Security experts have been able to obtain and analyse samples of the malware linked to the Sony Pictures breach.
An FBI advisory issued on Monday, leaked to Reuters, warned US businesses to be vigilant about a new strain of “destructive” malware.
The link between the Sony breach and the malware described by the FBI is yet to be verified but the timing and behaviour of the malware match those from reports of the Sony Pictures network-hobbler.
The FBI flash memo, titled “#A-000044-mw”, describes malware capable of overwriting data on infected computers' hard drives, including the master boot record, which leaves compromised Windows machines unable to boot at all.
Researchers at Trend Micro have put together an analysis of the malware, detected by the security firm as BKDR_WIPALL.
The primary infection (diskpartmg16.exe, detected by Trend as BKDR_WIPALL-A) carries an encrypted set of usernames and passwords, which it decrypts and uses to log into network shares. Once logged in, the malware attempts to grant everyone on the network full access to the system root.
Jaime Blasco, director of AlienVault Labs, another researcher who has seen malware samples from the Sony hack, said whoever wrote the malware already knew all about Sony's internal network.
"From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials - usernames and passwords - that the malware uses to connect to systems inside the network," Blasco explained.
"The malware was used to communicate with IP addresses in Europe and Asia, which is common for hackers trying to obscure their location. The hackers who compiled the malware used the Korean language on their systems."
During its initial run the malware deletes users’ files and stops the Microsoft Exchange Information Store service. It then sleeps for two hours before forcing the infected system to reboot.
Following the forced reboot the malware deletes all files (format *.*) on fixed and network drives. At the same time it spawns secondary malware components, detected by Trend Micro as BKDR_WIPALL-B.
BKDR_WIPALL-B comes packed with routines that attempt to overwrite physical drives, according to a preliminary analysis of the malware by Trend Micro security researchers Rhena Inocencio and Alvin Bacani.
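The staging sequence described above (hardcoded credentials used to reach internal hosts, Everyone granted full access to the system root, the Exchange Information Store stopped, then a forced reboot roughly two hours later) is the kind of chain a SOC can correlate in process-creation telemetry before the wipe lands. The Python below is an added example written for this page, not Trend Micro's or anyone's published detection. The event records are constructed, modelled loosely on Sysmon event 1 / Security 4688 command-line fields, and the exact commands (cacls, net stop, shutdown, net use) are assumed stand-ins for the actions the article describes; the three-hour correlation window is chosen to cover the two-hour sleep.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, command line).
# Hostnames, account and command lines are illustrative assumptions, not data from the Sony incident.
SAMPLE_EVENTS = [
    # One account reused from WS-042 against several machines (hardcoded credentials in use)
    ("2014-11-24T02:55:10", "WS-042", r"net use \\FS-01\C$ /user:CORP\svc_backup *"),
    ("2014-11-24T02:55:14", "WS-042", r"net use \\MAIL-02\C$ /user:CORP\svc_backup *"),
    ("2014-11-24T02:55:19", "WS-042", r"net use \\WS-117\C$ /user:CORP\svc_backup *"),
    # Staging on MAIL-02: ACL weakened, Exchange store stopped, forced reboot about two hours later
    ("2014-11-24T03:01:05", "MAIL-02", r"cacls C:\ /T /C /G Everyone:F"),
    ("2014-11-24T03:01:09", "MAIL-02", r"net stop MSExchangeIS /y"),
    ("2014-11-24T05:02:40", "MAIL-02", r"shutdown -r -f -t 0"),
    # Benign admin activity on FS-01: a service stop and an ACL change, but not on the root or for Everyone
    ("2014-11-24T03:10:00", "FS-01", r"net stop Spooler"),
    ("2014-11-24T03:10:30", "FS-01", r"icacls D:\Share /grant Users:R"),
    # Benign scheduled reboot on WS-117 (no /f force flag)
    ("2014-11-24T04:00:00", "WS-117", r'shutdown -r -t 60 /c "patching"'),
]

# Stage 1: cacls/icacls granting Everyone full control (F) on a drive root such as C:\
ROOT_ACL = re.compile(r"(?i)\bi?cacls\s+\"?[a-z]:\\?\"?\s.*\beveryone:\(?f\)?")
# Stage 2: the Exchange Information Store service being stopped via net or sc
STOP_EXCHANGE = re.compile(r"(?i)\b(?:net1?|sc(?:\.exe)?)\s+stop\s+\"?msexchangeis\b")
# Stage 3: a forced reboot (both the restart and the force flag present, in any order)
FORCED_REBOOT = re.compile(r"(?i)\bshutdown(?:\.exe)?(?=.*\s[/-]r\b)(?=.*\s[/-]f\b)")
# Credential use: net use against a remote host with an explicit /user: account
CRED_USE = re.compile(r"(?i)\bnet\s+use\s+\\\\(?P<target>[^\\\s]+)\S*\s.*?/user:(?P<account>\S+)")

STAGES = {
    "everyone_full_control_on_root": ROOT_ACL,
    "exchange_store_stopped": STOP_EXCHANGE,
    "forced_reboot": FORCED_REBOOT,
}


def detect_wiper_staging(events, window=timedelta(hours=3)):
    """Return {host: [stages in order seen]} for hosts where all three stages occur within `window`."""
    first_seen = defaultdict(dict)  # host -> stage -> first timestamp
    for ts, host, cmd in events:
        when = datetime.fromisoformat(ts)
        for stage, pattern in STAGES.items():
            if stage not in first_seen[host] and pattern.search(cmd):
                first_seen[host][stage] = when
    alerts = {}
    for host, seen in first_seen.items():
        if len(seen) == len(STAGES) and max(seen.values()) - min(seen.values()) <= window:
            alerts[host] = sorted(seen, key=seen.get)
    return alerts


def detect_credential_reuse(events, min_targets=3):
    """Return {account: [targets]} for accounts used to map shares on at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for _, _, cmd in events:
        m = CRED_USE.search(cmd)
        if m:
            targets[m.group("account").lower()].add(m.group("target").upper())
    return {acct: sorted(hosts) for acct, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    print("wiper staging:", detect_wiper_staging(SAMPLE_EVENTS))
    print("credential reuse:", detect_credential_reuse(SAMPLE_EVENTS))
```

The per-host correlation only fires when all three stages appear, so a lone service stop or a routine reboot (FS-01 and WS-117 in the sample) stays quiet, while the two-hour gap between the Exchange stop and the reboot on MAIL-02 still falls inside the window. The credential-reuse check is deliberately separate: one account mapping shares on several hosts in a few seconds is worth an alert on its own, and in a real deployment both would be fed from a SIEM rather than an inline list.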
A slight variant of the same malware drops a wallpaper image bearing the phrase “hacked by #GOP” as walls.bmp in the Windows directory. "This appears to be the same wallpaper described in reports about the recent Sony hack," Trend Micro researcher Joie Salvio notes in a follow-up to the original blog post.
Sony Pictures Entertainment is the television and movie subsidiary of Sony Corporation.
The long dark teatime of the Seoul
Soon after the Sony Pictures hack became public two weeks ago, rumours began circulating that North Korea's notorious Unit 121 cyber-army might have been behind it. The supposed motive, payback for an upcoming spy comedy called The Interview, always looked a bit sketchy, even though the NORKS do have the capability to write wiper malware, as evidenced by their suspected involvement in the so-called Dark Seoul attacks two years ago.
In a memo leaked on Wednesday and picked up by Deadline, Sony unwittingly scotched rumours that it was poised to finger North Korea as the culprit, instead confining itself to denouncing the 'brazen' cyberattack, which led to five unreleased movies leaking as torrents as well as to hobbled corporate PCs.
Twitter accounts used by Sony to promote movies were hijacked by a previously obscure group calling itself GOP (the Guardians of Peace) to display messages attacking Sony Entertainment’s chief exec. In a fresh leak this week the GOP released hundreds of RSA SecurID tokens, Lotus Notes IDs, certificates and more, CSO Online reports.
Staff details and salaries have also leaked.
The FBI are investigating the hack.
Security watchers have criticised Sony for weak security that made the entertainment giant a soft target. Sony has apparently failed to improve its security practices since the PSN megahack three years ago, which really ought to have acted as some kind of wake-up call.
"I am still shocked the Sony attackers exfiltrated TERABYTES of data without being noticed," said convicted hacker turned security consultant Kevin Mitnick in a tweet. "How sucky is their security?" ®