    On March 20, several attacks hit various South Korean government agencies and corporations, resulting in major disruptions to their operations. The incident started when several of their computer screens went black, while others were showing images of a skull and a “warning”.

    However, Trend Micro was able to protect our enterprise users in Korea against this threat. We have identified two separate scenarios related to this event, and describe below how our solutions averted the threat and can help customers prevent it.

    Two of our threat discovery solutions – Deep Discovery Inspector and Deep Discovery Advisor – heuristically detected and reported malicious traffic and messages sent to two Trend Micro customers, which we later determined to be related to this attack. Because our solutions detected the attack, customers received actionable intelligence (such as the malware’s dropped files and malicious URLs) that enabled them to take appropriate action and mitigate the risk. Our threat discovery solutions detect this threat as HEUR_NAMETRICK.B in ATSE 9.740.1012.

    In a different scenario, we acquired several samples (detected as TROJ_KILLMBR.SM) which we believe were responsible for the reported blank computer screens at certain South Korean entities. In normal usage, the Master Boot Record (MBR) contains information necessary for any operating system to boot correctly. This malware overwrites the MBR with a repeated series of the words HASTATI. and PRINCPES., then automatically restarts the system. Because the MBR has been damaged, the system is unable to boot after the restart.
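    The following is an added forensic triage example, not code from the original post or from Trend Micro: it reads one 512-byte MBR sector, checks the 0x55AA boot signature and the four partition entries, and counts the HASTATI. and PRINCPES. marker strings the post describes. The byte layout of the markers on disk and the sample sectors are constructed assumptions for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
# Marker strings reported in the post; their exact on-disk layout is an assumption.
WIPER_MARKERS = (b"HASTATI.", b"PRINCPES.")

def parse_partitions(sector: bytes) -> list:
    """Decode the four 16-byte primary partition entries at offset 446."""
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def triage_mbr(sector: bytes) -> dict:
    """Classify a sector as intact, damaged, or wiped with the known marker strings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    has_sig = sector[510:512] == BOOT_SIGNATURE
    markers = {m.decode(): sector.count(m) for m in WIPER_MARKERS}
    usable = [p for p in parse_partitions(sector) if p["type"] != 0 and p["sectors"] > 0]
    if any(markers.values()):
        verdict = "wiped (marker strings present)"
    elif not has_sig or not usable:
        verdict = "damaged (no boot signature or no valid partitions)"
    else:
        verdict = "intact"
    return {"boot_signature": has_sig, "markers": markers,
            "valid_partitions": len(usable), "verdict": verdict}

def read_mbr(image_path: str) -> bytes:
    """Read the first sector of a raw disk image (hypothetical path supplied by the caller)."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)

def sample_intact_mbr() -> bytes:
    """Constructed healthy MBR: short boot stub, one bootable NTFS partition, 55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\x33\xC0\x8E\xD0"   # illustrative boot-code prologue
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def sample_wiped_mbr() -> bytes:
    """Constructed sector filled with the repeated marker strings, as the post describes."""
    pattern = b"".join(WIPER_MARKERS)
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]
```

Run `triage_mbr(read_mbr("disk.img"))` against a forensic image to get the same verdict dictionary for a real first sector.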

    Though this routine of targeting the MBR is not new (it is not unusual in ransomware, which locks systems until users pay cybercrime gangs), damaging the MBR makes system cleanup more difficult and time consuming.

    Other attacks have also hit South Korean targets at this time. The website of a major electronics conglomerate was defaced. In addition, the websites of several banks may have been compromised and exploits used to plant backdoors on the systems of visitors. At this point, there is no evidence that these attacks were coordinated or connected in any manner; the timing may have been purely coincidental or opportunistic.

    In addition, the malicious files involved in the attacks above are detected by other Trend Micro products and solutions using Official Pattern Release 9.801.00 or later. Our investigation into these attacks is still in progress, and we will release more details at a later time as necessary.


    • MKSZ

      Looks like North Korea just declared a “State of War” with South Korea. Guess the cyber attacks were linked to this.

    • dianeh

      My computer was hit with the “department of homeland security” virus on 3/20. The screen went black and contained only a message from department of homeland security to send money. Is it related? Titanium Anti-virus seems to be protecting against the threat (TROJ_SIREFEF.ACY) because I can gain control over the computer, but the dohs page still opens when I boot up the computer, though not full screen; it can be closed via the task bar at the bottom of the screen. How can I completely get rid of this, since it seems to be contained, but not removed by Titanium Anti-virus?

      • TrendLabs

        Hi dianeh, our technical support team will contact you directly (via email) about this concern.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice