Yesterday we reported about a massive Cyber attack on South Korea that was responsible for shutting down networks of South Korean banks and TV broadcasters. Police are still investigating the cyber attack but the country's Communications Commission has revealed that the hacking originated from a Chinese IP address.
Symantec Security team analyze the code used in the cyber attacks against South Korea and they discovered an additional component used in this attack that is capable of wiping Linux machines.
The malware, which it called Jokra, contains a module for wiping remote Linux machines. 'The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager.' Symantec said.
McAfee also published an analysis of the attack code, which wrote over a computer's master boot record, which is the first sector of the computer's hard drive that the computer checks before the operating system is booted. If the MBR is corrupted, the computer won't start.
'The malware specifically looks for login credentials saved by two specific SSH clients: mRemote and SecureCRT. It uses any stored root credentials to log into remote Linux servers: for AIX, HP-UX, and Solaris servers it deletes the MBR. If it is unable to delete the MBR, it instead deletes various important folders.' Trend Micro said in their report.
The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri.
The bash script is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions. It wipes out the /kernel, /usr, /etc, and /home directories.
A previous cyberattack on South Korea had been traced to North Korea using a Chinese IP address. At the time, North Korea blamed the US for the hacking. Officials stressed that the IP address did not reveal who was behind the attack, as hackers can route their attacks through addresses in other countries to obscure their identities.