By now most readers will have heard about the cyber attack on South Korean computer networks on Wednesday, 20 March. For those who have not, here is a brief summary. Three major banks and three television stations in South Korea went offline simultaneously at 2 pm Seoul time. The South Korean government later confirmed that malware was used to bring the networks down. The scale of the attack raises an obvious question: is a single piece of malware, however vicious, capable of bringing networks of this size down? Let's look at how it works to understand how it took them down.
Three major banks and TV stations had to shut down their systems because of the attack. While some of the banks brought their websites back within a matter of hours, one of the largest TV networks in South Korea, KBS, is still down and showing the following message:
KBS World Radio
We extend our sincere apology for the inconvenience caused by the sudden stoppage of the KBS website service. We are currently making our best efforts to normalize the service as soon as possible. We ask you for your patience and understanding. We will do our utmost to provide a more stable service in the near future. Thank you very much.
The scale of the attack has bewildered many, hackers and security analysts alike. The South Korean government initially blamed North Korea for the attack, but it was later characterised as a malware attack. News has since filtered in that the malware identified is not capable of causing an attack of this size on its own: it would have needed close coordination between the attackers, and several pieces of malware rather than one. The latest update from the South Korean government is that the attack has been traced to a Chinese IP address, but efforts to identify the attackers are still ongoing. A source IP address on its own identifies only the last hop the attackers used, not who was behind it.
The primary malware has been identified as a "wiper", a strain of Windows trojan which first surfaced about a year ago. A similar wiper, Shamoon, attacked energy companies in the Middle East last year. However, Liam O'Murchu, Director of Operations for Symantec Security Response, said that the malware, which his company identifies as Trojan.Jokra, has nothing remarkable about it. "Nothing stands out about it," he said. The "dropper" portion of the attack, that is, how the wiper was delivered to and installed on the networks, is still being investigated. Nobody yet seems to know how it got in.
The malware first kills the processes of antivirus and security software, then overwrites the Master Boot Record (MBR) of the computer's primary disk. It repeats the procedure on any other local drives and mapped network drives that are available, and then attempts to overwrite the MBR of unmapped drives as well, before forcing a shutdown of the computer by executing the shutdown command. Once the machine is rebooted it is unusable until the disk is reformatted or restored from a backup taken before the infection. The MBR is only the first sector of the disk, so a machine whose MBR has been overwritten will not boot; if the wiper has touched only that sector and not the partitions behind it, data can often still be recovered by imaging the disk and rebuilding the partition table.
What is surprising is that the malware used a time-triggered execution mechanism: it called a clock API to check the system time and ran its destructive code only when the wanted time was reached, in this case 2 pm on 20 March. This amounts to a controlled detonation of the code. It also explains how the payload could sit dormant on infected machines, and pass short-lived automated analysis, until the coordinated moment.
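Since the damage the article describes is an overwritten MBR, the first thing a responder wants is a quick way to tell whether a disk's first sector is still a valid boot record. The checker below is an added example written for this article, not code from the original page or from any vendor report: it parses the 512-byte MBR (boot signature plus the four partition entries), flags a sector that is zero-filled or made of a short repeated pattern, which is what a wiper typically leaves behind, and reports findings. The sample sectors, including the `WIPEDMBR` marker, are constructed here for illustration and are not a claim about what this particular malware writes.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR into its boot signature and four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[-2:] == BOOT_SIGNATURE, "partitions": partitions}


def repeated_pattern(data: bytes, max_period: int = 16):
    """Return the short byte pattern `data` is made of, or None if it is not periodic.

    Wipers typically overwrite a sector with zeros or a repeated marker string, so a
    periodic sector is a strong sign the original contents are gone.
    """
    for period in range(1, max_period + 1):
        unit = data[:period]
        if data == unit * (len(data) // period) + unit[: len(data) % period]:
            return unit
    return None


def assess_mbr(sector: bytes) -> dict:
    """Combine the structural checks into a verdict with human-readable findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not any(p["type"] != 0 and p["sectors"] != 0 for p in info["partitions"]):
        findings.append("no usable partition entries")
    pattern = repeated_pattern(sector)
    if pattern is not None:
        findings.append("sector is a repeated %d-byte pattern %r" % (len(pattern), pattern))
    info["findings"] = findings
    info["intact"] = not findings
    return info


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or disk image (needs read access to it)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed example of a healthy MBR: stand-in bootstrap code, one NTFS partition, signature."""
    bootstrap = bytes((i * 37 + 11) & 0xFF for i in range(PARTITION_TABLE_OFFSET))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Constructed inputs: a healthy MBR, a zero-filled sector and one overwritten with a marker.
    for label, sector in (("healthy", build_sample_mbr()),
                          ("zeroed", b"\x00" * SECTOR_SIZE),
                          ("overwritten", b"WIPEDMBR" * 64)):
        verdict = assess_mbr(sector)
        print(label, "intact" if verdict["intact"] else "DAMAGED", verdict["findings"])
```

On a live system, `assess_mbr(read_mbr("/dev/sda"))` (or the path of a forensic image) gives the verdict; run it against an image rather than the original disk where possible, and note that a missing signature alone says nothing about whether the file systems behind the MBR survived.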
How did it reach the Linux and Unix machines? The Windows trojan (Trojan.Jokra) searched the infected machines for mRemote, a remote-connection manager in which administrators save SSH credentials for the servers they manage. Using those stored credentials, it connected over SSH to the Linux and Unix hosts and executed a shell script that wipes the drives on Linux, Solaris, AIX, or HP-UX. On Linux, the script deletes the /kernel, /usr, /etc, and /home directories. The lesson for defenders is that saved administrator credentials on a Windows workstation are a bridge into every Unix host they can reach, and that a wipe delivered this way leaves its trace in the servers' SSH and sudo logs rather than in any malware on the servers themselves.
The malware is not as complex as much of the other malware in the wild, yet it was able to take down many networks in South Korea. This is all the more frightening given that South Korea is in a war-like standoff with its neighbour.
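The Unix side of the attack, a remote SSH login followed within seconds by a destructive command on several hosts, is exactly the pattern a detection rule can catch from ordinary logs. The script below is an added example for this article, not the original page's or any vendor's code. It correlates sshd "Accepted" lines with sudo COMMAND lines on the same host and user, flags recursive deletion of the directories named above (and a few other disk-destroying commands), and then groups alerts by the login's source address so that one workstation hitting many servers stands out as a campaign. The log lines are constructed for the example and assume standard sshd and sudo syslog formats; the thresholds are assumptions to tune for your environment.

```python
import re
from datetime import datetime

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
LOGIN_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
SUDO_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

# Directories the article says the wipe script removes on Linux, plus the root itself.
PROTECTED_DIRS = {"/", "/kernel", "/usr", "/etc", "/home"}


def parse_ts(text: str) -> datetime:
    """Parse a syslog timestamp (no year, so only deltas are meaningful)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def is_destructive(cmd: str) -> bool:
    """True for commands that wipe protected directories or raw block devices."""
    tokens = cmd.split()
    if not tokens:
        return False
    prog = tokens[0].rsplit("/", 1)[-1]
    args = tokens[1:]
    if prog == "rm":
        recursive = any(a.startswith("-") and "r" in a.lower() for a in args)
        targets = any((a.rstrip("/") or "/") in PROTECTED_DIRS for a in args)
        return recursive and targets
    if prog == "dd":
        return any(a.startswith("of=/dev/") for a in args)
    if prog in ("shred", "wipefs") or prog.startswith("mkfs"):
        return any(a.startswith("/dev/") for a in args)
    return False


def analyze(lines, window_seconds=300, campaign_threshold=2) -> dict:
    """Correlate SSH logins with destructive sudo commands; group hits by source address."""
    last_login = {}      # (host, user) -> (login time, source ip)
    host_alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            last_login[(m["host"], m["user"])] = (parse_ts(m["ts"]), m["ip"])
            continue
        m = SUDO_RE.match(line)
        if not m or not is_destructive(m["cmd"]):
            continue
        ts = parse_ts(m["ts"])
        login = last_login.get((m["host"], m["user"]))
        source_ip, delta = None, None
        if login and 0 <= (ts - login[0]).total_seconds() <= window_seconds:
            source_ip, delta = login[1], int((ts - login[0]).total_seconds())
        host_alerts.append({"host": m["host"], "user": m["user"], "source_ip": source_ip,
                            "seconds_after_login": delta, "command": m["cmd"]})
    by_ip = {}
    for alert in host_alerts:
        if alert["source_ip"]:
            by_ip.setdefault(alert["source_ip"], set()).add(alert["host"])
    campaigns = {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= campaign_threshold}
    return {"host_alerts": host_alerts, "campaigns": campaigns}


# Constructed sample log: one workstation (10.0.0.5) logs in as "ops" on three servers and wipes
# each within seconds; a benign admin session on web02 and a harmless rm on db01 are mixed in.
SAMPLE_LOG = [
    "Mar 20 13:58:41 web01 sshd[4101]: Accepted password for ops from 10.0.0.5 port 51022 ssh2",
    "Mar 20 13:58:47 web01 sudo:   ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/rm -rf /kernel /usr /etc /home",
    "Mar 20 13:58:52 db01 sshd[2210]: Accepted publickey for ops from 10.0.0.5 port 51030 ssh2",
    "Mar 20 13:58:55 db01 sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/rm -rf /tmp/build",
    "Mar 20 13:59:01 db01 sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/dd if=/dev/zero of=/dev/sda bs=1M",
    "Mar 20 13:59:10 app01 sshd[3377]: Accepted password for ops from 10.0.0.5 port 51041 ssh2",
    "Mar 20 13:59:14 app01 sudo:   ops : TTY=pts/2 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/rm -rf /kernel /usr /etc /home",
    "Mar 20 14:05:30 web02 sshd[1190]: Accepted publickey for alice from 10.0.1.9 port 40222 ssh2",
    "Mar 20 14:05:44 web02 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["host_alerts"]:
        print("ALERT", alert)
    for ip, hosts in result["campaigns"].items():
        print("CAMPAIGN from", ip, "hit", ", ".join(hosts))
```

In a real deployment the lines would be fed from a central syslog collector, since a wiped host cannot be asked for its own logs afterwards; the campaign grouping is what turns three isolated "someone ran rm -rf" alerts into the one finding that matters, a single source address reaching many servers at once.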
Please leave your comments on the article below.