Rob here with Patriot Privacy and the Self-Reliance Institute.
I’m sure you’ve seen news reports about the cyberattack on Sony that resulted in Sony’s decision to hold off on showing the movie “The Interview.”
The FBI announced yesterday that the attack was conducted by the government of North Korea and almost everyone has an opinion on whether Sony did the right thing by pulling the movie because of the threats it received.
But beyond what’s in the headlines and has become fodder for news and talk shows, I’d like to share with you information that most folks are not aware of because the mainstream media rarely covers important details when it comes to cybercrime or what, in this case, may actually be cyberwar.
The reason I’d like you to have this knowledge is that the attack on Sony is not as rare as some believe, and it is certainly indicative of the type of crime and warfare that we as citizens will battle for the rest of our lives.
For that reason, it’s important to understand the types of malware (malicious software) involved in the attack on Sony, because they show just how damaging and threatening malware can be when used as a cyber-weapon.
Late yesterday, US-CERT (United States Computer Emergency Readiness Team) released details of the malware involved in “Alert (TA14-353A) – Targeted Destructive Malware,” which is available in full on the US-CERT website.
But to save you time, here are the details of the malware involved.
While much of the jargon is highly technical, I want you to have an understanding of how sophisticated these threats can be and the types of actions malware can carry out.
Reviewing this so as to have a general familiarity with what’s actually involved will put you far ahead of the general public in understanding the dangers we will face as individuals and as a nation from this day forward.
I’ve highlighted some key aspects.
“SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is copied and run on the newly-infected host.
“Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase “National Football League.” Additionally, this implant listens for connections on TCP port 195 (for “sensvc.exe” and “msensvc.exe”) and TCP port 444 (for “netcfg.dll”). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, “HTTP/1.1 GET /dns?\x00.” The controller then responds with the string “200 www.yahoo.com!\x00” (for “sensvc.exe” and “msensvc.exe”) or with the string “RESPONSE 200 OK!!” (for “netcfg.dll”). The controller sends the byte “!” (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.
“Lightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host’s firewall and take advantage of Universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.
“Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.
“Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot record (MBR) with a program designed to cause further damage if the hard drive is rebooted. This further results in the victim machine being non-operational with irrecoverable data. (There is a caveat for machines installed with the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, at which point the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
“Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
“Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. It checks for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32” or creates a new share via “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.”
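To make the “Listening Implant” paragraph above concrete, here is an added example (my own code, not anything from the US-CERT alert or from the malware) that implements the wire framing the alert describes, simulates the opening exchange for both implant variants, and classifies a captured session from its first message in each direction. The alert does not say how wide the length prefix is or whether the prefix itself is XOR encoded; the code assumes a 4-byte little-endian length with the XOR applied to the whole frame, and the sample session bytes are constructed, not captured.

```python
"""Wire framing of the "Listening Implant" described in US-CERT TA14-353A:
every message is length-prefixed and XOR encoded with 0x1F, the victim opens
with "HTTP/1.1 GET /dns?\\x00", the controller answers with a variant-specific
string and later sends a raw "!" to hang up. This is an added example, not
code from the alert or from the malware. Assumptions not stated in the alert:
the length prefix is a 4-byte little-endian integer and the XOR covers the
prefix as well as the body."""
import struct

XOR_KEY = 0x1F
END_MARKER = b"!"  # 0x21, sent raw by the controller: no length, no XOR

HELLO = b"HTTP/1.1 GET /dns?\x00"  # victim -> controller
REPLIES = {                         # controller -> victim, keyed by implant variant
    "sensvc.exe/msensvc.exe": b"200 www.yahoo.com!\x00",
    "netcfg.dll": b"RESPONSE 200 OK!!",
}


def xor1f(data: bytes) -> bytes:
    """XOR every byte with 0x1F; applying it twice restores the input."""
    return bytes(b ^ XOR_KEY for b in data)


def frame(message: bytes) -> bytes:
    """Length-prefix a message and XOR the whole frame (see assumptions above)."""
    return xor1f(struct.pack("<I", len(message)) + message)


def unframe(stream: bytes):
    """Pop one message off the front of a captured byte stream.
    Returns (message, rest); the raw end marker is returned as (None, b"").
    Caveat: a 62-byte message also starts with 0x21 once XOR encoded
    (0x3E ^ 0x1F), so only a lone trailing byte is treated as the marker here;
    a production decoder should use connection state instead."""
    if stream == END_MARKER:
        return None, b""
    if len(stream) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("<I", xor1f(stream[:4]))
    if len(stream) < 4 + length:
        raise ValueError("truncated frame body")
    return xor1f(stream[4:4 + length]), stream[4 + length:]


def decode_stream(stream: bytes) -> list:
    """Decode every frame in one direction of a session."""
    messages = []
    while stream:
        message, stream = unframe(stream)
        messages.append(message)
    return messages


def sample_session(variant: str) -> tuple:
    """Constructed sample of the initial exchange, as the bytes each side puts
    on the wire: (victim -> controller, controller -> victim)."""
    return frame(HELLO), frame(REPLIES[variant]) + END_MARKER


def classify_session(to_controller: bytes, to_victim: bytes):
    """Detection: name the implant variant if the first message in each
    direction matches the TA14-353A handshake, else return None."""
    try:
        first_up = decode_stream(to_controller)[0]
        first_down = decode_stream(to_victim)[0]
    except (ValueError, IndexError):
        return None
    if first_up != HELLO:
        return None
    for variant, reply in REPLIES.items():
        if first_down == reply:
            return variant
    return None


def wire_signature() -> bytes:
    """The encoded hello is constant, so its bytes make a fixed IDS content
    match (the first four bytes depend on the length-prefix assumption)."""
    return frame(HELLO)


if __name__ == "__main__":
    for variant in REPLIES:
        up, down = sample_session(variant)
        print(variant, "->", classify_session(up, down))
    print("hello on the wire:", wire_signature().hex())
```

The point for defenders is that a fixed handshake under a single-byte XOR is not encryption: the encoded hello is the same byte string on every infected host, so it can be matched directly in network captures on TCP ports 195 and 444, and `xor1f` recovers the plaintext of any session once you have the stream.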
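The “Network Propagation Wiper” paragraph spells out the exact commands the malware runs to spread, and those commands are what an incident responder would hunt for in process-creation logs. The following is an added example (my own code, not from the alert or the malware) that runs such a hunt over a few constructed Windows process-creation events: it flags the hidden-share creation over %SystemRoot%, the wmic remote process start with a password on the command line, the share cleanup and the taskhost look-alike, then reports which host was spreading the wiper and which hosts it was pushed to. The event format (dicts with “host” and “cmdline” keys, as one would export from Sysmon Event ID 1 or Windows Security event 4688) and the reading of “taskhostXX.exe” as two arbitrary characters after “taskhost” are assumptions; all sample events are made up.

```python
"""Hunt process-creation telemetry for the lateral-movement sequence in the
"Network Propagation Wiper" paragraph of US-CERT TA14-353A: create a hidden
share over %SystemRoot%, push the wiper, start it remotely with wmic using
stolen credentials, then delete the share. Added example, not code from the
alert or the malware. Assumptions: events are dicts with "host" and "cmdline"
keys (as exported from Sysmon Event ID 1 or Windows Security 4688), and the
alert's "taskhostXX.exe" stands for two arbitrary alphanumerics after
"taskhost"."""
import re
from collections import defaultdict

RULES = {
    # net share <name>$=%SystemRoot% /GRANT:everyone, FULL : the whole Windows
    # directory exposed as a writable hidden share for dropping the wiper
    "share_systemroot_everyone": re.compile(
        r"\bnet\s+share\s+\w+\$=%SystemRoot%\s+/GRANT:everyone,\s*FULL\b", re.I),
    # wmic /node:<host> ... PROCESS CALL CREATE : remote process start
    "wmic_remote_process_create": re.compile(
        r"\bwmic(\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I),
    # credentials passed in clear on the command line
    "plaintext_password_arg": re.compile(r"/password:\S+", re.I),
    # net share <name>$ /delete : removal of the staging share afterwards
    "share_delete": re.compile(r"\bnet\s+share\s+\w+\$\s+/delete\b", re.I),
    # taskhostXX.exe look-alike; the real taskhost.exe and taskhostw.exe
    # have fewer than two characters after "taskhost" and do not match
    "taskhost_lookalike": re.compile(
        r'(^|[\\\s"])taskhost[a-z0-9]{2}\.exe\b', re.I),
}
NODE_RX = re.compile(r"/node:(\S+)", re.I)

SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c wmic.exe /node:ws-22 /user:CORP\\jdoe /password:Hunter2 "
                'PROCESS CALL CREATE "C:\\Windows\\System32\\taskhost7a.exe"'},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /q /c net share shared$ /delete"},
    {"host": "ws-22", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "C:\\Windows\\System32\\taskhost7a.exe"},
    {"host": "ws-05", "user": "CORP\\admin", "cmdline": "wmic os get caption"},
    {"host": "ws-05", "user": "CORP\\admin", "cmdline": "taskhostw.exe"},
    {"host": "ws-05", "user": "CORP\\admin", "cmdline": "net share"},
]


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern occurs in one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def hunt(events) -> dict:
    """Map each host with at least one hit to the sorted rule names it tripped."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev.get("cmdline", "")):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def suspected_origins(events) -> list:
    """Hosts that both staged the share and launched remote processes are the
    ones actively spreading the wiper; a single rule hit may be an admin."""
    return sorted(host for host, names in hunt(events).items()
                  if "share_systemroot_everyone" in names
                  and "wmic_remote_process_create" in names)


def remote_targets(events) -> list:
    """Hosts named in /node: of a remote process creation: where the wiper
    was pushed, which scopes the containment effort."""
    targets = set()
    for ev in events:
        cmdline = ev.get("cmdline", "")
        if RULES["wmic_remote_process_create"].search(cmdline):
            targets.update(NODE_RX.findall(cmdline))
    return sorted(targets)


if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, names)
    print("origins:", suspected_origins(SAMPLE_EVENTS))
    print("targets:", remote_targets(SAMPLE_EVENTS))
```

Two caveats apply when running something like this against real telemetry. A lone `/password:` or `wmic /node:` hit is routine in administrative scripting, which is why the origin logic requires the share-staging command and the remote start on the same host before it names a spreader. And the file-time matching to calc.exe that the alert mentions never appears in a process-creation event at all; that tampering is only visible in file-system telemetry (Sysmon Event ID 2, file creation time changed) or in a forensic timeline, so it needs a separate check.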
OK. As I said above, this is a bit technical. But, it’s not the technical aspects I want you to grasp. I just want you to come away with an understanding of how sophisticated, pervasive and destructive some malware is and how it can be (and is being) used as a cybercrime and cyberwar weapon.
Boiled down to its essence, this attack broke into Sony’s corporate network, spread from machine to machine using stolen credentials and Windows file shares, exfiltrated a large volume of Sony’s data, and then ran wiper malware that overwrote hard drives and master boot records, leaving the affected machines unbootable and the data on them unrecoverable.
The significance for the rest of us is that the Sony incident is just a taste of what we will all confront with increasing frequency in the future.
Please share this with your friends and family so that they will also have a better understanding of what’s involved than the nonsense the mainstream media is broadcasting.
As always, share your thoughts with me at [email protected]
Be safe, secure and free!
Rob Douglas – Former Washington DC Private Detective
Freedom Writers Publishing
1815 Central Park Dr. #358
Steamboat Springs, CO 80487