South Korean Malware Infects, Wipes MBR

South Korean company NSHC has released more information about the software tools used in the March 20, 2013 attacks against banking systems and media in South Korea. The computer networks of three broadcasters and two banks froze at around 14:00 local time. Shinhan said its ATMs, payment terminals and mobile banking in the South were affected.

On infected Windows computers the malware erased the MBR and VBR boot records. On servers running Unix/Linux, files were deleted through standard remote management, using authorization data obtained from the infected Windows machines.

This sophisticated malware checks the system for security software such as AhnLab Policy Agent or Hauri ViRobot and then tries to kill their running services. Once this is done, it overwrites the MBR data and shuts down the system.

Everything is automated, and the end result is an unbootable system. The available information therefore suggests that the malware's objective is simply to destroy production systems, and that it can be an effective way to take an enemy's computer resources out of service.
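For triage after an incident of this kind, the sketch below checks whether sector 0 of a disk image still looks like a valid MBR. It is an added example, not code from the NSHC report or the original post; the function names, the byte-diversity threshold and the sample sectors are assumptions constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here


def parse_partitions(sector):
    """Return non-empty partition entries (status, CHS, type, CHS, LBA, count)."""
    entries = []
    for i, (status, ptype, lba, count) in enumerate(
            struct.iter_unpack("<B3xB3xII", sector[PART_TABLE_OFFSET:510])):
        if ptype != 0:
            entries.append({"index": i, "status": status, "lba": lba, "count": count})
    return entries


def triage_mbr(sector):
    """Classify sector 0 of a disk image as 'ok' or 'damaged', with reasons."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("no partition entries")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte" % p["index"])
        if p["lba"] == 0 or p["count"] == 0:
            findings.append("entry %d: zero start or size" % p["index"])
    # Real boot code uses many byte values; a fill pattern uses very few.
    if len(set(sector)) <= 16:  # threshold is an assumption for this sketch
        findings.append("low byte diversity, sector looks overwritten")
    return ("damaged" if findings else "ok"), findings


def build_sample_mbr():
    """Constructed healthy sector: stand-in boot code plus one active partition."""
    boot_code = bytes(range(256)) + bytes(190)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE


if __name__ == "__main__":
    # The repeated string is a constructed fill, not the bytes the malware wrote.
    for sector in (build_sample_mbr(), bytes(SECTOR_SIZE), b"WIPED!!!" * 64):
        print(triage_mbr(sector))
```

To use it on real evidence, pass the first 512 bytes of a forensic image opened read-only in binary mode.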

Major security software usually provides a way to prevent the antimalware from being disabled locally. This is very important, because it makes it impossible for malware to kill the security service and so protects local users. Do not hesitate to enable this functionality.

Also, as always, make sure to keep your security software definitions updated so that you are protected against any new malware.

You can find the NSHC report by following this link:

1 Comment

[…] NSHC, a South Korean-owned company, released information about the software tools used in the attack of 20 March 2013. The attack was launched against banking systems and media in South Korea. The computer networks of three broadcasters and two banks were left helpless at 14:00 local time. Shinhan said that its ATMs, payment terminals and mobile banking were affected by the attack. […]