Technical evidence links destructive malware to attack against Sony Pictures

04.12.2014
The destructive malware program that the FBI alerted some companies about this week was likely used against Sony Pictures Entertainment, according to technical evidence found by researchers in the program's code.

Reports surfaced online Nov. 24 that the computer network of Sony Pictures Entertainment, a U.S.-based subsidiary of Sony, was infiltrated by hackers. The company's employees were reportedly no longer able to use their computers after a message from the attackers, a group called the Guardians of Peace (GOP), was displayed on their screens.

On Monday the FBI sent a confidential five-page alert to a number of private companies about a destructive malware program that can overwrite data on a computer's hard disk drive, including its master boot record that holds information about partitions.

Some security professionals speculated that the malware was used to attack Sony, but the FBI declined to confirm this hypothesis. However, security researchers from Trend Micro and AlienVault obtained samples of the malware described in the FBI warning and found strong evidence that it was used against Sony.

The malware, which Trend Micro detects as BKDR_WIPALL, has several components including diskpartmg16.exe, igfxtrayex.exe and usbdrv32.sys, the Trend Micro researchers said in a blog post Wednesday. The diskpartmg16.exe file is the initial installer and contains a set of encrypted usernames and passwords that are used to access the shared network, they said.

The credentials are intentionally blurred in a screen shot of the malware program's code that was published by Trend Micro, but visible parts show that they're arranged on lines starting with SPE, which likely stands for Sony Pictures Entertainment.

A bitmap image file called walls.bmp that is dropped by the malware on infected systems is an even stronger connection to the company. This file is a wallpaper containing the GOP message that Sony Pictures Entertainment employees reportedly saw on their computers.

Researchers from AlienVault also connected the malware to the attack against SPE.

"From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials -- usernames and passwords -- that the malware uses to connect to systems inside the network," said Jaime Blasco, director of AlienVault Labs, via email.

The hackers who compiled the malware used the Korean language on their systems, according to Blasco. Some view this aspect as something that supports the theory that North Korean was behind the attack, but security experts say that is unlikely.

Lucian Constantin