Slashdot Mirror


New Destover Malware Signed By Stolen Sony Certificate

Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it's representative of the genre of malware that doesn't just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords. The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.

3 of 80 comments

  1. This whole Sony story by ruir · Score: 5, Insightful

    gets better every time. This is not news anymore, it is a damn Mexican soap opera.

  2. Oh great, now I can't trust Sony by NotDrWho · Score: 4, Funny

    Just yesterday, they were the bastion of trustworthy software. Now this!

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.

  3. Apparently not. by Anonymous Coward · Score: 4, Informative

    From ISC SANS

    "Update: Turns out that the malware sample that Kaspersky was reporting on was not actual malware from a real incident. But the story isn't quite "harmless" and the certificate should still be considered compromised. A researcher found the certificate as part of the SONY data that was widely distributed by the attackers. The filename for the certificate was also the password for the private key. The researcher then created a signed copy of an existing malware sample retrieved from Malwr, and uploaded it to Virustotal to alert security companies. Kaspersky analyzed the sample, and published the results, not realizing that this was not an "in the wild" sample. [1] The certificate has been added to respective CRLs."