TLP: GREEN

National Cybersecurity and Communications Integration Center


2 December 2014

FBI Flash Destructive Malware


DISCLAIMER: This advisory is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any
warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this
advisory or otherwise. Further dissemination of this advisory is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.

Summary
The Federal Bureau of Investigation (FBI) released a FLASH Alert on 1 December 2014 pertaining to a
recently discovered destructive malware campaign (FLASH Alert, 2014). According to the FBI, this
particular malware is capable of overwriting an infected machine's master boot record (Base, n.d.) and
erasing data files stored on the machine. Some open source media outlets are making the connection
between this FLASH Alert and the recent campaign that impacted Sony Pictures last week ("Sony's New
Movies Leak Following Hack," 2014). However, the FBI issues FLASH Alerts and Advisories to the
general public periodically regarding investigation findings; it makes no such connection to any specific
campaign or victim ("FBI Urges United States Companies to Beware Malicious Software Attacks,"
2014).
The following are some of the technical indicators gleaned from the FBI FLASH Alert.

Installer:
o File: d1c27ee7ce18675974edf42d4eea25c6.bin (originally diskpartmg16.exe)
o Size: 262.3 KB
o MD5: D1C27EE7CE18675974EDF42D4EEA25C6 (32 hex characters, as carried in the sample's file name above)
o PE Compile Time: 22 November 2014
o Observed Language: Korean
o Objective: Installs the destructive malware file as well as the data, listener, and both
system read/write access files.

Destructive Malware:
o File: igfxtrayex.exe
o Size: 244 KB
o MD5: 760C35A80D758F032D02CF4DB12D3E55
o PE Compile Time: 24 November 2014
o Observed Language: Korean
o Objective: Copies itself into three different files (taskhost16.exe, taskhost32.exe, and
taskhost64.exe) and establishes connections with command-and-control (C2) servers over
ports 445, 139, 8080, and 8000. Once connectivity is established with the C2 servers, it
initiates a two-hour countdown, at the end of which the infected machine reboots.

Data File:
o File: net_ver.dat
o Size: 4.5 KB
o MD5: 93BC819011B2B3DA8487F964F29EB934
o Objective: Contains victim IP addresses and hostnames.

Listener File:
o File: iissvr.exe
o Size: 112 KB
o MD5: E1864A55D5CCB76AF4BF7A0AE16279BA
o PE Compile Time: 13 November 2014
o Observed Language: Korean
o Objective: Monitors traffic over port 80.

System Read/Write File:
o File: usbdrv3_32bit.sys
o Size: 23.7 KB
o MD5: 6AEAC618E29980B69721158044C2E544
o PE Compile Time: 21 August 2009
o Objective: Gives the attacker read/write access to installed files. This is a freely available
tool that is compatible with 32-bit Windows systems.

System Read/Write File:
o File: usbdrv3_64bit.sys
o Size: 27.8 KB
o MD5: 86E212B7FC20FC406C692400294073FF
o PE Compile Time: 21 August 2009
o Objective: Gives the attacker read/write access to installed files. This is a freely available
tool that is compatible with 64-bit Windows systems.

The installer file, diskpartmg16.exe, also re-installs itself under another name,
WinsSschMgmt, and then deletes the original file. Other files that were observed are as follows:
recdiscm32.exe; taskhosts64.exe; taskchg16.exe; rdpshellex32.exe; mobysynclm64.exe;
common32.exe; dpnsvr16.exe; expandmn32.exe; and hwrcompsvc64.exe.
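The file names and MD5 hashes listed above are the kind of indicators a responder loads into a host sweep. The following script is an added example and not part of the FBI alert or the NCCIC advisory: it walks a directory tree, hashes every file, and reports matches against the advisory's file names and hashes. The indicator values are copied from the advisory (the installer hash is taken from the sample's 32-character file name); the directory, file contents and the helper names (sweep, demo) are constructed for this example.

```python
"""Host-side IoC sweep for the file indicators in the FBI FLASH / NCCIC advisory.

Added example, not the advisory's own tooling. Indicator values come from the
advisory; everything built in demo() is constructed for illustration.
"""
import hashlib
import os
import tempfile

# File names the advisory associates with the campaign: installer, destructive
# payload and its copies, data file, listener, drivers, and the other observed names.
ADVISORY_FILE_NAMES = {
    "diskpartmg16.exe", "igfxtrayex.exe", "taskhost16.exe", "taskhost32.exe",
    "taskhost64.exe", "net_ver.dat", "iissvr.exe", "usbdrv3_32bit.sys",
    "usbdrv3_64bit.sys", "recdiscm32.exe", "taskhosts64.exe", "taskchg16.exe",
    "rdpshellex32.exe", "mobysynclm64.exe", "common32.exe", "dpnsvr16.exe",
    "expandmn32.exe", "hwrcompsvc64.exe",
}

# MD5 hashes from the advisory, lower-cased for comparison with hexdigest() output.
ADVISORY_MD5S = {
    "d1c27ee7ce18675974edf42d4eea25c6",  # installer (value from the sample's file name)
    "760c35a80d758f032d02cf4db12d3e55",  # igfxtrayex.exe
    "93bc819011b2b3da8487f964f29eb934",  # net_ver.dat
    "e1864a55d5ccb76af4bf7a0ae16279ba",  # iissvr.exe
    "6aeac618e29980b69721158044c2e544",  # usbdrv3_32bit.sys
    "86e212b7fc20fc406c692400294073ff",  # usbdrv3_64bit.sys
}


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, names=ADVISORY_FILE_NAMES, hashes=ADVISORY_MD5S):
    """Return (name_hits, hash_hits): paths whose base name or MD5 is an indicator.

    Names are compared case-insensitively because Windows file systems are.
    A hash hit is the stronger signal; a name hit alone warrants a closer look,
    since legitimate software can reuse similar names.
    """
    name_hits, hash_hits = [], []
    lowered = {n.lower() for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower() in lowered:
                name_hits.append(path)
            try:
                if md5_of_file(path) in hashes:
                    hash_hits.append(path)
            except OSError:
                # Unreadable or vanished file: skip it rather than abort the sweep.
                continue
    return name_hits, hash_hits


def demo():
    """Sweep a constructed directory; returns (name_hits, hash_hits, planted_md5)."""
    root = tempfile.mkdtemp()
    # A harmless file that only shares a name with an indicator (any content).
    with open(os.path.join(root, "IGFXTRAYEX.EXE"), "wb") as f:
        f.write(b"constructed placeholder, not malware")
    # A constructed file whose own hash we add to the indicator set, so the
    # hash-matching path is exercised without needing a real sample.
    planted = os.path.join(root, "sample.bin")
    with open(planted, "wb") as f:
        f.write(b"abc")  # constructed content; MD5("abc") is well known
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("nothing to see here")
    planted_md5 = md5_of_file(planted)
    name_hits, hash_hits = sweep(root, hashes=ADVISORY_MD5S | {planted_md5})
    return name_hits, hash_hits, planted_md5


if __name__ == "__main__":
    names, hashes, _ = demo()
    print("name hits:", names)
    print("hash hits:", hashes)
```

Run it against a mounted image or a live system root (sweep("C:\\")) to get the two lists; hash hits go straight to incident handling, name-only hits go to triage. MD5 is used here only because those are the values the advisory publishes; for your own indicator sets, record SHA-256 alongside.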

Mitigation & Recommendations


The FBI developed the following Snort and YARA signatures, which can be deployed to detect the malicious
traffic and files:

Figure 1: FBI-developed Snort Signature.

Figure 2: FBI-developed YARA Signature.
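The FBI's Snort signature in Figure 1 is not reproduced on this page, but the network behaviour the advisory describes (outbound C2 sessions on ports 445, 139, 8080 and 8000, and a listener component watching port 80) can also be hunted for in connection logs you already have. The script below is an added example, not the FBI's signature or any NCCIC tooling: it reads constructed firewall-style log lines, flags internal hosts opening sessions to external addresses on the advisory's C2 ports, and flags internal hosts accepting port-80 connections when they are not on an allow-list of known web servers. The log format, addresses, allow-list and function names (parse_line, triage) are all constructed assumptions for this example.

```python
"""Network-side triage for the C2 and listener ports named in the advisory.

Added example, not the FBI's Snort signature. Ports come from the advisory;
the log format, hosts and allow-list are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

C2_PORTS = {445, 139, 8080, 8000}   # ports the advisory ties to C2 traffic
LISTENER_PORT = 80                  # port the listener component monitors

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
KNOWN_WEB_SERVERS = {"10.0.5.10"}   # constructed allow-list of expected HTTP servers

# Constructed sample log: "<timestamp> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2014-12-02T09:00:01 ALLOW 10.0.3.21:49211 -> 10.0.5.10:80
2014-12-02T09:00:04 ALLOW 10.0.3.21:49212 -> 10.0.3.22:445
2014-12-02T09:01:10 ALLOW 10.0.3.44:50100 -> 203.0.113.7:8080
2014-12-02T09:01:11 ALLOW 10.0.3.44:50101 -> 203.0.113.7:8000
2014-12-02T09:02:30 ALLOW 192.168.1.9:51000 -> 198.51.100.23:445
2014-12-02T09:03:00 ALLOW 10.0.3.21:49300 -> 10.0.3.44:80
2014-12-02T09:03:05 DENY  10.0.3.50:49400 -> 203.0.113.9:8000
"""


def is_internal(ip_str):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one constructed log line; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, _ = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return {"ts": parts[0], "action": parts[1], "src": src_ip,
                "dst": dst_ip, "dport": int(dst_port)}
    except ValueError:
        return None


def triage(log_text, known_web=KNOWN_WEB_SERVERS):
    """Return egress C2-port events, per-host port sets, and unexpected port-80 listeners.

    Internal-to-internal traffic on 445/139 is ordinary SMB and is deliberately not
    flagged; the advisory's ports are only interesting when the destination is
    outside the organisation. Denied attempts are kept (with their action) because
    a blocked beacon still identifies a host worth examining.
    """
    egress = []                    # (ts, action, src, dst, dport) internal -> external
    ports_by_host = defaultdict(set)
    listeners = set()              # internal hosts accepting port 80 unexpectedly
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dport"] in C2_PORTS and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            egress.append((ev["ts"], ev["action"], ev["src"], ev["dst"], ev["dport"]))
            ports_by_host[ev["src"]].add(ev["dport"])
        if (ev["dport"] == LISTENER_PORT and ev["action"] == "ALLOW"
                and is_internal(ev["dst"]) and ev["dst"] not in known_web):
            listeners.add(ev["dst"])
    return {"egress": egress, "ports_by_host": dict(ports_by_host), "listeners": listeners}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for event in result["egress"]:
        print("egress on C2 port:", event)
    print("C2 ports per host:", result["ports_by_host"])
    print("unexpected port-80 listeners:", result["listeners"])
```

In the constructed log, 10.0.3.44 both beacons out on two of the advisory's ports and accepts an inbound port-80 connection from a workstation; that overlap between the two findings is the correlation worth prioritising. Adapt parse_line to your firewall or NetFlow export format and feed it the real allow-list of HTTP servers so the listener check stays quiet on legitimate web hosts.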

Who Can I Share This With?


Recipients may share TLP: GREEN information with peers and partner organizations within their sector
or community, but not via publicly accessible channels.
Contact Information:
Any questions regarding this advisory can be directed to DHS NCCIC. To be added to the normal
distribution for similar products, please send requests to NCCIC@hq.dhs.gov or call (888) 282-0870.
References
FLASH Alert (#A-000044-MW). (2014). FBI.
FBI Urges United States Companies to Beware Malicious Software Attacks. (2014, December 1). Reuters.
Retrieved from http://www.theguardian.com/technology/2014/dec/02/fbi-united-states-hacking-malwareattacks-cybersecurity-sony-corp
Base, K. (n.d.). Retrieved from www.dewassoc.com/kbase/hard_drives/master_boot_record.htm
Sony's New Movies Leak Following Hack. (2014, November 30). CNBC. Retrieved from
http://www.cnbc.com/id/102225718
