Symantec finds Linux wiper malware used in S. Korean attacks

The attacks also targeted Windows computers' master boot records

Security vendors analyzing the code used in the cyberattacks against South Korea are finding nasty components designed to wreck infected computers.

Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.

"We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," the company said on its blog.

Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can used to manage devices on different platforms, Symantec said.

South Korea is investigating the Wednesday attacks that disrupted at least three television stations and four banks. Government officials reportedly cautioned against blaming North Korea.

McAfee also published an analysis of the attack code, which wrote over a computer's master boot record, which is the first sector of the computer's hard drive that the computer checks before the operating system is booted.

A computer's MBR is overwritten with either one of two similar strings: "PRINCPES" or "PR!NCPES." The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won't start.

"The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable," wrote Jorge Arias and Guilherme Venere, both malware analysts at McAfee. "So even if the MBR is recovered, the files on disk will be compromised too."

The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. Another component, a BASH shell script, attempts to erase partitions Unix systems, including Linux and HP-UX.

Security vendor Avast wrote on its blog that the attacks against South Korean banks originated from the website of the Korean Software Property Right Council.

The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecuritydata breachdata protectionmalware

More about AhnlabAvastHPLinuxMcAfee AustraliaMicrosoftSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place