Damballa finds tools related to the malware that hit Sony

18.11.2015
Security company Damaballa said it has found two utilities that are closely related to capabilities seen in the destructive malware that hit Sony Pictures Entertainment last year.

The utilities were discovered as Damballa was investigating a new version of the "Destover" malware, which rendered thousands of computers unusable at Sony after attackers stole gigabytes of sensitive company information.

One key question in the Sony breach is how the attackers were able to evade security systems. What Damaballa found are two utilities that help mask new files introduced to a system. 

"Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface," wrote senior threat researchers Willis McDonald and Loucif Kharouni, in a blog post on Wednesday.

One of the tools, setMFT, enables a technique called timestopping, which can make a file appear to have a different timestamp. It's often used in combination with renaming a newly introduced file to make it appear to blend in with a group of other files.

"This can conceal a file’s existence from security personnel looking for malicious files or scans of files created after a certain date," they wrote. "Timestomping can get past a cursory check."

The other tool, afset, is used for timestomping and cleaning up log data stored in Windows. It can also change the build time and checksum of an executable.

Afset "allows the attacker to remain stealthy and erase their tracks as they move through the network," they wrote. "A full forensic analysis of a system would reveal the presence of afset and missing log activity, but it’s likely this activity would go undetected initially creating high-risk infection dwell time."

It can be difficult for companies to detect intruders in their networks, particularly if the attackers are using valid login credentials stolen from an authorized user. Once in, using these utilities could make it even harder to detect strange activity.

Just one antivirus product was detecting both of the tools, the researchers wrote. That makes it likely that newer versions of them would not be detected, at least initially. 

"These capabilities, when used together with tools that enable attackers to obtain network credentials and disable defenses, allows them to permeate the network undetected for an extended period of time," they wrote.

Jeremy Kirk

Zur Startseite