Shamoon Malware Variant Running

Thursday, September 6, 2012 @ 03:09 PM gHale


Shamoon is still infecting computers throughout the world, this time with an updated variant, Symantec said.

The new version of the malware – detected by the firm as W32.Disttrack – wipes files by overwriting them with 192KB blocks of randomly generated data as opposed to the previous version, which used a 192KB block filled with a partial image of a burning U.S. flag.

RELATED STORIES
New Virus Hits Oil Giant, LNG Producer
Qatar’s RasGas Suffers Virus Hit
Saudi Aramco Back Up after Attack
Saudi Aramco Hacked

CIA sources told ISSSource Shamoon attacked last month the national oil company of Saudi Arabia, Saudi Aramco, and RasGas, one of Qatar’s two main LNG (Liquid Natural Gas) production and export companies.

“The virus hit Aramco and Qatari RasGas. In both cases, it knocked out computer workstations and corporate web sites,” the CIA sources said.

“The initial infection vector remains unconfirmed and may vary in different organizations, but once W32.Disttrack is inside a network, it will attempt to spread to every computer within the local area network via network shares,” said Symantec’s Security Response Team. “While Shamoon may piggyback on existing machine-to-machine credentials, typically Shamoon attackers have gained access to domain credentials and the domain controller itself, allowing them access to all machines on the local domain.”

The malware uses a hardcoded “wiping date” read from the .pnf file it creates on the file system, Symantec said. It will periodically check this date. Once it has passed, the malware will drop and execute the wiper component, which will target a prioritized list of files before moving on to the master boot record and active partition.

Once a target is found, Symantec said it will attempt to open and close the following files to determine it has access:
\\[TARGET IP]\ADMIN$\system32\csrss.exe
\\[TARGET IP]\C$\WINDOWS\system32\csrss.exe
\\[TARGET IP]\D$\WINDOWS\system32\csrss.exe
\\[TARGET IP]\E$\WINDOWS\system32\csrss.exe

“If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe,” the response team said. “If unsuccessful, it will try to load itself as a remote service. Once it has successfully looped through all target machines it will delete itself.”

Saudi Aramco officials said 30,000 workstations suffered a hit in the cyber attack. However, the oil giant said it was able to clean the systems and restore them to service.

RasGas found a virus in its office computer network just two weeks after Saudi Armaco suffered a hack attack.

“The company’s office computers have been affected by an unknown virus … It was first identified on Monday,” RasGas, one of two Qatari LNG producers, said in a statement.
In both cases, production remained up and running and unaffected.



Leave a Reply

You must be logged in to post a comment.