An Analysis of the “Destructive” Malware Behind FBI Warnings

TrendLabs engineers were recently able to obtain a malware sample of the “destructive malware” described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses last December 2. According to Reuters, the FBI issued a warning to businesses to remain vigilant against this new “destructive” malware in the wake of the recent Sony Pictures attack. As of this writing, the link between the Sony breach and the malware mentioned by the FBI has yet to be verified.

The FBI flash memo titled “#A-000044-mw” describes an overview of the malware behavior, which reportedly has the capability to override all data on hard drives of computers, including the master boot record, which prevents them from booting up.

Below is an analysis of our own findings:

Analysis of the BKDR_WIPALL Malware

Our detection for the malware detailed in the FBI report is BKDR_WIPALL. Below is a quick overview of the infection chain for this attack.

The main installer here is diskpartmg16.exe (detected as BKDR_WIPALL.A). BKDR_WIPALL.A’s overlay is encrypted with a set of user names and passwords as seen in the screenshot below:

Figure 1. BKDR_WIPALL.A’s overlay contains encrypted user names and passwords

These user names and passwords are found to be encrypted by XOR 0x67 in the overlay of the malware sample and are then used to log into the shared network. . Once logged in, the malware attempts to grant full access to everyone that will access the system root.

Figure 2. Code snippet of the malware logging into the network

The dropped net_var.dat contains a list of targeted hostnames:

Figure 3. Targeted host names

The next related malware is igfxtrayex.exe (detected as BKDR_WIPALL.B), which is dropped by BKDR_WIPALL.A. It sleeps for 10 minutes (or 600,000 milliseconds as seen below) before it carries out its actual malware routines:

Figure 4. BKDR_WIPALL.B (igfxtrayex.exe) sleeps for 10 minutes

Figure 5. Encrypted list of usernames and passwords also present in BKDR_WIPALL.B

Figure 6. Code snippet of the main routine of igfxtrayex.exe (BKDR_WIPALL.B)

This malware’s routines, aside from deleting users’ files, include stopping the Microsoft Exchange Information Store service. After it does this, the malware sleeps for another two hours. It then forces the system to reboot.

Figure 7. Code snippet of the force reboot

It also executes several copies of itself named taskhost{random 2 characters}.exe with the following parameters:

taskhost{random 2 characters}.exe -w – to drop and execute the component Windows\iissvr.exe
taskhost{random 2 characters}.exe -m – to drop and execute Windows\Temp\usbdrv32.sys
taskhost{random 2 characters}.exe -d – to delete files in all fixed or remote (network) drives

Figure 8. The malware deletes all the files (format *.*) in fixed and network drives

The malware components are encrypted and stored in the resource below:

Figure 9. BKDR_WIPALL.B malware components

Additionally, BKDR_WIPALL.B accesses the physical drive that it attempts to overwrite:

Figure 10. BKDR_WIPALL.B overwrites physical drives

We will be updating this post with our additional analysis of the WIPALL malware.

Analysis by Rhena Inocencio and Alvin Bacani

Update as of December 3, 2014, 5:30 PM PST

Upon analysis of the same WIPALL malware family, its variant BKDR_WIPALL.D drops BKDR_WIPALL.C, which in turn, drops the file walls.bmp in the Windows directory. The .BMP file is as pictured below:

Figure 11. Dropped wallpaper

This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase “hacked by #GOP.” Therefore we have reason to believe that this is the same malware used in the recent attack to Sony Pictures.

Note that BKDR_WIPALL.C is also the dropped named as igfxtrayex.exe in the same directory of BKDR_WIPALL.D.

We will update this blog entry for more developments.

Additional analysis by Joie Salvio

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

An Analysis of the “Destructive” Malware Behind FBI Warnings