Federal Security Unit Warns Sony Malware Could Spread

'SMB Worm' is sophisticated and destructive software

Kim Jong Un / AP

December 19, 2014 7:30 pm

The federal government issued a warning Friday about additional cyber attacks using the malicious software from the Sony Pictures cyber attack.

The U.S. Computer Emergency Response Team (US-CERT) said the targeted destructive malware affecting Microsoft Windows systems could be used in additional attacks.

"US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company," the notice states.

The FBI said in a statement Friday that the Sony attack was carried out by "the North Korean government."

The cyber attack "destroyed systems and stole large quantities of personal and commercial data." The perpetrators posed as members of a group calling itself the Guardians of Peace.

The North Korean link was confirmed through technical analysis showing that the malware is similar to software used by North Korea in the past.

The malware also is similar to March 2013 cyber attacks against South Korean banks and news media outlets by the North Koreans.

"We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there," the FBI said, noting it is "one of the gravest national security dangers to the United States."

President Obama also said the United States would retaliate for the Sony cyber attack. He did not provide details of how or when the response would take place.

Cyber security expert Dmitri Alperovitch said the North Korean cyber attack was unrivaled in its impact.

"This is unprecedented," said Alperovitch, founder and chief technology officer of CrowdStrike. "A thuggish dictator of a brutal country has managed to suppress free speech and expression here in the United States."

According to US-CERT, the sophisticated software worm burrows into networks using several components. They include what the emergency notice describes as a "listening implant," which helps gain initial remote access to a target network, and a "lightweight backdoor," which is used to evade firewalls and exploit universal plug and play mechanisms in a hunt for routers and gateways, and which adds port-forwarding features that allow easy access to protected networks.

The notice said the listening tool used security codes that are decrypted using a key derived from the phrase "National Football League."

Additionally, the "proxy tool" feature of the malware gives hackers the capability to "fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files," the warning notice states.

The destructive software is loaded into a computer by a "dropper"—a software program designed to install the components into an affected system. Droppers are installed when a computer user is fooled into clicking on a hyperlink disguised as a known Internet location.

Two additional components are a destructive hard drive tool and a destructive target cleaning tool. The data wiper "is intended to destroy data past the point of recovery and to complicate the victim machine's recovery," US-CERT stated.

The malware is also designed to cause further damage to hard drives when the computer is rebooted. "This further results in the victim machine being non-operational with irrecoverable data," the notice said.

The target cleaning malware "renders victim machines inoperable by overwriting the master boot record," the notice says.

The software also has the capability to spread throughout an entire network, destroy data on remote systems, and report back to its controllers on the destructive activity.
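One defensive check that follows from this description: because the cleaning tool's end state is an overwritten master boot record, an incident responder can compare the first sector of a disk (or a disk image) against a hash recorded while the system was known-good and flag the tell-tale signs of an overwrite (missing 0x55AA signature, constant-fill sector, empty partition table). The Python below is an added example, not code from the US-CERT alert or the article; the "healthy" and "wiped" MBR samples it checks are constructed inline, and the device paths mentioned in the usage note are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the boot code


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or raw image (needs admin rights
    on a live system, e.g. /dev/sda or \\\\.\\PhysicalDrive0 -- assumed paths)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if sha256_hex(sector) == baseline_sha256:
        return findings
    findings.append("MBR hash differs from recorded baseline")
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if len(set(sector)) == 1:
        findings.append("sector is a constant fill (0x%02x)" % sector[0])
    if not any(p["type"] != 0 for p in mbr["partitions"]):
        findings.append("partition table empty")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: stub boot code, one active NTFS partition, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PARTITION_TABLE_OFFSET, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        2048, 204800)
    table = entry + bytes(16 * 3)     # three unused entries
    return boot_code + table + MBR_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = sha256_hex(healthy)    # record this while the host is known-good
    print("healthy:", assess_mbr(healthy, baseline))
    wiped = bytes(SECTOR_SIZE)        # constructed: sector zeroed by an overwrite
    print("wiped:  ", assess_mbr(wiped, baseline))
```

The baseline hash must be captured and stored off-host before an incident; a hash recorded from the compromised disk proves nothing. The constant-fill and signature checks still give a useful signal when no baseline exists.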

"Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems," the report says.

The US-CERT recommended using and maintaining anti-virus software and keeping it current.

"Install software patches so that attackers can't take advantage of known problems or vulnerabilities," the notice said.

The hackers used a command and control network located in several countries, including Poland, Bolivia, Singapore, Cyprus, and the United States.

Investigators believe the North Korean hackers operated from a hotel in Thailand, a country with a large number of North Korean intelligence officers who operate from diplomatic outposts.

Additional technical details, recommendations for handling infected networks, and a list of security procedures for countering the SMB worm can be found at the US-CERT website.
