Symantec finds Linux wiper malware used in S. Korean attacks
The attacks also targeted Windows computers' master boot records
IDG News Service - Security vendors analyzing the code used in the cyberattacks against South Korea are finding nasty components designed to wreck infected computers.
Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.
"We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," the company said on its blog.
Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can used to manage devices on different platforms, Symantec said.
South Korea is investigating the Wednesday attacks that disrupted at least three television stations and four banks. Government officials reportedly cautioned against blaming North Korea.
McAfee also published an analysis of the attack code, which wrote over a computer's master boot record, which is the first sector of the computer's hard drive that the computer checks before the operating system is booted.
A computer's MBR is overwritten with either one of two similar strings: "PRINCPES" or "PR!NCPES." The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won't start.
"The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable," wrote Jorge Arias and Guilherme Venere, both malware analysts at McAfee. "So even if the MBR is recovered, the files on disk will be compromised too."
The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. Another component, a BASH shell script, attempts to erase partitions Unix systems, including Linux and HP-UX.
The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Review: Box beats Dropbox - and all the rest - for business Box trumps Dropbox, Engyte, Citrix ShareFile, EMC Syncplicity, and OwnCloud with rich mix of file sync, file sharing, user management, deep reporting and...
- Analyst Report-Mixed All Flash Arrays Delivers Safer Higher Performance What is the impact of an all-flash array with enterprise features and reliability on the mainstream data center? In the mainstream environment, storage...
- Embracing Flash Storage Exec Brief Flash storage can deliver impressive performance, especially for random I/O, by eliminating rotational and seek latencies that are common in all hard disk...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Cybercrime and Hacking White Papers |