#sony attack : the destructive wiperware and more information coming out (links)

it is impossible to say who protects against the file because virustotal doesn't give any answer, nor on the MD5 nor on the filename

maybe this is done at the demand of the FBI to make it impossible for the attacker to discover which networks can be attacked easily because their antivirus isn't uptodate yet - even if in the other cases it doesn't mean that all the antiviruses on all the machines in the networks have updated libraries and protections 

it is also clear that this virus is generic, it isn't build for a specific machine or model or version, it just attacks all the boot processes so it makes it much harder to protect against and much more dangerous to protect against once it is inside your environment (because if it had been written specifically for a specific machine you could calculate how many more of such machines you had and where they were located and what was the risk of each machine and concentrate immediately on those that are of most value to the organisation, business or network) 

File: igfxtrayex.exe
Size: 249856 bytes (244.0 KB)
MD5: 760c35a80d758f032d02cf4db12d3e55
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean
http://it.slashdot.org/story/14/12/02/188233/fbi-wiper-malware-has-korean-language-packs-hard-coded-targets

normally the name of the software would have let it pass through process controls 

igfxtray.exe is a process which allows you to access the Intel Graphics configuration and diagnostic application for the Intel 810 series graphics chipset.This program is a non-essential system process, and is installed for ease of use via the desktop tray. http://www.processlibrary.com/en/directory/files/igfxtray/24866/

the virusfile was uploaded yesterday to this sandbox (with connections to Tokio)

https://malwr.com/analysis/MWZkZjU4Mjc1ZTNlNDQzN2FkOWFhNWI1NjNmYjk0Nzc/ 

This file was already called malware in 2011 by this site (and it was attributed to the TRUECRYPT organisation but it isn't digitaly signed (well as long as such software can be placed into the boot or root of a pc without any digital signing we are just riding in the dark without lights - and if they were signed they have to be checked)

http://www.isthisfilesafe.com/md5/77EA9586C6D588386EE9C98DBF5B7B32_details.aspx

virustotal has for this file an analysis  but some antiviruses didn't protect against it 

this was an 32bits version - one that shouldn't have worked in an 64bits environment 

2011 seems to be a very difficult year for the rootkit-bootkit developers as they have to migrate to 64bits :)

The comments are closed.