
Thread: Linux wiper malware used in S. Korean attacks

  1. #1
    Join Date
    Nov 2008
    Beans
    Hidden!

    Linux wiper malware used in S. Korean attacks


  2. #2
    Join Date
    Mar 2013
    Beans
    0

    Re: Linux wiper malware used in S. Korean attacks

    "Another component, a BASH shell script, attempts to erase partitions on Unix systems, including Linux and HP-UX."

    Being a new Linux user, I am curious how and if this could be accomplished without "sudo" access.

    Could someone here with more knowledge on the subject go into the specifics, and is this something an average user should be concerned about?

  3. #3
    Join Date
    Apr 2008
    Location
    Wisconsin
    Beans
    766
    Distro
    Ubuntu

    Re: Linux wiper malware used in S. Korean attacks

    No, it'd prompt for super user access and ask for your password.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,036
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Linux wiper malware used in S. Korean attacks

    Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.

    Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can be used to manage devices on different platforms, Symantec said.
    Of course the details are not actually described in much detail. It does sound like I'd have to be running a Windows computer that has mRemote installed, then mRemote would connect to some remote Linux box and, do what exactly? Prompt the Windows user for a login on the Linux box with root privileges? I never run servers that use sudo, so the Windows user would have to explicitly log in as root with root's password.

    The article doesn't say anything about how these credentials would be obtained. Perhaps it also includes a keylogger? I doubt any of this would work on any network where the Linux administrator had even an inkling of security knowledge. If that's the standard for IT in South Korean banks, the banks deserve whatever problems they may have.

    Since the basic malware, "DarkSeoul," has been in the wild for over a year, the fact that it successfully infected banks would be a major worry to me if I were a depositor. Who's in charge of security at these banks?
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  5. #5
    Join Date
    Mar 2013
    Beans
    0

    Re: Linux wiper malware used in S. Korean attacks

    Thanks for the info PrimeFalcon and SeijiSensei. I suspected as much but wanted to make sure.
    Last edited by Yedrin; March 21st, 2013 at 08:00 PM.

  6. #6
    Join Date
    Apr 2008
    Location
    Wisconsin
    Beans
    766
    Distro
    Ubuntu

    Re: Linux wiper malware used in S. Korean attacks

    The fact they said it runs a bash script means if you're running a Linux system, if you're dual-booting it could access the hard drive from Windows, and overwrite data at the metal level (below the partition).

    But for those running Linux solely (it'd ask for the password) or running Windows in a VM (it would only affect the VM), not that big of a deal unless you give permission to anything without wondering why it's asking for a password.

  7. #7
    Join Date
    Dec 2008
    Location
    England
    Beans
    131
    Distro
    Ubuntu Gnome

    Re: Linux wiper malware used in S. Korean attacks

    I'd be highly suspicious if asked for a password out of the blue, but if it suggested there were something like updates and did I want to install them, and then if yes to provide the password, it would likely fool me if the request looked convincing.

  8. #8
    Join Date
    Dec 2009
    Location
    Vermont
    Beans
    853
    Distro
    Ubuntu

    Re: Linux wiper malware used in S. Korean attacks

    Here's somewhat more of an explanation:

    http://www.itworld.com/data-protecti...korean-attacks

    It doesn't sound as though a password was necessary?
    Linux: You reap what you tweak.

  9. #9
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by VTPoet:
    It doesn't sound as though a password was necessary?

    Password may not have been necessary to infect the Windows machine, but how can the bash script run without a password on the Linux end? It would either have to confine itself to files in the home directory of the unfortunate user (which is bad enough, I suppose), or use social engineering to look convincing enough to fool the user into entering the password. That would be some script.

    More likely, it's just a piece of classical Windows malware with a quick-and-dirty Linux appendage that attacks new and unwary users. Symantec highlighted the relative novelty of a piece of multi-OS malware but expressed no opinion on its virulence or likelihood of success.

    It is possible for Windows malware to do limitless damage though, if the Linux OS resides on a dual boot or is a VM hosted by the infected Windows. But if so, why would the malware even need a Linux component? It could do all its dirty work from Windows.

    Note that its point of attack is again another unpatched browser hole.
    Newb: How far must I jump to clear the ledge halfway down?
    Guru: It's bad to jump off cliffs. Let's look at better options.
    Newb: Stop harping about "best practices" and just let me jump.
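    The posts above turn on one question: can a script erase a partition without root? On a default install the answer is decided by the permissions on the raw block device nodes, which is something any user can audit. The script below is an added example for this thread, not code from any poster or from Symantec's analysis; it assumes a Linux-style /dev with mode strings in ls -l format and the "disk" group convention used by Ubuntu.

    ```shell
    #!/bin/sh
    # Audit: which raw block devices could the current user open for writing
    # without sudo? Normally only root and members of "disk" can, which is why
    # a wiper script needs a password prompt (or a dual-boot/VM host) to hurt
    # the whole disk rather than just the user's home directory.

    # can_write_mode MODE OWNER GROUP USER "GROUP LIST"
    # MODE is the 10-character ls -l mode string, e.g. brw-rw----.
    # Returns 0 (true) when USER could open the node for writing.
    can_write_mode() {
        mode=$1; owner=$2; group=$3; user=$4; groups=$5
        [ "$user" = root ] && return 0          # root bypasses DAC
        if [ "$owner" = "$user" ]; then
            case "$mode" in ??w*) return 0;; esac       # owner write bit
        fi
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                case "$mode" in ?????w*) return 0;; esac   # group write bit
            fi
        done
        case "$mode" in ????????w*) return 0;; esac         # other write bit
        return 1
    }

    # Walk /dev and report every block device the current user can write to.
    # Output: one device per line; empty output means raw disks are protected.
    audit_block_devices() {
        me=$(id -un); mygroups=$(id -Gn)
        for dev in /dev/*; do
            [ -b "$dev" ] || continue
            set -- $(ls -ld "$dev")              # fields: mode links owner group ...
            if can_write_mode "$1" "$3" "$4" "$me" "$mygroups"; then
                echo "$dev"
            fi
        done
    }

    # Membership in "disk" is the usual way a non-root user gains raw access.
    in_disk_group() {
        for g in $(id -Gn); do [ "$g" = disk ] && return 0; done
        return 1
    }

    if [ "${1:-}" = --run ]; then
        echo "user: $(id -un)"
        in_disk_group && echo "WARNING: member of disk group" || echo "not in disk group"
        echo "writable block devices:"; audit_block_devices
    fi
    ```

    Run it as the everyday (non-root) account; an empty device list with "not in disk group" is the expected state on a stock Ubuntu desktop.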


  10. #10
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,036
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Linux wiper malware used in S. Korean attacks

    Do we really think some functionary in a South Korean bank is running a dual-boot Windows/Linux machine? I'm sure we can all spin scenarios where something bad might happen, but we are talking about large corporations with, presumably, highly-managed networks. Not some guy sitting at home in Seoul playing on a dual-boot machine and being distracted while watching Girls Generation.
