Monday 8 December 2014

Analysis of the malware that was used in the attack on Sony Pictures

Last week an internal FBI document containing an analysis of the malicious code that "brought Sony Pictures to its knees" became publicly accessible.
The description calls it "destructive malware, used by unknown operators." It is able to erase all data on infected Windows computers and to spread across the network to attack Windows servers, using the operating system's built-in file-sharing service to propagate.
Representatives of Sony Pictures characterized the program as "very complex", and independent experts from Mandiant confirmed that it was not detected by antivirus software at the time it was spreading.

After installation the program communicates with a command server on the Internet. Although investigators were able to establish a signature for the command traffic, this is unlikely to help identify the malware, because the connection to the C&C server occurs only after the file-deletion process.
Experts were not able to determine how the initial infection occurred. On installation the dropper runs as a Windows service and creates a network share using the "%SystemRoot%" variable, to which all computers on the LAN are given access. The program then runs the Windows Management Interface (WMI) command line to distribute files from the network share to other computers.
An analysis of the malware, Trojan.Win32.Destover.a, has been published in the Malwr database. According to it, the dropper contacted several IP addresses, probably located in Japan (this may be due to the location of Sony's headquarters).
The dropper installs a file whose name resembles Internet Information Server (IIS), iissrv.exe, which listens on TCP/IP port 80 and is in reality a tiny web server. It is this component that displayed the JPEG picture and text on the screen while files were being deleted.
At some point (perhaps on instruction from the C&C server) the file igfxtrayex.exe runs; it carried out the sector-by-sector wiping of files, having previously communicated with multiple IP addresses in Italy, Thailand and other countries (probably compromised addresses and VPN proxies). After deleting the files using the EldoS disk driver, the computer went to sleep for about two hours and then rebooted.
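As an added example (not from the article, from xaker.ru, or from the FBI analysis), the Python below triages simplified Windows event records for the behaviours described above: a service installed with one of the named binaries, a network share exposing %SystemRoot%, and WMI command-line launches from a UNC path. The Event IDs are the standard Windows ones (7045 service installed, 5142 share added, 4688 process created); the key=value record format and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Filenames the analysis attributes to the dropper; extend with your own IoCs.
SUSPECT_BINARIES = {"iissrv.exe", "igfxtrayex.exe"}

# Constructed sample records (simplified key=value rendering of Windows
# System/Security events); not real telemetry from the incident.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="Update Helper" ImagePath="C:\\Windows\\iissrv.exe"',
    'EventID=5142 ShareName="\\\\*\\sysroot$" ShareLocalPath="%SystemRoot%"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic /node:HOST02 process call create \\\\HOST01\\sysroot$\\igfxtrayex.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\igfxtrayex.exe" CommandLine="igfxtrayex.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
    'EventID=7045 ServiceName="Print Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse(record: str) -> dict:
    """Split one key=value record into a dict (quoted values may contain spaces)."""
    return {k: (q if q else u) for k, q, u in _KV.findall(record)}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage(record: str) -> Optional[str]:
    """Return the name of the first matching rule, or None if the record looks benign."""
    ev = parse(record)
    eid = ev.get("EventID")
    cmd = ev.get("CommandLine", "").lower()
    if eid == "7045" and basename(ev.get("ImagePath", "")) in SUSPECT_BINARIES:
        return "service-install-suspect-binary"     # dropper registered as a service
    if eid == "5142" and "%systemroot%" in ev.get("ShareLocalPath", "").lower():
        return "share-exposes-systemroot"           # staging share built from %SystemRoot%
    if eid == "4688":
        if basename(ev.get("NewProcessName", "")) in SUSPECT_BINARIES:
            return "process-suspect-binary"         # web server / wiper component started
        if "wmic" in cmd and "/node:" in cmd and "\\\\" in cmd:
            return "wmic-remote-exec-from-unc"      # WMI command line pushing files from a share
    return None


def scan(records: List[str]) -> List[Tuple[int, str]]:
    """Return (index, rule) pairs for every record that matches a rule."""
    hits = []
    for i, rec in enumerate(records):
        rule = triage(rec)
        if rule:
            hits.append((i, rule))
    return hits
```

The hits from scan(SAMPLE_EVENTS) are the four records tied to the behaviours above; the notepad and spooler records pass through untouched.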

Experts warn that all companies running Windows servers are vulnerable to such an attack.

Source : xaker.ru
