Overwrites the hard disk master boot record and encrypts personal files

Jul 13, 2009 10:56 GMT

The malware responsible for the recent denial of service attacks against many U.S. and South Korean government and commercial websites has received an update that damages the computers it infected. Starting on July 10, the worm began to rewrite the hard disks' Master Boot Records (MBR), leaving the zombie computers unbootable.

Last week, we reported that serious distributed denial of service (DDoS) attacks had affected the stability of many websites operated by large organizations or by the governments of the United States and South Korea. Experts later concluded that a botnet of over 60,000 computers, infected with an updated Mydoom variant, had been used to launch the attacks.

Security researchers from FireEye warn that, even though the DDoS has stopped, the impact of this malware might prove to be a lot bigger. This is because the as-yet-unidentified authors of this worm have suddenly decided to also destroy the compromised computers.

Everything started with a DDoS component being shipped to computers infected with a particular strain of Mydoom, a worm dating back to the beginning of 2004. The attackers planned for the DDoS to start on July 4 (Independence Day) and to end on July 10.

The worm drops a file called mstimer.dll and loads it as a Windows service named "MS Timer Service." The purpose of this component is to check the date and, if it is July 10, to execute yet another file, called wversion.exe.

Originally, wversion.exe contained instructions to uninstall the timer service, suggesting that its authors intended for it to self-destruct. However, Atif Mushtaq, malware researcher at FireEye, explains that another, much more destructive version of wversion.exe was deployed shortly before July 10.

The new version features a three-step plan to destroy data on the infected computers. First, it rewrites the first 512 bytes of every hard disk in the system, not only the one the machine boots from. The first 512 bytes of a hard disk hold the Master Boot Record and Volume Boot Record, which store information about the file system and partitions. The new data written over the MBR and VBR includes a string reading "Memory of the Independence Day."
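For a responder who has imaged a suspect drive, the quickest triage for this kind of damage is to read the first sector and check whether it still looks like an MBR. The script below is an added example written for this article, not code from FireEye or from the worm: it parses a 512-byte first sector, verifies the 0x55AA boot signature at offset 510, decodes the four 16-byte partition entries at offset 446, and flags the marker string quoted above. The two sample sectors are constructed inline for demonstration (a minimal valid MBR with one NTFS-type partition and a sector filled with the marker string); the partition layout and the function names are assumptions, not values taken from the incident.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"          # expected at bytes 510-511 of a valid MBR
MARKER = b"Memory of the Independence Day"  # string reported in the overwritten sector
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample data (not captured from an infected machine).
def build_sample_mbr():
    """Build a minimal, structurally valid MBR with one bootable NTFS-type partition."""
    sector = bytearray(MBR_SIZE)
    sector[:3] = b"\xeb\x3c\x90"  # typical short-jump start of boot code
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def build_wiped_mbr():
    """Build a sector overwritten with the marker string, as the report describes."""
    return (MARKER * (MBR_SIZE // len(MARKER) + 1))[:MBR_SIZE]

def read_first_sector(path):
    """Read the first 512 bytes of a disk image or raw device (used on real evidence)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def parse_partition_table(sector):
    """Decode the four primary partition entries, skipping empty ones."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _cs, ptype, _ce, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return entries

def triage_mbr(sector):
    """Return findings for a 512-byte first sector and a one-word verdict."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (MBR_SIZE, len(sector)))
    findings = {
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "marker_found": MARKER in sector,
        "partitions": [],
    }
    if findings["marker_found"]:
        findings["verdict"] = "overwritten"      # known marker string present
    elif not findings["has_boot_signature"]:
        findings["verdict"] = "invalid"          # no 0x55AA signature: not a usable MBR
    else:
        findings["partitions"] = parse_partition_table(sector)
        # A valid signature with no partitions is also worth a closer look.
        findings["verdict"] = "intact" if findings["partitions"] else "suspicious"
    return findings

if __name__ == "__main__":
    for label, sector in (("sample MBR", build_sample_mbr()), ("wiped sector", build_wiped_mbr())):
        result = triage_mbr(sector)
        print(label, "->", result["verdict"], result["partitions"])
```

Point `read_first_sector` at a forensic image rather than a live disk; on a 2009-era Windows machine the first sector is the MBR, and even GPT disks carry a protective MBR there, so a missing signature or the marker string is a reliable first indicator before any deeper file-system examination.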

The second destructive step targets the personal files and documents stored on the hard disks. The component searches for files with one of 37 extensions, including .pdf, .doc and .ppt, and proceeds to compress and password-protect every one of them. Finally, just for an extra kick, the component overwrites the first megabyte of each drive. "It's kind of like shooting a dead body," Mr. Mushtaq notes.

On the bright side, the malware authors might have inadvertently limited the capabilities of this malware by making it dependent on runtime libraries from Microsoft Visual Studio 2005. "These libraries do not come by default with the Windows installation but might be installed by third party applications. The absence of these libraries will fail the execution of wmcfg and hence mstimer.dll and the killer component," the FireEye researcher concludes.