Linux wiper used in South Korean attacks, Symantec
21 March 2013 | 0
Security vendors analysing the code used in the cyberattacks against South Korea are finding nasty components designed to wreck infected computers.
Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.
"We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," the company said on its blog.
Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can used to manage devices on different platforms, Symantec said.
South Korea is investigating the Wednesday attacks that disrupted at least three television stations, four banks and the website of a group that monitors human rights abuses in North Korea. Government officials reportedly cautioned against blaming North Korea, having traced the IP address used in the attacks to China.
McAfee also published an analysis of the attack code, which wrote over a computer’s master boot record, which is the first sector of the computer’s hard drive that the computer checks before the operating system is booted.
A computer’s MBR is overwritten with either one of two similar strings: ‘PRINCPES’ or ‘PR!NCPES’. The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won’t start.
"The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable," wrote Jorge Arias and Guilherme Venere, both malware analysts at McAfee. "So even if the MBR is recovered, the files on disk will be compromised too."
The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. Another component, a BASH shell script, attempts to erase partitions Unix systems, including Linux and HP-UX.
Security vendor Avast wrote on its blog that the attacks against South Korean banks originated from the website of the Korean Software Property Right Council.
The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.
IDG News Service