We browsed through wiper samples yesterday and discovered a variant that contains a routine that searches for web documents (e.g. ".html", ".aspx", ".php", etc.) on an infected system. The malware overwrites these documents with content that looks exactly like what is shown in the video below:
We believe this sample is clearly related to the one used in the defacement of the LG Uplus website.
The sample has a timestamp that is similar to the other wiper samples.
However, this variant used a completely different approach to wipe the drives. It infected the MBR with the following code to wipe the disk during the next boot-up:
Also, unlike the other variants, this sample does not use the strings "HASTATI", "PRINCIPES", etc. when wiping the file system. This time it overwrites the files with zeros and renames them to random filenames before finally deleting them. It also avoids files found in the Windows and Program Files directories. All this makes sense because the attacker needed the infected web server to continue hosting the defaced pages.
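As a defender-side check written for this post (not code from the original and not the malware's own code), the following Python script takes a hash baseline of a web root and then flags the three symptoms described above: web documents whose content no longer matches, zero-filled files under any name, and baseline files that have disappeared. The sample web root, the random filename "x7f3q.tmp" and the ".htm" extension are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions named in the post (.html, .aspx, .php); .htm is an added assumption.
WEB_EXTENSIONS = {".html", ".htm", ".aspx", ".php"}

def build_baseline(root):
    # Known-good inventory taken before the incident: relative path -> SHA-256.
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def is_zero_filled(path):
    # The wipe pattern described in the post: a non-empty file, every byte 0x00.
    data = path.read_bytes()
    return len(data) > 0 and data.count(0) == len(data)

def scan(root, baseline):
    # Compare the live tree with the baseline and report the three symptoms.
    findings = {"defaced": [], "zero_filled": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        # Web document whose content no longer matches: candidate defacement.
        if (p.suffix.lower() in WEB_EXTENSIONS and rel in baseline
                and hashlib.sha256(p.read_bytes()).hexdigest() != baseline[rel]):
            findings["defaced"].append(rel)
        # Zero-filled file under any name (original or random): candidate wipe.
        if is_zero_filled(p):
            findings["zero_filled"].append(rel)
    # Baseline entries that vanished: deleted, or renamed and then deleted.
    findings["missing"] = sorted(set(baseline) - seen)
    return findings

def demo():
    # Constructed sample web root, snapshotted and then altered wiper-style.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>welcome</h1>")
        (root / "app.php").write_text("<?php echo 'ok'; ?>")
        (root / "data.db").write_bytes(b"record" * 100)
        baseline = build_baseline(root)
        (root / "index.html").write_text("<h1>defaced</h1>")  # defacement
        (root / "data.db").write_bytes(b"\x00" * 600)          # zero-fill
        (root / "data.db").rename(root / "x7f3q.tmp")          # random rename
        (root / "app.php").unlink()                            # deletion
        return scan(root, baseline)
```

On a real web root the baseline would be taken from a known-good deployment and `scan` run against the live tree; a zero-filled file with an unfamiliar name is the rename-before-delete step caught mid-way.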
So do we think the attacks are related? Most probably they are. Only that this one was carried out by a different member.