Christy Chung Fortinet
Kyle Yang Fortinet
In the past four years, South Korea has been hit by several major cyber attacks. In July 2009, a DDoS and disk-wiping attack was launched against South Korean and US government and financial websites; on the infected machines, the hard drive was overwritten with the string 'Memory of the Independence Day'. On 4 March 2011, South Korean and US government websites faced another DDoS attack, and this time the hard drives of banks and broadcasters in South Korea were overwritten. On 25 June 2013, certain government and news websites in South Korea came under a third major DDoS attack, caused by a DDoS attack on two major DNS servers (ns.gcc.go.kr and ns2.gcc.go.kr). The infection chain in this incident began with the auto-update installer SimDisk_setup.exe, downloaded from the SimDisk website. That website had been compromised to serve an infected installer named SimDiskup.exe, which connected to a malicious remote website and downloaded a further malicious file, c.jpg. The c.jpg malware connected to the Tor network and took its name from a process already running on the system. It then used Tor to download another malicious file, packed with Themida, which was the final DDoS payload. All of these attacks on South Korean government websites had a similar ending: the contents of the hard drives were wiped out.
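The one concrete forensic artefact the abstract names is the overwrite string left on disk in 2009. The following is an added example (not the presenters' tooling and not code from the original page) of how a responder can triage a raw disk image for that marker: it walks the image sector by sector, counts copies of the string in each sector and distinguishes a sector that is fully tiled with it (wiped) from a sector that merely contains one copy (for example, the string sitting inside a dropper or a document). The 512-byte sector size and the four-sector sample image are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512  # assumed sector size; adjust for the image being examined
# The overwrite string the 2009 incident left on disk, as quoted in the abstract.
WIPER_MARKER = b"Memory of the Independence Day"


@dataclass
class SectorHit:
    index: int          # sector number within the image
    occurrences: int    # non-overlapping copies of the marker in the sector
    tiled: bool         # True when the sector is the marker repeated end to end


def is_tiled_with(sector: bytes, marker: bytes) -> bool:
    """True if the sector consists of the marker repeated back to back.
    A partial trailing copy is accepted, as a tiling loop would leave one
    when the sector size is not a multiple of the marker length."""
    n = len(marker)
    for off in range(0, len(sector), n):
        chunk = sector[off:off + n]
        if chunk != marker[:len(chunk)]:
            return False
    return True


def scan_image(data: bytes, marker: bytes = WIPER_MARKER,
               sector_size: int = SECTOR_SIZE) -> List[SectorHit]:
    """Report every sector containing the marker at least once and note
    whether the whole sector has been overwritten with it."""
    hits = []
    for off in range(0, len(data), sector_size):
        sector = data[off:off + sector_size]
        count = sector.count(marker)
        if count:
            hits.append(SectorHit(off // sector_size, count,
                                  is_tiled_with(sector, marker)))
    return hits


def wiped_fraction(data: bytes, marker: bytes = WIPER_MARKER,
                   sector_size: int = SECTOR_SIZE) -> float:
    """Share of sectors that are fully tiled with the marker."""
    total = -(-len(data) // sector_size)  # ceiling division
    tiled = sum(1 for h in scan_image(data, marker, sector_size) if h.tiled)
    return tiled / total if total else 0.0


def build_sample_image() -> bytes:
    """Constructed four-sector image for the demonstration: an untouched
    boot-sector-like sector, a fully wiped sector, a sector with a single
    stray copy of the marker, and an all-zero sector."""
    boot = b"\x33\xc0\x8e\xd0" + b"\x00" * (SECTOR_SIZE - 6) + b"\x55\xaa"
    wiped = (WIPER_MARKER * (SECTOR_SIZE // len(WIPER_MARKER) + 1))[:SECTOR_SIZE]
    stray = b"A" * 100 + WIPER_MARKER
    stray += b"B" * (SECTOR_SIZE - len(stray))
    zeros = b"\x00" * SECTOR_SIZE
    return boot + wiped + stray + zeros


if __name__ == "__main__":
    image = build_sample_image()
    for hit in scan_image(image):
        state = "WIPED" if hit.tiled else "contains marker"
        print(f"sector {hit.index}: {hit.occurrences} copies, {state}")
    print(f"wiped sectors: {wiped_fraction(image):.0%}")
```

On a real image, feed `scan_image` the bytes read from the device or image file in large chunks aligned to the sector size; the tiled/non-tiled distinction matters because a single copy of the string inside a sample or a cached download is evidence of the malware's presence, whereas a run of tiled sectors is evidence that the wiper actually executed.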
This devastating behaviour raises numerous questions: Why did the attackers want to wipe out the whole disk? Were they trying to destroy evidence that they had left on the compromised computers? What were the true purposes of these attacks? Where did the attacks come from? Are there any connections between the attacks? This presentation dissects the most recent DDoS and wipe-out attack in South Korea, and answers to these questions will emerge from that analysis.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.