Digital Kinetic Attacks: Botnets Have Self Destruct Sequence

Tuesday, March 08, 2011

Infosec Island Admin


At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more down time.

These current attacks on South Korea’s systems seems to be now, more of a kinetic attack than just a straight DD0S.

Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is unless the end target of the DD0S is just that, one of more than one target?

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns. (The rest of the McAfee article HERE).

So the scenario goes like this in my head;

  • China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
  • If the systems are determined to be a threat or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This too also applies to just going after document files, this would cause damage to the collateral systems/users/groups

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected.

It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive, it is in fact just rendering it useless (potentially, unless you can re-build the MBR) as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

As you can see too, the malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but, if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data.

Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely in the post Stuxnet world, that all of the players are now thinking in much more complex terms on attacks and defenses.

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak.

You hit the NASDAQ systems with the compromise and then burn their data


Interesting times….

Cross-posted from Krypt3ia

Possibly Related Articles:
Viruses & Malware
Denial of Service malware DDoS botnet Digital Kinetic Attacks
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked