Korean DDoS Virus Goes Old School, Gartner on Lessons from the Attacks
I hadn't chimed in at all yet this week about the botnet-delivered denial-of-service attacks, which many have said are coming from North Korea or from groups sympathetic to North Korea, and which have affected many different US and South Korean web sites this week. The event was very widely covered and I didn't have any special insights to share.
However, today there are a couple of pretty interesting developments in this situation:
First off, PC World reports that Korean security software vendor AhnLab, which has been providing free cleaning tools for the virus, says that owners of PCs infected with the virus are at risk of having their machines essentially wiped clean of data. Says the article:
From midnight local time (3 p.m. GMT Thursday) the virus, which has been attacking prominent U.S. and South Korean government and commercial Web sites all week, has been programmed to encrypt user data or reformat the hard drive of the PC.
There are still ways to save an infected PC, although if the owners have ignored security requests so far they might be unlikely to follow AhnLab's recommendations. These involve starting Windows in safe-mode by using the boot menu accessed through the F8 key at start-up, setting the clock to before July 10 and then rebooting the PC normally and updating anti-virus software or performing a free scan to erase the virus.
Wow! Talk about a blast from the past. Recent viruses have been all about stealth - "taking over" a machine, making it a part of a botnet and using it to send spam, distribute malware, launch DDoS attacks, etc. without the end-user knowing that this is even happening. The last thing most viruses want to do is "destroy" a machine, because the whole idea is to "steal" that machine's computing power and use it for illegal commercial gain.
But back in the early days of malware, before it essentially became a tool for organized crime, viruses that would cause great inconvenience or attempt to wipe an infected machine's disk clean were pretty common.
I checked with Patrik Runald, Chief Security Advisor at F-Secure, who confirmed AhnLab's claim. He says the virus gzips the contents of the machine's drive, puts a password on the gzip and makes the system unusable.
I guess the data is being held hostage? Interesting stuff... and yet another reminder to always have those desktop systems protected by a good A/V system (personally, I use F-Secure for my home machines)...
Secondly, analyst firm Gartner has a free research note out today titled 'North Korean' Attacks Show Lack of Basic Internet Protections, by analyst John Pescatore. He advises enterprises and government agencies to require DDoS protection for all internet connections that require reliable connectivity, and notes that:
The targets of these attacks, and the differences in their ability to protect themselves, are actually much more interesting than the attacks themselves. The malicious code used appears not to be very sophisticated, and the scope of the attack — with approximately 50,000 PCs apparently compromised — is not very large, compared with many other DDoS attacks in recent years.