TrendLabs engineers were recently able to obtain a malware sample of the “destructive malware” described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses last December 2. According to Reuters, the FBI issued a warning to businesses to remain vigilant against this new “destructive” malware in the wake of the recent Sony Pictures attack. As of this writing, the link between the Sony breach and the malware mentioned by the FBI has yet to be verified.
The FBI flash memo titled “#A-000044-mw” describes an overview of the malware behavior, which reportedly has the capability to override all data on hard drives of computers, including the master boot record, which prevents them from booting up.
Below is an analysis of our own findings:
Analysis of the BKDR_WIPALL Malware
Our detection for the malware detailed in the FBI report is BKDR_WIPALL. Below is a quick overview of the infection chain for this attack.
The main installer here is diskpartmg16.exe (detected as BKDR_WIPALL.A). BKDR_WIPALL.A’s overlay is encrypted with a set of user names and passwords as seen in the screenshot below:
Figure 1. BKDR_WIPALL.A’s overlay contains encrypted user names and passwords
These user names and passwords are found to be encrypted by XOR 0x67 in the overlay of the malware sample and are then used to log into the shared network. . Once logged in, the malware attempts to grant full access to everyone that will access the system root.
Figure 2. Code snippet of the malware logging into the network
The dropped net_var.dat contains a list of targeted hostnames:
Figure 3. Targeted host names
The next related malware is igfxtrayex.exe (detected as BKDR_WIPALL.B), which is dropped by BKDR_WIPALL.A. It sleeps for 10 minutes (or 600,000 milliseconds as seen below) before it carries out its actual malware routines:
Figure 4. BKDR_WIPALL.B (igfxtrayex.exe) sleeps for 10 minutes
Figure 5. Encrypted list of usernames and passwords also present in BKDR_WIPALL.B
Figure 6. Code snippet of the main routine of igfxtrayex.exe (BKDR_WIPALL.B)
This malware’s routines, aside from deleting users’ files, include stopping the Microsoft Exchange Information Store service. After it does this, the malware sleeps for another two hours. It then forces the system to reboot.
Figure 7. Code snippet of the force reboot
It also executes several copies of itself named taskhost{random 2 characters}.exe with the following parameters:
- taskhost{random 2 characters}.exe -w – to drop and execute the component Windows\iissvr.exe
- taskhost{random 2 characters}.exe -m – to drop and execute Windows\Temp\usbdrv32.sys
- taskhost{random 2 characters}.exe -d – to delete files in all fixed or remote (network) drives
Figure 8. The malware deletes all the files (format *.*) in fixed and network drives
The malware components are encrypted and stored in the resource below:
Figure 9. BKDR_WIPALL.B malware components
Additionally, BKDR_WIPALL.B accesses the physical drive that it attempts to overwrite:
Figure 10. BKDR_WIPALL.B overwrites physical drives
We will be updating this post with our additional analysis of the WIPALL malware.
Analysis by Rhena Inocencio and Alvin Bacani
Update as of December 3, 2014, 5:30 PM PST
Upon analysis of the same WIPALL malware family, its variant BKDR_WIPALL.D drops BKDR_WIPALL.C, which in turn, drops the file walls.bmp in the Windows directory. The .BMP file is as pictured below:
Figure 11. Dropped wallpaper
This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase “hacked by #GOP.” Therefore we have reason to believe that this is the same malware used in the recent attack to Sony Pictures.
Note that BKDR_WIPALL.C is also the dropped named as igfxtrayex.exe in the same directory of BKDR_WIPALL.D.
We will update this blog entry for more developments.
Additional analysis by Joie Salvio
Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:
- An Analysis of the “Destructive” Malware Behind FBI Warnings – analysis of the “destructive” malware described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses
- WIPALL Malware Leads to #GOP Warning in Sony Hack – this entry discusses other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees
- The Hack of Sony Pictures: What We Know and What You Need to Know – timeline of the Sony Pictures hack
- Sony Pictures Corporate Network Hit by Major Attack: Why You Need to Stay Ahead of Targeted Attacks – discussion on responses to targeted attacks