Symantec’s research on South Korean attacks, in more detail

In addition to the coverage we have today on the cyber attacks against South Korea, I want to use this space to show you some of the raw details Symantec sent me by email yesterday. Here it is:

Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.  

The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager. The mRemote application keeps a configuration file for saved connections at the following path:

%UserProfile%Local SettingsApplication DataFelix_DeimelmRemoteconfCons.xml

Figure 2. Parsing mRemote path information   The dropper for Trojan.Jokra parses this XML file for any connection with root privileges using the SSH protocol. It then extracts the parameters used in the connection.  

Figure 3. Parsing mRemote configuration file connection details   The dropper then spawns another thread, which drops a bash script to %Temp%~pr1.tmp then uploads and executes this temporary file as /tmp/cups on the remote Linux computer with the connection information parsed from mRemote’s configuration file.  

Figure 4. Remote command execution  

The bash script is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions. It wipes out the /kernel, /usr, /etc, and /home directories.

Symantec is continuing to investigate this attack and will provide further updates as they become available.