The U.S. CERT, part of the Department of Homeland Security, has released an alert describing the malware that took Sony apart pretty effectively. Without going into a lot of detail, here is the high-level overview:
- The malware takes advantage of Windows SMB (Server Message Block) protocols that are common to all versions of Windows.
- The malware worms its way through the target’s network using brute-force guessing of Windows share passwords. It reports back home every 5 minutes with its successes and asks for new instructions.
- It has a listening component that listens on specific ports on the infected machine (probably for commands).
- It has a backdoor component that handles file transfer, system survey and proxying, and can execute arbitrary commands. It can even open ports on the victim’s host firewall (one reason I don’t like software-based firewalls).
- The malware has a proxy tool that allows it to listen on a particular port and perform a variety of administrative functions for the malware.
- It contains a module to overwrite data on up to 4 disk drives and, if the user has local admin privileges, it also overwrites the master boot record so the computer will not boot.
- It has a network propagation wiper that allows it to worm its way through the network using built-in network shares, drop the malware on the new machine and start destroying that machine.
As you can tell from this very brief description, this is a pretty sophisticated piece of software that someone spent a fair amount of time constructing.
Based on what is described in the alert, this malware would do a pretty good job of laying waste to any network it was found on.
The wiper part is what does the actual damage. The rest is for recon and control. By overwriting the disk, you make recovery, for all reasonable situations, impossible and the only option left is to rebuild the system from scratch. This is why Sony told employees not to turn on their computers and not to connect to the company Wi-Fi.
There were reports in the media of security experts (like Kevin Mandia of Mandiant) saying that there was nothing Sony could have done to protect itself. Given this analysis and the assumption that someone did something to get it started inside the Sony network (like clicking on a malicious link), I tend to agree with him.
They probably should have seen the data going out. 50 or 100 terabytes of outbound traffic is a lot, even for Sony. But if these guys were in there for 6 months, then even that might not be obvious. And, Sony may not do outbound traffic analysis.
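Two of the behaviours in the overview above are visible in ordinary network and authentication logs: the burst of failed share logons from a host guessing share passwords, and the fixed 5-minute check-in to a controller. The script below is an added example, not code from the alert or from this post; it runs over a constructed sample log in a hypothetical "time src dst event" format, and the thresholds (five failures in a minute, four check-ins within 15 seconds of a 5-minute period) are assumptions to tune for a real network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: time src dst event).
SAMPLE_LOG = """\
2014-11-24T01:00:00 10.0.0.5 10.0.0.20 SMB_AUTH_FAIL
2014-11-24T01:00:03 10.0.0.5 10.0.0.20 SMB_AUTH_FAIL
2014-11-24T01:00:06 10.0.0.5 10.0.0.21 SMB_AUTH_FAIL
2014-11-24T01:00:09 10.0.0.5 10.0.0.21 SMB_AUTH_FAIL
2014-11-24T01:00:12 10.0.0.5 10.0.0.22 SMB_AUTH_FAIL
2014-11-24T01:00:30 10.0.0.5 203.0.113.9 OUTBOUND_CONNECT
2014-11-24T01:05:31 10.0.0.5 203.0.113.9 OUTBOUND_CONNECT
2014-11-24T01:10:29 10.0.0.5 203.0.113.9 OUTBOUND_CONNECT
2014-11-24T01:15:32 10.0.0.5 203.0.113.9 OUTBOUND_CONNECT
2014-11-24T01:02:00 10.0.0.7 10.0.0.20 SMB_AUTH_FAIL
2014-11-24T01:03:10 10.0.0.7 198.51.100.2 OUTBOUND_CONNECT
2014-11-24T01:11:45 10.0.0.7 198.51.100.2 OUTBOUND_CONNECT
"""

def parse(log_text):
    """Each 'time src dst event' line -> (datetime, src, dst, event), time-ordered."""
    return sorted((datetime.fromisoformat(t), s, d, e)
                  for t, s, d, e in (ln.split() for ln in log_text.splitlines()))

def smb_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Hosts with >= threshold SMB auth failures inside one window (share guessing)."""
    fails = defaultdict(list)
    for ts, src, _dst, ev in events:          # events are already time-ordered
        if ev == "SMB_AUTH_FAIL":
            fails[src].append(ts)
    flagged = []
    for src, times in fails.items():
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return sorted(flagged)

def beaconing_pairs(events, period=timedelta(minutes=5), tol=timedelta(seconds=15), min_hits=4):
    """(src, dst) pairs that connect out on a near-fixed period (check-in cadence)."""
    conns = defaultdict(list)
    for ts, src, dst, ev in events:
        if ev == "OUTBOUND_CONNECT":
            conns[(src, dst)].append(ts)
    flagged = []
    for pair, times in conns.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tol)
        if regular + 1 >= min_hits:           # N regular gaps means N+1 check-ins
            flagged.append(pair)
    return sorted(flagged)
```

On the sample log, `smb_bruteforce_sources` flags only 10.0.0.5 (the single failure from 10.0.0.7 stays below the threshold), and `beaconing_pairs` flags only the 10.0.0.5 to 203.0.113.9 connections, whose gaps are within a few seconds of 5 minutes.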