In addition to the coverage we have today on the cyber attacks against South Korea, I want to use this space to show you some of the raw details Symantec sent me by email yesterday. Here it is:

Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.

The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager. The mRemote application keeps a configuration file for saved connections at the following path:

%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml

Figure 2. Parsing mRemote path information

The dropper for Trojan.Jokra parses this XML file for any connection with root privileges using the SSH protocol. It then extracts the parameters used in the connection.

Figure 3. Parsing mRemote configuration file connection details

The dropper then spawns another thread, which drops a bash script to %Temp%\~pr1.tmp then uploads and executes this temporary file as /tmp/cups on the remote Linux computer with the connection information parsed from mRemote’s configuration file.

Figure 4. Remote command execution

The bash script is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions. It wipes out the /kernel, /usr, /etc, and /home directories.

Symantec is continuing to investigate this attack and will provide further updates as they become available.
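
The exposure Symantec describes can be audited from the defender's side. The following is an added example, not code from Symantec or from this post: it lists saved mRemote connections that use SSH as root and notes whether a password is stored, without reading the password itself. The attribute names (Type, Username, Password, Hostname, Protocol, Port) are assumed from the mRemote configuration format, and the sample file, hosts and password blobs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an mRemote confCons.xml. Attribute names are an
# assumption about the format; hosts and password blobs are made up.
SAMPLE = """<Connections Name="Connections" Export="False" ConfVersion="2.2">
  <Node Name="Linux" Type="Container">
    <Node Name="db01" Type="Connection" Username="root" Password="bm90LXJlYWw="
          Hostname="db01.example.internal" Protocol="SSH2" Port="22" />
    <Node Name="web01" Type="Connection" Username="deploy" Password=""
          Hostname="web01.example.internal" Protocol="SSH2" Port="22" />
  </Node>
  <Node Name="dc01" Type="Connection" Username="Administrator" Password="eA=="
        Hostname="dc01.example.internal" Protocol="RDP" Port="3389" />
  <Node Name="old-fw" Type="Connection" Username="ROOT" Password=""
        Hostname="fw.example.internal" Protocol="SSH1" Port="22" />
</Connections>"""


def audit_saved_connections(xml_text):
    """Return findings for saved SSH connections that log in as root."""
    tree_root = ET.fromstring(xml_text)
    findings = []
    # iter() walks nested containers, so folders of connections are covered.
    for node in tree_root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        protocol = (node.get("Protocol") or "").upper()
        user = (node.get("Username") or "").strip().lower()
        if not protocol.startswith("SSH") or user != "root":
            continue
        findings.append({
            "name": node.get("Name", ""),
            "host": node.get("Hostname", ""),
            "port": node.get("Port", ""),
            # Record only whether a password is stored, never its value.
            "stored_password": bool(node.get("Password")),
        })
    # Entries with a saved root password sort first: rotate those first.
    return sorted(findings, key=lambda f: not f["stored_password"])


if __name__ == "__main__":
    for f in audit_saved_connections(SAMPLE):
        risk = "HIGH (password saved)" if f["stored_password"] else "review"
        print(f"{f['name']:8} {f['host']}:{f['port']}  risk={risk}")
```

Hosts it reports are the ones reachable with the connection details this component looks for, so they are the candidates for credential rotation and for removing saved root logins from the workstation.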