Terrorist’s mainfesto used to spread disk-wiping malware

Be careful what you download...

New Zealand shooter's manifesto used to spread disk-wiping malware
The world was horrified earlier this month by the mass-shootings of worshippers at mosques in Christchurch, New Zealand.

The alleged culprit reportedly distributed a 73-page so-called manifesto entitled “The Great Replacement”, chockablock with white supremacist rhetoric.

The document was circulated on forums and social media websites, and - in an attempt to prevent its spread - New Zealand’s government classified it as “objectionable”, and made it a crime to possess or distribute it anywhere in the country.

Well, if you needed any other reason not to hunt the internet for a copy of “The Great Replacement” to download, here’s one from the research team at security firm Blue Hexagon.

As researcher Irfan Asrar describes, someone has taken a copy of shooter’s Word document and weaponised it to download malicious code from the internet.

Anyone opening the modified manifesto could find their computer’s Master Boot Record (MBR) destructively overwritten, and as their Windows computer reboots they’ll be faced with a message:

This is not us!

This is not us

In many ways it’s a throwback to the early days of malware, when some viruses would overwrite a PC’s boot-up code and display messages such as “Your computer is now stoned!”. And yes, virus historians, I’m well aware that the Stoned virus was also known as New Zealand…

This new malware hasn’t been created to grant remote hackers access to an infected PC, nor to steal files, or hold the victim to ransom. My guess is that whoever created the malware-laden version of the document was outraged by the horror of the shooting of innocent people, and simply wanted to bloody the nose of anyone showing an unhealthy interest in it.

Tags: , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, ,

6 Responses

  1. Smashdamn

    March 29, 2019 at 9:48 pm #

    Lol thanks for the warning deleted the file and got the pastebin version instead.

  2. Drew Lewis

    March 30, 2019 at 3:00 pm #

    Wow, for a “security” website you sure have no idea what you are talking about. Just another garbage clickbait site to avoid.

    Disk-wiping? That’s not a stretch it’s a blatant lie or the ramblings of a confused old man.

    Either way it shows everything on this site is misinformation.

    • Graham Cluley in reply to Drew Lewis.

      March 30, 2019 at 3:23 pm #

      It overwrites the MBR. So yeah, it doesn’t wipe the entire hard drive.

      • Ian Moone in reply to Graham Cluley.

        March 31, 2019 at 8:34 am #

        MBR is only 512mb so far from an entire hard drive. Its like 1 grain of sand from a bag of sand. But a pain ont he bum for someone who’s not tech savyto fix.

        • Graham Cluley in reply to Ian Moone.

          April 3, 2019 at 7:06 pm #

          I remember in the old days some folks would reformat their hard drives when they discovered they had been infected by an MBR virus like Stoned - not realising that they had just wiped all of their hard drive, *apart* from the virus. Oops!

  3. Dave

    March 31, 2019 at 3:43 am #

    This is awesome, shame just wipes the MBR. As a previous cretin has pointed out, it won’t stop people reading it, but it might put a few people off.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.