6 December 2014

In ‘Sony hack exposes poor security practices’ Warwick Ashford talks about the lessons learned from the latest Sony cyber attach.

‘According to the FBI, the malware comes wrapped in an executable “dropper” that installs itself as a Windows service.’

The big question is: How comes a dropper on my computer? And why could a dropper start itself as a service? Under normal conditions, administrative privileges are required to start a Service.

‘It also uses the command line of the Windows Management Interface (WMI) to spread to other computers on the network.’

This is definitely the most important information. If you are somewhat familiar with Windows computer networks you know, that you can install services on another computer in your network only, if you have administrative privileges on this computer.

In other word, this means that the attackers got access to a domain administrator account. Or a service account which is installed on all computers in the network, including the servers.

All this sounds like phishing and weak passwords, flavored with a missing concept for privileged account management. It’s always the same old story…

If you like to read more about the impressive technical details of the malware see this report on ars technica.

Lütetsburg Park, 53°35’55.0″N 7°15’39.5″E

Have a good Weekend!