Saturday, 20 December 2014

US warns of SMB worm that was used against Sony

The US government's Computer Emergency Readiness Team (US-CERT) has issued a warning about an SMB (Server Message Block) worm that was used against Sony. The worm uses brute-force authentication to spread through Windows SMB shares.

Every five minutes the malware connects to the attackers' command server to send data once it has successfully infected another Windows computer via SMB port 445. The tool also listens for connections on TCP port 195 and TCP port 444. Furthermore, the worm has a backdoor that makes it possible to download files and execute commands. The worm can also use Universal Plug and Play (UPnP) to open ports in the firewall and to discover routers, gateways and port mappings.

This makes it possible to allow incoming connections to attacked computers that sit behind a NAT (Network Address Translation) network. The most striking part of the worm is the "clear" function, which overwrites the Master Boot Record of the hard drive and thus makes the system unusable. The delete function is also used against systems that are accessible via shared network folders. The malware attempts to log on to these computers using a number of usernames and passwords specified in advance by the attackers.
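As an added example (not part of the original article or of the US-CERT warning), the network behaviours described above can be turned into a simple check over flow records. The record format, thresholds and indicator names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

LISTEN_PORTS = {195, 444}   # TCP ports the article says the tool listens on
SMB_PORT = 445              # port the worm spreads over
BEACON_SECS = 300           # "every five minutes"

# Constructed flow log (not real telemetry): "epoch_secs src dst dst_port"
SAMPLE = """\
0 10.0.0.5 203.0.113.9 443
20 10.0.0.5 10.0.0.10 445
25 10.0.0.5 10.0.0.11 445
31 10.0.0.5 10.0.0.12 445
40 10.0.0.5 10.0.0.13 445
90 10.0.0.8 10.0.0.2 445
130 10.0.0.8 203.0.113.50 443
300 10.0.0.5 203.0.113.9 443
410 198.51.100.7 10.0.0.13 444
470 10.0.0.8 203.0.113.50 443
500 10.0.0.8 203.0.113.50 443
601 10.0.0.5 203.0.113.9 443
899 10.0.0.5 203.0.113.9 443
"""

def parse(text):
    """Turn 'ts src dst port' lines into (ts, src, dst, port) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(int(ts), src, dst, int(port)) for ts, src, dst, port in rows]

def detect(flows, fanout=4, min_beacons=3, jitter=15):
    """Return {host: [indicator names]}; thresholds are assumed defaults."""
    hits, smb_peers = defaultdict(set), defaultdict(set)
    contacts = defaultdict(list)            # (src, dst) -> connection times
    for ts, src, dst, port in sorted(flows):
        contacts[(src, dst)].append(ts)
        if port in LISTEN_PORTS:            # a host accepted a connection on 195/444
            hits[dst].add("listener-port")
        if port == SMB_PORT:                # count distinct SMB targets per source
            smb_peers[src].add(dst)
    for src, peers in smb_peers.items():
        if len(peers) >= fanout:
            hits[src].add("smb-fanout")
    for (src, _dst), times in contacts.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_beacons and all(abs(g - BEACON_SECS) <= jitter for g in gaps):
            hits[src].add("five-minute-beacon")
    return {host: sorted(names) for host, names in hits.items()}

if __name__ == "__main__":
    print(detect(parse(SAMPLE)))
```

Flow data shows only who connected to whom; confirming the brute-force logon attempts themselves would need the failed-logon records of the targeted Windows hosts.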

US-CERT warns that organizations hit by this malware must take into account the theft of intellectual property and the disruption of critical systems. As a solution, it advises organizations to use virus scanners and keep them up to date, to keep operating systems and software up to date, to apply "defense in depth" strategies and to establish a plan for dealing with destructive malware.
