Damballa finds tools related to the malware that hit Sony

The tools make it easier for attackers to move undetected through a network

Security company Damaballa said it has found two utilities that are closely related to capabilities seen in the destructive malware that hit Sony Pictures Entertainment last year.

The utilities were discovered as Damballa was investigating a new version of the "Destover" malware, which rendered thousands of computers unusable at Sony after attackers stole gigabytes of sensitive company information.

One key question in the Sony breach is how the attackers were able to evade security systems. What Damaballa found are two utilities that help mask new files introduced to a system. 

"Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface," wrote senior threat researchers Willis McDonald and Loucif Kharouni, in a blog post on Wednesday.

One of the tools, setMFT, enables a technique called timestopping, which can make a file appear to have a different timestamp. It's often used in combination with renaming a newly introduced file to make it appear to blend in with a group of other files.

"This can conceal a file’s existence from security personnel looking for malicious files or scans of files created after a certain date," they wrote. "Timestomping can get past a cursory check."

The other tool, afset, is used for timestomping and cleaning up log data stored in Windows. It can also change the build time and checksum of an executable.

Afset "allows the attacker to remain stealthy and erase their tracks as they move through the network," they wrote. "A full forensic analysis of a system would reveal the presence of afset and missing log activity, but it’s likely this activity would go undetected initially creating high-risk infection dwell time."

It can be difficult for companies to detect intruders in their networks, particularly if the attackers are using valid login credentials stolen from an authorized user. Once in, using these utilities could make it even harder to detect strange activity.

Just one antivirus product was detecting both of the tools, the researchers wrote. That makes it likely that newer versions of them would not be detected, at least initially. 

"These capabilities, when used together with tools that enable attackers to obtain network credentials and disable defenses, allows them to permeate the network undetected for an extended period of time," they wrote.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?