Details Emerge on Sony Wiper Malware Destover

Kaspersky Lab has published an analysis of Destover, the wiper malware used in the attacks against Sony Pictures Entertainment, and its similarities to Shamoon and DarkSeoul.

Researchers are starting to stitch together clues about the wiper malware that has landed a body blow to Sony Pictures Entertainment. Not only were thousands of files and documents leaked that included unreleased movies, confidential company presentations and financial records, employee records, passwords and more, but an untold number of machines were left unusable by malicious code identified as Destover.

Destructive attacks aren’t new, and they’re happening with frequency at different scales. Smaller companies and individuals are falling victim to new strains of ransomware at alarming rates. CryptoLocker, for example, encrypts files on a compromised machine, promising a decryption key if a ransom is paid.

Destover, and the like, are much more dangerous in that they overwrite the master boot record on a computer, not only rendering the computer useless after robbing it blind, but also leaving few bread crumbs for investigators to follow.

Kaspersky Lab researcher Kurt Baumgartner today published a report exposing Destover’s functionality and describing similarities between this malware and similar code used in the Shamoon attack against Saudi Aramco and the DarkSeoul attack last year in South Korea.

Across the three attacks, Baumgartner notes the use of commercially available Eldos RawDisk driver files (Shamoon and Destover), that wiper drivers are maintained in the dropper’s resource section (Shamoon, Destover), and disk data and the MBR are overwritten with encoded political messages (Shamoon, DarkSeoul).

Destover, Baumgartner said, was compiled anytime in the 48 hours prior to the attack, similarly to the DarkSeoul attacks, and that the attackers already had a longstanding foothold on the network. Shamoon was also compiled in the days leading up to the Aramco attack, a tight timeline given the number of workstations (30,000-plus) that were damaged.

“In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” Baumgartner wrote.  “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”

In the case of Destover, the popular narrative has been to blame North Korea for the attack on Sony in retaliation for the upcoming release of “The Interview” in which the plot revolves around a fictional attempt by the CIA to assassinate North Korea’s leader Kim Jong Un. When details regarding “The Interview” were announced in June, a spokesman for the North Korean Foreign Ministry condemned the film, calling it a “blatant act of terrorism and war.”

In his report, Baumgartner explains other similarities between the three attacks, including their use of the EldoS RawDisk drivers to overwrite disk data and the MBR, backdoors used in the attack, and the potential for data recovery.

“The above list of commonalities does not, of course, prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover. But it should be noted that the reactionary events and the groups’ operational and toolset characteristics all carry marked similarities,” Baumgartner wrote. “And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.”

The Sony saga picked up steam this week not only as the leaks intensified, but also after the FBI on Sunday issued a confidential flash alert to enterprises in the United States warning them of wiper malware attacks.

The FBI did not name any victims such as Sony in the flash alert, but Ars Technica today reported it had seen the memo and shared some of its contents, including a Snort rule for the signal sent to the malware’s command and control infrastructure, and a YARA rule to be used for detection.

News on the Sony attack broke before Thanksgiving last week when it was reported that most internal systems were down and unusable. Screens on internal workstations popped up claiming that Sony had been “Hacked By #GOP,” a hacker group named Guardians of Peace. The notice, alongside a red skull, went on to warn the company that it had “obtained all your internal data including your secrets and top secrets” and that it would release it unless the company obeyed the group.

Suggested articles