"Another component, a BASH shell script, attempts to erase partitions on Unix systems, including Linux and HP-UX."
Being a new Linux user, I am curious how, and if, this could be accomplished without "sudo" access.
Could someone here with more knowledge on the subject go into the specifics, and is this something an average user should be concerned about?
No, it'd prompt for super user access and ask for your password.
Of course the details are not actually described in much detail. It does sound like I'd have to be running a Windows computer that has mRemote installed, then mRemote would connect to some remote Linux box and, do what exactly? Prompt the Windows user for a login on the Linux box with root privileges? I never run servers that use sudo, so the Windows user would have to explicitly log in as root with root's password.
Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.
Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can be used to manage devices on different platforms, Symantec said.
The article doesn't say anything about how these credentials would be obtained. Perhaps it also includes a keylogger? I doubt any of this would work on any network where the Linux administrator had even an inkling of security knowledge. If that's the standard for IT in South Korean banks, the banks deserve whatever problems they may have.
Since the basic malware, "DarkSeoul," has been in the wild for over a year, the fact that it successfully infected banks would be a major worry to me if I were a depositor. Who's in charge of security at these banks?
Thanks for the info PrimeFalcon and SeijiSensei. I suspected as much but wanted to make sure.
Last edited by Yedrin; March 21st, 2013 at 08:00 PM.
The fact they said it runs a bash script means that if you're running a Linux system and dual-booting, it could access the hard drive from Windows and overwrite data at the metal level (below the partition).
But for those running Linux solely (it'd ask for the password) or running Windows in a VM (it would only affect the VM), it's not that big of a deal, unless you give permission to anything without wondering why it's asking for a password.
I'd be highly suspicious if asked for a password out of the blue, but if it suggested there were something like updates and asked whether I wanted to install them, and then, if yes, to provide the password, it would likely fool me if the request looked convincing.
Here's somewhat more of an explanation:
It doesn't sound as though a password was necessary?
Linux: You reap what you tweak.
More likely, it's just a piece of classical Windows malware with a quick-and-dirty Linux appendage that attacks new and unwary users. Symantec highlighted the relative novelty of a piece of multi-OS malware but expressed no opinion on its virulence or likelihood of success.
It is possible for Windows malware to do limitless damage though, if the Linux OS resides on a dual boot or is a VM hosted by the infected Windows. But if so, why would the malware even need a Linux component? It could do all its dirty work from Windows.
Note that its point of attack is again another unpatched browser hole.
Do we really think some functionary in a South Korean bank is running a dual-boot Windows/Linux machine? I'm sure we can all spin scenarios where something bad might happen, but we are talking about large corporations with, presumably, highly-managed networks. Not some guy sitting at home in Seoul playing on a dual-boot machine and being distracted while watching Girls' Generation.