Menu
Technical evidence links destructive malware to attack against Sony Pictures

Technical evidence links destructive malware to attack against Sony Pictures

The malware contains usernames, passwords and an image associated with Sony Pictures Entertainment, researchers said

The destructive malware program that the FBI alerted some companies about this week was likely used against Sony Pictures Entertainment, according to technical evidence found by researchers in the program's code.

Reports surfaced online Nov. 24 that the computer network of Sony Pictures Entertainment, a U.S.-based subsidiary of Sony, was infiltrated by hackers. The company's employees were reportedly no longer able to use their computers after a message from the attackers, a group called the Guardians of Peace (GOP), was displayed on their screens.

On Monday the FBI sent a confidential five-page alert to a number of private companies about a destructive malware program that can overwrite data on a computer's hard disk drive, including its master boot record that holds information about partitions.

Some security professionals speculated that the malware was used to attack Sony, but the FBI declined to confirm this hypothesis. However, security researchers from Trend Micro and AlienVault obtained samples of the malware described in the FBI warning and found strong evidence that it was used against Sony.

The malware, which Trend Micro detects as BKDR_WIPALL, has several components including diskpartmg16.exe, igfxtrayex.exe and usbdrv32.sys, the Trend Micro researchers said in a blog post Wednesday. The diskpartmg16.exe file is the initial installer and contains a set of encrypted usernames and passwords that are used to access the shared network, they said.

The credentials are intentionally blurred in a screen shot of the malware program's code that was published by Trend Micro, but visible parts show that they're arranged on lines starting with SPE, which likely stands for Sony Pictures Entertainment.

A bitmap image file called walls.bmp that is dropped by the malware on infected systems is an even stronger connection to the company. This file is a wallpaper containing the GOP message that Sony Pictures Entertainment employees reportedly saw on their computers.

Researchers from AlienVault also connected the malware to the attack against SPE.

"From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials -- usernames and passwords -- that the malware uses to connect to systems inside the network," said Jaime Blasco, director of AlienVault Labs, via email.

Read more: Buyer Beware: Five Cybersecurity Consumer Tips for the Holiday Season

The hackers who compiled the malware used the Korean language on their systems, according to Blasco. Some view this aspect as something that supports the theory that North Korean was behind the attack, but security experts say that is unlikely.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags trend microsecurityAlienVaultdata breachFederal Bureau of InvestigationAccess control and authenticationSony Pictures Entertainmentsonymalwareintrusion

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Show Comments