Menu
Damballa finds tools related to the malware that hit Sony

Damballa finds tools related to the malware that hit Sony

The tools make it easier for attackers to move undetected through a network

Security company Damaballa said it has found two utilities that are closely related to capabilities seen in the destructive malware that hit Sony Pictures Entertainment last year.

The utilities were discovered as Damballa was investigating a new version of the "Destover" malware, which rendered thousands of computers unusable at Sony after attackers stole gigabytes of sensitive company information.

One key question in the Sony breach is how the attackers were able to evade security systems. What Damaballa found are two utilities that help mask new files introduced to a system. 

"Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface," wrote senior threat researchers Willis McDonald and Loucif Kharouni, in a blog post on Wednesday.

One of the tools, setMFT, enables a technique called timestopping, which can make a file appear to have a different timestamp. It's often used in combination with renaming a newly introduced file to make it appear to blend in with a group of other files.

"This can conceal a file’s existence from security personnel looking for malicious files or scans of files created after a certain date," they wrote. "Timestomping can get past a cursory check."

The other tool, afset, is used for timestomping and cleaning up log data stored in Windows. It can also change the build time and checksum of an executable.

Afset "allows the attacker to remain stealthy and erase their tracks as they move through the network," they wrote. "A full forensic analysis of a system would reveal the presence of afset and missing log activity, but it’s likely this activity would go undetected initially creating high-risk infection dwell time."

It can be difficult for companies to detect intruders in their networks, particularly if the attackers are using valid login credentials stolen from an authorized user. Once in, using these utilities could make it even harder to detect strange activity.

Just one antivirus product was detecting both of the tools, the researchers wrote. That makes it likely that newer versions of them would not be detected, at least initially. 

"These capabilities, when used together with tools that enable attackers to obtain network credentials and disable defenses, allows them to permeate the network undetected for an extended period of time," they wrote.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments