Last week's attack on banks and media organisations in South Korea featured destructive malware that overwrote data on thousands of computer hard drives, an analysis shows.
Security vendor McAfee today published its finding on the malware used to attack six banks and broadcasters in Korea, saying the Internet-borne code overwrote the master boot record data, which is the first stage of bringing up the full operating system, on hard drives in the affected organistions.
The malware also overwrote random parts of the entire file system on drives, leaving many files unrecoverable, McAfee analysts say.
To ensure that it could carry on its destructive activities, the malware contained code to turn off two Korean antivirus programs, Ahnlab and Hauri.
Once the overwriting of the boot record and files had completed, the malware would forcibly reboot the computers which in turn would be unable to start up again as the hard drives were corrupt.
According to McAfee, there was no network component to the malware which appears to have been planted with the sole purpose of destroying data.
Some 32,000 computers were infected by the large scale attack in South Korea.
The perpetrator of the attack is not yet known, and reports that it was traced to a Chinese Internet Protocol address by South Korean investigators have now turned out to be incorrect, the BBC reports.
Instead, the vice-president of Korea's Internet Security Agency, Lee Jae-il told media that the IP address in question was assigned to a server at the Nonghyup Bank, which was hit in the attack.
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
Integrate Expo 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
