The “wiper” malware that knocked Sony Pictures’ corporate network offline for over a week, now being called Destover, bears a striking resemblance not only to the “DarkSeoul” malware that struck South Korean companies last year, but the Shamoon “wiper” that struck Saudi Aramco in 2012, according to analysis by Kaspersky Labs and other security researchers. While there is nothing in the analysis that would tie the three attacks to the same malware developers, they all used similar techniques, as well as some of the same commercial Windows drivers to attack the hard drives of their victims.
In an e-mail exchange with Ars, Kaspersky Lab security researcher Kurt Baumgartner said, “Of the three, the Shamoon and Destover implementations share the most similarities, and based on these similarities it is possible that there was shared guidance or expertise between the two projects. All three share operational similarities.”
The Sony Pictures malware used commercial software to do its damage to the victim computers’ hard drives—the RawDisk library from EldoS, which allows Windows applications to gain direct access to disk hardware without having to run in administrator mode. As EldoS advertises on its website for RawDisk, the library “offers software developers direct access to files, disks and partitions of the disks (hard drives, flash disks, etc,) for user-mode applications, bypassing security limitations of Windows operating systems.” This allowed the malware to skip past any restrictive security permissions in Windows’ NTFS file system and overwrite the data on the drive, including the master boot record (MBR). (Further details of the malware's behavior are in Ars' updated analysis article.)