Menu
Damballa finds tools related to the malware that hit Sony

Damballa finds tools related to the malware that hit Sony

The tools make it easier for attackers to move undetected through a network

Security company Damaballa said it has found two utilities that are closely related to capabilities seen in the destructive malware that hit Sony Pictures Entertainment last year.

The utilities were discovered as Damballa was investigating a new version of the "Destover" malware, which rendered thousands of computers unusable at Sony after attackers stole gigabytes of sensitive company information.

One key question in the Sony breach is how the attackers were able to evade security systems. What Damaballa found are two utilities that help mask new files introduced to a system. 

"Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface," wrote senior threat researchers Willis McDonald and Loucif Kharouni, in a blog post on Wednesday.

One of the tools, setMFT, enables a technique called timestopping, which can make a file appear to have a different timestamp. It's often used in combination with renaming a newly introduced file to make it appear to blend in with a group of other files.

"This can conceal a file’s existence from security personnel looking for malicious files or scans of files created after a certain date," they wrote. "Timestomping can get past a cursory check."

The other tool, afset, is used for timestomping and cleaning up log data stored in Windows. It can also change the build time and checksum of an executable.

Afset "allows the attacker to remain stealthy and erase their tracks as they move through the network," they wrote. "A full forensic analysis of a system would reveal the presence of afset and missing log activity, but it’s likely this activity would go undetected initially creating high-risk infection dwell time."

It can be difficult for companies to detect intruders in their networks, particularly if the attackers are using valid login credentials stolen from an authorized user. Once in, using these utilities could make it even harder to detect strange activity.

Just one antivirus product was detecting both of the tools, the researchers wrote. That makes it likely that newer versions of them would not be detected, at least initially. 

"These capabilities, when used together with tools that enable attackers to obtain network credentials and disable defenses, allows them to permeate the network undetected for an extended period of time," they wrote.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments