The highly destructive malware believed to have hit the networks of Sony Pictures Entertainment contained a cocktail of malicious components designed to wreak havoc on infected networks, according to new technical details released by federal officials who work with private-sector security professionals.
An advisory published Friday by the US Computer Emergency Readiness Team said the central malware component was a worm that propagated through the Server Message Block protocol running on Microsoft Windows networks. The worm contained brute-force cracking capabilities designed to infect password-protected storage systems. It acted as a "dropper" that then unleashed five components. The advisory, which also provided "indicators of compromise" that can help other companies detect similar attacks, didn't mention Sony by name. Instead, it said only that the potent malware cocktail had targeted a "major entertainment company." The FBI and White House has pinned the attack directly on North Korea, but so far have provided little proof.
"This worm uses a brute force authentication attack to propagate via Windows SMB shares," Friday's advisory stated. "It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2."