Sony Pictures MEGAHACK: Securobods pull out probes, analyse badness

Experts start dissecting HDD-busting nasty

Security experts have been able to obtain and analyse samples of the malware linked to the Sony Pictures breach.

An FBI advisory issued on Monday, leaked to Reuters, warned US businesses to be vigilant about a new strain of “destructive” malware.

The link between the Sony breach and the malware described by the FBI is yet to be verified but the timing and behaviour of the malware match those from reports of the Sony Pictures network-hobbler.

The FBI flash memo titled “#A-000044-mw” describes malware capable of overwriting data on hard drives of computers, including the master boot record. Compromised Windows machines are incapable of even booting up.
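The memo's point that an overwritten master boot record leaves a machine unbootable can be checked mechanically: the first 512-byte sector has a fixed layout (446 bytes of boot code, a 64-byte partition table, and the 0x55AA signature), so a wiped sector fails simple structural tests. The script below is an added example, not from the FBI advisory or any of the vendors named here. It works on constructed byte strings so it runs offline; reading sector 0 of a real disk would need the platform's raw-device access and privileges, and a GPT disk's protective MBR legitimately has near-empty boot code, which the single-byte check would flag.

```python
"""Structural sanity checks on a 512-byte MBR image (added example, constructed input)."""
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Return the four 16-byte partition entries starting at offset 446."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return ["wrong sector size"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if all(b == mbr[0] for b in mbr[:446]):
        findings.append("boot code is a single repeated byte (wiped or overwritten)")
    entries = parse_partition_table(mbr)
    if not any(e["type"] != 0 for e in entries):
        findings.append("partition table has no entries")
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        findings.append("partition entry with invalid status byte")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed, plausible MBR: varied boot-code bytes, one active NTFS partition, signature."""
    boot_code = bytes(range(256)) + bytes(range(190))  # 446 bytes of non-uniform filler
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # three unused entries
    return boot_code + table + BOOT_SIGNATURE


def simulate_overwritten_sector(fill: int = 0x00) -> bytes:
    """Model of what a sector looks like after being overwritten with a single fill byte."""
    return bytes([fill]) * MBR_SIZE


if __name__ == "__main__":
    for label, sector in (("intact", build_sample_mbr()),
                          ("zeroed", simulate_overwritten_sector(0x00)),
                          ("0xFF fill", simulate_overwritten_sector(0xFF))):
        print(label, check_mbr(sector) or "OK")
```

A clean sector returns no findings; an overwritten one fails on the signature and the uniform boot code at minimum, which is enough to explain why such a host never reaches the Windows loader.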

Researchers at Trend Micro have put together an analysis of the malware, detected by the security firm as BKDR_WIPALL.

The primary infection (diskpartmg16.exe, detected by Trend as BKDR_WIPALL-A) carries an encrypted set of usernames and passwords, which it uses to log into network shares. Once logged in, the malware attempts to grant everyone on the network full access to the system root.

Jaime Blasco, director of AlienVault Labs, another researcher who has seen malware samples from the Sony hack, said whoever wrote the malware already knew all about Sony's internal network.

"From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials - usernames and passwords - that the malware uses to connect to systems inside the network," Blasco explained.

"The malware was used to communicate with IP addresses in Europe and Asia, which is common for hackers trying to obscure their location. The hackers who compiled the malware used the Korean language on their systems."

During its initial run the malware deletes users’ files as well as stopping the Microsoft Exchange Information Store service. It then hibernates for two hours before forcing an infected system to reboot.

Following the forced reboot the malware deletes all the files (format *.*) in fixed and network drives. At the same time secondary malware components (detected by Trend Micro as BKDR_WIPALL-B) are spawned.

BKDR_WIPALL-B comes pre-packed with routines that attempt to overwrite physical drives, according to a preliminary analysis of the malware by security researchers Rhena Inocencio and Alvin Bacani at Trend Micro.
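The behaviour chain described in the last three paragraphs (Exchange Information Store stopped, users' files deleted, a roughly two-hour pause, then a forced reboot) is the kind of sequence a log correlation rule can catch while it is still unfolding on the first host. The script below is an added example, not the malware and not tooling from Trend Micro, AlienVault or the FBI. The pipe-separated line format, hostnames and file paths are constructed for the demo; the event IDs are the real Windows ones (7036 for a service state change, 4663 for an audited object access including DELETE, 1074 for an initiated restart), so the parser would need swapping for a real collector's format but the correlation logic stays the same.

```python
"""Correlate event-log lines into the reported stop-service / mass-delete / reboot chain.

Added example with constructed input; event IDs 7036, 4663 and 1074 are real
Windows IDs, the line format and hosts are invented for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    message: str


def parse_line(line: str) -> Event:
    """Parse 'ISO-timestamp|host|event_id|message' (constructed format)."""
    ts, host, eid, msg = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), host, int(eid), msg)


# Constructed sample: mail01 shows the full chain, ws07 shows benign noise
# (an unrelated service stop and a single deletion) that must not alert.
SAMPLE_LINES = [
    "2014-11-24T08:55:10|mail01|7036|The Microsoft Exchange Information Store service entered the stopped state.",
    "2014-11-24T08:55:12|mail01|4663|Accesses: DELETE Object Name: C:\\Users\\alice\\Documents\\q3.xlsx",
    "2014-11-24T08:55:12|mail01|4663|Accesses: DELETE Object Name: C:\\Users\\alice\\Documents\\budget.docx",
    "2014-11-24T08:55:13|mail01|4663|Accesses: DELETE Object Name: C:\\Users\\bob\\Desktop\\notes.txt",
    "2014-11-24T08:55:13|mail01|4663|Accesses: DELETE Object Name: C:\\Users\\bob\\Pictures\\img1.jpg",
    "2014-11-24T08:55:14|mail01|4663|Accesses: DELETE Object Name: C:\\Users\\bob\\Pictures\\img2.jpg",
    "2014-11-24T08:55:14|mail01|4663|Accesses: DELETE Object Name: C:\\Shares\\finance\\ledger.xlsx",
    "2014-11-24T10:55:20|mail01|1074|The process shutdown.exe has initiated the restart of computer mail01",
    "2014-11-24T09:00:00|ws07|7036|The Print Spooler service entered the stopped state.",
    "2014-11-24T09:00:05|ws07|4663|Accesses: DELETE Object Name: C:\\Users\\carol\\tmp\\old.log",
    "2014-11-24T09:30:00|ws07|7036|The Microsoft Exchange Information Store service entered the running state.",
]

DELETE_THRESHOLD = 5          # deletions after the service stop before we call it a wiper
WINDOW = timedelta(hours=3)   # generous cover for the reported two-hour sleep before reboot


def detect_wiper_chain(events, delete_threshold=DELETE_THRESHOLD, window=WINDOW) -> list[dict]:
    """Per host: an Exchange IS stop followed by many DELETEs (and optionally a reboot) within the window."""
    by_host: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        stops = [e for e in evs if e.event_id == 7036
                 and "Exchange Information Store" in e.message and "stopped" in e.message]
        for stop in stops:
            later = [e for e in evs if stop.ts <= e.ts <= stop.ts + window]
            deletes = [e for e in later if e.event_id == 4663 and "DELETE" in e.message]
            reboot = next((e for e in later if e.event_id == 1074), None)
            if len(deletes) >= delete_threshold:
                alerts.append({"host": host, "start": stop.ts, "deletes": len(deletes),
                               "reboot_after": (reboot.ts - stop.ts) if reboot else None})
    return alerts


def run_sample() -> list[dict]:
    """Run the rule over the constructed lines and return the alerts."""
    return detect_wiper_chain(parse_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this raises one alert for mail01 with six deletions and a reboot 2h00m10s after the service stop, and nothing for ws07. In production the threshold should come from a baseline of normal deletion rates, and the rule is worth pairing with an alert on the service stop alone, since by the time the deletions are counted the damage on that host is under way.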

A slight variant of the same malware drops a graphics file, walls.bmp, in the Windows directory and sets it as the wallpaper, bearing the phrase “hacked by #GOP”. "This appears to be the same wallpaper described in reports about the recent Sony hack," Trend Micro researcher Joie Salvio notes in a follow-up to the original blog post.

Sony Pictures Entertainment is the television and movie subsidiary of Sony Corporation.

The long dark teatime of the Seoul

Soon after the Sony Pictures hack became public two weeks ago, rumours began circulating that North Korea's notorious Unit 121 cyber-army might have been behind the hack. The supposed motive, payback for an upcoming spy film called The Interview, always looked a bit sketchy even though the NORKS do have the capability of writing wiper malware, as evidenced by their suspected involvement in the so-called Dark Seoul attacks two years ago.

In a leaked memo picked up by Deadline on Wednesday, Sony unwittingly scotched rumours it was poised to finger North Korea as the culprit, instead confining itself to denouncing the 'brazen' cyberattack, which led to the leak of five unreleased movies as torrents as well as hobbled corporate PCs.

Twitter accounts used by Sony to promote movies were hijacked to display messages attacking Sony Entertainment’s chief exec by a previously obscure group calling itself GOP (the Guardians of Peace). In a fresh leak this week the GOP released hundreds of RSA SecurID tokens, Lotus Notes IDs, and certificates and more, CSO online reports.

Staff details and salaries have also leaked.

The FBI are investigating the hack.

Security watchers have criticised Sony for weak security that made the entertainment giant a soft target. Sony has apparently failed to improve its security practices since the PSN megahack three years ago, which really ought to have acted as some kind of wake-up call.

"I am still shocked the Sony attackers exfiltrated TERABYTES of data without being noticed," said convicted hacker turned security consultant Kevin Mitnick in a tweet. "How sucky is their security?" ®
