12/04/2014

#sonyhack: the filenames of the malware are known to the FBI but not online or on VirusTotal

“The FBI is providing the following information with HIGH confidence,” the note reads, according to one person who received it and described it to WIRED. “Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”

The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.

It’s unclear if these files were found on Sony systems. So far there have been no news reports indicating that data on the Sony machines was destroyed or that master boot records were overwritten. A Sony spokeswoman only indicated to Reuters that the company has “restored a number of important services.” http://www.wired.com/2014/12/sony-hack-what-we-know/

It is also intriguing to see the name usbdrv; maybe that is an indication that they are using USB drivers or exploits to attack the system.

The fact that they have been rewritten for 64 bits shows that it is necessary nowadays for 32-bit viruses to have a 64-bit version to make an impact.

The fact that they are .sys files shows that they were infecting the program files, the system files and probably the kernel and core of the system. They took the name of something that is used by other software in order to hide, and as these files are not signed and not checked, it is easy to do this.
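For defenders who want to check their own fleet for the two filenames the FBI memo lists, here is an added PowerShell hunt script. It is not from the post, the FBI flash or WIRED: it walks the Windows driver directories, records a SHA-256 for every .sys file, asks Windows for its Authenticode signature status, and flags anything that either matches an FBI-listed name or does not carry a valid signature. The directory list and the CSV output path are assumptions; the two filenames are the ones quoted above.

```powershell
# Added example, not part of the original post. Requires PowerShell 4+ (Get-FileHash).
# Run from an elevated prompt so every driver file is readable.

# The two payload filenames the FBI memo lists (as quoted by WIRED).
$IocNames = @('usbdrv3_32bit.sys', 'usbdrv3_64bit.sys')

# Assumed driver locations; SysWOW64\drivers exists only on 64-bit hosts, so filter by Test-Path.
$DriverDirs = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'SysWOW64\drivers')
) | Where-Object { Test-Path $_ }

# One record per .sys file: path, hash, signature status, signer and whether the name is an IoC.
$Findings = foreach ($dir in $DriverDirs) {
    Get-ChildItem -Path $dir -Filter '*.sys' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path      = $_.FullName
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            IocName   = [bool]($IocNames -contains $_.Name)
        }
    }
}

# Anything matching an FBI-listed filename, or lacking a valid signature, goes into the triage list.
$Suspicious = $Findings | Where-Object { $_.IocName -or $_.SigStatus -ne 'Valid' }

# Show IoC hits first, then persist the list (assumed output path) for the incident record.
$Suspicious | Sort-Object IocName -Descending | Format-Table Path, SigStatus, Signer, IocName -AutoSize
$Suspicious | Export-Csv -Path (Join-Path $env:TEMP 'driver-hunt.csv') -NoTypeInformation
```

A filename match is the strong signal here; the signature column is a triage aid, not a verdict. Many Microsoft inbox drivers are signed through a catalog rather than an embedded signature, and on older PowerShell versions those show up as NotSigned, so the hashes in the CSV are what you compare against a known-good build rather than treating every NotSigned row as an infection.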

The operation itself was probably done the same way the #Belgacomhack was done, that is, through the accounts of the network operators (again). Only here the goal was not to get certain specific information from certain specific installations but to destroy and leak everything, or as much as possible, over a 6-month period (which the operational scenarios for total network compromise treat as a standard period to take over, or own, a whole network).
