Linux wiper malware used in South Korean attack

Linux wiper malware used in South Korean attack
South Korea was recently under a huge cyber attack and according to Symantec, the code used in the attack was tucked inside a Windows malware to target Linux computers.

This is a very interesting case, according to the security firm. "We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," said the company on its blog.

Another security firm, McAfee, also published an analysis of the attack code, which wrote over a computer's master boot record, which is the first sector of the computer's hard drive that the computer checks before the operating system is booted.

A computer's MBR is overwritten with either one of two similar strings: "PRINCPES" or "PR!NCPES." The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won't start.

 "The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable, so even if the MBR is recovered, the files on disk will be compromised too."

Two South Korean antivirus products were also the targets of the malware. A Bash shell script attempted to erase Unix systems, including Linux and HP-UX.

The attack came from an IP in China but is believed to be operated by North Korean army. Also according to Avast, the attacks against South Korean banks originated from the  website of the Korean Software Property Right Council.
The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.
linux tips and tricks