Sony Hack: 'Destover' Malware Identified

Security Experts Find Destructive Malware After FBI Alert
Sony Hack: 'Destover' Malware Identified

The destructive "wiper" malware that was used to infect and erase hard drives at Sony Pictures Entertainment has been identified as "Destover," which is also known as "Wipall." Security experts say it's the first time such an attack has been launched against a U.S. organization (see Sony Hack: FBI Issues Malware Alert).

See Also: Fencing an Imaginary Yard; How to Secure your IP with an Unidentifiable Network Perimeter

Anti-virus vendor Trend Micro has tied the Nov. 24 hack attack against Sony to a Dec. 1 FBI warning and Dec. 2 FBI Flash alert, which said that a destructive malware attack had been launched against an unnamed U.S. business (see Defending Against 'Wiper' Malware). Trend Micro says it has recovered samples of the malware referenced in the FBI alert and found that after erasing a PC's hard drive and rebooting the system, the malware would then display a copy of a bitmap image that multiple Sony employees reported finding on their machines, which told them that they had been hacked by a group calling itself "G.O.P."

"This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase "hacked by #GOP," Trend Micro says. "Therefore we have reason to believe that this is the same malware used in the recent attack to Sony Pictures."

Sony has declined to respond to multiple requests for comment on the hack attack against it.

Following the attack against Sony, a group called Guardians of Peace claimed credit. An e-mail sent to Information Security Media Group by someone claiming to be the leader of G.O.P. promised that the group would be leaking "tens of terabytes" of Sony data that attackers stole before wiping Sony hard drives and network drives. To date, however, the group appears to have leaked only about 30 gigabytes of data. But that reportedly includes not just high-quality digital versions of unreleased movies, including a remake of Annie and the Oscar-tipped Brad Pitt World War II drama Fury, but also sensitive internal documents listing all employees' salaries.

Security experts say, it's still not clear how attackers stole all of that data, and while they've found that the Destover malware has the ability to "wipe" hard drives, there have been no reports of malware modules designed to exfiltrate data.

Attackers Knew Sony's Network

The attackers appear to have had an edge, in that they seem to be very familiar with Sony's network topology. "We have been investigating the attack and discovered new pieces of malware that are likely related to the same attackers," says security researcher Jaime Blasco, labs director of security management and threat intelligence vendor AlienVault. "From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials/usernames and passwords that the malware uses to connect to system inside the network."

That suggests that the Sony hack may have been the work of one or more insiders. But security experts say that the attackers could also have been external, and simply had substantial time to conduct reconnaissance of Sony's network, and then create malware that was designed only to attack Sony's network. Creating that type of customized malware would mean that no anti-virus engines had a related signature for the attack code, which would make it harder to spot.

The hackers also went to great lengths to hide their related communications, and likely also associated data exfiltration. "The malware samples we have found talk to IP addresses in Italy, Singapore, Poland, U.S., Thailand, Bolivia and Cyprus - probably hacked systems or VPN/proxies that the attackers use to hide the origin," Blasco says, referring to virtual private networks or proxying services that can be used to obscure an attacker's IP address.

Security researchers are continuing to pore over malware samples, with Trend Micro saying it's found at least four related versions so far. Sophos, meanwhile, reports that it's found three versions of Destover: Destover-B and Destover-C, as well as Destover-A. While the "A" version was found this week, Sophos says it appears to date from Aug. 28.

Sophos didn't immediately respond to a request for comment on the implications of the Destover malware appearing to be almost three months old before it was used to begin forcibly erasing hard drives at Sony.

Malware Employs HTTPS

After infecting a system, Destover attempts to "phone home" to related command-and-control servers via port 443, which is used for secure HTTP, or HTTPS, communications, which get encrypted using SSL/TLS. In other words, the malware appears to communicate with the attackers' malicious infrastructure by using encrypted communications to make the attack - and potentially related data exfiltration too - more difficult to spot.

Symantec says Destover can infect Windows 7 and all previous versions of Windows, back to Windows 95. After infecting a PC, Symantec says the malware has the ability to create and execute processes using the Windows command-line prompt, gather system information, change files' time stamps, as well as delete files.

That information further squares with the information contained in the FBI alert. "The FBI flash memo titled '#A-000044-mw' describes an overview of the malware behavior, which reportedly has the capability to override all data on hard drives of computers, including the master boot record, which prevents them from booting up," Trend Micro says.

Trend Micro notes that after the malware infected a Sony system, it attempted to log into the shared network - using hardcoded credentials and hostnames - and then to "grant full access to everyone that will access the system root," presumably to make it easier for follow-on malware components to execute. The malware also downloaded and executed related code - which it calls Wipall B - which would remain dormant for 10 minutes, and then deactivate the Microsoft Exchange Information Store service and begin deleting all files stored on fixed and network-attached drives, Trend Micro says. The malware then forced the system to reboot and displayed the aforementioned "Hacked by #GOP" image.

Infection Vector Unknown

While security experts have been able to test the wiper malware employed against Sony Pictures Entertainment, they say it's still not clear how the malware infected Sony in the first place. "My educated guess would be that someone was targeted [with] a spear phishing e-mail, which granted access to a system," Tom Chapman, director of the cyber-operations group at cybersecurity firm EdgeWave, tells Information Security Media Group. "The hacker(s) then escalated privileges and took control of the mail server and possibly the Active Directory. From there, the hackers owned the system."

Another theory is that attackers first gained physical access to Sony's systems, then were able to move "laterally" to steal data and unleash malware. But Sean Sullivan, a security adviser at anti-virus firm F-Secure, says there is insufficient evidence to support that theory, at least so far. Instead, he says it's much more likely attackers infected a third-party site that a Sony employee visited, in what's known as a watering-hole attack. "There must be plenty of popular industry websites that could be used to exploit various companies," he says.

The identity of Sony's attackers remains unknown. Speculation has focused on whether the attack might have been launched by the government of North Korea, in retaliation for the release of a forthcoming Sony comedy about a CIA assassination plot against leader Kim Jong-un. But a senior North Korean diplomat in New York - speaking on condition of anonymity to Voice of America - dismissed that any link between Pyongyang and the Sony hack, calling it a "fabrication."

Chapman notes that Sony has previously been the subject of numerous hack attacks - as well as distributed-denial-of-service attacks launched by so-called hacktivists.

News writer Jeffrey Roman contributed to this story.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network