Three banks and three broadcast networks in South Korea were hit Wednesday by a virus that froze their computers and shut down a related website.
Seoul is looking into the attacks, but has declined to blame North Korea until investigations prove otherwise. It has boosted vigilance in the public and private sector, as well as in the military, against possible future cyberattacks.
Symantec identified the malware as Trojan.Jokra and WS.Reputation.1. It said the malware wipes the hard disks of infected computers and reboots them, rendering them unusable.
“This particular attack … checks for Korean antivirus products in the code, so it was clearly written with Korea in mind and was certainly targeted at Korea,” Liam O’Murchu, manager of operations at Symantec Security Response, told TechNewsWorld.
The Hack’s Impact
The attack was first noticed when customers of several banks couldn’t access their online accounts, Symantec said. Reports soon trickled in that other sites had been affected.
A Korean Internet service provider had its website defaced; it displayed an animated Web page with sound effects, three skulls, and a message from the Whois team, which claimed they were the attackers, Symantec said.
Shinhan Bank, South Korea’s fourth-largest lender, reportedly had its Internet banking servers temporarily blocked, but service was later restored. Operations at two other banks, NongHyup and Jeju, were apparently paralyzed after their computers’ files were erased by the virus. They reportedly restored normal service two hours later.
A fourth bank, Woori, apparently was also attacked, but did not suffer any damage.
South Korea’s two leading TV stations, KBS and MBC, continued broadcasting although their computers were reportedly frozen by the malware. The cable channel YTN also reported computer problems.
KBS, which is partly funded by the South Korean government, apparently had its website shut down by the malware.
Inside the Malware
Symantec said the Trojan.Jokra malware kills two processes relating to Korean antivirus product vendors. The malware enumerates all drives and begins to overwrite the master boot record and any data stored on it. This wipes the hard drive’s content.
The malware then forces the computer to reboot. This will render the computer unusable as the master boot record and the contents of the drive are missing.
“We’re not sure how the targets were chosen or if the malware was just generally being spread to targets in Korea,” O’Murchu said. “There is no information being stolen, and the real benefit is to be destructive and to take computers offline.”
However, the impact of the malware can be reduced if IT has implemented good practices, said Randy Abrams, a research director at NSS Labs.
“In organizations with good backup routines, this is a pretty big nuisance, not really a catastrophe,” Abrams told TechNewsWorld. “This is minor compared to the SQL Slammer worm that pretty much isolated Korea from the rest of the Internet in a very short period of time.”
That attack occurred in 2003.
“Cyber attacks are the new normal, and people have to come up to speed to protect themselves,” Marty Meyer, president of Corero Network Security, told TechNewsWorld. The attackers “have just shown the world that today’s organizations are not prepared for (cyberattacks).”
The current security infrastructure for the U.S. “won’t cut it, and that’s a hard lesson people will have to learn,” Meyer said.
Much of the critical infrastructure in the U.S. relies on supervisory control and data acquisition (SCADA) systems, which “are 20 years out of date from firewalls and are even more susceptible than bank networks,” he noted. “It’s time for organizations, whether commercial, federal or municipal, to catch up.”