NOV 2014: SONY ATTACK DESTOVER BACKDOOR SAMPLES ARE BASED ON KORDLLBOT
The Destover “lightweight backdoor” (sha256 4c2efe2f1253b94f16a1cab032f36c7883e4f6c8d9fc17d0ee553b5afb16330c) mentioned in official statements related to the Sony intrusion is a digitally signed file. An almost identical unsigned file also exists, with sha256 eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55. The unsigned file is the original; it was established that the signed file was created as a “joke” by a researcher (4).
We were able to locate more malware samples similar to this backdoor. Many of them were created well before the Sony intrusion came to light. Some also match the import hash indicators mentioned in the US-CERT advisory. Note, however, that an import hash only fingerprints the import table (the imported libraries and functions, in order), so unrelated binaries built from the same code base or with the same imports share it; import hashes are therefore non-unique indicators and cannot be relied upon on their own.
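To make the import hash caveat concrete, the following is an added example, not code from the report or from any tool it references. It reimplements the import hash (imphash) algorithm as defined by Mandiant and implemented in pefile, and runs it over three constructed import tables. The tables and their labels are assumptions for illustration; the one simplification relative to pefile is that every import by ordinal is written as `ordN` rather than resolving well-known ws2_32/oleaut32 ordinals to names.

```python
import hashlib

# Constructed import tables, not taken from any real sample: ordered (dll, function)
# pairs as they would be read from a PE import directory. An int stands for an
# import by ordinal.
IMPORTS_A = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", "connect"),
]
# Same imports with different casing of names: a different build, same fingerprint.
IMPORTS_B = [
    ("kernel32.DLL", "createfilea"),
    ("kernel32.DLL", "writefile"),
    ("ws2_32.DLL", "CONNECT"),
]
# Same imports in a different order: the import hash changes.
IMPORTS_C = list(reversed(IMPORTS_A))


def imphash(imports):
    """Import hash as defined by Mandiant and implemented in pefile: MD5 over the
    comma-joined, lower-cased 'lib.func' entries in import-table order, with a
    .dll/.ocx/.sys extension stripped from the library name.

    Assumption/simplification: pefile additionally maps well-known ordinals of
    ws2_32, wsock32 and oleaut32 to function names; here every ordinal is 'ordN'.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    # Only the import table feeds the hash: any two binaries with identical
    # import tables collide, regardless of their code or strings.
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for label, table in (("A", IMPORTS_A), ("B", IMPORTS_B), ("C", IMPORTS_C)):
        print(label, imphash(table))
```

Tables A and B produce the same hash, which is exactly why an imphash match between two samples says "same import table", not "same malware". Reordering the imports (table C) changes the hash, so a recompilation that shuffles the import directory will also break the match in the other direction.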
Closer investigation reveals that this Destover sample is indeed derived from the same source base as KorDllbot. This is based on the following indicators:
• The Chopstring API string obfuscation
• The CMXE command line construction
• The same way of declaring APIs
• Similarities with later samples, such as:
  o A printf “MessageThread” statement at the beginning of the command handling function (similar to the Destover “MessageThread” samples)
  o Use of the XOR-A7 encoding to decode strings (similar to the Destover “b076e058” samples)
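The XOR-A7 string encoding named in the list above, as an added example that is not code from the report or from the malware itself: it assumes, as the name suggests, that each byte of a string is XORed with the single-byte key 0xA7, and that decoded strings are NUL-terminated printable ASCII. The scanner approach (look for runs of bytes that become printable after XOR) and the sample blob, including the strings placed in it, are constructed for illustration.

```python
KEY = 0xA7  # assumption: single-byte XOR key implied by the name "XOR-A7"


def xor_a7(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def find_xor_a7_strings(blob: bytes, min_len: int = 6, key: int = KEY):
    """Scan a byte blob for runs that decode to printable ASCII under XOR with key.

    Returns a list of (offset, decoded_string). Because 0xA7 has the high bit
    set, every printable byte (0x20..0x7E) maps to 0x87..0xD9 and back, so
    ordinary plaintext strings in the blob never produce false positives.
    """
    results = []
    run_start = None
    current = bytearray()

    def flush():
        if run_start is not None and len(current) >= min_len:
            results.append((run_start, current.decode("ascii")))

    for offset, b in enumerate(blob):
        decoded = b ^ key
        if 0x20 <= decoded <= 0x7E:
            if run_start is None:
                run_start = offset
            current.append(decoded)
        else:
            flush()
            run_start = None
            current = bytearray()
    flush()
    return results


# Constructed sample buffer standing in for a slice of a binary's data section:
# a few header-like bytes, two XOR-A7 encoded strings and one plaintext string.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"     # constructed header-like bytes (offset 0..7)
    + xor_a7(b"MessageThread")        # encoded string at offset 8
    + b"\x00"                         # NUL terminator (0x00 ^ 0xA7 = 0xA7, not printable)
    + b"This is plaintext"            # plaintext: invisible to the scanner
    + b"\x00"
    + xor_a7(b"cmd.exe /c ")          # encoded string at offset 40
    + b"\x00"
)


if __name__ == "__main__":
    for offset, text in find_xor_a7_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}: {text!r}")
```

Run against a real sample's data section, the same scan gives a quick first pass at the decoded string table (command templates, format strings, C2 markers) without stepping through the decoding routine in a debugger; the `min_len` threshold is what keeps short accidental runs out of the output.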
Throughout 2014 and 2015, and still ongoing in 2016, Destover-related backdoors have continued to be used in various campaigns. They share many common traits, but there are also clear differences in functionality, which points to a common source repository from which variants are customized as needed. Some subfamilies have received their own variant names, e.g. Volgmer and Duuzer, while others have no separate moniker. See the appendix for detailed descriptions of the variants.