Researchers at Symantec have discovered a third “wiper” malware linked to the recent attacks in South Korea. The malware used during the attacks have been widely discussed by the research community and media over the last few days, and Symantec’s discovery adds more curiosity to the plot.
Aside from the attacks themselves, aimed at South Korean broadcasting and financial sectors, most of the discussions have centered on the malware discovered – including the fact that it’s destructive in nature and timed to wipe the targeted system completely depending on a set of variables. The wiping aspect is where the debate comes in to play, as completely destroying a system seems like a useless act on the part of an alleged state-sponsored aggressor.
The malware used in the attacks, named “Jokra” by Symantec, has two variants that were developed to wipe the compromised host immediately on execution. Another was set to execute and wipe the system on March 20, at 2:00 p.m. local time.
However, researchers discovered a third variant, which was set to wipe the host at 3:00 p.m. March 20, only this time the year didn’t matter. Where the others were only to activate in 2013, this latest variant isn’t dependent on the year at all.
Symantec wouldn’t speculate on what their latest discovery means, as it relates to the attack and ongoing research and investigations. However, the fact that a variant exists that didn’t rely on given year is almost to be expected since most major malware campaigns undergo several revisions. It’s also possible that this variant was an earlier creation, later scrapped in order to launch a more focused attack.
On Friday, South Korean official stepped back from their earlier accusation that an IP address used in the attack was hosted in China, reporting instead that the IP address was actually assigned to a computer in one of the targeted banks.
Investigators from the Korea Internet and Security Agency (KISA) said that the possibility that the attack originated abroad is still there however, as they are “tracking some dubious IP addresses.”
Last week’s attacks knocked KBA, MBC, and YTN TV stations off the air, and crippled operations at three banks.