Menu
Technical evidence links destructive malware to attack against Sony Pictures

Technical evidence links destructive malware to attack against Sony Pictures

The malware contains usernames, passwords and an image associated with Sony Pictures Entertainment, researchers said

The destructive malware program that the FBI alerted some companies about this week was likely used against Sony Pictures Entertainment, according to technical evidence found by researchers in the program's code.

Reports surfaced online Nov. 24 that the computer network of Sony Pictures Entertainment, a U.S.-based subsidiary of Sony, was infiltrated by hackers. The company's employees were reportedly no longer able to use their computers after a message from the attackers, a group called the Guardians of Peace (GOP), was displayed on their screens.

On Monday the FBI sent a confidential five-page alert to a number of private companies about a destructive malware program that can overwrite data on a computer's hard disk drive, including its master boot record that holds information about partitions.

Some security professionals speculated that the malware was used to attack Sony, but the FBI declined to confirm this hypothesis. However, security researchers from Trend Micro and AlienVault obtained samples of the malware described in the FBI warning and found strong evidence that it was used against Sony.

The malware, which Trend Micro detects as BKDR_WIPALL, has several components including diskpartmg16.exe, igfxtrayex.exe and usbdrv32.sys, the Trend Micro researchers said in a blog post Wednesday. The diskpartmg16.exe file is the initial installer and contains a set of encrypted usernames and passwords that are used to access the shared network, they said.

The credentials are intentionally blurred in a screen shot of the malware program's code that was published by Trend Micro, but visible parts show that they're arranged on lines starting with SPE, which likely stands for Sony Pictures Entertainment.

A bitmap image file called walls.bmp that is dropped by the malware on infected systems is an even stronger connection to the company. This file is a wallpaper containing the GOP message that Sony Pictures Entertainment employees reportedly saw on their computers.

Researchers from AlienVault also connected the malware to the attack against SPE.

"From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials -- usernames and passwords -- that the malware uses to connect to systems inside the network," said Jaime Blasco, director of AlienVault Labs, via email.

Read more: Buyer Beware: Five Cybersecurity Consumer Tips for the Holiday Season

The hackers who compiled the malware used the Korean language on their systems, according to Blasco. Some view this aspect as something that supports the theory that North Korean was behind the attack, but security experts say that is unlikely.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags trend microsecurityAlienVaultdata breachFederal Bureau of InvestigationAccess control and authenticationSony Pictures Entertainmentsonymalwareintrusion

Featured

Slideshows

Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
Show Comments