “but I believe he was cultivated.”

US President Barack Obama curtailed the reach of massive US National Security Agency phone surveillance sweeps Friday, in a long-awaited speech designed to quell a furor over the programs exposed by Snowden.

The president, however, also said bulk data collection must go on to protect America from terrorists.

© AFP 2013
