Wilders Security Forums  

  #1  
August 17th, 2012, 08:11 AM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Disttrack/Shamoon: a new targeted and destructive virus

Disttrack/Shamoon: a new targeted and destructive virus
Quote:
Anti-virus companies and researchers are warning about a new targeted and destructive virus variously known as Shamoon and Disttrack. It seems to be targeted at the oil industry – and it wipes PCs.

Although not widely distributed, Disttrack/Shamoon is surprisingly aggressive. These days it is more usual for malware to covertly steal data from its victims; but this one draws attention by destroying it. This is puzzling. “Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and waste a 0-day vulnerability in order to silently install a sophisticated malware... Why would someone wipe files in a targeted attack and make the machine unusable?” asks Seculert.

Seculert’s analysis shows the malware first infects a computer attached to the internet, and then seeks to infect other machines on the internal network that might not be directly connected to the internet. What Disttrack does to - or on - those systems is not clear, because it then wipes the data and overwrites the MBR – but not before sending a list of the wiped files to the original computer, which then sends them to the attacker’s C&C server.
  #2  
August 17th, 2012, 12:39 PM
JRViejo
Global Moderator
Join Date: Jul 2008
Posts: 10,424
Re: Disttrack/Shamoon: a new targeted and destructive virus

Shamoon the Wiper - Copycats at Work by GReAT, Kaspersky Lab Expert.
__________________
JR
"You don't have to win every argument. Agree to disagree." Regina Brett
  #4  
August 22nd, 2012, 08:33 AM
Dermot7
Very Frequent Poster
Join Date: Dec 2009
Location: Surrey, England.
Posts: 1,842
Re: Disttrack/Shamoon: a new targeted and destructive virus

Quote:
We continue to analyse the Shamoon malware. This blog contains information about the internals of the malicious samples involved in this campaign.
https://www.securelist.com/en/blog/2...per_in_details
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.
  #5  
August 28th, 2012, 10:51 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Disttrack/Shamoon: a new targeted and destructive virus

30,000 Machines Infected In Targeted Attack On Saudi Aramco
Quote:
Oil company's revelation matches counts by hackers claiming responsibility and Shamoon connection.

In what may be the closest sign yet to a public confirmation that this month's targeted attack against Saudi Aramco was actually the malicious Shamoon malware attack, the massive oil company yesterday revealed that 30,000 of its workstations had been infected in the attack -- the same number quoted by the attackers who took responsibility for it and gave a hat tip to the Shamoon research in an online post.
Security biz U-turns on Gauss, Flame joint cyberspy hub claim.
Quote:
Computer security biz FireEye has withdrawn claims that the Gauss and Flame super-viruses may be linked.

This is after it emerged that what FireEye had thought was a shared command-and-control server, used to send instructions to PCs compromised by the malware, was actually a "sinkhole" maintained by rival researchers at Kaspersky Lab.

FireEye had noticed communications from both virus strains were heading to the same IP address – but this was a system set up by the Russian lab, which had asked DNS providers to redirect data sent from the two software nasties so as to examine their network traffic.
  #6  
August 31st, 2012, 12:22 PM
axial
Frequent Poster
Join Date: Jun 2007
Posts: 476
Re: Disttrack/Shamoon: a new targeted and destructive virus

RasGas in Qatar was hit:

http://www.bbc.co.uk/news/technology-19434920

>> RasGas, one of the world's largest producers of liquid petroleum gas, said production was not hit by the attack. <<
  #7  
September 1st, 2012, 10:53 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Disttrack/Shamoon: a new targeted and destructive virus

Kaspersky Lab dissects Wiper oil estate targeting malware
Quote:
Kaspersky Lab has today published key findings of a report on the Wiper malware – which was first spotted back in April attacking Iran’s oil ministry and which subsequently led to the discovery of the Flame malware a month later. In May of this year, the security vendor says that its research team conducted a search prompted by the International Telecommunication Union to investigate the incidents and determine the potential threat from this new malware as it related to global sustainability and security.

The analysis, says the company, provides insight into Wiper’s highly effective method of destroying computer systems, including its unique data wiping pattern and destructive behaviour.
Security Researchers Document Wiper Malware's Disappearing Act
Quote:
Following the unrelated "copycat" Shamoon attack, Kaspersky Lab discusses its research into a mysterious attack on Iranian systems earlier this year, stressing that the program known as Wiper did such a good job of deleting itself that little evidence exists.

Late last year and earlier this year, attackers snuck into Iranian systems and did—something. Exactly what happened will likely never be known, however, because their last act was to run a program—now known in the security community as "Wiper" malware—that deleted almost every trace of the attack and then effectively destroyed compromised systems.
  #8  
September 4th, 2012, 02:31 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Disttrack/Shamoon: a new targeted and destructive virus

New Shamoon Malware Variant Appears: Symantec
Quote:
Shamoon is still busy infecting computers throughout the world, this time with an updated variant, according to new findings by Symantec.

The new version of the malware – detected by the firm as W32.Disttrack – wipes files by overwriting them with 192KB blocks of randomly generated data as opposed to the previous version, which used a 192KB block filled with a partial image of a burning U.S. flag.

Shamoon is believed by many to have been used in an attack last month on Saudi Aramco, the national oil company of Saudi Arabia. It also has been linked by some to an attack that forced one of Qatar's two main LNG (Liquid Natural Gas) production and export companies offline.
  #9  
September 7th, 2012, 03:32 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Disttrack/Shamoon: a new targeted and destructive virus

Insiders Suspected in Aramco Attack
Quote:
Reuters is reporting that sources close to the investigation efforts in the Aramco attack are reporting that insiders are partly responsible. In August, Aramco, Saudi Arabia’s national oil company – and the world’s largest oil producer – had to contend with a malware outbreak that hit 30,000 systems in a single go.

According to Reuters’ Jim Finkle, insiders with high-level access to Aramco’s network helped attackers target the organization. The story cites sources familiar with the company’s ongoing investigation, who said the attack was made possible by, “someone who had inside knowledge and inside privileges within the company.”
 

All times are GMT -4.