Researcher Claims Destover Malware Hoax

Leaked Sony Certificate, Separate Extortion Attempt Emerge
Researcher Claims Destover Malware Hoax

A new version of the Destover "wiper" malware has been discovered that is signed using a legitimate digital certificate from Sony. But while the certificate is authentic, a security researcher says the latest version of the malware is a hoax.

See Also: Rethinking Endpoint Security

The revelation of the new Destover malware comes as new evidence has emerged, suggesting that days before wiper malware was used to erase an unknown number of hard drives at Sony Pictures Entertainment on Nov. 24, the same attackers attempted to extort the movie and television production studio. That has led some security experts to believe that a criminal gang was behind the attack.

The warning over the updated Destover malware was first sounded by Kaspersky Lab's global research and analysis team, who say the new version of Destover, which is also known as Wipall, appears to have been compiled on Dec. 5. If the malware infects a PC, it then attempts to connect, alternately, to two command-and-control servers, based in the United States and Thailand.

By using a legitimate certificate, attackers could disguise the malicious code as legitimate software, as well as make related infections more difficult to spot. "Having malware that is signed by a major corporation will make it much more likely for users to install the malware," says Johannes Ullrich, dean of research for the SANS Technology Institute, in a blog post.

But in the wake of the Kaspersky Lab report being released, Vancouver-based security researcher Colin Keigher has come forward, claiming that the new version of Destover is a hoax, although the digital certificate that was used to sign the malware sample is very real, and comes via a password-protected PFX file leaked by the group that attacked Sony Pictures Entertainment. PFX files store copies of the public and private keys needed to sign a digital certificate.

"Basically a researcher who doesn't want to be named found the certificate and then discovered its password to be its filename," Keigher says in a series of posts to Twitter. "They then went and signed the malware with the Sony certificate and uploaded it to VirusTotal" - a free virus-scanning site - after which Kaspersky Lab appears to have obtained a copy. Keigher says the researcher who uploaded the malware sample to VirusTotal also informed the issuing certificate authority that the certificate had been leaked following the Sony breach, and the certificate authority has reportedly added it to a certificate revocation list.

Keigher's account appears to square with Kaspersky Lab's teardown of the new version of Destover, which it says is functionally identical to a previous version of the malware that appears to have been compiled in July. Notably, however, a different version of Destover was used to attack Sony on Nov. 24, and was compiled just days before the attack and customized for Sony's infrastructure.

Latest Destover Not Found In The Wild

In response to Keigher's claims, Kaspersky Lab has clarified that it hasn't seen a sample of the latest Destover circulating in the wild, but says it was important to sound related warnings nevertheless. "The existence of this sample demonstrated that the private key was in the public domain," Kaspersky Lab's researchers say in the blog post. "At that point we knew we had an extremely serious situation at hand, regardless of who was responsible for signing this malware."

Kaspersky Lab researchers also criticized the unknown researcher who uploaded the new copy of Destover. "The certificate would have been revoked without the creation of new malware. There really was no need to create new malware to prove that the certificate hadn't been revoked yet."

Now that the Sony PFX file has not just been leaked, but also identified - together with its password - it still poses a potential risk, as do some of the other "dozens of PFX files [that] have been leaked online," Kaspersky Lab says, noting that they too are password-protected. If anyone who downloads the PFX files from BitTorrent sites can crack those passwords, however, Kaspersky Lab says some of the PFX could be used to sign malware, and wouldn't necessarily be blocked by certificate revocation lists. "Certificate revocation lists are notoriously unreliable and slow to update so it may take a while for the revocation to propagate," Ullrich at SANS Institute warns.

The report that the filename for Sony's certificate doubled as the PFX file's password suggests that poor security controls were in place at the movie and television production studio. That's because Sony's choice of password violates numerous security experts' guidance to always use strong passwords, and in particular passwords that are not just long, but also random and unique.

Prior Extortion Attempt Emerges

Sony's password-protected digital certificates were reportedly part of the series of stolen Sony data that has been leaked by a group that calls itself the Guardians of Peace, or G.O.P. Before unleashing wiper malware on an unknown number of systems at Sony Pictures Entertainment, G.O.P. also stole what it claims to be "tens of terabytes" of data, of which tens of gigabytes have so far been released via five batches, and are now circulating on BitTorrent networks.

The fourth batch of Sony data, released Dec. 8, was announced by hackers via a statement posted to source-code sharing repository GitHub, and includes a message to Sony: "We are sending you our warning again," it reads in part. "Do carry out our demand if you want to escape us. ... Stop immediately showing the movie of terrorism which can break the regional peace and cause the war!"

That appears to be a reference to The Interview, a Sony comedy about a feckless pair of tabloid television reporters who land an interview with North Korean dictator Kim Jong-un in Pyongyang, and are approached by the CIA to kill him instead. The film is due to debut on Dec. 25.

While North Korean officials have denounced the film as a "terrorist act," they have also claimed that they had nothing to do with the hack of Sony. Likewise, the FBI, which is investigating the Sony hack, has not cited Pyongyang as a culprit in its public pronouncements. "There is no attribution to North Korea at this point," Joe Demarest, assistant director with the FBI's cyber division, said at a Dec. 9 cybersecurity conference, Reuters reports.

In fact, some security experts say evidence is mounting that the Sony hack had nothing to do with a nation state, owing to Sony executives' e-mail in-boxes, which were also recently leaked by G.O.P. Among those e-mails, according to a review published by Mashable, is a message sent to multiple Sony Pictures executives - including CEO Michael Lynton and chairman Amy Pascal - that warns of "great damage" to Sony unless the hackers, who signed themselves as "God'sApstls," received "monetary compensation."

"Pay the damage, or Sony Pictures will be bombarded as a whole," reads the e-mail. "God'sApstls" also appears in the Destover malware code that was used to wipe Sony's computers, Mashable reports, noting that the e-mails didn't appear to have been read by any of the recipients.

In other words, before Sony's attackers wiped the company's PCs, they apparently issued an extortion demand, rather than demanding that a movie not be released. In light of that, the attack "looks more like criminals rather than state-sponsored," says Dublin-based information security consultant Brian Honan.

Attack Details Remain Scarce

Following the Nov. 24 hack attack, Sony has faced repeated criticism for failing to publicly describe the latest hack attack in a timely manner. "For me one of the biggest lessons from this attack is how important it is for the victim organization to communicate often and clearly on the breach," Honan says in a recent SANS Institute newsletter. "The lack of information from Sony about the attack has led to many wild speculations in various media outlets as to who is behind the attack and what their motivations are."

Sony Pictures has not responded to repeated requests for comment about the attack, or its security infrastructure. But Sony has published a preliminary report from FireEye, the digital forensics investigation firm that it has hired to investigate the attack. According to FireEye's report, "the attack is unprecedented in nature ... [and] neither SPE nor other companies could have been fully prepared."

On the other hand, Sony also appears to have failed to detect the intrusion. "The purported attackers - Guardians of Peace - have suggested that they were harvesting data for a year before it was detected," says fraud analyst Tom Wills, who directs the consultancy Ontrack Advisory.

Regardless of the exact timeline, the attackers lingered inside Sony's systems for long enough - without being detected - to steal a significant amount of sensitive information and unleash their wiper malware. Based on FBI alerts related to the Sony attack, furthermore, the attackers had access to ports associated with Active Directory, NetBIOS and remote-desktop control, says Tom Chapman, director of the security operations group at computer security firm EdgeWave.

In light of the Sony breach, "we need to start giving more emphasis to incident detection and response," Wills says.

Associate Editor Jeffrey Roman also contributed to this story.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network