#sonyhack : this is the only sure thing that discovers the wiperware beacon (snort)

the advantage of having a snort on your network - or if it is too big on the most important part of your network - is that it can discover botnets and viruses before the identities of your antivirus have been updated and distributed 

there is for the moment no virustotal check for the file so there is no way of knowing if your network was attacked with it 

"“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.


Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:


Alert tcp any any – > [,,] [8080, 8000] (msg: “wiper_callout”;
dsize:42;  content:  “|ff  ff  ff  ff|”;  offset:  26;  depth:  4;  sid:  314;http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data/

but that you understand it rightly 

if that kind of traffic arrives than you have to take down the machine immediately because the beacon has started destroying all data on that disk and you are not sure that you will be able to recover it - there is absolutely no guarantee 

and this is as important for your servers as for your desktops or laptops

The comments are closed.