Korean Mystery Malware Wiped Unix, Windows Machines
Roman legion reenactors stage a mock battle at the Biskupin archaeological museum in Poland in 2004.
CREDIT: Jan Jerszynski/Creative Commons
The malware that hit South Korean banks and broadcasters yesterday (March 20) was a wrecking machine, deleting core files on both Windows and Unix-based machines and rendering them inoperable, researchers have found.
Analysis by security firms AlienVault, McAfee, Sophos, Symantec and Trend Micro showed that the Trojan, which Sophos dubbed "DarkSeoul" and Symantec called "Jokra," overwrites the Master Boot Record (MBR) that loads Windows upon startup, and then reboots the machines into oblivion.
It also deletes the kernel and other crucial directories on machines running Linux and proprietary flavors of Unix owned by Oracle, Hewlett-Packard and IBM — operating systems frequently used by servers and databases.
"We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," Symantec researchers wrote on the company's Security Response blog.
South Korean officials said they traced the attack back to an IP address in China, but continue to suspect North Korea of involvement.
A Chinese military spokesman pointed out that "hackers often use the IP addresses of other countries to carry out their attacks," according to Reuters.
The South Korean government estimated that about 32,000 machines nationwide were affected.
Maybe not Pyongyang
Security researchers weren't so sure the attacks were state-sponsored.
"Out of all the possible things you could do with a compromised machine, wiping it empty is the least useful thing for an advanced attacker," F-Secure chief research officer Mikko Hypponen tweeted today (March 21).
"Surely that depends on your eventual purposes?" replied Trend Micro director of security research Rik Ferguson.
A previously unknown group calling itself Whois Team claimed responsibility soon after the attacks began, posting a lurid video on YouTube.
Some users reported seeing grinning skulls, similar to those in the Whois Team video, appearing on the screens of infected machines.
But it's not clear whether Whois Team were the real perpetrators, or simply pranksters capitalizing on a breaking story.
Whatever the case, the malware being used as the "dropper" to first infect the machines was neither new nor, according to Sophos, "particularly sophisticated."
"Nothing stands out about it," Symantec lead security researcher Liam O Murchu told the tech blog Ars Technica.
Nor, according to most researchers, was the dropper's "payload," the part that does damage, related to the drive-damaging Shamoon malware that struck the Saudi Aramco oil company last August.
What's Latin for Linux?
Sophos' archives showed DarkSeoul first appeared in malware scans nearly a year ago, and both Sophos' and Trend Micro's anti-virus software already protect against it.
But the malware did seem to have been tailored to hit South Korean targets. Before overwriting the MBR, DarkSeoul tries to disable anti-virus products sold by two local vendors, Ahn Labs and Hauri.
More intriguingly, the MBR is overwritten with countless repetitions of two Latin words referring to infantrymen during the Roman Republic: "Hastati" and "Principes."
The former were poor men who carried little armor, but a large shield; the latter were wealthier infantrymen who could afford better armor.
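A small forensic triage script, added here as an example and not taken from the article or any of the vendors it cites: it reads the first 512-byte sector of a raw disk image and reports whether it still carries a bootable MBR or has been filled with the repeated Latin marker words described above. The exact case of the words and any separator between repetitions are assumptions, so matching is case-insensitive; the sample sectors are constructed, not real captures.

```python
"""Classify a disk image's first sector as an intact MBR or one overwritten
with repeated marker text. Added example, not code from the article."""
import re

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
# Marker words quoted by the researchers. Case and separators are assumptions,
# so matching is case-insensitive.
MARKERS = (b"HASTATI", b"PRINCIPES")


def marker_coverage(sector: bytes) -> float:
    """Fraction of the sector's bytes that belong to a marker string."""
    pattern = re.compile(b"|".join(re.escape(m) for m in MARKERS), re.IGNORECASE)
    covered = sum(len(m.group()) for m in pattern.finditer(sector))
    return covered / len(sector)


def classify_mbr(sector: bytes) -> str:
    """Return 'wiped', 'suspicious' or 'intact' for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if marker_coverage(sector) >= 0.5:
        return "wiped"          # sector is mostly the marker text
    if sector[-2:] != BOOT_SIGNATURE:
        return "suspicious"     # not marker text, but not bootable either
    return "intact"


def classify_image(path: str) -> str:
    """Classify the first sector of a raw disk image file on disk."""
    with open(path, "rb") as fh:
        return classify_mbr(fh.read(SECTOR_SIZE))


# Constructed sample sectors (not real captures) for a self-contained run.
WIPED_SECTOR = (b"PRINCIPES" * 60)[:SECTOR_SIZE]                  # filled with marker text
INTACT_SECTOR = b"\xfa\x33\xc0" + b"\x90" * 507 + BOOT_SIGNATURE  # stub code plus signature
ZEROED_SECTOR = bytes(SECTOR_SIZE)                                # zero-filled, no signature

if __name__ == "__main__":
    for name, sec in (("wiped", WIPED_SECTOR), ("intact", INTACT_SECTOR), ("zeroed", ZEROED_SECTOR)):
        print(f"{name}: {classify_mbr(sec)}")
```

Point `classify_image` at a raw image (for example one taken with `dd`) to triage a real machine; a "wiped" verdict indicates the overwrite pattern, while "suspicious" flags a sector that is unbootable for some other reason and deserves a closer look.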
Symantec and McAfee researchers found that the dropper also carries another payload that scans the infected machine's network for connections to Unix-based machines.
If it finds any, it tries to gain root privileges on the Unix machines and delete the /etc, /home, /kernel and /user directories, leaving them unusable without a full system reinstallation.