mRemote users beware: Windows malware wipes linux boxes via mRemote

another good reason to keep your networks safe, end to end:

From: Greg Freemyer <xxxxxx@xxxxxxxx.com>
Date: Thu, 21 Mar 2013 10:01:48 -0400
Message-ID: <CAGpXXZKgMETy78NhutAUHTHqmc8gYAeNGbRVvTxNe4noKdVRwg@mail.gmail.com>
Subject: [opensuse] mRemote users beware: Windows malware wipes linux boxes via mRemote
To: suse <opensuse@opensuse.org>

All,

This is a first for me. Per:

http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-korean-attacks-more-detail?source=CSONLE_nlt_update_2013-03-21

There is a piece of Windows malware that looks for mRemote installs
on Windows. If found, it looks for cached “root” credentials. If
those are found, it uploads a script to wipe out /kernel, /usr, /etc,
and /home.

I gather the key vulnerability is that mRemote stores the destination
host and credentials in plaintext (or an easily decoded format).

If anyone has mRemote installed on a Windows box, I’m curious how the
password is stored. The config info is at:

%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml

fyi: the target of this attack was South Korea, but once malware code
like this is made public, it starts to show up in other malware.

Greg


dd

On Thu 21 Mar 2013 02:56:47 PM CDT, dd wrote:

another good reason to keep your networks safe, end to end:

[quote]
From: Greg Freemyer <xxxxxx@xxxxxxxx.com>
Date: Thu, 21 Mar 2013 10:01:48 -0400
Message-ID: <CAGpXXZKgMETy78NhutAUHTHqmc8gYAeNGbRVvTxNe4noKdVRwg@mail.gmail.com>
Subject: [opensuse] mRemote users beware: Windows malware wipes linux boxes via mRemote
To: suse <opensuse@opensuse.org>

All,

This is a first for me. Per:

http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-korean-attacks-more-detail?source=CSONLE_nlt_update_2013-03-21

There is a piece of Windows malware that looks for mRemote installs
on Windows. If found, it looks for cached “root” credentials. If
those are found, it uploads a script to wipe out /kernel, /usr, /etc,
and /home.

I gather the key vulnerability is that mRemote stores the destination
host and credentials in plaintext (or an easily decoded format).

If anyone has mRemote installed on a Windows box, I’m curious how the
password is stored. The config info is at:

%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml

fyi: the target of this attack was South Korea, but once malware code
like this is made public, it starts to show up in other malware.

Greg

[/QUOTE]
I posted in tech news as well :wink:

I do note that it’s not supported/maintained anymore;
http://www.royalts.com/main/home/mRemote.aspx

There is a fork called mRemoteNG;
http://www.mremoteng.org/


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.1-desktop
up 13:20, 3 users, load average: 0.00, 0.03, 0.06
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Ironlake Mobile

On 03/21/2013 04:10 PM, malcolmlewis wrote:
> I posted in tech news as well

impossible to be TOO safe!

with state intel and whatnots getting involved in “cyber warfare” I’m
wondering what else I need to do.


dd
openSUSE®, the “German Engineered Automobile” of operating systems!

On Thu 21 Mar 2013 04:16:18 PM CDT, dd wrote:

On 03/21/2013 04:10 PM, malcolmlewis wrote:
> I posted in tech news as well

impossible to be TOO safe!

with state intel and whatnots getting involved in “cyber warfare” I’m
wondering what else I need to do.

Don’t remote access as root :wink: Don’t use winders…


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.1-desktop
up 15:09, 3 users, load average: 0.06, 0.07, 0.09
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Ironlake Mobile

On 2013-03-21 17:58, malcolmlewis wrote:
> On Thu 21 Mar 2013 04:16:18 PM CDT, dd wrote:
>> On 03/21/2013 04:10 PM, malcolmlewis wrote:
>>> I posted in tech news as well
>>
>> impossible to be TOO safe!
>>
>> with state intel and whatnots getting involved in “cyber warfare” I’m
>> wondering what else I need to do.
>
> Don’t remote access as root :wink: Don’t use winders…

This is a targeted attack IMHO.

It was launched against banks and institutions in South Korea. Surely
the attackers, guessing from the north, knew already that in the south
they use this mRemote tool to connect to the Linux servers they use on
those banks.

If somebody with resources launches an attack against anybody, surely
they will find holes, no matter what antivirus or whatever you use.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)