Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

Posted by timothy on from the forewarned-is-forearmed dept.

wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.

3 of 177 comments (clear)

  1. Re:Supreme Leader by Frosty+Piss · · Score: 5, Interesting

    Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value.

    Because they are obsessed with the "respect" to their Dear Leader. It is a cult obcession with these people, don't try to read logic into it. Think "Scientologists".

    --
    If you want news from today, you have to come back tomorrow.
  2. Then maybe we can finally answer an old question by Opportunist · · Score: 5, Interesting

    I think it was Thomas Hesse, back when Sony distributed Rootkits with their CDs their President of Global Digital Business, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?".

    Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Can we stop the embellishment? by Bert64 · · Score: 4, Interesting

    It's common practice to put all of your servers and workstations in an active directory domain, and once you have a tiny foothold on an active directory domain it is almost always trivially easy to get administrative privileges over the whole domain (have been working as a pentester for 10+ years and never failed to get domain admin when the job scope allowed it)...
    Once you have domain admin, you typically have access to pretty much everything. Even if the organisation has devices which aren't linked to active directory (typically unix boxes, routers, switches etc), you will probably find that the guys responsible for managing these devices do so from a windows workstation which is part of the domain, so you just find their workstation and start keylogging (or in many cases just find the textfile full of passwords).
    Also in my experience, very few companies notice once you take control of their domain, and as a legitimate pentester i'm not trying to cover my tracks. The chances of most organisations noticing someone who is being careful is virtually 0.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!