New disk wiper malware linked to attacks in South Korea, researchers say

The malware is similar to the one used against South Korean banks and TV broadcasters in March, Symantec researchers said

By Lucian Constantin, IDG News Service |  Security

A new piece of malware designed to delete files from hard disk drives and render computers unable to boot targets South Korean users, according to researchers from security firm Symantec.

The malware is similar to the Jokra Trojan program that was used in March to wipe the hard drives of computers belonging to several banks and TV broadcasters in South Korea, leading to significant disruptions of their operations.

The attack in March was attributed by security experts to a hacker gang called "DarkSeoul" that's also believed to be responsible for the distributed denial-of-service attacks from Tuesday against South Korean websites, including that of South Korean President Park Guen-hye.

The new hard-drive wiper malware is called Trojan.Korhigh and was found by Symantec researchers during their investigations into cyberattacks in South Korea. "Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable," the Symantec researchers said Thursday in a blog post.

The Master Boot Record (MBR) resides at the beginning of a storage drive and contains information about how that drive is partitioned. It also includes boot code that runs before the operating system starts. If the MBR is missing, a computer will no longer be able to load the operating system.

In addition to overwriting the MBR on compromised computers, the Korhigh Trojan program can also wipe files with specific extensions, including executable files, libraries, Web pages, videos and images.

The malware can also be instructed to change the user passwords on the infected computers to highanon2013 and to replace the desktop wallpaper with an image that mentions a group called High Anonymous.

Korhigh gathers information such as the operating system version, the computer's name and the current date from infected computers and uploads the data to remote servers, the Symantec researchers said.

South Korean officials frequently blame North Korean hackers for cyberattacks against local organizations and websites. However, there is also technical evidence linking some computer attacks in South Korea to Chinese-speaking hacker groups.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness