South Korean malware hides Linux-wiper inside Windows

As tensions rise across the length of the Korean peninsula, the spectre of Linux focused malware vulnerabilities in South Korean has thrown an increasingly eerie shadow over events currently unfolding.

Recent cyber attacks against South Korean banks and local broadcasting organisations have led security analysts to spend time deconstructing the code used to carry out the threats.

Results of analysis have shown that code inside a piece of malware initially flagged as Windows-related does in fact have the capability to wipe Linux machines.

The malware has been identified by Symantec and dubbed as Jokra and the so-called “dropper” for Trojan.Jokra is now known to contain a module for wiping remote Linux machines.

NOTE: A virus spreads to a user’s hard disks and also onto other computers in a network (or via the web) by means of a function called a “dropper”.

Although Symantec classified Jokra as a low risk Trojan, the company does make the following statement on its blog…

“We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager.”

The function of these attacks is thought to have been engineered to specifically avoid the engineering offered by anti virus software produced by two Korean firms i.e. Ahnlab and Hauri.

Security firm Avast has posted an analysis of the recent Korean attacks and provides the below image depicting the home page of the site that the attacks originated from.

The site,, is a legitimate Korean website which belongs to Korea Software Property Right Council (SPC) says Avast.


Image Credit: Avast