South Korean Banks, Media Companies Targeted by Destructive Malware


On 20 March 2013 an attack launched from just 49 IP addresses wiped the boot records of roughly 48,000 computers in South Korea, including systems at four major banks and three TV broadcasters. Most of the victims were Windows PCs, but Linux and HP-UX servers were hit as well.

What makes it interesting is that the damage was done by Windows malware, known as "Wiper", "Jokra" or "KillMBR-FBIA". It reportedly got in through an Internet Explorer bug that Microsoft had already patched in 2012. Once in control of a Windows PC it checks for mRemote, a connection manager that stores saved logins for Linux over SSH, Windows over RDP, and VNC servers.
"Wiper" uses those saved mRemote credentials to reach Linux and HP-UX machines. Why 20 March 2013 was chosen is unknown; on that date the malware simply triggers and corrupts the boot records of the Windows hosts and of the Linux/HP-UX servers it could log in to.

[Image: corrupted MBR]
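Checking for this kind of damage is a matter of reading sector 0 and seeing whether it still looks like a boot record. The following Python is an added example by the editor, not code from the original post or from any vendor analysis: it parses a 512-byte MBR image, validates the 0x55AA boot signature and the four partition entries, and classifies a sector that a wiper has zeroed or filled with a repeating pattern. The healthy sample MBR and the filler buffer are constructed for the example ("HASTATI." is one of the filler strings reported in public write-ups of this attack; any other short pattern is detected the same way).

```python
# Added example: classify a 512-byte MBR image as intact, damaged or wiped.
# Not code from the original post or from any vendor report; the sample
# MBR and the filler buffer below are constructed for this illustration.
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR


@dataclass
class Partition:
    bootable: bool
    type_id: int      # e.g. 0x07 NTFS, 0x83 Linux
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table slots, skipping empty ones."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and size == 0:
            continue
        parts.append(Partition(status == 0x80, ptype, lba, size))
    return parts


def repeating_pattern(data: bytes, max_len: int = 16) -> Optional[bytes]:
    """Return the short unit that tiles the whole buffer, if there is one."""
    for n in range(1, max_len + 1):
        unit = data[:n]
        q, r = divmod(len(data), n)
        if unit * q + unit[:r] == data:
            return unit
    return None


def assess_mbr(mbr: bytes) -> str:
    """Classify sector 0 as 'ok', 'wiped: ...', 'damaged: ...' or 'invalid: ...'."""
    if len(mbr) != MBR_SIZE:
        return "invalid: not 512 bytes"
    if mbr[510:512] != BOOT_SIGNATURE:
        # No boot signature: distinguish a zeroed sector from one overwritten
        # with a filler string, which is what a wiper typically leaves behind.
        if mbr == b"\x00" * MBR_SIZE:
            return "wiped: sector zeroed"
        pattern = repeating_pattern(mbr)
        if pattern is not None:
            return f"wiped: filled with repeating {pattern!r}"
        return "damaged: boot signature missing"
    if mbr[:PART_TABLE_OFFSET] == b"\x00" * PART_TABLE_OFFSET:
        return "damaged: boot code zeroed"
    parts = parse_partitions(mbr)
    if not parts:
        return "damaged: no partition entries"
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            return "damaged: partition entry with zero start or length"
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            return "damaged: overlapping partitions"
    return "ok"


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a stub of boot code and one active NTFS partition."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x00" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 2_097_152)  # 1 GiB at LBA 2048
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    print(assess_mbr(build_sample_mbr()))    # ok
    print(assess_mbr(b"\x00" * MBR_SIZE))    # wiped: sector zeroed
    print(assess_mbr(b"HASTATI." * 64))      # wiped: filled with repeating b'HASTATI.'
```

To check a live disk, read its first sector (for example `dd if=/dev/sda bs=512 count=1` on Linux, or reading the first 512 bytes of `\\.\PhysicalDrive0` on Windows) and pass the bytes to `assess_mbr()`. A copy of sector 0 captured before an incident makes a far better baseline than these heuristics, which only catch gross damage.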

Malware that works across several operating systems is rare, so it is notable that the attackers packaged a component to wipe Linux machines inside a Windows threat.

The wiper code contains no network-communication routines and nothing that indicates it can talk to a remote host; once it is on a machine it needs no command-and-control.

Beyond overwriting the boot record it makes no other changes to the system, such as dropping files or changing registry keys. The goal of the attack appears to have been solely to make the targeted computers unusable.

So the question is: who created "Wiper"?

Ref: http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
Ref: http://www.computerworld.com/s/article/9237768/Symantec_finds_Linux_wiper_malware_used_in_S._Korean_attacks