Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.

Supreme Leader

[Dorianny]

What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

Re:Supreme Leader

[Frosty+Piss]

Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value.

Because they are obsessed with the "respect" to their Dear Leader. It is a cult obcession with these people, don't try to read logic into it. Think "Scientologists".

Can we stop the embellishment?

[PhrostyMcByte]

I haven't seen any evidence that the mechanics of the attack itself is at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as unmitigated damage.

To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.

This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.

Then maybe we can finally answer an old question

[Opportunist]

I think it was Thomas Hesse, back when Sony distributed Rootkits with their CDs their President of Global Digital Business, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?".

Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?