While the malware that took down computers at Sony Pictures last week was compiled just days before it was triggered, an earlier version of the code used to unleash the destructive attack may have been in use much earlier within Sony’s network. Malware with the same cryptographic signature and filename as the “Destover” malware was spotted by the security firm Packet Ninjas in July.
That malware communicated with one of the same IP addresses and domain names as the final “Destover” malware: a server at Thammasat University in Bangkok, Thailand. The malware, which was found in a Cisco Partner ThreatGrid repository, also communicated with a network address assigned to a New York business customer of TimeWarner Cable.
The Packet Ninjas report adds to the evidence that the attackers were inside Sony Pictures’ network for an extended period of time before unleashing the destructive attack that wiped the hard drives of PCs at the company and took its e-mail system offline. And further analysis of the malware’s code and behavior shows that it was tailored specifically to use parts of Sony Pictures’ e-mail server infrastructure to spread.