South Korea was recently hit by a cyberattack and security vendors have been given the task of investigating. Vendors analyzing the code have begun to find some particularly dangerous components to the attack that were specifically designed to wreak complete and total havoc on the infected computers.
Deep inside the Windows malware that was used in the attack is a component that erases Linux machines, according to analysis from Symantec. Symantec also found that the malware, which goes by the name Jokra, is unique in this respect, different from any other type of malware.
According to a blog post by the company, “We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat.”
In addition to wiping Linux machines, Jokra also checks computers running Windows XP and 7 for a program known as mRemote. mRemote is a remote access tool that is capable of managing devices on different platforms, according to Symantec.
South Korea is also investigating the Wednesday attacks that disrupted three television stations and four banks (and probably more). Government officials also reportedly cautioned against blaming North Korea for the attack. Relations between the two countries have been tense, and South Korea clearly does not want to make things worse by throwing accusations around until solid evidence is found.
Aside from Symantec, McAfee also published an analysis of the attack code, which overwrites the master boot record (MBR) of a computer. The MBR is the first sector of the computer’s hard drive, and it is read before the operating system is booted.
The computer’s master boot record is overwritten with one of two similar strings, “PRINCPES” or “PR!NCPES”. The worst part is that, according to McAfee, the damage can be permanent. According to the company, “If the MBR is corrupted, the computer won’t start.”
Jorge Arias and Guilherme Venere, malware analysts at McAfee, said, “The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable. So even if the MBR is recovered, the files on disk will be compromised too.”
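The two McAfee observations above (an MBR overwritten with "PRINCPES" or "PR!NCPES", and the same strings written over random parts of the file system) can be checked for from the defender's side during forensics. The following is an added example, not code from the article, Symantec or McAfee: it parses the first 512 bytes of a raw disk image using the standard MBR layout (partition table at offset 446, 0x55AA boot signature at offset 510), reports whether either marker string is present and whether the signature is intact, and separately lists every offset in an image where a marker string occurs. The two marker strings come from the article; the sample sectors are constructed here for illustration.

```python
"""Forensic check for the MBR-wiping behaviour described in the article.

Added example. The marker strings are those quoted by McAfee; the sector
layout constants are the standard MBR layout, not anything specific to Jokra.
"""
import struct

WIPER_MARKERS = (b"PRINCPES", b"PR!NCPES")  # strings reported by McAfee
MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"                # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446                # four 16-byte entries follow
# one partition entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
PARTITION_ENTRY_FMT = "<B3xB3xII"


def analyze_mbr(sector: bytes) -> dict:
    """Summarise whether the first sector still looks like a healthy MBR."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least the first 512 bytes of the disk")
    sector = sector[:MBR_SIZE]

    markers = [m.decode() for m in WIPER_MARKERS if m in sector]
    signature_ok = sector[510:512] == BOOT_SIGNATURE

    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FMT, sector, off)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })

    return {
        "wiper_markers": markers,
        "boot_signature_ok": signature_ok,
        "partitions": partitions,
        # either symptom alone is enough to explain "the computer won't start"
        "verdict": "wiped" if markers or not signature_ok else "looks intact",
    }


def find_marker_offsets(data: bytes) -> list:
    """Offsets of wiper strings anywhere in an image, since McAfee reports the
    same strings written over random parts of the file system, not only the MBR."""
    hits = []
    for marker in WIPER_MARKERS:
        start = 0
        while (idx := data.find(marker, start)) != -1:
            hits.append((idx, marker.decode()))
            start = idx + 1
    return sorted(hits)


def make_sample_mbr(wiped: bool) -> bytes:
    """Constructed test data: a minimal MBR with one NTFS partition, optionally
    overwritten end to end with the repeated marker string (an approximation
    of the wiper's effect, constructed for this example)."""
    sector = bytearray(MBR_SIZE)
    # bootable (0x80) NTFS (0x07) partition at LBA 2048, 1 GiB of 512-byte sectors
    struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 2097152)
    sector[510:512] = BOOT_SIGNATURE
    if wiped:
        sector[:] = b"PRINCPES" * (MBR_SIZE // 8)
    return bytes(sector)


if __name__ == "__main__":
    for wiped in (False, True):
        print(analyze_mbr(make_sample_mbr(wiped)))
```

On a real image, read the first 512 bytes of the device or image file and pass them to `analyze_mbr`; a wiped sector typically fails both checks at once, since the marker text also lands on the two bytes where the boot signature should be. `find_marker_offsets` over a larger image gives the offsets McAfee's "random parts of the file system" observation would show up as, which helps scope what is and is not recoverable.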
The malware also attempts to shut down two South Korean antivirus products, made by Ahnlab and Hauri. A BASH shell script, yet another component of the malware, attempts to erase partitions on Unix systems, including Linux and HP-UX.
Avast, a security vendor, wrote in a recent blog post that the attacks against South Korean banks originated from the website of the Korean Software Property Right Council. According to Avast, the site had been hacked to serve an iframe that loaded an attack hosted on another website. The attack code exploits a vulnerability in Internet Explorer that dates back to July 2012 and which Microsoft has already patched.
Source: Computer World – Symantec finds Linux wiper malware used in S. Korean attacks