Symantec's research on South Korean attacks, in more detail
Symantec sent us more details on the cyber attacks against South Korea.
In addition to the coverage we have today on the cyber attacks against South Korea, I want to use this space to show you some of the raw details Symantec sent me by email yesterday. Here it is:
Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.
Figure 1. Bash wiper script targeting remote Linux machines
The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager. The mRemote application keeps a configuration file for saved connections at the following path:
%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml
Figure 2. Parsing mRemote path information
The dropper for Trojan.Jokra parses this XML file for any connection with root privileges using the SSH protocol. It then extracts the parameters used in the connection.
Figure 3. Parsing mRemote configuration file connection details
The dropper then spawns another thread, which drops a bash script to %Temp%\~pr1.tmp, then uploads and executes this temporary file as /tmp/cups on the remote Linux computer, using the connection information parsed from mRemote's configuration file.
Figure 4. Remote command execution
The bash script is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions. It wipes out the /kernel, /usr, /etc, and /home directories.
Symantec is continuing to investigate this attack and will provide further updates as they become available.
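The write-up above gives a defender one concrete thing to check: any host saved in mRemote's confCons.xml as an SSH connection under the root account was reachable by the wiper module from a compromised Windows workstation. The script below is an added triage example, not Symantec's analysis code and not part of mRemote; it builds the path quoted above from a user profile directory and enumerates the saved connections that match the dropper's selection criteria (SSH protocol, user root) so those Linux hosts can be checked first. The confCons.xml sample is constructed, and the element and attribute names it uses (Node, Type, Protocol, Hostname, Username, Port, Password) are an assumption about mRemote's saved-connection format, not something stated on this page; verify them against a real file from the machine being examined.

```python
"""Triage helper for the Trojan.Jokra mRemote abuse described above.

Lists the saved mRemote connections that the dropper's Linux-wiper
module would have selected: SSH connections saved with the root user.
Added example; not Symantec's or mRemote's own code.
"""
import ntpath
import os
import xml.etree.ElementTree as ET

# Path quoted in the write-up, relative to the user's profile directory.
CONFCONS_RELATIVE = (
    "Local Settings", "Application Data", "Felix_Deimel", "mRemote", "confCons.xml"
)

# Constructed sample of a confCons.xml. Element/attribute names are an
# assumption about mRemote's format (see lead-in); passwords are left blank.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<Connections Name="Connections" Export="False" Protected="" ConfVersion="2.5">
  <Node Name="web01" Type="Connection" Hostname="10.0.10.21" Username="root"
        Password="" Protocol="SSH2" Port="22" />
  <Node Name="db01" Type="Connection" Hostname="10.0.10.40" Username="dba"
        Password="" Protocol="SSH2" Port="22" />
  <Node Name="win-jump" Type="Connection" Hostname="10.0.20.5" Username="root"
        Password="" Protocol="RDP" Port="3389" />
  <Node Name="Prod" Type="Container">
    <Node Name="app02" Type="Connection" Hostname="10.0.10.22" Username="root"
          Password="" Protocol="SSH1" Port="2222" />
  </Node>
</Connections>
"""


def confcons_path(user_profile: str) -> str:
    """Build the Windows path of confCons.xml for a given %UserProfile%.

    ntpath is used so the result has Windows separators even when this
    triage script is run from a Linux analysis box.
    """
    return ntpath.join(user_profile, *CONFCONS_RELATIVE)


def exposed_root_ssh_hosts(xml_text: str, privileged_users=("root",)):
    """Return (name, hostname, port) for every saved connection that uses
    an SSH protocol and logs in as one of privileged_users.

    Folders in mRemote are Container nodes holding further Node elements,
    so iterate over every Node in document order rather than only the
    top level.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue  # skip folders (Container) and anything else
        protocol = (node.get("Protocol") or "").upper()
        username = node.get("Username") or ""
        if protocol.startswith("SSH") and username in privileged_users:
            port = int(node.get("Port") or 22)
            hits.append((node.get("Name"), node.get("Hostname"), port))
    return hits


def exposed_hosts_from_file(path: str):
    """Read a confCons.xml from disk; a missing file means nothing saved."""
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return exposed_root_ssh_hosts(fh.read())


if __name__ == "__main__":
    print("Would check:", confcons_path(r"C:\Documents and Settings\alice"))
    for name, host, port in exposed_root_ssh_hosts(SAMPLE_CONFCONS):
        # These are the Linux hosts to inspect for /tmp/cups and wiped
        # /kernel, /usr, /etc or /home trees.
        print(f"{name}: root@{host}:{port}")
```

Run it against each confCons.xml collected from the affected Windows 7 and XP workstations; every host it prints had root SSH credentials sitting on a machine the dropper ran on, whether or not the wiper actually reached it, so those credentials need rotating even where the host survived.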