The sophisticated Wiper malware which was launched against Sony Pictures does exactly what it sounds like: wipes anything and everything from systems.
“Wiper” uses a malicious set of attacks:
- Wipe out all information held on hard disks
- Reboot servers
- Prevent access to Exchange emails
- Close down networks
- Used on all versions of Windows
How Wiper malware works:
- The Wiper executable file, recognized as exe, is known as a “dropper” file.
- This file will install itself over supporting files and as a trusted Windows service.
- It also creates a network share within the system root directory. This allows any other computer over the network to reach it.
- It uses the WMI (Windows Management Interface) to communicate with other machines and run code to and from them to spread itself further across the network.
- This allows wiper to gain access to any machine on the system via a computer network exploitation (CNE).
- Broadcasts are sent out to remote command networks via a “beacon” message, the malware is already accessing the hard drive to delete data by each sector.
- It overwrites data with ordinary user privileges by disguising itself as a USB 3.0 device driver. This is a commercially available disk driver, made by EldoS.
- It then instructs the operating system to halt for a couple of hours then wake up with a reboot. By this time, all the data is wiped clean by the malware.
Wiper attack on Sony Pictures
Sony Pictures is a prime example of being on the receiving end of the “Wiper” attack. This particular attack recently gained media attention, got the FBI involved and caused a stir at Antivirus companies.
A snippet from the FBI memo about Wiper
Speculation at Sony from a Re/code analysis reports links the attack to North Korea. This is partly due to a near identical attack carried out against South Korea by their northerly neighbors. Originally it was claimed the attack was motivated by disgruntled ex-workers who were laid off due to a company restructure earlier in the year.
What can you do?
It’s likely that this kind of attack is mostly aimed at very high profile companies, like in our example above. In general it’s wise to do the following to keep on top of your business or home security:
- Update Anti-virus definitions. Be sure to have the latest updates from you Antivirus provider. Updates are added regularly to detect and quarantine suspicious files from doing further damage.
- Verify your backups, and opt for an offsite or Cloud solution, in the case of a catastrophic data loss.
- Update your critical Windows Servers and desktops with the latest operating system security patches.
- Avoid being spear fished. Do not open unknown emails which contain attachments or files. Be conscious of spoof emails that may trick you into clicking attachments.
- Lock down USB usage. With the help of an endpoint management solution, you can set policies to only allow authorized USB devices, which can help prevent this type of attack.
- Revise your IT policies to only give specific administrators privileges to run, execute and share resources.
For more information about the Wiper virus and how you can protect your business from malicious malware, contact your local IT professionals.
