Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed “DarkSeoul” against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.
Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to “highanon2013” or executing specific wipe instructions related to the following file types:
asp
aspx
avi
bmp
dll
do
exe
flv
gif
htm
html
jpeg
jpg
jsp
mp4
mpeg
mpg
nms
ocx
php
php3
png
sys
wmv
The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.
Figure. Trojan.Korhigh wallpaper
The threat may also attempt to gather system information about the compromised machine (operating system version, computer name, current date) which it sends to the following IP addresses:
112.217.190.218:8080
210.127.39.29:80
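A defender can sweep outbound connection logs for the two endpoints listed above. The following is an added example, not code from the original post; the CSV log format (timestamp, source, destination, port, action), the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Endpoints the post lists as receiving the collected system information.
KORHIGH_ENDPOINTS = {("112.217.190.218", 8080), ("210.127.39.29", 80)}
KORHIGH_IPS = {ip for ip, _ in KORHIGH_ENDPOINTS}

# Constructed sample log; assumed format: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2013-06-27T09:14:02,10.0.4.17,112.217.190.218,8080,allow
2013-06-27T09:14:05,10.0.4.17,198.51.100.20,443,allow
2013-06-27T09:20:41,10.0.7.52,210.127.39.29,80,deny
2013-06-27T09:31:10,10.0.4.17,112.217.190.218,8080,allow
2013-06-27T09:33:27,10.0.9.8,210.127.39.29,443,allow
not,a,valid,row
"""

def find_korhigh_contacts(log_text):
    """Return {src_ip: summary} for internal hosts that contacted a listed address."""
    hits = defaultdict(lambda: {"exact": 0, "ip_only": 0, "first": None,
                                "last": None, "allowed": False})
    for row in csv.reader(io.StringIO(log_text)):
        row = [field.strip() for field in row]
        if len(row) != 5 or not row[3].isdigit():
            continue  # skip malformed lines instead of aborting the sweep
        ts, src, dst, port, action = row
        if dst not in KORHIGH_IPS:
            continue
        entry = hits[src]
        # Exact ip:port is a high-confidence match; same IP on another port is a weaker lead.
        entry["exact" if (dst, int(port)) in KORHIGH_ENDPOINTS else "ip_only"] += 1
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
        entry["allowed"] = entry["allowed"] or action.lower() == "allow"
    return dict(hits)

def triage(hits):
    """Order hosts for response: allowed exact matches first (data may have left them)."""
    return sorted(hits, key=lambda h: (not (hits[h]["allowed"] and hits[h]["exact"]),
                                       -hits[h]["exact"], h))

if __name__ == "__main__":
    found = find_korhigh_contacts(SAMPLE_LOG)
    for host in triage(found):
        print(host, found[host])
```

Hosts at the top of the triage order completed a connection to a listed endpoint and should be isolated and imaged before a wipe routine can run.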
Symantec is continuing its analysis of this threat and is monitoring ongoing attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.
Last week a purple unicorn (a stuffed one, not a real one) generated some confusion at a border station in Turkey. According to this article, a family, including their nine-year-old daughter, travelling across the Turkish border accidentally used the stuffed unicorn’s toy passport instead of the daughter’s real passport. The officer checked the passport, officially stamped it, and then let them through. At this point, the story deviates based on the source. Immigration said that the officer just wanted to be kind to the girl and forgot to stamp the real passport too. The family reports that there was no hesitation and that their daughter may just have slipped through.
This story serves as a good reminder that security measures are only as good as their implementation. From cryptographic functions implemented with static initialization vectors, to passwords that are derived from public MAC addresses, to Web applications with poor session management that can be bypassed by calling the API directly, there are many examples throughout history of secure technology that actually had large, gaping security holes once it had been implemented. These examples do not even consider products that are implemented properly but are not configured correctly, or are not suitably integrated into the process, so that the log files are never read.
If you are implementing security functions, ensure that you do it properly. Follow coding standards and play the attack scenario through. If you install security products, make sure that you configure them to your needs. Take note: if you do not pay attention to the details, you might be overrun by purple unicorns.