On Wednesday, South Korea’s government said a malicious code from unknown hackers caused “massive” computer network failures at several banks, the police and TV stations. ATM machines ceased to function. The South Koreans seemed fairly quick to blame it all on the nasty people from the North.
This morning I woke up to the news that the attacks originated from an IP address in China; “apparently” it’s a favourite tactic of the North Koreans to work indirectly through Chinese IP addresses to cover their tracks.
The whole story is starting to pong.
Facts are scarce, but the suspicion is that that this malware was distributed by email in the traditional manner, using files called ‘KBS.EXE’ and ‘MBC.EXE’ (Page in Korean but you can get Google to translate). This doesn’t sound like a targeted attack on critical infrastructure, it sounds like a standard malware delivery to PCs. It’s claimed that the malware activated on Wednesday and wiped the hard disks, displayed skulls and so on. It possible, but another explanation is that malware often attempts to install itself on the boot partition and sometimes goes wrong, leading the luser to believe the disk has been maliciously wiped when in fact it’s just been made inaccessible accidentally, and it won’t boot. The synchronised timing could be accounted for by a botnet software upgrade that didn’t work as expected.
Now let’s consider the “plot”: To knock out critical South Korean infrastructure. If you wished to disrupt the Internet, that’s what you’d have to attack; not the endpoint PCs. Attacking PCs simply inconveniences individual users rather than taking down an organisation. The suggestion that an email virus could take down the ATM network is, frankly, ridiculous. How do you kill an ATM machine by emailing it? Or the bank’s mainframe? If there was ATM disruption, it could have been a side-effect of botnet traffic gone wild, but to say it was targeting the ATM network needs evidence to back it up before I’d take it remotely seriously. A DDoS attack may be possible if it’s not isolated from the Internet, but if that were true they were being very lax about things, and reports are talking about PC malware, NOT a DDoS attack.
And what of the attacking IP address traced back to China? No surprise there. China is botnet central. To be blunt, a lot of the software used on private computers in China is bootleg, which means it’s either supplied with botnet software pre-loaded, or isn’t able to receive security updates from Microsoft making it easy prey. It’s no coincidence that the incidence of zombie computers is higher in countries where interlectual property rights are less vigorously enforced, and that part of the world is a case in point. So, whilst it’s true that North Koreans would use botnets based in China, it also a meaningless statement. Everyone uses botnets based in China and the Far East.
Reports could be wrong, of course. This could be a DDoS attack against the South Korean Internet in general, and specific high profile targets. However, this does not square with the malware reports of computers not booting, and “skulls appearing on screens”.
The whole thing pongs. Here’s my theory: Social engineering emails were used to distribute malware in South Korea. Because the criminals were using emails in Korean, only Korea was affected. Either maliciously, or more likely through incompetence, the malware tried to install some botnet software and broke a number of PCs. The news media in Korea has been quick to blame this on a sinister North Korean plot, and the world’s media has picked this up as a story without enough people sanity-checking the whole scenario.