South Korean Malware Infects, Wipes MBR


South Korean company NSHC has released more information about the software tools used in the March 20, 2013 attacks against banking systems and media in South Korea. The computer networks of three broadcasters and two banks froze at around 14:00 local time. Shinhan said its ATMs, payment terminals and mobile banking in the South were affected.

On infected Windows computers, the MBR and VBR boot records were erased. On servers running Unix/Linux, files were deleted via standard remote management, after authorization data had been obtained from infected Windows machines.

This sophisticated malware checks the system for the presence of security software such as AhnLab Policy Agent or Hauri ViRobot, and then tries to kill their running services. When this is done, it overwrites the MBR data and shuts down the system.

Everything is automated, and the end result is an unbootable system. The available information therefore indicates that the malware's objective is simply to destroy production systems, which can be an effective way to take an enemy's computer resources out of service.
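A defender-side check for the damage described above, as an added example that is not from the NSHC report or the original post: it inspects sector 0 of a disk image and reports whether it still looks like a valid MBR. The function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512

def inspect_mbr(sector: bytes) -> list:
    """Return findings for sector 0; an empty list means it still looks like an MBR."""
    if len(sector) < SECTOR:
        return ["short read: need 512 bytes"]
    sector, findings = sector[:SECTOR], []
    # The boot signature 0x55 0xAA sits in the last two bytes of the sector.
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    # One short pattern repeated end to end is fill data, not boot code.
    for period in (1, 2, 4, 8, 16):
        if sector == sector[:period] * (SECTOR // period):
            findings.append(f"sector is a repeating {period}-byte pattern")
            break
    # Four 16-byte partition entries start at offset 446.
    used = 0
    for i in range(4):
        entry = sector[446 + 16 * i : 462 + 16 * i]
        if entry == bytes(16):
            continue  # unused slot
        used += 1
        status, ptype = entry[0], entry[4]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
        if ptype == 0 or lba_start == 0 or n_sectors == 0:
            findings.append(f"partition {i}: inconsistent type/start/size")
    if used == 0:
        findings.append("partition table is empty")
    return findings

def sample_healthy_mbr() -> bytes:
    """Constructed sample: filler boot code, one active NTFS-type entry, signature."""
    boot_code = bytes(range(256)) + bytes(range(190))  # 446 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    for name, data in [("healthy", sample_healthy_mbr()),
                       ("zeroed", bytes(SECTOR)),          # constructed
                       ("pattern", b"ABCD" * 128)]:        # constructed
        print(name, inspect_mbr(data) or "looks like a valid MBR")
```

Feed it the first 512 bytes of a disk image taken from a rescue environment; any finding means the boot record should be restored from backup before the machine is rebooted.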

Major security software usually provides a way to prevent the antimalware product from being disabled locally. This is very important, because it keeps malware from killing the security service and protects local users, so do not hesitate to enable this functionality.

Also, as always, make sure to keep your security software definitions updated so that you are protected against new malware.

You can find the NSHC report at the following link: http://training.nshc.net/KOR/Document/virus/5-20130322_320CyberTerrorIncidentResponseReportbyRedAlert.pdf
