Korean DDoS bots "will wipe PCs" today

The bots running the recent Korean DDoS attacks are predicted to wipe their host PCs' hard drives today. In IT Blogwatch, bloggers and Slashdotters point fingers.

By Richi Jennings: your humble blogwatcher, who selected these bloggy morsels for your enjoyment. Not to mention an Easter egg in Donkey Kong undiscovered for 25 years...

Martyn Williams brings us up to speed:

They say what goes around comes around and on Friday owners of bot-infested PCs in South Korea will discover that's true. The owners of tens of thousands of bot-infested PCs in the country -- who've resisted calls all week to update or install anti-virus software -- will likely switch on their PCs on Friday to find their data gone

The virus, which has been attacking prominent U.S. and South Korean government and commercial Web sites all week, has been programmed to encrypt user data or reformat the hard drive of the PC. ... Little is known about the person or persons controlling the virus although computer security experts say the attack itself is not particularly sophisticated.

The attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive. ... The malware that powers this attack -- a version of the Mydoom worm -- is designed to download ... a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over every sector of every physical drive.

Between 60,000 and 100,000 systems may be infected with this potentially suicidal malware. ... Windows users running current anti-virus software and being careful not to download and run e-mail attachments from random sources almost certainly have little to fear from this attacker. Mydoom is a well-known piece of malware that first surfaced in January 2004.

Immostlyharmless is actually quite pleased:

You have to imagine if these computers are all infected with this one trojan, they are probably infected with god only knows how much other spyware, malware, backdoors, and spambots. This might just be a GOOD thing; when these compromised twits wake up to a completely wiped drive, it might be the thing that drives them to read up on computer security a little bit, perhaps switch to a more secure browser, buy a router with a hardware firewall, etc.

evilviper smells a conspiracy:

It CLEARLY is a plot. It should be pretty obvious to everyone... It was designed to attack less important government websites, while keeping collateral damage to a minimum... No attempts on the power grid, FAA, etc., and no private companies affected.

Plus, it launched on July 4th, not a particularly significant day for North Koreans. ... And now, it's doing exactly what good worms NEVER do... Killing their hosts, and themselves, suddenly, flagrantly, and unnecessarily. ... It seems pretty damn likely it was ... some misguided white-hat who thinks drawing attention and causing a small bit of undeniable pain is the only way to make things get better. Frankly, it sounds like the ideal NSA fund raiser.

But this S. Korean Anonymous Coward doesn't like that thought:

In fact the S. Korean government is publicly saying that North Korea is suspected, along with some "pro-North" factions in South Korea. Or, in terms you are more familiar with: "OMG! TEH TERRORISTS! WHERE IS NATIONAL SECURITY?"

This will be an opportunity for the current government to distract people from their having put our nation into a pile of horse****, and to round up some anti-government people for being "pro-North" and "hating freedom." Well, yes, *some* of them may be crazy enough to be pro-North, but many will be just innocent citizens who just can't stand any more **** from our current president. Sounds familiar?

But why 'U'? broken_chaos knows:

I wouldn't expect either of the linked articles to know binary. It probably is "U", meaning just a repeating 010101010101010101........ Makes the most sense given the structure of hard drives and the fact that a repeated sequence of "u" after "memory of the independence day" (assuming that comma is also not part of it) makes no sense from any point of view.
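The overwrite pattern the quoted posts describe (a short marker string, then a single byte repeated to the end of the drive) is exactly the kind of signature a forensic triage script looks for on a recovered disk image. What follows is an added example, not code from the article, from Computerworld, or from any of the quoted posters: it builds a constructed miniature image in that shape and scans an image sector by sector for it. The marker text and the two candidate fill bytes ('u' = 0x75 and 'U' = 0x55) come from the posts above; the image size, the 512-byte sector size and all function names are assumptions made for this example.

```python
"""Added example, not from the original article or any quoted poster.

Builds a constructed miniature 'disk image' in the shape the posts describe
(marker string, then one fill byte repeated to the end) and triages an image
for that signature.  Marker text and the candidate fill bytes are as quoted;
image size, sector size and function names are assumptions for this example.
"""

SECTOR_SIZE = 512                                   # assumed sector size
MARKER = b"memory of the independence day,"         # wording as quoted


def bit_pattern(byte_value: int) -> str:
    """8-bit binary string of a byte, e.g. 0x55 ('U') -> '01010101'."""
    return format(byte_value & 0xFF, "08b")


def build_wipe_image(total_bytes: int, fill: int) -> bytes:
    """Constructed image: MARKER at offset 0, then `fill` repeated to the end."""
    if total_bytes < len(MARKER):
        raise ValueError("image too small to hold the marker")
    return MARKER + bytes([fill]) * (total_bytes - len(MARKER))


def scan_for_wipe(image: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Triage an image: is the marker present, which byte follows it, and
    what fraction of the whole sectors after sector 0 consist only of that byte.

    The fill byte is not hard-coded: whatever follows the marker is taken as
    the fill, so the check works for 'u', 'U' or any other single byte.
    """
    result = {"marker_found": False, "fill_byte": None, "filled_sector_ratio": 0.0}
    if not image.startswith(MARKER):
        return result
    result["marker_found"] = True
    rest = image[len(MARKER):]
    if not rest:
        return result                               # marker only, nothing after it
    fill = rest[0]
    result["fill_byte"] = fill
    n_sectors = len(image) // sector_size
    if n_sectors < 2:
        return result                               # sector 0 holds the marker; nothing to compare
    filled_sector = bytes([fill]) * sector_size
    filled = sum(
        1 for i in range(1, n_sectors)
        if image[i * sector_size:(i + 1) * sector_size] == filled_sector
    )
    result["filled_sector_ratio"] = filled / (n_sectors - 1)
    return result


if __name__ == "__main__":
    # Why the posters argue about case: only 0x55 is the alternating pattern.
    for ch in ("u", "U"):
        print(f"{ch!r} = 0x{ord(ch):02X} = {bit_pattern(ord(ch))}")
    # Constructed 4 KiB images: one fully overwritten, one where the wipe stopped halfway.
    print(scan_for_wipe(build_wipe_image(4096, ord("U"))))
    print(scan_for_wipe(build_wipe_image(2048, ord("u")) + bytes(2048)))
```

On a real image you would read the raw device or E01-exported image in sector-sized chunks rather than loading it all into memory, but the logic is the same: confirm the marker at offset 0, then measure how far the repeated fill byte extends, which tells you whether the wipe ran to completion or was interrupted (a partially filled ratio means later sectors may still be recoverable).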

So what's your take?


Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.

Copyright © 2009 IDG Communications, Inc.
